Eleven court judgments, covering 181 pages, plus hundreds of other pages of legal documents have revealed an extraordinary spying scandal: state-sponsored mobile phone hacking conducted on behalf of the ruler of Dubai against his fearful sixth and former wife, Princess Haya, Britain’s most famous divorce lawyer and her associate, plus three others – against the backdrop of a bitter child protection battle being played out day after day in the English courts.
The conclusion, after just over a year of intense and costly legal arguments, is that “servants or agents” of Sheikh Mohammed bin Rashid al-Maktoum, the vice-president and prime minister of the United Arab Emirates, engaged in “the surveillance of the six phones” in Britain using technology supplied by Israel’s NSO Group, a company already embroiled in a string of hacking scandals, apparently to further his cause in the welfare battle.
“The surveillance occurred with the express or implied authority of the father,” writes the judge Sir Andrew McFarlane, the president of the family court, in one key ruling – although the stark conclusion he made was challenged again and again by Sheikh Mohammed’s lawyers, trying to argue the court had no right to find against a foreign ruler, or that it could not prove the hacking had taken place.
Each time, the sheikh’s lawyers were defeated, until the final permissions to appeal again to the supreme court were refused.
Yet, according to the judgments released on Wednesday, the story of how the phone hacking was discovered is remarkable in itself. It starts with the work of a digital detective, a specialist in computer forensics, but brings Cherie Blair, a successful QC and wife of the former prime minister Tony, into an already acrimonious court battle that began after Princess Haya, half-sister to King Abdullah II of Jordan, fled to London in May 2019 with her two children as her marriage to Sheikh Mohammed began to fall apart.
Sheikh Mohammed with then prime minister David Cameron in 2013. Photograph: Stefan Rousseau/PA
William Marczak, an expert in the use of mobile phone surveillance software by nation states, had been monitoring the use of NSO’s Pegasus spyware around the world. Pegasus is sold by NSO only to governments, ostensibly for use against terrorists and organised criminals. The software has the power to remotely take control of a person’s phone, secretly reading and downloading data and even covertly turning on the microphone to record nearby conversations. In some cases the owner of the phone does not even need to click a link to be infected.
But a repeated accusation is that Pegasus has been misused by countries against a far wider range of targets – including journalists and dissidents. The claims are normally denied by the company. For some time, Marczak had been examining signs of unusual activity on the phones of Middle East human rights campaigners, many of whom had fled abroad, and had been focusing on a phone belonging to “a UAE activist” known only to the English courts as Mr X.
Pegasus is normally deleted after use. But Marczak had found telltale signs of its activity.
Once a target phone has been infected, Pegasus is directed by “command and control messages”. These are sent to the hacked device from remote servers which “in common with any other internet connected device, have its own individual IP address”, a judgment explains.
Linking the activity of Pegasus to internet addresses allowed the researcher to spot something surprising: it wasn’t just Mr X who was being targeted – but also another internet address linked to a prestigious British law firm, Payne Hicks Beach (PHB).
Its star lawyer is Fiona Shackleton, who had represented Prince Charles in his divorce from Diana and Paul McCartney when he split from Heather Mills. It was no surprise that PHB’s best known partner had been retained by Princess Haya as she battled with her ex-husband; but what would have been surprising was what happened on 5 August last year.
Via an intermediary, Lady Shackleton was informed of Marczak’s concern that “someone at PHB” was “being possibly targeted by UAE directed spyware”. But it was not the only warning that Shackleton received – because on the evening of the same day, 5 August, Shackleton was also contacted by Blair, who was passing on another warning of mobile phone surveillance.
The second warning was more specific.
Blair, a successful barrister who carried on practising as much as she could when her husband was prime minister, had stepped up her professional activities again after leaving Downing Street, starting a law firm, Omnia Strategy. Recent work included acting as an adviser to NSO Group, a company repeatedly embroiled in ethical crises, on business and human rights matters. Well into the evening, according to one of the judgments, Blair’s phone rang.
Cherie Blair, who acted as an adviser to NSO Group. Photograph: Money Sharma/AFP/Getty Images
On the line – “at nearly midnight Israeli time” – was a “senior member of the management team of NSO Group” with a message to pass on.
The senior manager is not named by McFarlane, but he recounts what Blair was told: “It had come to the attention of NSO that their software may have been misused to monitor the mobile phone of Baroness Shackleton and her client, Her Royal Highness Princess Haya.” Blair made contact with Shackleton to pass on the information; the alarm was raised and it quickly became clear that the hacking allegation would form part of the welfare battle, whose truth would have to be determined by the courts.
Shortly after Princess Haya had fled to Britain, in May 2019, she became embroiled in the legal battle over their two children, the youngest of Sheikh Mohammed’s 25 from six marriages. Suspicions between them grew rapidly and Haya had already successfully argued, in front of the family court, that there were questions to be raised about the sheikh’s treatment of two of his other daughters.
One of them, Shamsa, McFarlane determined, was abducted from the UK in August 2000 after she had tried to separate from her family. Another daughter, Latifa, the court concluded, had been captured by Indian commandos on a yacht 30 miles (48km) off the coast of Goa, where she had fled in an attempt to escape Dubai.
The sensational ruling was issued in November 2019, but not made public until March of the following year. Sheikh Mohammed said it told only “one side of the story” but Haya was already saying she was the victim of a “campaign of fear and intimidation” before the phone hacking had taken place.
Something of Haya’s fear of her ex-husband and his agents can be seen in another of the judgments released on Wednesday from McFarlane, who made his findings on the balance of probabilities, the standard of proof for civil courts.
It described how Haya had learned that agents acting for Sheikh Mohammed were seeking to buy a property near Windsor that overlooked a house she owned nearby, which had been left to her by her father, King Hussein of Jordan. Eventually, last November, “those acting for the father [Sheikh Mohammed]” indicated the purchase of the house would not go ahead – but even so, Haya’s fears remained.
A passage from her witness statement, cited in a judgment made in December last year, sums up her mood.
Princess Haya and Sheikh Mohammed at Royal Ascot in 2011. Photograph: David Davies/PA
By this time, the phone-hacking allegations were also being considered by the court. “It feels like the walls are closing in on me, that I cannot protect the children and that we are not safe anywhere. I feel like I am defending myself against a whole ‘state’. Even in our own home they will be towering over us,” Haya told the court, which in turn ruled that Sheikh Mohammed or his agents could not buy the adjoining property or enter a restricted zone surrounding her own property – or even the airspace to a ground level of 1,000ft above it.
Meanwhile, the phone-hacking battle was ongoing. At first, Sheikh Mohammed’s legal team argued the English courts had no jurisdiction because any alleged hacking was “a foreign act of state”. The claim was thrown out by both the high court last October and again by the court of appeal in February. During those hearings, Sheikh Mohammed’s lawyers said “in relation to intelligence or security matters” it was the UAE’s policy to “neither confirm or deny” what practices it engaged with.
Ultimately, however, as the high court concluded, it was the court’s duty to make a decision: “A decision to abstain from adjudicating on these allegations would seem to us to undercut the United Kingdom’s sovereignty.”
Sheikh Mohammed’s legal team then sought to challenge the conclusions of Marczak, who first raised concerns. The court appointed its own independent expert, Alastair Beresford, professor of computer security at the University of Cambridge, who validated Marczak’s conclusions in evidence accepted by the court. There was “a unanimity of opinion between them”, McFarlane concluded.
That was endorsed, too, by statements made by NSO to the court, an effective admission by the company that it believed its software had been misused to target both Princess Haya and Shackleton.
In a letter to the court, NSO said on 4 August 2020 it had become “aware of a possible use of the technology by a customer that was not in accordance with the contractual terms applicable to it” and that “information was provided to NSO that raised the possibility that Baroness Shackleton’s mobile phone, that of another unnamed member of her firm and that of her client (the Respondent Mother), may have been compromised”.
NSO told the court it had terminated its contract with “the customer” – a state, most likely Dubai rather than the whole UAE.
Whether there were any wider political repercussions is not recorded in the court papers. The UAE, a federation of seven emirates, remains a close political ally of the UK, with its ruler, Mohammed bin Zayed, being received by Boris Johnson in Downing Street in September. A few months earlier, however, the Guardian reported that the UAE, including Dubai, had already been linked to 400 Britons whose UK mobile phone numbers appeared in a leaked list of numbers identified in the Pegasus project leak and believed to indicate persons of interest selected by government clients of NSO.
Boris Johnson and Mohammed bin Zayed outside No 10 last month. Photograph: Tayfun Salcı/Zuma Press Wire/Rex/Shutterstock
Taken together, McFarlane concluded the evidence was compelling: “I therefore find that all six of these phones have either been successfully infiltrated, or at least the subject of an attempted infiltration, by surveillance software. I find that the software used was NSO’s Pegasus software.”
As much as 265 megabytes of data was secretly extracted from Princess Haya’s phone last summer, the judge noted, a demonstration of the power of the technology.
As for who did it, the conclusions were clear in the judge’s mind, despite efforts from Sheikh Mohammed’s legal team to suggest that other nations, from Israel to Saudi Arabia and in particular Jordan, might have been responsible. “Firstly, it is obvious that the father, above any other person in the world, is the probable originator of the hacking. No other potential perpetrator, being a person or government that may have access to Pegasus software, can come close to the father in terms of probability,” McFarlane concluded.
Which meant that surveillance of the British phones belonging to Princess Haya, her two principal divorce lawyers and some of her associates “was carried out by servants or agents of the father, the Emirate of Dubai or the UAE” – a stark conclusion of state spying that, along with McFarlane’s others, was upheld by the court of appeal.
Yet, despite these developments, the legal battle between Sheikh Mohammed and Princess Haya is not over. The courts are yet to make their final decisions over the children’s welfare, but McFarlane argued that trust between the parties was at a fresh low.
In a striking phrase, the judge summed up the issue: “It is often said that the most important thing that a house burglar steals is the peace of mind of the householder. The same must surely be true of phone hacking.”
Dan Sabbagh Defence and security editor