EFF sues spyware maker DarkMatter for illegally hacking Saudi activist

The Electronic Frontier Foundation (EFF) has filed a lawsuit against spyware maker DarkMatter, along with three former members of U.S. intelligence or military agencies, for allegedly hacking the iPhone of a prominent Saudi human rights activist. 

The lawsuit was filed on behalf of Loujain al-Hathloul, who claims she was among the victims of an illegal hacking campaign orchestrated by DarkMatter and three former U.S. intelligence officers hired by the UAE following the Arab Spring protests.

The former NSA operatives — named in the lawsuit as ExpressVPN CIO Daniel Gerike, Marc Baier and Ryan Adams — were part of the Project Raven hacking program, an effort by the UAE to spy on human rights activists, politicians, journalists and dissidents opposed to the government during the Arab Spring protests.

Back in September, the three former spies agreed to pay a cumulative $1.7 million after admitting to violations of the Computer Fraud and Abuse Act (CFAA) and prohibitions on selling sensitive military technology under a non-prosecution agreement with the U.S. Justice Department. They are also permanently banned from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles or providing defense services.

Al-Hathloul — best known for her efforts in calling for greater women’s rights in Saudi Arabia — claims the ex-spies exploited a vulnerability in iMessage to illegally hack into her iPhone in order to secretly monitor her communications and location. This, she claims, led to her “arbitrary arrest by the UAE’s security services and rendition to Saudi Arabia, where she was detained, imprisoned and tortured.”

The lawsuit alleges Gerike, Baier and Adams purchased malicious code from a U.S. company and intentionally directed the code to Apple servers in the U.S. to reach and place malicious software on al-Hathloul’s iPhone in violation the CFAA. It also alleges that they aided and abetted in crimes against humanity due to the fact the hacking of al-Hathloul’s phone was part of the UAE’s widespread and systematic attack against human rights defenders and activists.

The EFF, which filed the lawsuit alongside law firms Foley Hoag LLP and Boise Matthews LLP, says this is a “clear-cut” case of device hacking, whereby “DarkMatter operatives broke into al-Hathloul’s iPhone without her knowledge to insert malware, with horrific consequences.”

“Project Raven went beyond even the behaviour that we have seen from NSO Group, which has been caught repeatedly having sold software to authoritarian governments who use their tools to spy on journalists, activists and dissidents,” said Eva Galperin, cybersecurity director at EFF. “DarkMatter didn’t merely provide the tools; they oversaw the surveillance program themselves.”

In a statement, al-Hathloul said:

No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power.

I continue to realize my privilege to possibly act upon my beliefs. I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share and learn from one another without the threat of power abuses.