A member of the House of Lords is amongst greater than 400 folks whose UK cell phone numbers seem in a leaked checklist of numbers recognized by NSO Group’s consumer governments between 2017 and 2019, the Guardian can reveal.
The principal authorities liable for choosing the UK numbers seems to be the United Arab Emirates, in keeping with evaluation of the info. The UAE is considered one of 40 nations that had entry to the NSO spyware and adware that is ready to hack into and secretly take management of a cell phone.
Dubai, the emirate metropolis dominated by Sheikh Mohammed bin Rashid al-Maktoum, can also be believed to have been an NSO consumer.
The telephones of Sheikh Mohammed’s daughter Princess Latifa, who launched a failed bid to flee Dubai in 2018, and his ex-wife Princess Haya, who fled the nation and got here to the UK in 2019, each seem within the knowledge.
So too do the telephones of a number of associates of each ladies – together with, within the case of Haya, largely UK-based numbers.
In a number of statements, NSO mentioned that the truth that a quantity appeared on the leaked checklist was under no circumstances indicative of whether or not a quantity was focused for surveillance utilizing Pegasus. “The checklist will not be a listing of Pegasus targets or potential targets,” the corporate mentioned. “The numbers within the checklist will not be associated to NSO group in any method.”
However the Guardian and different media companions that had entry to the info as a part of the Pegasus mission, a media consortium, consider the checklist signifies individuals of curiosity chosen by authorities purchasers of NSO. It contains folks the world over whose telephones confirmed traces of NSO’s spyware and adware, Pegasus, in keeping with forensic evaluation of their gadgets.
These with UK numbers showing on the checklist embrace:
Girl Uddin, an unbiased member of the Home of Lords, whose quantity appeared on the info in each 2017 and 2018. She mentioned if there was spying on members of parliament it might quantity to “a terrific breach of belief” which “contravenes our sovereignty”.
A lawyer working for a London legislation agency advising Princess Haya. Haya is embroiled in a bitter custody battle with Sheikh Mohammed within the household division of the excessive courtroom of justice.
John Gosden, a number one horse coach based mostly in Newmarket, who can also be good friend of Princess Haya, herself a world equestrian rider. Numbers for different folks working for Haya’s safety and PR crew additionally seem within the knowledge.
John Chipman, the chief government of the defence thinktank the Worldwide Institute for Strategic Research, which runs an annual convention in Bahrain, one of many UAE’s allies.
Matthew Hedges, a Briton detained with out trial within the UAE for 5 months in 2018, whose quantity first seems within the knowledge whereas he was within the UK, earlier than embarking on his journey. “I need to know what the British authorities is doing about it,” he mentioned.
Different high-profile UK names who seem on the checklist have already been named, reminiscent of Roula Khalaf, the editor of the Financial Times, who was deputy editor when her quantity appeared within the knowledge in 2018. NSO later mentioned there have been no tried or profitable Pegasus infections of Khalaf’s telephone.
Earlier this week, the Guardian additionally revealed the itemizing of the variety of the human rights lawyer Rodney Dixon QC, who has acted for each Hedges and the fiancee of the murdered Saudi journalist Jamal Khashoggi, Hatice Cengiz. Evaluation of the info suggests his quantity was amongst a small group of UK numbers that seem to have been chosen by Saudi Arabia.
Attorneys for NSO prompt it was “technically inconceivable” for Dixon’s telephone to be focused by Saudi Arabia. Forensic evaluation of Dixon’s gadget carried out by Amnesty Worldwide’s Safety Lab confirmed Pegasus-related exercise however no profitable an infection.
Amnesty examined two different UK telephones within the knowledge. One confirmed the identical form of Pegasus exercise found on Dixon’s iPhone. The second, an Android telephone, confirmed no proof of an tried or profitable an infection.
Neither the United Arab Emirates, Dubai nor Saudi Arabia responded to requests for remark. Until Dunckel, a German lawyer representing Sheikh Mohammed, informed the newspaper Süddeutsche Zeitung: “Our consumer emphatically denies having tried to ‘hack’ the telephones of the individuals named in your request, or having instructed others to take action.” Representatives of the sheikh have additionally beforehand mentioned he feared Latifa was a sufferer of a kidnapping and that he had carried out “a rescue mission”.
NSO Group has all the time mentioned it doesn’t have entry to the info of its clients. In statements issued through its lawyers, NSO mentioned the Pegasus mission reporting consortium had made “incorrect assumptions” about which purchasers used the corporate’s expertise.
Exiled dissidents and supportive activists within the UK additionally appeared on the leaked checklist, which is certain to lift questions concerning the UAE, which is historically thought of a British ally, and whose main household, the rulers of Abu Dhabi, personal the Premier League champions, Manchester Metropolis.
The UAE has turn out to be a fast-emerging cyber energy, whose highly effective surveillance functionality is managed by the household of its ruler, Sheikh Mohamed bin Zayed, and specifically his brother, the nationwide safety adviser, Sheikh Tahnoon bin Zayed.
Three sources conversant in NSO’s operations confirmed that throughout the previous yr the corporate had stripped Dubai of its Pegasus licence. They mentioned the choice had been knowledgeable primarily by human rights issues, however didn’t dispute that the chance Sheikh Mohammed was wielding the software program in opposition to his family members had additionally been an element.
It’s unclear whether or not MI5 was conscious of any UAE spying exercise. Typically if the spy company turns into conscious a Briton is topic to overseas surveillance, it solely takes motion to alert the sufferer if it believes there’s a risk to life or different critical hazard within the UK.
However the British authorities issued a coded rebuke to the nation this week following the revelations of the Pegasus mission.
A authorities spokesperson mentioned: “It’s vital all cyber actors use capabilities in a method that’s authorized, accountable and proportionate to make sure our on-line world stays a secure and affluent place for all.”
Why sure folks could have been listed is tough to find out. Uddin was the primary Muslim girl to serve within the higher home, however will not be thought of a overseas coverage specialist. “If espionage is happening in opposition to the best of sovereign British establishments, questions come up concerning whether or not our authorities was conscious,” she mentioned.
Matthew Hedges, a Durham College PhD scholar specialising in safety, was first listed on the database in March 2018, two months earlier than he was detained and tortured with out trial for 5 months, accused of spying for MI6. The preliminary itemizing of his quantity within the knowledge befell earlier than Hedges had travelled to the UAE for his analysis.
MI6 denies he was performing as an agent, in a high-profile case that strained relations between London and Abu Dhabi. Hedges was topic to repeated interrogations that lasted hours and was injected with a cocktail of medicine on which he’s partly dependent right now, however was solely charged after being held for 5 months.
It was not potential to conduct forensic evaluation of Hedges’ UK telephone from the time as a result of UAE authorities confiscated his gadget.
Mohammed Kozbar, the chair of the Finsbury Park mosque, arguably the best-known mosque in Britain, additionally appeared on the leaked checklist. His quantity appeared within the knowledge in 2018, apparently due to the UAE. The mosque was comprehensively reformed in 2015 beneath his management, and is taken into account a mannequin of neighborhood relations, performing lately as a public vaccination centre.
Kozbar mentioned he was baffled as to why he might need been of curiosity to the Gulf state, saying he had “by no means been within the UAE” nor had any involvement with the nation. He mentioned he feared that “British residents will likely be open to abuse from each nation on the earth” except the UK spoke out in opposition to obvious abuses of NSO spyware and adware worldwide.
Dissidents – a few of whom centered on Saudi Arabia or Bahrain – and at the very least one British activist have additionally appeared within the checklist. They embrace the Emirati-born Alaa al-Siddiq, 33, the chief director of the Saudi marketing campaign group ALQST, who was killed in a automobile crash in Oxfordshire final month. After speaking to the police her organisation mentioned there was “no suggestion of foul play”.
One other one that seems within the knowledge in 2018 was the main Bahraini dissident and human rights campaigner Saeed Alwadei, who has political asylum within the UK. He was additionally chosen by a buyer understood to be the UAE, though he campaigns for democracy and rights in Bahrain, notably across the time of the grand prix, held that yr in April.
He known as on the UK authorities to “communicate out and cease defending these abusive governments”.
A quantity belonging to Rori Donaghy was chosen by UAE all through 2017 and 2018, in keeping with evaluation. He was beforehand reported to have been a goal of a UAE hacking marketing campaign unrelated to NSO.
He labored for 3 years till 2016 for Center East Eye, a UK-based information organisation that repeatedly criticised the UAE regime. However on the time his quantity appeared within the knowledge he was working for a specialist Center East consultancy, writing stories about Syria and the refugee disaster.
The variety of the president of the Muslim Affiliation of Britain, Raghad Altikriti, the primary feminine head of the organisation, additionally seems on the checklist. She was beforehand a vice-president and head of media, and her brother Anas Altikriti, who runs the Cordoba Basis thinktank, which promotes intercultural dialogue, was listed between 2017 and 2019.
The numbers of a number of staff of three London company intelligence corporations additionally appeared on the checklist. In a single case, it seems the top of the agency was chosen by the UAE together with two numbers belonging to his spouse. All three corporations work for Gulf state purchasers.