Citizen Lab researcher disputes claims from NSO Group after UK court finds UAE ruler used Pegasus to hack ex-wife, lawyers

"Would NSO Group have notified Princess Haya's lawyers had I not done my own notification?" Citizen Lab's William Marczak told ZDNet.
Written by Jonathan Greig, Contributor

A member of the team at the University of Toronto's Citizen Lab is questioning the actions of controversial Israeli spyware firm NSO Group in the case of Princess Haya bint al-Hussein, who had her devices and the devices of her lawyers hacked amid a UK custody battle with Sheikh Mohammed bin Rashid al-Maktoum, ruler of the United Arab Emirates. 

Sheikh Mohammed and Princess Haya are locked in a custody battle over their two children and the ruler ordered agents from the UAE to hack into his ex-wife's devices using Pegasus, the NSO Group's widely-criticized spyware. The ruler even ordered her British lawyers' phones hacked as well, drawing outrage from UK court officials who called the hacks "serial breaches of domestic criminal law," "in violation of fundamental common law and ECHR rights," and an "abuse of power" by a head of state. 

The tool has caused global outrage for months after Citizen Lab revealed that it was being used widely by repressive governments and cybercriminal groups to monitor dissidents, human rights activists and even some world leaders, including French President Emmanuel Macron.

William Marczak, a senior research fellow with Citizen Lab, testified in Princess Haya's case and told ZDNet that he felt compelled to participate in the trial because of how brazen Sheikh Mohammed's actions were. Marczak was also intimately involved in the case, having notified Princess Haya about Pegasus being used against her hours before NSO Group contacted her lawyers. 

Marczak explained to ZDNet that he personally confirmed the use of Pegasus by forensically analyzing the phones, but said he first became aware of the possible use of Pegasus when he identified the IP address of the law firm Payne Hicks Beach among a set of potential victim IP addresses he developed in his research.

During the trial, it was revealed that Princess Haya's lawyers discovered their devices had been hacked because the wife of former UK Prime Minister Tony Blair, Cherie Blair, works for NSO Group and knows Fiona Shackleton, one of the lawyers involved in the case. 

On August 5, 2020, Blair was called by an NSO Group employee and told that "it had come to their attention" Pegasus was being used on the phones of Princess Haya and Shackleton. The NSO employee said they cut off access to the phones through Pegasus and needed help contacting Shackleton about the issue. 

But Marczak disputed this retelling of events, saying he was the one who first told Princess Haya's lawyers about the hack hours before NSO Group tried to contact them. 

"One interesting detail that emerged in the proceedings was that NSO Group had notified Princess Haya's lawyers several hours after I did, despite the fact that the court found one of the targets was hacked as early as November 2019," Marczak said.  

"Here's an interesting question, would NSO Group have notified Princess Haya's lawyers had I not done my own notification?"

What stood out most to Marczak was NSO Group's atypically robust response, noting that it was not common for the spyware firm to cut off access to their tool.   

"Not only did NSO Group notify the targets of the surveillance shortly after I did, but they also claim to have disconnected one of their customers over the matter," he explained. "Furthermore, NSO Group said that they instituted a policy where their foreign customers are not generally allowed to spy in the UK. We see abuses of NSO Group's Pegasus spyware all the time, but we almost never see NSO take remediative action like this." 

Marczak's testimony in the case centered on how powerful the Pegasus spyware is, and he explained how the tool gives users full access to a person's device without them knowing. He also confirmed that the phones were hacked by a single operator from the UAE.

"This is one of the most naked abuses of government spyware I've ever seen. NSO Group and its customers sometimes try to justify surveillance against dissidents and journalists by pointing to national security or terrorism concerns, but it's a lot harder to paint your ex-wife and her family court lawyers as terrorists," Marczak said. 

"When the prospect of the UAE spying on Princess Haya's lawyers came to light, I felt compelled to notify them and help them make sense of what had happened."

Marczak added that he could not think of another case where forensics confirmed that Pegasus was used this way.  

He noted that there have been a few allegations of rulers using Pegasus for non-political reasons.

He mentioned the case of a former Panamanian President, Ricardo Martinelli, who was alleged to have used Pegasus to spy on his mistresses, according to an extradition request from the US.

Marczak added that there are now wider concerns that the spyware will be used in personal disputes by repressive world leaders. 

"It is an ongoing risk, especially when so many of NSO Group's customers are places where the personal affairs of the leader can often get entangled with national security concerns."

"There is nothing that the average person can do to defend against this, but the targets are often not average people." 

He recommended that at-risk users consider disabling iMessage, FaceTime, WhatsApp and other messaging apps if they're not using them because these are popular vectors for phone hacking. 

He also mentioned that it would help to segregate activity onto different devices, which can mitigate the damage if a single device is hacked. He suggested having one phone for work, one phone for a sensitive project you're working on and one phone for personal life.

NSO Group said it has cancelled its contract with the United Arab Emirates after it discovered how Pegasus was being used. 

"As the NSO letter of December 2020 makes plain, after its investigation NSO has adopted the extreme remedy of terminating its customer's use of the Pegasus software. In commercial terms, this step is to be understood as having great significance," Judge Andrew McFarlane, President of the Family Division in England and Wales, wrote in his ruling.

But Marczak said the NSO Group's flagrant actions prove more cases will emerge of Pegasus being misused in this way.

"Without better regulation of the industry and its customers, this is inevitable," Marczak said. 
