( Electronic Frontier Foundation) – Portland, Oregon—The Electronic Frontier Foundation (EFF) filed a lawsuit today on behalf of prominent Saudi human rights activist Loujain AlHathloul against spying software maker DarkMatter Group and three of its former executives for illegally hacking her iPhone to secretly track her communications and whereabouts.
AlHathloul is among the victims of an illegal spying program created and run by former U.S. intelligence operatives, including the three defendants named in the lawsuit, who worked for a U.S. company hired by United Arab Emirates (UAE) in the wake of the Arab Spring protests to identify and monitor activists, journalists, rival foreign leaders, and perceived political enemies.
Reuters broke the news about the hacking program called Project Raven in 2019, reporting that when UAE transferred the surveillance work to Emirati firm DarkMatter, the U.S. operatives, who learned spycraft working for the National Security Agency and other U.S. intelligence agencies, went along and ran DarkMatter’s hacking program, which targeted human rights activists like AlHathloul, political dissenters, and even Americans residing in the U.S.
DarkMatter executives Marc Baier, Ryan Adams, and Daniel Gericke, working for their client UAE—which was acting on behalf of the Kingdom of Saudi Arabia (KSA)—oversaw the hacking project, which exploited a vulnerability in the iMessage app to locate and monitor targets. Baier, Adams, Gericke, all former members of U.S. intelligence or military agencies, designed and operated the UAE cybersurveillance program, also known as Project DREAD (Development Research Exploitation and Analysis Department), using malicious code purchased from a U.S. company.
Baier, who resides in UAE, Adams, a resident of Oregon, and Gericke, who lives in Singapore, admitted in September to violating the Computer Fraud and Abuse Act (CFAA) and prohibitions on selling sensitive military technology under a non-prosecution agreement with the U.S. Justice Department.
“Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” said EFF Civil Liberties Director David Greene. “The harm to Loujain AlHathloul can never be undone. But this lawsuit is a step toward accountability.”
AlHathloul, whose statement on the case is below, is a leader in the movement to advance the rights of women in Saudi Arabia, where females were barred from driving until 2018, are required by law to obtain permission from a male guardian to work or travel, and suffer discrimination and violence. She rose to prominence for her advocacy for women’s right to drive and put herself at great risk in 2014 by publicly announcing her intention to drive across the border from UAE to KSA and filming herself driving. She was stopped at the KSA border and imprisoned for 73 days. Undeterred, AlHathloul continued to speak out for women’s rights and continues to be a target of the kingdom’s efforts to suppress dissent.
DarkMatter intentionally directed the code to Apple servers in the U.S. to reach and place malicious software on AlHathloul’s iPhone, a violation of the CFAA, EFF says in a complaint filed in federal court in Oregon. The phone was initially hacked in 2017, gaining access to her texts, email messages, and real-time location data. Later, AlHathloul was driving on the highway in Abu Dhabi when she was arrested by UAE security services, and forcibly taken by plane to the KSA, where she was imprisoned twice, including at a secret prison where she was subject to electric shocks, flogging, and threats of rape and death.
“Project Raven went beyond even the behavior that we have seen from NSO Group, which has been caught repeatedly having sold software to authoritarian governments who use their tools to spy on journalists, activists, and dissidents,” said EFF Cybersecurity Director Eva Galperin. “Dark Matter didn’t merely provide the tools; they oversaw the surveillance program themselves.”
While EFF has long pressed for the need to reform the CFAA, this case represents a straightforward application of the CFAA to the sort of egregious violation of users’ security that everyone agrees the law was intended to address.
“This is a clear-cut case of device hacking, where DarkMatter operatives broke into AlHathloul’s iPhone without her knowledge to insert malware, with horrific consequences,” said Mukund Rathi, EFF attorney and Stanton Fellow. “This kind of crime is what the CFAA was meant to punish.”
In addition to CFAA violations, the complaint alleges that Baier, Adams, and Gericke aided and abetted in crimes against humanity because the hacking of AlHathloul’s phone was part of the UAE’s widespread and systematic attack against human rights defenders, activists, and other perceived critics of the UAE and KSA.
The law firms of Foley Hoag LLP and Boise Matthews LLP are co-counsel with EFF in this matter.
Loujain Alhathloul Lawsuit Statement
“Never have I envisioned myself being recognized for standing up for what I believed was right. My early realization of my privilege to speak up and out for women and myself drove me to engage in the sphere of human rights defenders.
“In a 2018 article titled Kidnapped Freedoms, I expressed my understanding of freedom to be safety and peace:
‘safety to express, to feel protected, to live and to love.
[And] peace to reveal the purest and most sincere humanity implanted deep within our souls and minds without experiencing unforgivable consequences.
Deprived of safety and peace, I have lost my freedom. Forever?’
“Previously, I had limited consideration of all aspects of harm a human rights defender, or any individual for that matter, could face, especially in the online world. Today, I incorporate online safety as well as protection from misuse of power by cyber companies to my understanding of safety. The latter should be considered a basic and natural right in our digital reality.
“No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power. I continue to realize my privilege to possibly act upon my beliefs.
“I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”
For the complaint:
When governments or private companies target someone with malware and facilitate the abuse of their human rights, the victim must be able to hold the bad actors accountable. That’s why, in October, EFF requested that a federal court consider its amicus brief in support of journalist Ghada Oueiss in her lawsuit against DarkMatter, a notorious cyber-mercenary company based in the United Arab Emirates. Oueiss is suing the company and high-level Saudi government officials for allegedly hacking her phone and leaking her private information as part of a smear campaign.
EFF’s brief argues that private companies should not be protected by foreign sovereign immunity, which limits when foreign governments can be sued in U.S. courts. Hundreds of technology companies sell surveillance and hacking as a product and service to governments around the world. Some companies sell surveillance tools to governments—in 45 of the 70 countries that are home to 88% of the world’s internet users—and others, like DarkMatter, do the surveillance and hacking themselves.
DarkMatter’s hacking has serious consequences. In her lawsuit, Oueiss recounts being targeted by thousands of tweets attacking her, with accounts posting stolen personal photos and videos, some of which were doctored to further humiliate her. And earlier this month, EFF filed a lawsuit against DarkMatter because the company hacked Saudi human rights activist Loujain AlHathloul, leading to her kidnapping by the UAE and extradition to Saudi Arabia, where she was imprisoned and tortured.
U.S. companies are on both ends of DarkMatter’s misconduct—some are targets, like Apple and iPhone users, and other companies are vendors. Two U.S. companies sold zero-click iMessage exploits to DarkMatter, which it used to create a hacking system that could infiltrate iPhones around the world without the targets knowing a thing.
Human rights principles must be enforced, and voluntary mechanisms have failed these victims. U.S. courts should be open to journalists and activists to vindicate their rights, especially when there is a connection to this country—the smear campaign against Oueiss occurred here in part. EFF welcomed the Ninth Circuit Court of Appeals’ recent ruling that spyware vendor NSO Group, as a private company, did not have foreign sovereign immunity from WhatsApp’s lawsuit alleging hacking of the app’s users. Courts should similarly deny immunity to DarkMatter and other surveillance and hacking companies who directly harm Internet users around the world.
For more on state-sponsored malware: