

Citizen Lab's founder and director Ron Deibert. Image: Courtesy of Deibert
‘Chasing Shadows’: How a Small Civil Society Investigative Team Is Fighting the Growing Cyber Surveillance Threat
No one knows how many watchdog journalists or political dissidents are being digitally surveilled right now. But thanks to forensic counter-surveillance work pioneered by the Citizen Lab — a small research group at the University of Toronto — we do know that thousands of human rights defenders around the world have already been hacked. What’s more, government agents could be covertly monitoring all of the information in your smartphone, or even the view from your camera, as you read this — without your having clicked on anything.
In a chilling and essential new book that reads like a spy thriller, “Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy,” published by Simon & Schuster, Ron Deibert, founder and director of the Citizen Lab, reveals how his team of cyber sleuths uncovered a rapidly growing commercial espionage industry over the past 15 years, and how numerous government security agencies have used those tools to covertly target journalists and dissidents around the world.
The accounts are stunning. Like the night the team was analyzing a live computer log file, and realized they were actually witnessing a salesperson’s live demo of Cyberbit spyware to the Uzbek National Security Service. Or how a typo helped them discover that the confiscated phone of the wife of Washington Post journalist Jamal Khashoggi had been manually infected with Pegasus spyware, at precisely 10:18 am on April 18, 2018 — months before his state-sponsored murder. Or how one spy firm made the mistake of trying to covertly entrap a Citizen Lab cyber research expert — John Scott-Railton — and how Scott-Railton then organized a sting operation with the Associated Press to trap the spy at a New York restaurant.
The book describes techniques reporters can use on both defense and offense. But perhaps its most alarming revelation is that, despite numerous individual forensic victories by Citizen Lab and other civil society defenders such as Amnesty International and Access Now, the tide of sophisticated surveillance tools and their sinister applications is poised to overwhelm watchdogs, tech platforms, and regulators.
GIJN: For you, what are the top takeaways from “Chasing Shadows” for investigative journalists?
Ron Deibert: One big takeaway is that journalists are in the crosshairs of an out-of-control surveillance industry that governments have access to, and they are definitely targets and victims. There are a plethora of surveillance capabilities now from the private sector in the hands of government security agencies to put journalists under surveillance. I included a quotation in my book from a New York Times Middle East bureau chief, Ben Hubbard, after we discovered his phone had been hacked with a zero-click version of Pegasus — with no email attachment to click on or suspicious text message. It just infected his phone. He said: ‘It was like being robbed by a ghost.’
Second, that their sources and the family members of sources are also at risk. When your phone is compromised, that contains contacts, notes, recordings, photos, and videos to which now adversaries can easily have access.
Another takeaway is that there is now a really disturbing convergence of what’s happening with the personal surveillance economy — surveillance capitalism and social media-driven privacy invasions — and governments able to tap into that directly, or with the help of mercenary companies made up of ex-intelligence agents giving them a whole toolkit of services to hack into devices or track targets. This market didn’t exist 10 years ago, and this is highly dangerous for investigative journalists and human rights defenders. I do believe it’s contributing to the spread of authoritarianism, because those tools are used to undercut systems of accountability. There is also a chilling effect, and we heard from a lot of people who are retreating from their work because of the threat.

Deibert’s new book takes readers behind the scenes into how his team of cyber sleuths have uncovered a rapidly growing commercial espionage industry, and how numerous government security agencies have used those tools to covertly target journalists and dissidents around the world. Image: Courtesy of Simon & Schuster
GIJN: What does the cyber surveillance landscape look like today, compared to five years ago and 15 years ago?
RD: This market has become far more elaborate, complex, and dynamic, and it’s growing in leaps and bounds. I think the threat is far worse, actually, even than a year ago — and part of that is due to what’s going on in the United States.
There are the firms that offer hacking, which is the principal focus of the book, where the customer says: ‘I want to get inside someone’s phone without them knowing, and spy on them that way.’ There are easily 40 companies like that. Then there are firms involved with the exploitation of the SS7 protocol, with a roughly equal number of firms specializing in that. That involves exploiting the insecurities of the roaming signalling networks used by telecoms companies in order to track people’s locations. And then there’s a whole other sector to do with advertising intelligence, or ‘ADINT’ — a byproduct of the surveillance economy in which social media companies collect information about our habits, our location, our interests, and they sell that in a real-time exchange. There are so many firms now — at least six I’m aware of — that set themselves up specifically for government intelligence agencies and law enforcement to tap into ADINT markets.
In the book I talk about a series of victories against these operators in the past decade, one of which was the 2023 executive order under President Biden restricting US federal agencies from doing business with surveillance firms implicated in human rights abuses worldwide. Remarkably, that’s still in place. That was definitely a blow to the industry, and some firms have actually gone under. We had one company, QuaDream, actually fold, and say that our reporting was the final nail in their coffin.
But overall those are actually minor victories in the overall tsunami of covert surveillance. Also, there’s the huge volume of resources being put into the US mass deportation regime there, which involves, at least in part, using some of the same technologies we’re talking about.
GIJN: How has the civil society countersurveillance community responded to the growing power of these companies? And what could or should be done by others — including investigative newsrooms — to close this gap?
RD: This is definitely on the positive side of the ledger. The response has been especially encouraging in the last five years — and especially connected to the Spyware Accountability Initiative, which was precipitated by a donation from Apple, and then complemented by other donors.
We had a convening of this community a year ago, and it was really impressive to see how many groups there are. If you look at any Citizen Lab report now, it’s typical to see a number of collaborations with especially local groups.
But there are new problems for this community. Many groups have received funding from the US in some form, either directly or indirectly; from USAID or the National Endowment for Democracy, and others. Many of those entities have largely evaporated now, and the funds have withered up, so I’m hearing panic now in this community.
Separately, within each of the big tech platforms, there are threat intelligence groups. Occasionally, we have to work pragmatically with those groups, and they often surface important issues and publish reports.
It’s possible that a lot of these investigations could be done independently, and part of our mission is to help cultivate those same skills in other groups around the world.
In general, newsrooms should seek partnerships with specialist groups — something we’ve done, with agreements with many news organizations. For example: we worked with Al Jazeera journalists, and discovered that 35 of them had phones that had been hacked with Pegasus — and El Faro, in El Salvador: same thing.
GIJN: The book reads like a spy thriller, but the real-world cases and the threats to you and your team are bone-chilling. What has the reaction been from friends who might have thought your work, as a social science professor, only involved academic research?
RD: Well, from friends and family members, a bit of shock and apprehension about my well-being. Some only had a vague idea of the world we’ve been investigating, and now they see the unvarnished whole, and they’re freaked out on our behalf.
But we take our security extremely seriously. We evaluate everything from physical to travel to digital security. But you do get a little desensitized to the topic, because you treat it clinically. I have received a lot of feedback on my book tour, and usually it’s been shock at what we are unearthing, but also shock at the cumulative impact that this one small research group at a university in Canada has had on the world as a whole.

Citizen Lab’s Ron Deibert, alongside Sheila Coronel, discussing digital threats to the press at the 13th Global Investigative Journalism Conference in Gothenburg, Sweden, in 2023. Image: Rocky Kistner for GIJN.
GIJN: What were your favorite forensic investigations by John Scott-Railton and Bill Marczak? And how did they persuade total strangers that they might be victims, and even to hand over their personal phones for analysis?
RD: I’m so very fortunate to be working with them, as well as the rest of our team. They have driven forward so many amazing investigations. I particularly appreciated how JSR handled the Black Cube targeting that came at us; the way he was able to turn the tables and organize a sting with the Associated Press. It just speaks to his talents and character.
When Bill was mapping out NSO’s infrastructure, he could see there was an infected device in Canada, but all we had was the IP address. From there, Bill went door to door to speak to Saudi dissidents until we discovered [Saudi dissident] Omar Abdulaziz. Omar told me later he had no prior idea of what Citizen Lab was. It really was like finding a needle in a haystack.
We are always faced with a conundrum of how to reach out to victims. There is a technical challenge to overcome: how do you alert someone on a device that itself may be under surveillance?
GIJN: Is ‘zero click’ surveillance now the dominant threat, rather than people being lured to click on compromised links? And what new threats — or counter-surveillance opportunities — do you expect to emerge from AI tools?
RD: We don’t know that exact ratio. However, from substantial details from invoices that have been leaked or information from the discovery process in the WhatsApp litigation with the NSO Group, we do know that the zero-click versions of spyware are much more expensive for bad actors to use. So definitely still beware of suspicious links or attachments.
Regarding AI, I think we’re just at the cusp of a huge bonanza of firms exploiting AI and advertising intelligence. Everyday online processes are now going to be AI-enabled to put a whole lot more people in the crosshairs of government surveillance.
GIJN: What basic steps should at-risk journalists and dissidents take to reduce their risk of hacking and cyber surveillance?
RD: They should use whatever advanced protections the platforms are rolling out, which are good — and say ‘yes’ to the updates. Take the opportunities to go to Amnesty International or Access Now or Citizen Lab, and, as a matter of due diligence, have your phone checked. It doesn’t take long, and you can even do it remotely. If you suspect a breach, Access Now has a 24/7 digital security helpline, which people can call for rapid response. Enabling Lockdown Mode on iPhones is recommended for reporters working on sensitive subjects, because we have not yet seen evidence of any spyware overcoming Lockdown Mode. I have that on all the time.
Rowan Philp is GIJN’s global reporter and impact editor. He was formerly chief reporter for South Africa’s Sunday Times. As a foreign correspondent, he has reported on news, politics, corruption, and conflict from more than two dozen countries around the world.