Democracy campaigner to sue Saudi Arabia over Pegasus and QuaDream spyware in UK court

A pro-democracy and human rights activist has won the right to bring legal proceedings against the Kingdom of Saudi Arabia in a UK court after his phones were hacked by surveillance software.

The High Court in London has issued an order permitting campaigner Yahya Assiri to file a legal claim for damages against Saudi Arabia after the Saudi government used Israeli spyware to place him under surveillance.

The case is understood to be the first involving the use of QuaDream, an Israeli-developed spyware that targets iPhones, to reach the high court.

Monika Sobiecki, partner at Bindmans LLP, which is representing Assiri, said the high court had concluded that Assiri had a reasonable prospect of winning his case against Saudi Arabia. “The High Court has thus sent a powerful signal that states cannot shroud their conduct with secrecy and avoid accountability for the transnational repression of dissidents,” she said.

Assiri, who has lived in England since 2013, is a founding member and former secretary general of the Saudi opposition National Assembly Party, and the founder of human rights organisation ALQST, which promotes and defends human rights in Saudi Arabia.

He has worked with opponents of the Saudi regime including journalist Jamal Khashoggi, who was murdered in the Saudi consulate in Istanbul in 2018, and Saudi poet and activist Abdullah Hamid Ali al-Hamid, who died in detention in Riyadh in 2020.

According to the complaint, between 2018 and 2020, Assiri’s mobile devices were targeted and infected by Pegasus and QuaDream spyware, traces of which were detected by independent analysis by the Citizen Lab based at the University of Toronto in Canada.

Data access

The spyware potentially enabled the Saudi government to access a wide range of data, including text messages, calls, location data, photos and files. It also gave Saudi officials the ability to intercept voice calls, remotely activate and record from microphones in mobile devices, and take photos and track Assiri’s movements, according to the complaint.

Assiri is bringing claims against the Kingdom of Saudi Arabia over the misuse of private information, harassment and trespass of goods.

The former captain in the Royal Saudi Airforce, who claimed asylum in the UK in 2014, is a prominent dissident who has publicly criticised the Kingdom of Saudi Arabia’s human rights practices.

Assiri received a text message in May 2018 containing a link that he clicked on, causing his iPhone to freeze.

Analysis of Assiri’s phone by Amnesty International and The Citizen Lab revealed that the URL sent to him appeared to be hosted on a server linked to Pegasus spyware and associated with Saudi Arabia.

In September 2018, a replacement phone used by Assiri was compromised by spyware, attributed to QuaDream, resulting in large amounts of data being covertly accessed.

Assiri received a text message in July 2020 containing a link to Pegasus internet domains that matched previous attacks on Saudi dissidents.

Analysis by the Citizen Lab confirmed that his phone was successfully hacked by Pegusus spyware using “zero-click” exploits.

Yahya Assiri text Pegasus
Text message received by Assiri in July 2020 containing a link to Pegasus internet domains

At the time of the attack, Assiri was working on the case of murdered journalist and critic of the Saudi administration Jamal Khashoggi, advocating sanctions on Saudi officials and lobbying for a UK boycott of the Saudi-hosted G20 summit.

Assiri had stored a large volume of sensitive and confidential information on his iPhone, including court documents, details of contacts, ID documents of human rights defenders in Saudi Arabia, and other highly sensitive information

Pegasus

According to the complaint, Pegasus spyware is capable of monitoring text messages, emails, calendar records, call history, instant messages, contacts lists and the browsing history of infected phones.

It can also intercept phone calls and secretly record from built-in microphones, retrieve photos, take screen shots and photographs, retrieve files stored on mobile devices, and continuously monitor location through phone cell IDs and GPS.

Users of Pegasus software have the capability to create “rules” to send alerts, for example, when the target arrives at a particular location, meets another target, uses a key word in a message or phones a particular person.

Pegasus can be remotely uninstalled and is designed to leave no trace that it was ever on the target device. It features a self-destruct mechanism to uninstall where there is a risk of exposure.

QuaDream

Now-disbanded Israeli company QuaDream offered spyware exploits, malware and infrastructure marketed under the name, Reign.

There is little publicly available information about QuaDream, and it’s unclear whether the spyware is still in use.

The software uses “zero-click” exploits to allow it to be installed on a device without requiring the user to click on a link.

Like Pegasus, the spyware is able to intercept and record voice calls, activate the microphone of an infected device, take photographs, search and access files and databases, and track the users’ location.

Assiri’s case is the second to be brought against Saudi Arabia in the UK courts over Pegasus spyware.

In January, the Court of Appeal in London struck out an appeal by the Kingdom of Saudi Arabia against legal action brought by human rights campaigner Ghanem Al-Masarir, after the Kingdom failed to comply with an order to pay funds into court.

Al-Masarir, represented by Leigh Day, is claiming psychological damage resulting from the misuse of private information and harassment after the Saudi government targeted his phone with Pegasus spyware acquired from Israeli tech company NSO Group.

Metropolitan Police investigation

In a separate action, the Metropolitan Police is investigating complaints from four activists that they have been targeted by spyware from Saudi Arabia, the United Arab Emirates and Bahrain.

The case, filed by the Global Legal Action Network, names NSO Group Technologies Limited, the Israeli software company that supplied Pegasus technology; Q Cyber Technologies, a Luxembourg-based firm linked to NSO; and Novalpina Capital, a UK private equity business that undertook a “management buyout” of NSO in 2019; and individuals involved in the sale of Pegasus.

Pegasus was implicated in the murder of journalist Jamal Khashoggi at the Saudi embassy in Istanbul.

It has been used in attacks within UK government networks, including the Prime Minister’s Office and the Foreign, Commonwealth and Development Office, and it was used against a member of the House of Lords, Fiona Shackleton, when she was acting as the legal representative of Princess Haya of Dubai.

Saudi targeted human rights victims

Yahya Assiri said he was concerned that Saudi Arabia had targeted victims of human rights abuses and their families simply because they had been in touch with him.

“I am fully aware that the authorities will want to target me,” he said. “However, it is outrageous for them also to target individuals such as the victims of rights abuses and their families in Saudi Arabia simply because these people have been in contact with me. We have no idea how the authorities might use the information found on my device against them.”

Saudi Arabia is expected to argue that it has state immunity, a claim currently being tested by law firm Leigh Day in the case of Al-Masarir, a vocal opponent of the Saudi regime, who was also targeted with Pegasus.

Assiri is expected to argue that there are exceptions to state immunity for property damage and personal injury.

Leave a Comment