U of T’s Citizen Lab reaches out to academics targeted by spyware
The fishy messages came to John Scott-Railton, a senior
researcher with the Citizen Lab, University of Toronto’s world-renowned digital
surveillance and human-rights watchdog, in January 2019. The man said his name
was Michel Lambert and that he headed an agricultural technology company based
in Paris. He professed interest and a desire to invest in the kite-mounted
robotic mapping technology that had been the subject of Mr. Scott-Railton’s PhD
thesis. “The problem was, this technology has been superseded by a little
something called drones,” says Mr. Scott-Railton.
Anyone with a real interest in crop surveillance techniques
would have known that. Further research revealed that other than a vague web
page, Mr. Lambert and his company didn’t seem to exist.
Mr. Scott-Railton was already on alert, as only three weeks
earlier, another Citizen Lab staff member had had a chilling encounter with a
similarly dubious character. Bahr Abdul Razzak, a Syrian refugee, was contacted
by a man who claimed to be a South African businessman in Madrid interested in
helping refugees. Mr. Abdul Razzak met with the man at the Shangri-La Hotel in
Toronto, and soon found himself being grilled about Citizen Lab’s research into
the work of the Israeli spyware company, NSO Group, and his attitude toward
Israel.
It seemed that both Mr. Abdul Razzak and Mr. Scott-Railton
were being targeted by undercover operatives looking to discredit their
research. Citizen Lab has publicly identified NSO Group as a “bad actor” in
world affairs. Along with directly defending academics and others from hacking,
Citizen Lab recently alerted a U.K. pension investment fund to the link between
NSO Group and private equity firms such as Novalpina Capital, which now holds a
majority stake in NSO.
Though NSO claims to provide digital surveillance (notably
the smartphone tracking technology Pegasus) only to government intelligence and
law enforcement clients seeking to investigate terrorism and criminal activity,
evidence laid out in numerous Citizen Lab reports suggests otherwise. NSO has repeatedly
spied on human-rights advocates who have spoken out about torture and other
abuses by governments such as those of the United Arab Emirates, Saudi Arabia
and China.
While everyone should be concerned about maintaining data
privacy in the digital age, Citizen Lab’s work, and that of other watchdogs,
shows that academics need to be particularly vigilant about protecting their
research, while at the same time not succumbing to the fear and paranoia
malware purveyors try to engender. “That fear is what these organizations feed
on,” says Mr. Scott-Railton, who has heard from academics, lawyers and
journalists all over the world who have had encounters with sketchy characters
similar to his. Their intent is to at the very least “chill” critics of authoritarian
regimes and discredit or stop research, he says, and the effect of such
encounters can be “rattling.” At worst, the intent of such spying is as dark
and sinister as it gets.
The existence of software such as Pegasus, in the hands of
commercial enterprises with mercenary motives, say experts, has the potential
to disrupt the work of academics and threaten their personal safety, and has
already done so. The technology can infect entire Cloud accounts from one
hacked cellphone; any academic whose work is perceived as threatening by an
authoritarian regime, for example, may be a target.
It’s a threat recognized by human-rights organizations such
as Amnesty International, which is suing NSO in Israel for allegedly spying on
members of its staff and other supporters after it was revealed that WhatsApp
had been hacked by software that could install spyware through one call.
The New York-based Scholars at Risk Network reports that in
2016, a master’s student of Arab studies at Georgetown University named Kristina
Bogos, researching labour conditions for migrant workers in Doha, was denied a
student visa by Qatar, seemingly based on details of her research that she had
to that point not published. According to Scholars At Risk, “Ms. Bogos has
since reported that her email account was hacked twice in April 2016, and that
she had received an email from an unknown sender informing her that Emirati
authorities had warned their counterparts in Qatar of her visit. She alleges
that the hacking led to her name being added to the blacklist.”
Citizen Lab also discovered Pegasus spyware had hacked a
single phone in Canada, belonging to permanent resident Omar Abdulaziz, a
student at Bishop’s University well known for his satire and YouTube critiques
of Saudi Arabia. Mr. Abdulaziz was horrified; he was in frequent contact with
Jamal Khashoggi, the U.S-based dissident Saudi journalist brutally murdered at
the Saudi consulate in Turkey on October 2, 2018. Mr. Abdulaziz is now suing
NSO Group, which denies any wrongdoing and continues to criticize Citizen Lab’s
work.
As for the attempted espionage on Mr. Scott-Railton, “it
appeared whoever this was thought I was a naive PhD student … I thought I’d
play along,” he says. He consulted colleagues, and agreed to meet the man for a
“grand meal” at the elegant Peninsula Hotel restaurant in New York. He also
contacted Associated Press reporter Raphael Satter, who came along with a
cameraman and photographer. They waited to confront the obvious operative. Mr.
Scott-Railton played up his naive young student persona, and watched in
amusement and shock as “Lambert” tried to ply him with alcohol and get him to
talk about his personal life and beliefs – specifically, he seemed to want to
trap his quarry into revealing anti-Semitism.
Before dessert came, Mr. Satter confronted the man and the
cameras started rolling. The operative was shaken and wandered around the
restaurant trying to escape the cameras and the journalist’s questioning.
The story of the sting and the “bumbling” cornered spy went
viral. It was later revealed that Mr. Lambert was really Aharon
Almog-Assouline, a retired security executive living in Tel Aviv. Toronto
lawyer Darryl Levitt saw the reports in early 2019 and believes Mr.
Almog-Assouline is the same man who met with him years earlier at a Toronto
restaurant, under a false name, in a bid for confidential information regarding
a lawsuit between two Canadian private-equity firms.
The plot thickens further: Mr. Levitt has filed court
documents that seek to establish that Mr. Almog-Assouline was working for Black
Cube, the Israeli private intelligence agency staffed by ex-Mossad and military
personnel.
It’s the same firm hired by Harvey Weinstein in his efforts
to silence women accusing him of sexual assault. That whole scheme was outed in
2019 by journalist Ronan Farrow, who also became a target for intimidation from
the agency’s spies, in a series of New Yorker articles and the book Catch and
Kill: Lies, Spies, and a Conspiracy to Protect Predators.
Mr. Scott-Railton says the experience has only heightened
his empathy for researchers lured into conversations with people who approach
them under false pretenses, seeking to undermine their work. It’s also served
to deepen Citizen Lab’s commitment to collaborate with academics and others
around the world who reach out when they find themselves targeted by spyware.
“This can lead people to want to close down. The challenge is figuring out how
to not be naive. It’s critical to academic freedom that we feel safe when we
communicate with each other.”
Comments
Post a Comment