Last month, the Government of the United Arab Emirates (UAE) was once again exposed for launching cyber-attacks against its citizens. A prominent human rights activist, Ahmed Mansoor, has been recently targeted by an invasive spyware hack that would have turned his cellphone into a monitoring device. On 10 and 11 August 2016, Mansoor, a Martin Ennals Award Laureate, received text messages from an unknown sender promising information on tortured detainees if he clicked an attached link. He forwarded the message to the technology rights group Citizen Lab, where it was quickly recognized as a Pegasus spyware product from the Israeli software company NSO. Clicking the link would have potentially allowed the Emirati government to activate the phone’s microphone and camera at any time, record calls and messages from any applications, and track Mansoor’s location. While it is impossible to prove the source of the attack, the Emirati government’s history of violating technological privacy, the cost of the spyware (which is listed as a government-only program), and the prominence of Mansoor as a political dissident leave few credible alternatives.
This attack is not unprecedented. Over the past decade, the government has actively used sophisticated technology to control and monitor its citizens. There are two mobile phone and internet service providers in the country that are either directly or indirectly state-owned. The government blocks numerous websites, filters search results to restrict access to information, and shuts down websites and social media accounts. In 2012, the government enacted a campaign to have citizens register their SIM cards to their identity, threatening to cut their phone lines if they did not comply. Between 2012 and 2016, Citizen Lab identified a campaign known as “Stealth Falcon” that hacked activists and journalists, many of whom were arrested shortly after their computers were infected with malware.
This most recent violation is also the third confirmed attack on Ahmed Mansoor, specifically. In March 2011, he was emailed a document carrying spyware from Finfisher. The authorities arrested Mansoor the following month and a court later convicted him of insulting the Emirati leadership, indicating he was under investigation at the time of the attack. In 2012, shortly after attackers broke into his email account, a virus infected Mansoor’s laptop and sent all of his information to a UAE intelligence agency. He was reportedlytargeted by attacks again in 2013 and 2014, including the hacking of his Twitter account. Nevertheless, Mansoor has continued to speak out for human rights. In response, the government has also imposed atravel ban on him.
The revelation of the new attack has generated vocal responses from the international community. News outlets, non-government organizations, and political leaders have responded by calling for more responsible use of such technologies. The cyber-security firm Lookout issued a report about the hack, calling on individuals and business leaders to safeguard against similar “unprecedented” violations of their privacy. United States Congressman Ted Lieu has called for a congressional hearing to discuss the mobile security concerns raised. When Citizen Lab informed Apple of the vulnerabilities in the iOS software that Mansoor was using, the company quickly added a solution to the 9.3.5 patch.
Still, technological solutions should not be the only response to the attack; the real problem is that the Emirati government continuously uses technology to spy on its citizens. If the government is indeed responsible for this most recent attack, it is simply the newest effort to target activists and obscure human rights abuses in the country. Such efforts are representative of the repression which activists like Ahmed Mansoor risk their safety to speak against.
The United Nations Human Rights Council (HRC) has condemned controlling the Internet and monitoring citizens as violations of human rights. The Emirati government should respect the HRC declarations and allow their citizens to peacefully express dissent without attacks on their privacy or freedoms.
Graham Pough is an Advocacy Intern at ADHRB.