Princess Latifa campaigner had phone compromised by Pegasus spyware
A British human rights campaigner and lawyer who was fighting to free Dubai's Princess Latifa had his mobile phone compromised by Pegasus spyware on 3 and 4 August 2020, according to a forensic analysis carried out by Amnesty International.
David Haigh is the first confirmed British victim of infiltration by Pegasus software, an attack suspected to have been ordered by Dubai, because of his connection with the 35-year-old princess, a daughter of the emirate's ruler, Sheikh Mohammed, and the Free Latifa campaign of which he was part.
At the time his phone was compromised, Haigh had been helping the legal team of Princess Haya, a wife of the sheikh, who is embroiled in a battle with the ruler of Dubai in the English courts over the custody of their young children.
Haya's own legal team were arguing, in part, that Sheikh Mohammed's treatment of Latifa meant that he should not be allowed to take control of the children. The case in the family courts is continuing.
Haigh, 43, said he was "horrified" by the idea his phone had been targeted, which he said came a few days after a year and a half of secret smartphone contact with Latifa, then held under house arrest in Dubai, had been suddenly lost.
The phone, Haigh said, contained dozens of messages and videos from Latifa, who had obtained a phone and made recordings from her bathroom, the only room where she could lock the door.
Some of the films, which described her plight, were later released by the Free Latifa campaign to BBC Panorama in February, including one in which the princess says: "The police threatened me that I'll be in prison my whole life and I'll never see the sun again."
Haigh said he believed the attack amounted to "state-sponsored harassment" and called on the UK government to investigate "all use of Pegasus software on British soil". The campaigner has also reported the incident to Devon and Cornwall police, where he lives, and the force has begun investigating.
Dubai did not respond to a request for comment on the targeting of Haigh's device. But last week the United Arab Emirates, the federation of which Dubai is part, said claims that it had ordered any hacking were false.
"The allegations made by recent press reports claiming that the UAE is amongst a number of countries accused of alleged surveillance targeting of journalists and individuals have no evidentiary basis and are categorically false," a statement from the country's foreign ministry said.
Pegasus, made by NSO Group of Israel, is powerful surveillance spyware that the company says is licensed only to governments, to fight terrorism and serious and organised crime. It can steal and even delete the contents from a mobile – or turn on the microphone or camera covertly to act as a surveillance device.
NSO Group said it was "a technology company" and that it did not operate the Pegasus system or routinely have access to the data of its government customers. It did not respond directly to the alleged compromise of Haigh's phone, but said in a statement it would "thoroughly investigate any credible proof of misuse of its technologies".
A leaked list of 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO contains numbers for journalists, human rights campaigners and political leaders.
Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. The consortium believes the data indicates the potential targets that NSO's government clients identified in advance of possible surveillance.
Quick Guide: What is in the Pegasus project data?
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty's Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO's government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company's signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are "technically impossible" to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty's detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared "backup copies" of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty's forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group's full statement here. The company has always said it does not have access to the data of its customers' targets. Through its lawyers, NSO said the consortium had made "incorrect assumptions" about which clients use the company's technology. It said the 50,000 number was "exaggerated" and that the list could not be a list of numbers "targeted by governments using Pegasus". The lawyers said NSO had reason to believe the list accessed by the consortium "is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes". They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings "on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies". Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HLR lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
Following the leak, the company has come under investigation in its home country – although several governments as well as the UAE have denied misuse of the technology.
The number used by Haigh last August does not appear on the list, although the time periods appear different. More than 400 of the British numbers listed have been linked to Dubai and the UAE, based on an analysis of the data, but they cover the period 2017 to 2019. Haigh's phone was targeted using Pegasus a year after that.
A number belonging to Princess Haya, and eight of her associates, including a member of her legal team, do appear on the leaked list. Sheikh Mohammed "emphatically denies" having selected for potential surveillance the persons listed, or having instructed others to do so.
Haigh became a human rights campaigner focused on the Gulf, and in particular the UAE, after becoming embroiled in a bitter legal battle. He was found guilty by a Dubai court in 2015 of embezzling nearly £4m from GFH Capital, a Middle East private equity firm that had owned Leeds United, a charge he has always denied.
The Briton spent nearly two years in jail in Dubai both before and after the conviction, where he said he was raped and repeatedly tortured and abused, claims accepted as truthful by a Scottish court in 2017. Last year, Haigh was ordered to repay the money in an English court, but he was declared bankrupt last August, although it is due to be discharged this week.
It has not yet been possible to determine who ordered the Pegasus intrusion of Haigh's phone from the Amnesty analysis. At this time, any country attribution can only be tentatively based on an examination of the timing and circumstances.
Amnesty's analysis of Haigh's phone concluded there was evidence of a Pegasus-related infection on 3 August via Apple's iMessage – and that there had been "the execution of a Pegasus process" – that is, Pegasus-related activity – on 3 and 4 August 2020. It is not clear what impact this had in this case, however.
A fortnight earlier, on 21 July, Haigh and other members of the campaign had lost contact with Latifa. They assumed that meant her phone and covert communications with them had been discovered by the Dubai authorities and were discussing what to do next.
"The hacking of my phone happened 10 days after we lost contact with Princess Latifa after having had communication with her for over a year and a half via a smartphone we managed to smuggle into the Dubai jail where she was being held against her will," Haigh said. "In addition, it came at the exact time I was due to meet representatives of a supportive royal family member of Latifa in London."
Latifa had tried and failed to flee her home city by yacht in March 2018, a dramatic escape that ended with the boat she was on being stormed by Indian commandos off the coast of Goa, a raid ordered at the request of Dubai's ruler.
For months it was unclear what had happened to the princess, until she began smuggling out videos to say she was being held in a "villa jail". Since May, she has begun to enjoy a degree of freedom, with Instagram pictures showing her with friends at a Dubai shopping mall and at a Madrid airport terminal.
Three sources familiar with NSO's operations said within the past year the company had stripped Dubai of its Pegasus licence. They said the decision had been informed primarily by human rights concerns, but did not dispute that using the software against Sheikh Mohammed's own family members had also been a factor.