radiofree.asia

How Gulf Countries Are Acquiring Spyware to Suppress Dissent

Introduction

The repression of human rights activists and political dissidents is one of the biggest problems in the Gulf states. There are constant reports of arbitrary arrests, enforced disappearances, torture in prisons and other incidents targeting these groups. Those who want to fight to assert their rights or criticise regimes that stifle them always find a wall stopping them from pursuing their battles. All this represents a worrying repression of human rights and freedom of expression.

A further worrying aspect of this situation in the Gulf countries relates to the way the authorities obtain the information that they then use to crack down on these critical voices. In recent years many of these countries have started to adopt advanced digital surveillance systems that are used to carry out this repression. These surveillance systems consist of “spyware” that is used to hack certain information and then send it back to the operator. These spyware differ significantly from mass surveillance systems in that they allow more precise actions towards specific targets.

The development of these systems can be seen first and foremost as a consequence of the investments that many Gulf countries are making in technology. GCC members are in fact collaborating with tech giants and various start-ups. All this is being done with a view to diversifying their economy and shifting it away from the dependence these countries have long had on hydrocarbons.

The technological development that these countries are having must also be seen as a desire to reinforce their power and control over the population. The spyware and the means that many tech companies provide to these countries, in fact, have a purpose that is totally different from the desire to diversify their economy. The real purpose is to bring about the silencing of critical voices in an increasingly precise and capillary manner by exploiting these new means. The technological development we are seeing in these countries must therefore also be seen from the perspective of how it affects the rights of the citizens of these countries.

This also raises a question that needs to be answered as thoroughly as possible: Who is helping these countries acquire these systems? In fact, these are not systems that are simple to use and develop, but complex programmes that require considerable know-how to develop. In addition to this, the spyware acquired by the Gulf countries needs teams to take care of their operation and carry out the operations through which the information is collected.

The aim of this paper is to get to the bottom of this issue and answer the question posed above. The spyware that some Gulf countries use is are real means of repressing the rights of citizens, and it is important to understand who and how they help these countries to appropriate them. To this end, we will consider two countries about which much documentation is available and which have been at the centre of much controversy: the United Arab Emirates and Saudi Arabia.

United Arab Emirates

It is weel known that the UAE is one of the Gulf Countries that is investing a lot in the digital field. The country, in fact, has established itself as the technology hub in the region, hosting the offices of large companies such as Google and Facebook. However, the digital systems that the UAE is acquiring are used to hunt down activists and political dissidents. A 2021 US State Department report on UAE Human Rights Practices said that journalists, dissidents and activists were among the people most affected by the digital monitoring services used by the UAE.

The revelations made within this document have opened the debate on how the work of activists will have to change in the future. Indeed, if the governments they fight against have systems with which they can so easily spy on them, the risks of censorship become ever higher. Their ability to speak out and raise awareness on certain issues is therefore restricted. In addition to this, they must also be able to recognise suspicious movements that might suggest a possible hacking of their information.

As always, however, a fundamental question returns: how did the UAE obtain these control systems? To answer this question, we must talk about the spyware used in the UAE: Karma. The wat the country obtained this system is worth mentionin, as it often takes a back seat and does not receive the attention it deserves. This is rather problematic since the project that led to the development of the system, Project Raven, also involved ex-NSAs from the United States.

Project Raven and the Creation of Karma

Project Raven is the brainchild of a former US counter-terrorism agent, Richard Clarke. The latter had created a consulting firm called Good Harbour and, in 2008, held meetings with the Emirati authorities to convince them of the need to create a digital security system. The latter, interested in the project, then hired Clarke and his company to help develop it. As Clarke later said, the incentive behind this project was that it would be useful to fight Al-Qaeda, whose activities also raised various concerns in the Gulf countries.

Clarke then began work on the creation of a secret unit called the Development Research Exploitation and Analysis Department (DREAD). In order to make this unit work and help the Emirates in the creation of progress, Clarke decided to involve US intelligence veterans and ex-NSA agents. According to the testimony of one of them, Lori Stroud, the unit worked under conditions of extreme secrecy and clandestinity. The experts met inside a house not far from Abu Dhabi and helped the Emirati technicians develop the cybersecurity system.

This testimony, therefore, demonstrates how the whole project already had unclear lines and how the US contractors were doing everything on the threshold of legality. Their experience with legal loopholes allowed them to pass on their knowledge to the Emirati technicians despite knowing that the country had a very poor human rights record. The only rule they had set themselves was that they would not target US servers with the DREAD project. Apart from that, however, everything else was allowed and, in fact, Google, Yahoo and Hotmail accounts were targeted by the former spies.

The fact that former US spies were working on this project, knowing that it could have risky consequences, is a worrying and serious fact. It is hard to imagine that such experienced and well-trained people did not realise at an early stage that, once they had obtained the security system, the UAE would then use it in a different way than originally intended. Clarke himself, when questioned on this issue, replied that the biggest problem at the time was countering Al-Qaeda

In addition to this, still at the beginning of the project, the aim was to help Emirati technicians obtain the basic knowledge to run these programmes and then leave the country. After a short time from the start of the project, however, it became clear that they needed more support. For this reason, the involvement of US contractors became greater. From what Reuters has stated in its reports, it appears that former spies were involved in every phase of the project except that of pushing the button that would start the actual hacking phase.

During these early stages of the project, in any case, the targets that the UAE asked to be tracked were mostly terrorism-related. Since 2011, however, things have started to change. The Arab Uprisings in that year brought fear to the country, and the authorities were sure that their country would be the next to be touched by the protests. Thus, in that period, Project Raven’s targets shifted to “national security targets”. This means that activists and people who could have been involved in acts against the governments started to be spied on and tracked down.

Things started to change radically. From that moment on, the person responsible for the project started to be asked to hack rival governments and political personalities. In 2012, for instance, the Google and Hotmail accounts of some employees of the German Konrad Adenauer Foundation were hacked. This foundation, at the time, was pushing for greater freedom of expression in the UAE. Also in the same year, Ahmed Ghaith al-Suwaidi, an Emirati economist and member of the Muslim Brotherhood, was targeted. As a consequence, in March of the same year, the latter was arrested, tortured and sentenced to 10 years in prison on charges of wanting to organise a coup.

The Takeover by Dark Matter and the Problem of US Contractors

From this point onwards, US contractors began to complain that many of the operations launched by the project were crossing a red line. Then, in 2015, the programme was taken over by the Emirati firm DarkMatter, thus coming under the total control of the UAE. From this point onwards, the hacking operations, no longer restrained by the US, began targeting UN databases, the emails of diplomats from rival countries and various human rights activists.

However, the operations against human rights activists were not only aimed at Emirati activists, but also at those of neighbouring and allied countries. An operation carried out by DarkMatter, for instance, led to the arrest of Saudi activist Loujan Al-Athloul. The latter, who is very active in raising awareness for women’s rights, was arrested in Abu Dhabi and sent back to Saudi Arabia, where she was arbitrarily imprisoned and tortured for several days.

One of the most controversial aspects behind these later developments in Project Raven lies in the fact that, when it was taken over by DarkMatter, many US officials were told that continuing to work for the firm would put them in a borderline position. Continuing to work with the Emirates, in fact, would have meant violating certain hacking laws since they were sharing their knowledge in this field with another country without the permission of the State Department. Despite this, however, many of them continued to work on the project.

The history of Project Raven shows us how, in acquiring certain control systems, the Gulf countries do not act alone. The know-how, in fact, came from outside and allowed the creation of a system that, little by little, began to be used for repressive purposes. It is unbelievable that the intelligence personnel of another country allowed this and continues to collaborate covertly with this regime by helping it in the repression of freedoms and human rights.

We are therefore faced with a problem that goes beyond the actions of one country alone, but which draws in another. Although the UAE was the actual instigators of the operations against the various activists, the US contractors were the ones who materially helped the Emirates develop the system that allowed the operations. In the face of this, it is difficult to believe that the US government did not know what was happening in the Gulf country and could do nothing to curb this project. We are faced with a rather blurred line of demarcation of responsibility but, in any case, it is shared by the two countries.

Project Raven thus sheds light on how the UAE managed to achieve a powerful and precise digital control system. Having clarified this point, however, it is also good to briefly outline how it works. This helps to understand how targets are attacked and what dangers they may face.

“Karma”: How the Spyware Works

The spyware that former US secret agents have developed for the United Arab Emirates is extremely powerful. Karma, this is the name of the system, is a tool that allows information to be hacked from targets without them having to do anything. Usually, in order to extract information, these systems require the victim to click on a link or some other attachment that is sent to them. Karma, on the other hand, is a “zero-click” tool, capable of hacking into victims’ information without them having to click on anything.

According to information gathered by Reuters, some staff members of Project Raven claimed that the tool leveraged a flaw in Apple’s iMessage. Target e-mails and phone numbers were being uploaded into a database. The latter would then automatically send messages to the targets and the hack was completed. The flaw in iMessage allowed immediate implantation of the malware into the system even if the person did not use the messaging app or open the message that had been sent.

Between 2016 and 2017, Karma was used to spy on political rivals and activists. The latter were often also from other countries, as in the case of Yemeni activist Tawakkol Karman. The latter said she had been targeted for taking the lead in the Arab uprisings of 2011 and had already suffered several attacks over many years. This, however, was different for her because, as she told Reuters, she never expected the US to help a repressive regime like the UAE carry out these human rights violations.

The Controversial Justifications of the NSA

The discovery that the UAE was using this system using an Apple flaw clearly raised many issues and questions about the security of Apple’s systems. The Cupertino company, however, declined any request to comment on what had been discovered about Karma’s operation. Regarding the participation of former US intelligence agencies in the project, the NSA reiterated that “under no circumstances would the agency request that an individual, contractor, foreign government or other US government agency engage in activities on its behalf that the NSA would not itself be authorised to undertake.”

This latest answer from the NSA only raises doubts. The latter does not condemn US contractors for collaborating with a country that has violated the human rights of several individuals and has also spied on the accounts of US officials. Instead, it says that the latter can act as they see fit as long as what they do would not be prohibited by the NSA itself. Does this mean that the NSA would easily allow activists’ devices to be hacked in order to boycott their activities and violate their human rights? It is difficult to answer this question. Anyway, these statement gives a further idea of how responsibility in this field never lies solely with the country using the spyware, but also with those who supply it and allow it to be used for these purposes.

Activism Is Increasingly Difficult In The UAE

The clear aspect in this story is that, nowadays, activists and political dissidents in the UAE are exposed to greater dangers. Karma is a spyware that, as we have seen, is extremely strong in its way of hacking without making the intended victim perform any kind of action. This means that it is increasingly difficult to find out whether and how information has been stolen.

In the face of this, activists and dissidents in the UAE have to be increasingly careful about how they exchange information or conduct their activities. In particular, they need to pay more attention to the way they use their devices and apply more care to be able to immediately recognise suspicious activities or activities that may point to hacking. However, these are restraining measures that it is not known how much effect they will have in practice. In fact, there are many other hacking tools besides Karma, and there may be many more of which not much is yet known. For this reason, the measures that activists can take will always be relative and may not work.

The above inevitably leads us to a final conclusion on the state of activism in the UAE. In this country, the activities of activists and those opposed to the government have become increasingly difficult. The new technologies that the country has obtained mean that these people are constantly under control and at risk of hacking at any time without even realising it.

Since most of these people’s activities take place online, through posts, comments, videos, etc., the presence of spyware makes it difficult for them to continue with this form of communication. This is extremely limiting because nowadays everything goes online and all information is within our mobile devices. This is why all those who fight for human rights in the UAE are facing an increasingly difficult situation.

The use the UAE makes of the digital control technologies it possesses demonstrates a total restriction of the human and digital rights of the people towards whom information attacks are directed. This is why it is good to continue monitoring the situation regarding this issue in the country to see how it will evolve,; whether new systems will be created; or whether there will continue to be help from other countries that support the repression that the UAE carries out by these digital means.

Saudi Arabia

Like the neighbouring Emirates, Saudi Arabia is also investing heavily in technological development. This is demonstrated, for instance, by the construction of ultra-modern smart cities using innovative technologies for various purposes. These range from traffic control to the control of people in their daily lives within cities.

Perfectly in line with what was said at the beginning, this development that Saudi Arabia is facing on a social and technological level has also led to the country’s acquisition of spyware and other digital control systems. This has raised a lot of concerns among Saudi Arabian activists and political dissidents as the risk of being targeted by the government becomes greater, and the conduct of their activities needs to be more cautious.

The situation for political activists in Saudi Arabia is not the best. Despite the fact that the country’s government wants to make it seem extremely modern and on the road to change, the repression of human rights within the country shows no signs of stopping. There are continuous reports of activists being persecuted by the authorities, arbitrarily arrested on unfounded charges, tortured or sentenced to death. The fact that the country now has spyware and other digital control systems only strengthens the power of the regime and increases the danger to dissidents.

The spyware being used by Saudi Arabia is called Pegasus. In this case too, it becomes necessary to understand how the country has its control system its way. In fact, it must be borne in mind that until a few years ago, Saudi Arabia did not have all the means it has today, least of all in terms of technology. It is therefore obvious that, even in this case, the systems that are then used to spy on opponents were acquired with external help.

Unlike the United Arab Emirates, however, the way in which Saudi Arabia acquired the Pegasus spyware is in the open. The latter was not developed through a secret programme or with the collaboration of former secret agents. It was purchased by an Israeli company called NSO Group, which is already well known for having sold this system to countries that have then used it to spy on journalists or other relevant personalities. This also raises a discussion here about the responsibility of third parties in the actions carried out by the Saudi government.

In this respect, it is crucial to first understand what the NSO Group is, how it operates and how it supplied Saudi Arabia with spyware. In this way, it is possible to see how the group, despite the recent openness it is demonstrating, still operates almost exclusively with countries where the record for protecting human rights is very low. Secondly, it is good to understand how Pegasus works and to see how many activists have responded to the violation of their information and the repression against them through this system.

The NSO Group: How It Works For Regimes

Very often, the programmes through which spyware and various control systems are developed are kept hidden. This is what happened, for instance, with the aforementioned Project Raven in the UAE. Saudi Arabia, however, turned to the NSO Group for its spyware, which makes no secret of its activities. This group, based in Israel, was founded in 2010 and immediately positioned itself as one of the leaders in the spyware market. Already in 2018, it had more than 700 employees and a turnover of $ 250 million.

The company, given its weight in the market and the possibilities it gives in the field of espionage, was placed immediately under the control of Israel’s Defence Exports Control Agency (DECA). The latter, in fact, through licences and export laws, is able to strategically control the way the company supplies its spyware (Pegasus) and the countries to which it is licensed. This allows the country to strategically manage the system by supplying it to allied countries and blocking it to those considered enemies.

In 2019, DECA began lobbying the NSO Group to reopen sales of Pegasus to Saudi Arabia as well. After the murder of journalist Jamal Khashoggi, in fact, the company had stopped selling the system to the country. Apparently, the spyware had been installed on the mobile phone of the journalist’s wife in the months before his murder to spy on messages between them. This case was very controversial as it demonstrated a misuse of a spy system to track Saudi political dissidents. Following this scandal, it also emerged that Pegasus had been used to track and steal the information of many other activists. Among them, for instance, was Loujain Al-Hathloul, the women’s rights activist.

In 2020, however, the NSO Group resumed its business with the Saudi Arabian government. This was done through a series of meetings, many of which were held in Israel. According to a report by Hareetz, the Group also did not conduct due diligence on the country’s use of its sfotware. Officially, Pegasus was sold to Saudi Arabia for the purpose of helping the country track down criminals and terrorists. On the fact that it was not being used for other purposes, however, no one seemed interested.

This is the problem that has always surrounded the NSO Group and its spyware. The group’s top management always plays on the fact that their product is invaluable to countries and can even “save lives”. This is said because through Pegasus it really is possible to track down criminals and prevent possible terrorist attacks. The Group also puts integrity and accountability as its core values, thus wanting to demonstrate a certain transparency.

In addition to this, it seems that the NSO Group, before selling its product, always carries out checks on the final use of Pegasus in the country to which it is sold. Indeed, it appears that between May 2020 and April 2021, the NSO has rejected $300 million of new sales based on this factor. Thus, it would seem that the NSO is interested in whether the use of Pegasus respects human rights but, as we have already seen, the group’s focus on this remains doubtful.

The Use of Pegasus as a Means of Repression

Despite these “controls”, the fact that Saudi Arabia uses Pegasus to spy on political dissidents is now a fact. This is proven by a number of cases in which political activists have publicly accused the Saudi government of spying on them. This is the case of Yahya Assiri, a Saudi activist, who accused the Saudi government of spying on him through spyware between 2018 and 2020. His case was also discussed in a UK court as the country’s High Court allowed him to file a legal complaint against Saudi Arabia for the misuse of Pegasus.

Another prominent case is that of Ghanem Almasarir, a Saudi citizen and critic of the regime who was granted political asylum in the UK. He too was a victim of NSO Group spyware and was also physically assaulted by Saudi agents in London in 2018. Following this incident, Almasarir commented saying that knowing that the Sauidta government is able to retrieve information about him so easily made him live in a state of constant fear. Again, however, the High Court confirmed that Almasarir could pursue legal action against the Saudi Arabian government.

Given these and the many other similar cases, one cannot believe that the NSO Group is completely unaware of Saudi Arabia’s use of its spyware. Here again, therefore, it is clear that the responsibility for the repression of human rights that is carried out by means of these systems does not lie solely with the party using them, but also with those who supply them. The NSO Group may say that it carries out all the necessary checks before supplying its spyware to countries that request it, but if the news reports that it is used in unlawful ways, doubts obviously arise.

On the part of Saudi Arabia, it is clear that being in business with a group as influential as the NSO is seen as a way to achieve its aims smoothly. In recent years, the country has embarked on a series of social and economic renewal projects. The work of activists who want to unveil the dark sides of these projects, however, risks damaging the reputation that the Saudi government is trying to build globally. This is why the repression of these personalities is so deep in the country, and the fact that the latter has a device like Pegasus at its disposal makes it even more widespread.

Just as in the UAE, activists in Saudi Arabia face a new kind of danger and take new measures to protect themselves against the government’s attacks on them. The way in which they communicate, exchange information and organise their protests is currently severely restricted by the way the government is able to obtain information without much effort. Like Karma, Pegasus is also a very powerful spyware that manages to retrieve information without too much effort. It is therefore worth briefly commenting on how this spyware works.

“Pegasus”: A Strong Spyware to Suppress Dissent

What makes (or should make) conversations through technological devices secure is end-to-end encryption. The latter shields discussions that take place through messaging services such as WhatsApp or iMessage, or online discussions. In order to be able to access these, therefore, it is necessary to have a system capable of passing through it. Pegasus is capable of this, and the way it does it is extremely difficult to recognise and combat.

Like Karma, Pegasus is also “zero-click” malware. This means that, in order to be installed on victims’ devices, they are not redirected to any suspicious page or click on a link sent to them. Pegasus, in fact, exploits vulnerabilities in the systems it attacks; bugs within the devices that have not yet been covered or fixed through updates. Karma, for instance, also exploited these flaws in the systems it attacked.

Unlike the spyware used by the neighbouring Emirates, which only exploited a flaw in iMessage, the one in the hands of the Saudis manages to find more access points in the systems. One of these, for instance, is WhatsApp. In 2019, the company revealed that the NSO Group’s software was used by more than 1400 users. It also emerged that, among them, many were activists and journalists from around the world, thus raising serious doubts as to whether the Group carried out due diligence before selling the device to certain countries.

In order to gain access to devices via WhatsApp, Pegasus forwards a simple call to its targets. Without them having to answer, the malware is automatically installed and starts collecting all kinds of information. Photos, videos, e-mails, and chats are scanned, and the most relevant information is collected. The spyware also has the ability to activate the GPS position of the targeted person. All this is done in a very simple way because the spyware passes through apps that, nowadays, everyone uses and has installed on their devices.

As Claudio Guarnieri, head of Amnesty International’s Security Lab, pointed out, the attacks that are exercised through Pegasus are extremely difficult to predict and recognise. In this way, governments using this spyware exert a new kind of pressure on people, leveraging the fear of being spied on without being able to realise it. On top of that, people who are targeted and spied on with Pegasus are then powerless in the face of it. The attack is irreversible, and there is no way to remove the malware from the device.

Difficulties for Saudi Activists

The fact that Pegasus spyware can infiltrate devices in such a capillary manner makes the activities of the Saudi Arabian activists difficult. Like those in the UAE, they too have no means to defend themselves or to understand when and how their systems have been infected with the NSO Group’s spyware. Thus, their activities are greatly restricted, as, since they mainly move online, they have to pay more attention to what they post and the information they share.

This also shows how Saudi Arabia, despite its grand plans for social renewal, continues to be a regime that restricts the freedom of expression of its citizens and takes unacceptable measures against them. The spying that the country’s authorities carry out at the expense of activists and all those who fight for human rights in Saudi Arabia is a glaring demonstration of the violation of human and digital rights of a huge number of people.

This phenomenon is becoming increasingly widespread and more and more the order of the day. This, however, does not mean that it should become normal. There is nothing normal about being spied on through malware that is maliciously installed on a device and then being stalked, arrested and convicted. Saudi activists, as was for those in the Emirates, must be free to be able to express their opinions and pursue their battles without being spied on by the country’s authorities.

Furthermore, although the responsibility lies mainly with the Saudi Arabian government, it is crucial that the NSO Group is also made accountable. The latter should, in fact, carry out more investigations into the country’s use of its software. By not doing so, however, it makes itself a co-participant in the violation of the human rights of thousands of innocent people by allowing the repression of the right to speech without doing anything concrete to stop it. To this end, it is crucial to continue to bring these cases to light so that both the Saudi government and the NSO Group are held accountable for the improper use of Pegasus and the violation of the digital rights of activists and dissidents.

Conclusion

The technological development that is being observed in Saudi Arabia and the UAE must be watched with an eye to the future. As much as these countries want to pass this development off as an integral part of their development and openness to the world, it is nothing more than a further means of repression. Through the new means they are adopting, the repression of those who stand up for human rights in these two countries is becoming stronger and harder to counter.

Spyware that is used by the UAE and Saudi Arabia could also be functional if it were used for the purpose for which it was created. If they were used to track criminals and prevent terrorist or other attacks, then their use would at least be justified. Used as they are now, however, these spyware do nothing but restrict the freedom of expression of many people, making it impossible for them to carry out their usual activities.

What makes the situation even more problematic is that nothing can be done against these systems. Even leaving the country, for example, no longer allows dissidents or activists to escape from the control of their governments. They will always be under their control and will still be able to access their information wherever they are without realising it. Nowadays, therefore, no one has the possibility to hide completely, which makes the situation even worse.

The governments of the UAE and Saudi Arabia, however, are not the only ones to be held responsible. As we have seen, the spyware at their disposal has been created by groups or companies that have provided these regimes with very powerful means. It is hard to believe that neither the Raven Project nor the NSO Group did not know what these countries would actually do with Karma and Pegasus. They must be held accountable. They should have ascertained the purposes for which it was being used or, at the very least, exercised more control over the governments of the countries. This, however, did not happen and the use of their spyware led to the silencing of many activists.

Understanding how these Gulf countries obtain certain digital ontrol systems, who provides them and how they work therefore makes one realise how complex this issue is. Despite this, however, it also gives an idea of who the actors are and what the difficulties are that today afflict all those who, in those countries, continue to fight for their rights. For this reason, it is crucial that we continue to talk about how the UAE and Saudi Arabia strip citizens of their digital rights. The repression of freedom of expression will increasingly move into the digital sphere and it is therefore crucial to know how to fight it and protect oneself from it.

The post How Gulf Countries Are Acquiring Spyware to Suppress Dissent appeared first on Americans for Democracy & Human Rights in Bahrain.

This post was originally published on Americans for Democracy & Human Rights in Bahrain.