New evidence suggests spyware used to surveil Emirati activist Alaa Al-Siddiq

Even in death, there was little peace for Alaa Al-Siddiq.

When the body of the 33-year-old Emirati activist, who died in a car accident in Oxford in June, was shown in a viewing to mourners at Regent’s Park Mosque, a number of her close friends stayed away.

They wanted to avoid being seen paying their respects, for fear that the mosque was secretly being filmed, and that their association with the activist and researcher could be dangerous for themselves or their families at home in the UAE.

“I entered to see her, and to tell her these people were just outside, and that I was there on their behalf,” one close friend told the Guardian. “It was very painful to not have the simple right to be with her or say goodbye to her.”

No foul play is suspected in Al-Siddiq’s death, which occurred after a two-car collision in which people in both vehicles were injured.

But now, three months after her death, new evidence has emerged about an intense and pervasive campaign to surveil Al-Siddiq, who served as executive director of ALQST, a non-profit advocating for human rights in the UAE and wider region.

An examination of Al-Siddiq’s devices by researchers at Citizen Lab at the University of Toronto, which tracks the use of spyware against activists and journalists, found that she was most likely hacked by a government client of NSO Group, the Israeli spyware company, beginning in 2015, when she lived in Qatar, to 2020, when she was living in London. It is the first time Citizen Lab has confirmed its findings.

The case exemplifies a worrying trend for activists such as Al-Siddiq, who escaped the UAE to live in the relative safety of the UK, but was never out of the reach of Pegasus, NSO’s spyware. When the spyware is used by a government to infect a phone, Pegasus can monitor conversations, read text messages, see photographs and emails, and can turn a mobile into a remote listening device.

NSO has said its spyware is meant to be used by governments and law enforcement agencies to investigate serious crimes, not to target journalists and activists.

NSO requested that the Guardian provide it with the numbers Al-Siddiq was using when she was hacked.

It said in a statement: “As always, when we get credible information on an alleged misuse, we conduct a thorough investigation and act upon the findings.”

In 2020, shortly after she learned she had been hacked, Al-Siddiq gave an interview using a pseudonym to film-maker Laura Poitras and researchers at Forensic Architecture, a London-based research group that has studied NSO Group.

The interview was shared with the Guardian after Forensic Architecture was granted permission to share a recording of her comments by Al-Siddiq’s next of kin. In the interview, the soft-spoken activist described how her research, which involved documenting human rights abuses against prisoners and detainees in Gulf states, had likely made her a target.

“These are very sensitive topics to talk about in my country. They consider it as a crime against the government,” she said. Most of all, Al-Siddiq said she was concerned about the prospect of exposing people whose trust she had gained and who were helping her research.

“In this case, this kind of violation is not changeable and I cannot protect them,” she said, referring to her contacts. “It is a sad thing to feel.”

Pegasus in Saudi Arabia

Two of Al-Siddiq’s mobile numbers were listed in the massive data leak at the heart of the Pegasus Project, which contained numbers of individuals who were believed to have been selected as potential surveillance targets by NSO’s government clients. The data suggests that Al-Siddiq was selected as a potential surveillance target by the UAE, a known client of NSO, beginning in 2015. In at least one case, the timing of an attempt to hack Al-Siddiq’s phone through SMS matches a date contained in the Pegasus Project data.

NSO has strongly denied that the data has any connection to the Israeli firm and has said the list of phone numbers are not targets of NSO customers. NSO has always said it does not have access to the data of its customers. In statements issued through its lawyers, NSO said the Pegasus project reporting consortium had made “incorrect assumptions” about which clients used the company’s technology.

An analysis by Forensic Architecture – which closely studied Al-Siddiq’s case – shows that her entanglement with authorities in the UAE began months after her father, Mohammed Al-Siddiq, was arrested in 2012 after signing a pro-democracy petition. At 24, she left the Emirates for Qatar. In June 2015, Al-Siddiq became a central figure in a diplomatic dispute between Qatar and the UAE after officials in the UAE demanded that Qatar force her to return to her home. Qatar refused.

Later, after being stripped of her UAE citizenship, she left Qatar for the UK. Periodically she would be attacked on social media, and was called a terrorist for expressing views that were supportive of the Arab spring.

At ALQST, she worked alongside the Saudi dissident Yahya Assiri, who was also targeted with an attempted hack using Pegasus in 2018, according to Citizen Lab at the University of Toronto. A lawyer whom Al-Siddiq had contacted before her accident to discuss her legal options was also targeted with spyware, though the timing of that attempted hack was likely related to a separate matter. Both Assiri and the lawyer live in the UK.

Bill Marczak, a researcher with the Citizen Lab who tracks the use of spyware by repressive regimes, said Al-Siddiq first contacted him in January 2020, because she was concerned she may be a target of hacking.

Citizen Lab set up a monitoring system of Al-Siddiq’s phone and a few months later – that summer – her phone was hacked by a government using Pegasus spyware.

“There were persistent attempts to attack multiple devices that she had with UK numbers … they were trying to hack her 24/7,” Marczak told the Guardian. “She was distraught, understandably. Her main worry was that she didn’t want the UAE government to leak her family photos. She was concerned about that.”

Once the hacking began, Citizen Lab began a retrospective analysis on Al-Siddiq’s devices. They found evidence of Pegasus malware on a different mobile dating back to 2015.

That makes Al-Siddiq one of the first known victims of targeting using Pegasus. In 2019 alone, there were five successful hacks of her UK mobile, with some intrusions lasting several days.

The UAE did not respond to questions about Al-Siddiq’s case and its alleged use of spyware. The questions and request for comment were sent by the Guardian to the UAE’s embassy in Washington.

Forensic Architecture

Friends and close colleagues have said the surveillance campaign was a constant source of anguish and concern during the last 12 months of Al-Siddiq’s life. One friend, who was in the car when Al-Siddiq died and requested anonymity, said Al-Siddiq began to change her habits for fear she was being surveilled, including changing routes she travelled on the tube. She tried to be mindful to not stand too close to the edge when she was travelling by train, for fear she could be pushed on to the tracks.

The week before her birthday on 18 June, as she planned a weekend with friends in Oxford, she worried about which mobile devices she should take with her. “This was part of her daily life. It was there, in the background always. She did not want to surrender to this fear. But I think such fear would have paralysed other people. She was really fierce,” her friend told the Guardian.

She was also funny, told jokes, and liked to play cards. She loved to cycle. “What I admired most is that she had to reinvent herself in every stage of her life. She would not let where she came from define her or her future. She came from a very conservative background. She found her own voice and her own freedom,” her friend said.