Saudi human rights activist Loujain al-Hathloul has filed a lawsuit against spyware maker DarkMatter Group and three former US intelligence operatives for their role in helping the United Arab Emirates hack into her iPhone and track her movements.
al-Hathloul is one of several people the DarkMatter Group hacked, and three executives at the firm — 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke — were fined by the Justice Department in September for their role in helping oppressive governments like the UAE violate several US laws.
Surveillance isn’t just the purview of nation-states and government agencies — sometimes, it is closer to home.
The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians, journalists, and dissidents opposed to the government during the Arab Spring protests.
In 2019, both Reuters and The Intercept conducted in-depth investigations into the work of Project Raven and DarkMatter after members of the team raised concerns about the hacking UAE officials were requesting. The case sparked widespread concern about how former officials at the National Security Agency (NSA) and other US spy agencies were spreading the tactics they learned while hacking for the US government.
al-Hathloul’s lawsuit was filed by the Electronic Frontier Foundation (EFF) and law firms Foley Hoag LLP and Boise Matthews LLP.
EFF said DarkMatter was working for the UAE but hacked al-Hathloul’s iPhone on behalf of the Kingdom of Saudi Arabia, noting that the DarkMatter used an iMessage vulnerability to monitor people’s devices.
EFF attorney Mukund Rathi said this is a “clear-cut case” of device hacking, where DarkMatter operatives broke into al-Hathloul’s iPhone without her knowledge to insert malware, with horrific consequences.
“This kind of crime is what the Computer Fraud and Abuse Act was meant to punish,” Rathi said, adding that the lawsuit includes claims that DarkMatter is liable for crimes against humanity for helping the UAE hack many human rights defenders.
Baier, Adams, and Gericke bought the malicious code from a US company during their time building out the UAE cybersurveillance program, according to EFF.
“No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power,” al-Hathloul said.
“I continue to realize my privilege to possibly act upon my beliefs. I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”
al-Hathloul gained prominence in 2014 when she pledged to drive across the border from the UAE into Saudi Arabia, where it was illegal for women to drive until 2018. She was stopped at the Saudi border and detained for 73 days. al-Hathloul also campaigned for women’s rights in Saudi Arabia, where women face significant discrimination and violence in addition to legal rules mandating male permission for work and travel.
In the lawsuit, EFF lawyers said al-Hathloul’s iPhone was hacked by DarkMatter in 2017, violating the Computer Fraud and Abuse Act because the malicious code was directed to Apple services in the US.
DarkMatter gained access to all of al-Hathloul’s emails, texts and real-time location, according to EFF. al-Hathloul was eventually arrested while driving in Abu Dhabi and extradited to Saudi Arabia, where she was jailed, electrocuted, flogged, and threatened with rape and death.
“Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” EFF civil liberties director David Greene said. “The harm to Loujain al-Hathloul can never be undone. But this lawsuit is a step toward accountability.”
The Justice Department faced backlash in September for not imposing harsh enough penalties on Baier, Adams, and Gericke after their work was revealed by several news outlets. The three “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud, and access device fraud laws.”
Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and to relinquish any foreign or US security clearances.
They are also permanently banned from having future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles, or providing defense services.
“DarkMatter didn’t merely provide the tools; they oversaw the surveillance program themselves,” Galperin said.
- Hackers are using new malware which hides between blocks of junk code
- Crooks are selling access to hacked networks. Ransomware gangs are their biggest customers
- Here’s the perfect gift to protect anyone with a computer
- These researchers wanted to test cloud security. They were shocked by what they found
- Hackers are turning to this simple technique to install their malware on PCs
- Hit by ransomware? Don’t make this first obvious mistake