United Arab Emirates: Renewed demands for an international dual-use technology ban as further evidence of spyware campaign emerges

02.02.19

Reliable reports have uncovered a deeply concerning collaboration between hackers who have previously worked for the U.S. National Security Apparatus (NSA) and the United Arab Emirate’s State Security Apparatus (SSA). The clandestine group of hackers, officially operating as Project Raven, have been using their knowledge and tools to allegedly aid the UAE government in combating terrorism since 2014. 

However, several former employees of this group have exposed the reality of this collaboration which has been directed at uncovering the targeting of human rights defenders in the UAE and abroad. The sophistication of the technologies used have enabled the UAE authorities to hack into devices notably for their security and user privacy measures including Apple’s iPhone devices which have won support internationally after the company refused to allow U.S. authorities a backdoor to the device of the Boston bomber in 2013.  

Project Raven developed ‘Karma’ a tool that grants them remote access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. Karma successfully hacked the accounts of hundreds of prominent Middle East political figures and activists across the region as well as nationals of the European Union and the U.S. While the operatives of Karma say that Karma was only a cybersecurity purchase, interviews with the Project Raven team who are critical of the violations committed through Karma have attested that Project Raven was relocated from the U.S. to UAE to work from the office of DarkMatter, a UAE cybersecurity company to spy on ‘enemies of the UAE’. Karma mainly exploited vulnerabilities in the Apple application, iMessages. 

Current U.S. legislation on outsourcing cybersecurity and spyware are said to be murky. The allegations raised in this report should motivate the U.S. to commit to democracy and human rights by banning dual-use technology and cybersecurity tools. 

This is but another revelation in the long line of dual-use technologies cases that GCHR and partner organisations have been vigorously campaigning to have banned.

The Gulf Centre for Human Rights (GCHR) urges the various international mechanisms and in particular the UN system in addition to the US administration, the UK government, the EU and other governments that have influence to:

  1. Address the lack of legislation criminalising export of technology used in violating human rights; 
  2. Enhance the commitment of businesses to the privacy and security of their users by updating and acting to resolve their software vulnerabilities; 
  3. Encourage and facilitate the Introduction of national legislation that clearly prohibits the sale of dual-use technology, especially in the U.S;
  4. Enforce European Parliament resolutions that are focused on the banning of dual-use technology; and
  5. Develop enforcement mechanisms in the MENA region to protect human rights and the security of human rights defenders.