As her plane touched down in April 2019, Princess Haya bint al-Hussein, who was accompanied by her two children, might have hoped she was beyond the reach of her ex-husband, the emir of Dubai, Sheikh Mohammed bin Rashid al-Maktoum.
Similarly, when he commenced custody proceedings in the high court of justice the following month, she might have imagined that the dispute would be settled in a courtroom, purely on the basis of its legal merits.
She did not know, however, it was likely mobile phone numbers belonging to her, her closest aides, advisers and friends, were being entered into a computer system operated by agents of the emirate of Dubai, one of the clients of spyware manufacturer NSO Group.
What is in the data leak?
The data leak is a list of more than 50,000 phone numbers that, since 2016, are believed to have been selected as those of people of interest by government clients of NSO Group, which sells surveillance software. The data also contains the time and date that numbers were selected, or entered on to a system. Forbidden Stories, a Paris-based nonprofit journalism organisation, and Amnesty International initially had access to the list and shared access with 16 media organisations including the Guardian. More than 80 journalists have worked together over several months as part of the Pegasus project. Amnesty’s Security Lab, a technical partner on the project, did the forensic analyses.
What does the leak indicate?
The consortium believes the data indicates the potential targets NSO’s government clients identified in advance of possible surveillance. While the data is an indication of intent, the presence of a number in the data does not reveal whether there was an attempt to infect the phone with spyware such as Pegasus, the company’s signature surveillance tool, or whether any attempt succeeded. The presence in the data of a very small number of landlines and US numbers, which NSO says are “technically impossible” to access with its tools, reveals some targets were selected by NSO clients even though they could not be infected with Pegasus. However, forensic examinations of a small sample of mobile phones with numbers on the list found tight correlations between the time and date of a number in the data and the start of Pegasus activity – in some cases as little as a few seconds.
What did forensic analysis reveal?
Amnesty examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration. For the remaining 30, the tests were inconclusive, in several cases because the handsets had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, phones that use Android do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared “backup copies” of four iPhones with Citizen Lab, a research group at the University of Toronto that specialises in studying Pegasus, which confirmed that they showed signs of Pegasus infection. Citizen Lab also conducted a peer review of Amnesty’s forensic methods, and found them to be sound.
Which NSO clients were selecting numbers?
While the data is organised into clusters, indicative of individual NSO clients, it does not say which NSO client was responsible for selecting any given number. NSO claims to sell its tools to 60 clients in 40 countries, but refuses to identify them. By closely examining the pattern of targeting by individual clients in the leaked data, media partners were able to identify 10 governments believed to be responsible for selecting the targets: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. Citizen Lab has also found evidence of all 10 being clients of NSO.
What does NSO Group say?
You can read NSO Group’s full statement here. The company has always said it does not have access to the data of its customers’ targets. Through its lawyers, NSO said the consortium had made “incorrect assumptions” about which clients use the company’s technology. It said the 50,000 number was “exaggerated” and that the list could not be a list of numbers “targeted by governments using Pegasus”. The lawyers said NSO had reason to believe the list accessed by the consortium “is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes”. They said it was a list of numbers that anyone could search on an open source system. After further questions, the lawyers said the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers' targets of Pegasus or any other NSO products ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies”. Following publication, they explained that they considered a "target" to be a phone that was the subject of a successful or attempted (but failed) infection by Pegasus, and reiterated that the list of 50,000 phones was too large for it to represent "targets" of Pegasus. They said that the fact that a number appeared on the list was in no way indicative of whether it had been selected for surveillance using Pegasus.
What is HLR lookup data?
The term HLR, or home location register, refers to a database that is essential to operating mobile phone networks. Such registers keep records on the networks of phone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. Telecoms and surveillance experts say HLR data can sometimes be used in the early phase of a surveillance attempt, when identifying whether it is possible to connect to a phone. The consortium understands NSO clients have the capability through an interface on the Pegasus system to conduct HLR lookup inquiries. It is unclear whether Pegasus operators are required to conduct HRL lookup inquiries via its interface to use its software; an NSO source stressed its clients may have different reasons – unrelated to Pegasus – for conducting HLR lookups via an NSO system.
The phone numbers of Haya, and eight of her close associates, appear in a dataset believed to indicate people of interest to a government client of NSO. That data has been obtained by Forbidden Stories and Amnesty International, and analysed by media organisations around the world, including the Guardian.
The numbers in the leaked records include those of Haya’s personal assistant, senior staff at her private security firm, and even one of the lawyers advising her in her custody dispute with Sheikh Mohammed.
NSO Group says it cannot see how its customers, which are all governments, use its military-grade spyware Pegasus, which is capable of secretly infecting a mobile phone and then extracting massive amounts of data from it.
It says Pegasus is only supposed to be used to prevent terrorism and serious crime, and that its clients sign contracts agreeing to these terms when they purchase a licence.
The company believes the dataset examined by the media consortium has “no bearing on the list of the customers’ targets of Pegasus, or any other NSO products”, though it said it “may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes” that were entirely legitimate.
NSO also says it is legally and contractually prevented from identifying its government clients. But a source familiar with the company’s operations confirmed that within the past year it had stripped Dubai of its Pegasus licence. They said the decision had been informed primarily by human rights concerns, but did not dispute that the possibility Sheikh Mohammed was wielding it against his own family members had also been a factor.
Till Dunckel, a German lawyer representing Sheikh Mohammed, told the newspaper Süddeutsche Zeitung: “Our client emphatically denies having attempted to ‘hack’ the phones of the persons named in your request, or having instructed others to do so.” John Kelly, one of the sheikh’s British lawyers, echoed the same denials to the Guardian, but did not respond to any specific or detailed questions.
‘I care not whether you live or die’
Much of what is known about the circumstances in which Princess Haya left Dubai for London is detailed in a fact-finding public judgment published by the high court last year.
Her relationship with Sheikh Mohammed, which had been cordial, began to deteriorate following a highly public and unsuccessful escape attempt by another of his children, Princess Latifa.
Haya, according to the judgment, began making inquiries about Latifa’s welfare, but subsequently began to experience a “progressively more hostile climate” from the sheikh and his advisers.
Trusted staff members were dismissed without her approval, and Haya and her representative were ejected from the ruler’s court – “a huge public slap in the face”, she said. She also discovered that Sheikh Mohammed had divorced her under sharia law on 7 February 2019, the anniversary of her father’s death, without telling her first.
A few weeks later, the judgment described how she claimed Sheikh Mohammed phoned her directly. “I have received bad news about you,” he said, making an ambiguous reference to her relationship with one of her bodyguards, “I am starting to doubt you.” Haya told the court that the call “terrified” her.
Anonymous, threatening notes, and even firearms, were left in her bedroom, she claims. On 11 March 2019, a helicopter landed outside her house, and a pilot emerged and informed her that he had come to transport a single passenger to Awir, a UAE desert prison. Haya attempted to defuse the situation by laughing it off as a joke, while one of her children clung to her leg in terror, and the pilot eventually left. (Sheikh Mohammed told the court the incident was “simply a mistake”.)
Sheikh Mohammed, an amateur poet, also published verses online that appear to refer to Haya. In his February 2019 poem Luck Strikes Once he wrote: “My spirit is cured of you, girl. When your face appears, no pleasure I feel. Don’t say troublemakers are the ones to blame. It’s your fault, though you’re fairer than the moon …”
Less ambiguous was You Lived, You Died, which he published in June 2019 and admits related to Haya. “You, traitor, you betrayed the most precious trust. I exposed you and your games …” he wrote. “I have the evidence that convicts you of what you have done … You know your actions are an insult … Let’s see if mischief brings you benefits, I care not whether you live or die.”
By this stage Haya had resolved that her position was “wholly unsafe and untenable”, and in April 2019 she arrived in England with her two children. She claims that the following month Sheikh Mohammed told her directly: “You and the children will never be safe in England.”
The list grows
Shortly before Haya arrived in London, and continuing into at least the summer of 2019, the phone numbers of people around her began to appear on the database seen by the Pegasus project.
Among them were Martin Smith, the CEO of Quest, which had for several years provided Haya with her private security. The firm’s director of investigations was on the list, as was Shimon Cohen, a public relations expert and a communications adviser to Quest.
John Gosden, a horse racing trainer and a friend of Haya, confirmed a number in the dataset belonged to him, but declined to comment.
Also appearing in the list were phone numbers belonging to one of Haya’s aides, and even a lawyer at a London firm of solicitors advising Haya . The firm declined to comment, but asked the Pegasus project consortium not to identify the aide or the lawyer.
The investigation by the Pegasus project suggests the presence of a number in the dataset reflects that the number was of interest to an NSO client, but it does not reveal whether any attempt to hack the phone was carried out. Princess Haya declined to comment.