In UK Pegasus Ruling, a Glimpse of How Court Craft Handles Spyware

The procedure followed by a British court should offer lessons to any country looking to probe the illegal usage of Pegasus.

New Delhi: A recent high court ruling in England on the use of military-grade Israeli spyware to hack into the phones of Princess Haya bint al-Hussein — half-sister of Jordan’s King Abdullah II — offers up an interesting lesson for countries around the world that are looking to probe the usage of Pegasus spyware in their own backyard.

In July 2021, reporting by a consortium of media organisations, including The Wire, first revealed that Princess Haya was a potential Pegasus target based on an examination of leaked data accessed by Paris-based media non-profit Forbidden Stories and Amnesty International.

The Pegasus Project’s reporting indicated that hundreds of journalists, human rights activists, lawyers and political leaders around the world were selected as potential targets by government clients of the Israel-based NSO Group. Separate forensic analysis on a smaller cross-section of phones that Amnesty’s Security Lab was able to examine revealed traces of Pegasus spyware, infection or attempted targeting.

Since then, several countries, including France and Hungary, have launched probes of their own.

It is in this context that the findings of Judge Andrew McFarlane, president of the high court’s family division in England and Wales, assume particular significance.

Judge McFarlane ruled that Dubai’s emir Sheikh Mohammed bin Rashid al-Maktoum ordered the phones of his ex-wife Princess Haya and her lawyers to be hacked as part of a “sustained campaign of intimidation and threat” during the custody battle over their children.

Prime Minister and Vice-President of the United Arab Emirates and ruler of Dubai Sheikh Mohammed bin Rashid al-Maktoum attends the Gulf Cooperation Council’s (GCC) Summit in Riyadh, Saudi Arabia December 9, 2018. Bandar Algaloud/Courtesy of Saudi Royal Court/Handout via REUTERS

But how did the court come to this conclusion, which not only confirms the Pegasus Project’s findings but goes further and declares that unlawful surveillance was carried out? How was the technical evidence examined? And what can other probes around the world take away from how it handled the usage of spyware? The Wire breaks it down.

How was Princess Haya alerted first to the hacking? When did she begin proceedings?

The confidential court proceedings in this matter have been going on for a little over a year now.

The proceedings over the phone hackings were kicked off when Bill Marczak, a researcher at Citizen Lab, reached out to a law firm that had been engaged by Haya. Citizen Lab is best known for having helped WhatsApp in its investigation against the NSO Group in 2019, which led to a lawsuit filed by the Facebook-owned firm against the Israeli company.

Marczak was investigating the hacking of an unidentified UAE activist when he came across evidence that led him to believe that someone in Payne Hicks Beach (PHB), a firm of solicitors led by Baroness Shackleton, could have also been targeted by Pegasus. PHB was representing Princess Haya in her custody proceedings involving the Dubai emir.

On August 4, 2020 and August 5, 2020, Marczak got in touch with Baroness Shackleton and informed her of this, following which Citizen Lab examined a number of phones used by Haya and her staff, along with the phones used by Baroness Shackleton and others at PHB.

“He [Marczak] examined system diagnostic data (‘sysdiagnose’) from each phone together with the internet usage logs taken from the routers at the mother’s [Haya’s] London home and her home in Berkshire. As a result of his investigation, Dr Marczak produced a 42-page ‘witness statement’ dated September 7, 2020, in which he concluded ‘with high confidence’ that the phones of the mother, Baroness Shackleton and Nicholas Manners (another solicitor, and since December 2020 a partner, at PHB) had been hacked by a single operator of NSO Group’s spyware.”

On the basis that any such operator would be a nation state, he concluded ‘with medium confidence’ that the government in question is the UAE government. “Further, there was evidence that the phones of the mother’s personal assistant and two others on her staff had also been hacked,” the court’s judgement notes.

How did the court start examining these claims?

It kicked off a fact-finding process that involved:

1) Allowing al-Maktoum (Princess Haya’s ex-husband) to appoint a confidential scientific adviser, who would help him examine Marczak’s statement.

2) Appointing an independent technical expert, who would engage with Marczak’s research and provide an independent opinion on its validity.

3) Communicating with the NSO Group, which, strangely, alerted Haya’s legal team that their software may have been used to hack the phone of the princess less than a day after Marczak got in touch with PHB.

What conclusion did the independent expert come to?

As it turns out, over the course of the proceedings, there were two experts. The first, a company called IntaForensics Ltd, ultimately decided that it was not able to fulfill its role, but its final report did confirm there was evidence that five of the six phones “may have been the subject of surveillance and/or interference from an unidentified source”.

The second independent expert, Professor Alastair Beresford of the University of Cambridge, stayed on for the whole of the proceedings and was questioned by al-Maktoum’s lawyers after having had the opportunity to deeply engage with Marczak and his research.

According to the court findings, “Professor Beresford expressly confirmed Dr Marczak’s analysis of the sysdiagnose from the six phones.”

“He confirmed Dr Marczak’s conclusion that the phones of the mother [Princess Haya], Baroness Shackleton and Mr Manners showed infection by Pegasus as being ‘a proper conclusion to come to’. And that a lesser degree of specificity applied to the other three,” the fact-finding judgment noted.

“After an apparently meticulous audit, and some research of his own, Professor Beresford has pronounced Dr Marczak’s method and conclusions as ‘sound’ and he has found no reason to challenge them insofar as they establish hacking via the Pegasus software,” it added.

How did the court decide who was behind the hacking?

There are three reasons, only one of which had some technical and physical evidence behind it. They are:

1) On balance of probability, who could be a perpetrator? The court’s judgment notes that “no other potential perpetrator, being a person or government that may have access to Pegasus software, can come close to the father [Princess Haya’s ex-husband, the Dubai emir al-Maktoum] in terms of probability and none has been put forward other than via transient and changing hints or suggestions”.

2) Secondly, previous fact-findings by the court note that al-Maktoum, who is the head of the government of the UAE, has used state machinery to achieve what “he regards as right”. “He has harassed and intimidated the mother both before her departure to England and since. He is prepared to countenance those acting on his behalf doing so unlawfully within the UK.”

3) Finally, separate evidence concerning the UAE activist that Citizen Lab was investigating, as well as testimony put forth by Cherie Blair regarding what a senior NSO Group manager told her about the potential perpetrator, adds weight to the claim that the source of the hacking was the UAE.

“The previous findings of fact and the evidence adduced at this hearing, as I have described it, taken together are more than sufficient to establish that it is more probable than not that the surveillance of the six phones that I have found was undertaken by Pegasus software was carried out by servants or agents of the father, the Emirate of Dubai or the UAE and that the surveillance occurred with the express or implied authority of the father,” the court’s judgment notes.

It is important to keep in mind that this finding is on the civil standard of proof, which requires a conclusion on the balance of probabilities and not the criminal standard of ‘beyond reasonable doubt’.

What was the NSO Group’s involvement in this case?

The court judgment yet again raises more questions regarding how the NSO Group deals with errant clients. It is unclear how exactly the NSO Group found out that its Pegasus software may have been misused to target Princess Haya’s phones. Who tipped them off?

And how likely is it that they figured this out on the very same day that Marczak and Citizen Lab came to the conclusion that Haya’s lawyers may have been targeted by Pegasus?

Finally, there is the question of the credibility of the NSO Group’s investigation. The company has been quick to pat itself on the back for terminating the UAE government’s access to Pegasus, but its final letter to the court notes that its own probe did not come to any concrete conclusion.

The NSO Group’s letter to the court, on its probe into the Haya lawyer affair, merely notes: “The activity of gathering information for the purposes of the investigation itself concluded on or around September 15, 2020, although the post-investigative process which NSO follows in order to make a final determination has only recently concluded. While the investigation could not make any determinative conclusions as to what in fact happened, the recommendation following the investigation was that the contract with the customer should be terminated, and that the systems which that customer had contracts for be shut down”.

If the investigation could not “make any determinative conclusions”, why terminate the UAE government’s access to Pegasus?

The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab.