Boris Johnson’s government has been accused by MPs of prioritising trade agreements over national security in its handling of surveillance abuses on British soil by governments using spyware made by the Israeli company NSO Group.
A letter to the British prime minister signed by 10 MPs and peers has called on the government to end its cybersecurity programmes with countries that are known to have used NSO spyware to target dissidents, journalists and lawyers, among others, and to impose sanctions on NSO, “if they are at all serious about our national security”.
NSO is regulated by the Israeli defence ministry and sells its powerful Pegasus spyware to governments around the world. While the spyware is meant to be used by the governments to track criminals and terrorists, experts have documented dozens of cases in which NSO clients have abused the surveillance tool to use it against their own perceived enemies.
The letter was sent to Johnson as news broke in Israel that Isaac Benbenisti, who was serving as chief executive officer-designate of the company, had resigned, citing a decision by the Biden administration last week to place NSO on a US blacklist. Benbenisti, an NSO co-president, was named in the top role on 31 October but had yet to start. NSO declined to comment on the resignation.
Since 2019 researchers have documented a string of cases in which governments used NSO spyware to hack the phones of individuals in the UK. Targets whose phones were confirmed to have been hacked include Princess Haya bint al-Hussein, ex-wife of Dubai’s ruler, Mohammed bin Rashid al-Maktoum; five of Haya’s lawyers, including Fiona Shackleton; the late Emirati activist Alaa Al-Siddiq; Bahraini activists living as refugees in the UK; and the Saudi satirist Ghanem Almasarir, a frequent critic of Saudi’s royal family. Governments who use the spyware against UK-based targets are believed to include the UAE and Bahrain. It has been reported that NSO no longer allows clients to target UK-based phone numbers.
“The UK government’s credibility has been shot to pieces by its handling of the NSO surveillance scandal – a credibility already damaged by their cybersecurity programmes with Gulf states implicated in human rights abuses,” said the Liberal Democrat MP Layla Moran. “Prioritising free trade deals with countries like Saudi Arabia, Bahrain and the UAE must not mean handing them a blank cheque to commit abuses on UK soil with impunity.”
The Pegasus project, an investigation into NSO by a consortium of journalists led by the French non-profit Forbidden Stories, and which included the Guardian, found dozens of British mobile phone numbers on a leaked list of potential surveillance targets of NSO clients. They included Roula Khalaf, the editor of the Financial Times, and Sayed Ahmed Alwadaei, the director of the Bahrain Institute for Rights and Democracy.
It is not known whether Khalaf or Alwadaei’s phones were successfully hacked by governments using Pegasus, though forensic analysis of dozens of phones on the leaked list were later found to have been infected by the spyware or contained traces of it following analysis by Amnesty International’s security lab.
NSO has denied that the leaked list represents individuals who were targeted by its clients and has said it investigates credible allegations of abuse.
Alwadaei said that as someone whose mobile appeared on the Pegasus project list, it was difficult to describe the “pain of knowing that NSO’s malicious spyware may have put my family, loved ones and those who trusted me to defend their human rights at risk”.
He was equally shocked that the UK had not sought to censure those governments who have been accused of perpetrating the abuse and contrasted British policy with that of the Biden administration.
“The US has taken action and blacklisted this dangerous organisation; Boris Johnson should follow their example by sanctioning NSO and halting exports of surveillance equipment to abusive Gulf states,” he said.
Andy Slaughter, the Labour MP for Hammersmith, said: “The use of NSO Group’s Pegasus spyware by Gulf regimes against UK residents and nationals, including members of the House of Lords and refugees living under British protection, poses a threat to our national security and reveals the contempt with which our so-called allies in the Gulf view our laws. As well as immediately sanctioning NSO Group, the government must investigate the harms caused by these hacking operations and ensure consequences, starting with a fundamental reassessment of their relationship with Saudi Arabia, Bahrain and the UAE.”
In their letter, the MPs said the cyber-attacks represented “egregious breaches of domestic and international human rights law”, which prohibit “arbitrary or unlawful interference” with an individual’s correspondence.
“We are concerned that your government has failed to publicly condemn the actions of either NSO Group or the Saudi, Emirati, or Bahraini governments or take substantive action to protect UK nationals and residents, including those living under British protection as refugees, from cyber-attacks,” the letter stated.
It also called for the suspension of all UK spyware licences and cybersecurity contracts with Gulf nations implicated in cyber-attacks in the UK, namely the UAE, Saudi Arabia and Bahrain, pending an independent investigation. Signatories include Brendan O’Hara, Paula Barker, Lloyd Russell-Moyle, Richard Burgon, Martyn Day, Paul Scriven, Natalie Bennett and Jenny Jones.
Stephanie Kirchgaessner in Washington