A Saudi Arabian flag is seen flying on Parliament Hill, in Ottawa, in a Nov. 2, 2016, file photo.Dave Chan/The Globe and Mail
Government agents likely affiliated with the Kingdom of Saudi Arabia have been using cellphone-spying technology to try to eavesdrop on a refugee living in Canada, according to the University of Toronto’s Citizen Lab.
In a report released Monday, the organization says that it has “high confidence” that surveillance software targeted an individual in Canada this summer.
The goal, according to Citizen Lab, was to capture the iPhone communications of a 27-year-old Quebecker named Omar Abdulaziz , a dissident Saudi activist with a large social-media presence and who is publicly critical of the regime.
The report alleges that this may have amounted to unlawful spying taking place in Canada between June and August.
News of this activity arrives in the midst of an ongoing Canada-Saudi diplomatic row. In August, Foreign Affairs Minister Chrystia Freeland and her diplomatic department said on Twitter that they were “gravely concerned” about the kingdom’s jailing of “civil-society and women’s-rights activists" and publicly called for their release.
In response, the Saudi government complained that the country’s sovereignty was being undermined by Canada. It immediately cut some diplomatic and trade ties, while recalling thousands of Saudi students.
The Citizen Lab, a group of academics and digital detectives at the U of T Munk School, has recently aired several allegations about Saudi surveillance after its long-term research into the potential misuse of surveillance software sold to government agencies.
The Lab has spent many years researching the NSO Group, an Israeli company that sells a system known as Pegasus. It can be used to remotely infect a target’s cellphone in order to then relay back data accessed by the device.
The specific tactics and Internet architecture allegedly used by the NSO Group have been the subject of several reports by the Citizen Lab.
For example, in July, its researchers issued a statement alleging that misleading messages about demonstrations in Saudi Arabia were being used in attempts to target people’s phones − including that of a regional Amnesty International researcher.
In September, the Lab followed up with another report suggesting that at least 36 governments are now using NSO Group software, a number that the Lab says very likely includes Saudi Arabian security services.
The Globe tried several times to contact the NSO Group by e-mail and LinkedIn messages, but it did not respond. The Saudi embassy in Canada also did not respond to The Globe’s telephone calls and e-mails.
But in a Sept. 17 letter sent to the Lab, the Israeli company responded to the criticisms by alleging flaws in the Citizen Lab’s research.
“NSO Group develops products that are licensed only to legitimate government agencies for the sole purpose of investigating and preventing crime and terror," its statement said.
The company added that its software has helped prevent suicide bombings, convict drug lords and locate missing children, but it didn’t release details about which countries can use the software and which ones cannot. “The product will not operate outside of approved countries,” the statement said.
Citizen Lab director Ron Deibert said in an interview that repressive states inevitably abuse such tools to try to crush dissent. “What you see is a Wild West of crossborder surveillance with governments using commercial spyware, ” he said.
He argued that any foreign-government spying on a cellphone located in Quebec would violate Canada’s criminal laws against unlawful wiretapping.
The Citizen Lab studied the NSO Group by attempting to reverse-engineer the specific Internet pathways that its software uses. It was through these efforts that The Citizen Lab said it noticed an iPhone in Canada in contact with the surveillance infrastructure that the group associated with Saudi Arabia.
First spotted this summer, the activity pointed to a compromised cellphone in Quebec, The Citizen Lab says. But nothing in the data indicated whose phone it was. It was only clear that the phone used a home Internet network during the day but logged onto a nearby university-campus network in the evening.
Citizen Lab researcher Bill Marczak flew to Montreal in August, so he could canvass Saudi dissidents about these patterns. He was directed to Mr. Abdulaziz, who was known locally as not just an outspoken critic of Saudi Arabia, but who also worked out nightly at a gym at Bishop’s University.
The two men met in a café, and established that the timing of the gym excursions corresponded with the patterns the Lab had already seen.
An examination of the iPhone yielded some additional evidence.
In late June, after Mr. Abdulaziz ordered some protein powder online, he received a text message directing him to a package-tracking site. But according to the Citizen Lab, the link was a fake, and it would have directed the phone to a website that the NSO Group uses to take over cellphones.
But “we are unable to prove he clicked on the link,” the Citizen Lab report says. It also added that its researchers “similarly lack forensic data from his iPhone that would prove an infection.”
In an interview, Mr. Abdulaziz said he has no doubt that his former government is targeting him. Since being granted political asylum from Saudi Arabia by Canada five years ago, he says he has built an international following on social-media, including for his satirical YouTube channel.
The Saudi government doesn’t like his views, he said. He added that two of his brothers have been rounded up in the summer crackdowns in his homeland. He views this as a form of pressure to try to get him to stop criticizing the country on social media.
Since meeting the Citizen Lab researcher who came to him with an unsolicited warning a few weeks ago, Mr. Abdulaziz fears that the potential hacking of his iPhone may have caused other people to be targeted as well.
“I don’t know how many Canadians are in danger now – so many people,” he said, adding that he no longer uses that device.
citizen lab’s cybersleuths
The U of T Citizen Lab is a digital-rights organiza-
tion whose researchers seek to expose countries
that spy on their own people. The Lab’s
latest report highlights how data strongly sug-
gest that Saudi agents may have successfully
targeted the iPhone of a dissident living near
Montreal.
Here’s how it is alleged to have happened
Cellphones that are compromised
by commercial spyware secretly
send information back to “com-
mand and control” computer
servers.
Researchers at the Lab spent two
years scanning billions of internet
sites for telltale “fingerprints”and
deduced about 1,000 internet sites
were allegedly tied to a specific
spyware company.
JAN.
1
Researchers concluded that 36
“operators” – spyware clients,
most likely police and intelligence
services – were using this spying
infrastructure.
One operator appeared to be
taking an interest in Saudi citizens.
A compromised phone tied to this
infrastructure was traced to
Quebec, where it appeared to join
a campus network nightly.
A researcher flew to Montreal and
talked to Saudi dissidents who
urged him to speak to a refugee
who worked out at Bishop’s Uni-
versity each night.
The “pattern of life” matched, so
the researcher met the Saudi dissi-
dent and examined his iPhone. He
found a text sent weeks earlier,
which traced back to the suspected
spying infrastructure.
colin freeze, JOHN SOPINSKI and murat
yükselir/THE GLOBE AND MAIL additional
images: shutterstock; vecteezy
citizen lab’s cybersleuths
The U of T Citizen Lab is a digital-rights organization
whose researchers seek to expose countries that spy
on their own people. The Lab’s latest report highlights
how data strongly suggest that Saudi agents may have
successfully targeted the iPhone of a dissident living near
Montreal.
Here’s how it is alleged to have happened
Cellphones that are compromised
by commercial spyware secretly
send information back to “com-
mand and control” computer
servers.
Researchers at the Lab spent two
years scanning billions of internet
sites for telltale “fingerprints”and
deduced about 1,000 internet sites
were allegedly tied to a specific
spyware company.
JAN.
1
Researchers concluded that 36 “oper-
ators” – spyware clients, most likely
police and intelligence services –
were using this spying infrastructure.
One operator appeared to be
taking an interest in Saudi citizens.
A compromised phone tied to this
infrastructure was traced to
Quebec, where it appeared to join
a campus network nightly.
A researcher flew to Montreal and
talked to Saudi dissidents who
urged him to speak to a refugee
who worked out at Bishop’s Uni-
versity each night.
The “pattern of life” matched, so
the researcher met the Saudi dissi-
dent and examined his iPhone. He
found a text sent weeks earlier,
which traced back to the suspected
spying infrastructure.
colin freeze, JOHN SOPINSKI and murat yükselir/
THE GLOBE AND MAIL additional images: shutterstock;
vecteezy
citizen lab’s cybersleuths
The U of T Citizen Lab is a digital-rights organization whose researchers seek to expose
countries that spy on their own people. The Lab’s latest report highlights how data
strongly suggest that Saudi agents may have successfully targeted the iPhone of a dissi-
dent living near Montreal.
Here’s how it is alleged to have happened
Cellphones that are compromised
by commercial spyware secretly
send information back to “com-
mand and control” computer
servers.
Researchers at the Lab spent two
years scanning billions of internet
sites for telltale “fingerprints”and
deduced about 1,000 internet sites
were allegedly tied to a specific
spyware company.
JAN.
1
Researchers concluded that 36
“operators” – spyware clients,
most likely police and intelligence
services – were using this spying
infrastructure.
One operator appeared to be
taking an interest in Saudi citizens.
A compromised phone tied to this
infrastructure was traced to
Quebec, where it appeared to join
a campus network nightly.
A researcher flew to Montreal and
talked to Saudi dissidents who
urged him to speak to a refugee
who worked out at Bishop’s Uni-
versity each night.
The “pattern of life” matched, so
the researcher met the Saudi dissi-
dent and examined his iPhone. He
found a text sent weeks earlier,
which traced back to the suspected
spying infrastructure.
colin freeze, JOHN SOPINSKI and murat yükselir/THE GLOBE AND MAIL
additional images: shutterstock; vecteezy
Colin Freeze