April 6, 2021, was my baby’s first birthday. Because it was still the pandemic, we celebrated with a small smattering of family on the weekend. On the actual day, we just had cupcakes in the kitchen — baby’s first taste of sugar. I snapped some photos, took a short video. I might have even shared them with some family over WhatsApp, like so many other memories shared remotely these past two years.
I didn’t think about those photos again until late November, when I received an iMessage from Apple informing me that they believed I was the subject of a state-sponsored attack on my iPhone. The notification states that I was most likely attacked because of who I am or what I do. I read the message twice. I was in a meeting and started messaging the Human Rights Watch colleague who leads our information security team. “I just received this message,” I told her. “Is this legit?”
A wave of emotions came over me: panic and dread and something I didn’t want to name at the time but can admit now: fear. And even before my colleague could confirm that the message was indeed legit, I already knew: I had been hacked.
I’ve spent my entire career working to defend people’s rights, and now a government is trying to use me as a tool to undermine them. It’s paralyzing and chilling, and it’s why the stakes are so high when it comes to ending unlawful surveillance.
But who was targeting me, and why? My colleague’s forensic analysis of my phone provided some answers, but there is a lot we still don’t know. She confirmed that Pegasus spyware, which is produced by the company NSO Group and sold to governments, was used to infect my personal iPhone at least five times between last April and August. The first attack started on April 6, maybe early enough in the day to capture the cupcake photos.
My phone was targeted using a so-called “zero-click” attack, which meant I didn’t need to do anything — like click on a link — for the hack to take effect. There is no way to prevent this type of attack, and once it is there, Pegasus can harvest more or less any information or data on your device or turn on your camera or microphone to spy on you.
But what did they harvest and who were they? Because of the way Pegasus covers its tracks, it was impossible to find out the extent of the attack against me. NSO Group says it only sells its products to governments, but which government was responsible for the attack?
I went back through my calendar looking for clues that could lead me to the culprit. What was I working on that was potentially sensitive involving a country that was a potential NSO client and would target me? The truth is, since I’m the director of the Human Rights Watch Crisis and Conflict Division, the list of possibilities was too long to be useful.
NSO Group says Pegasus is meant to help governments stop criminals and terrorists. But human rights organizations and academic researchers have reported for years on governments using Pegasus to target the phones of journalists, rights activists, politicians and diplomats. We wrote to NSO Group to ask them if they thought that targeting me was a legitimate use of Pegasus and how this is consistent with their stated policies. NSO responded that it would open an initial assessment into our allegation to determine if an investigation is warranted. The company said it takes “any allegation of the misuse of [its] system against a human rights defender most seriously.”
I’ve been living with the reality of not knowing who targeted me and what they stole, not knowing how they have used my data or plan to, and whether I will be attacked again. I don’t know who may be at risk because of the attack or future attacks.
Human rights groups have criticized the unregulated trade in spyware for years. Unchecked sales and the use of surveillance technology make activists and journalists more vulnerable to government abuse and forced censorship. And when those who speak out against rights-abusing governments are attacked, that makes everyone more vulnerable to abuse.
That is why Human Rights Watch and many other human rights organizations and experts are calling on governments to suspend the trade in commercial surveillance technology until rights-protecting regulatory frameworks are in place, and for transparency and accountability in the spyware industry.
In an era when our devices are a gateway into nearly every aspect of our lives, government inaction to stop surveillance companies from profiting off of rights abuse should matter to us all.