Undercover agents have been questioning U of T Citizen Lab researchers in recent months about their study of an Israeli spyware that was used on murdered Washington Post journalist Jamal Khashoggi’s friends, reported The Associated Press.

Agents have approached researchers twice in the past two months claiming to be “socially conscious investors” interested in partnerships. During meetings set up after online contact, the agents questioned the researchers about their personal lives and work regarding the NSO Group, a surveillance technology firm based in Israel that has sold a clandestine software called “Pegasus” to governments seeking to spy on iPhones.

The Associated Press reported that Bahr Abdul Razzak, a Citizen Lab researcher, was approached in December by an investigator who called himself Gary Bowman.

Bowman’s questions to Razzak included, “Do you pray?”, “Why do you write only about NSO?”, and “Do you hate Israel?”. Another Citizen Lab researcher, John Scott-Railton, was later approached on January 9 and was asked similar questions.

The Associated Press was not able to reach either of the agents, nor is there any evidence that they are linked to the NSO, which has stated that it is not involved.

Citizen Lab’s research into the NSO Group is part of its larger initiative on tracking “nation state spyware,” said senior research fellow Bill Marczak on CNN in October.

The lab concluded with “high confidence” that Omar Abdulaziz, a close friend of Khashoggi and fellow Saudi dissident, had been under surveillance using the Pegasus software. Abdulaziz lives in Quebec.

“When a government buys Pegasus,” said Marczak, “What they do is they can send a text message to someone’s phone containing a link, and if they convince the person to click on that link in the text message, then the phone becomes infected and the government can see anything on the phone — including pictures, contacts, listening into calls, watching text messages, and even turning on the camera and microphone.”

Citizen Lab is a Munk School of Global Affairs laboratory that studies human rights issues using computer science and social sciences techniques.

An alleged sexual assault that coincided with a Citizen Lab event in 2014 was revealed in an open letter from Director Ronald Deibert, posted the Citizen Lab website last week. The alleged assaulter, Morgan Marquis-Boire, has been removed from his position as a security researcher and technical advisor with the lab.

According to the letter, posted on October 13, Marquis-Boire allegedly sexually assaulted another individual during the Citizen Lab-hosted Cyber Dialogue conference in March 2014.

In the letter, Deibert says Marquis-Boire requested to resign from the Citizen Lab’s technical advisory group in September, shortly before the accuser approached Deibert to inform him of the alleged sexual assault. Following this encounter, Deibert terminated Marquis-Boire’s position at the Citizen Lab.

Marquis-Boire also held positions at First Look Media, Electronic Frontier Foundation (EFF) and the Freedom of the Press Foundation. EFF has revoked affiliation with him following the sexual assault allegations.

Marquis-Boire did not respond to The Varsity’s attempts to contact him.

Deibert writes that he broached the possibility of pursuing legal action or going public with the unnamed individual, both of which the individual declined at the time. However, after a second consultation with the original party, Deibert wrote that he felt it was his “responsibility to make a public statement on behalf of the Citizen Lab.”

In the letter, Deibert states the Citizen Lab stands “behind survivors of sexual assault in all its forms, [supports] those who come forward to share their experiences, and [is] committed to creating safer spaces in our community.”

The letter indicates that the Citizen Lab incorporated a Code of Conduct in July 2017 to “clearly articulate what constitutes inappropriate behavior at events we organize.”

The Citizen Lab declined to comment beyond the scope of the letter. Similarly, U of T’s media relations did not directly address the alleged sexual assault, explaining to The Varsity that they were first made aware of the incident via Deibert’s letter on October 13.

In an interview for The Varsity regarding sexual violence policy at U of T, Executive Director, Personal Safety, High Risk and Sexual Violence Prevention & Support Terry McQuaid said, “We know that sexual violence is a broader societal issue, and universities are no different, they’re grappling with this issue as well.”

Deibert also alluded to the management of and attitudes toward sexual violence at the Citizen Lab in his letter. “We will continue to monitor the situation closely, are committed to ongoing internal dialogue, and aim to be responsive to feedback from our community,” Deibert writes. “This incident highlights that there is much work to be done to counter a toxic culture of sexual discrimination, harassment, and violence in many areas of the tech community, and we are fully committed to that fight.”

Focused on global security research and development, the Citizen Lab is based out of the Munk School of Global Affairs at U of T. The Citizen Lab has hosted the Cyber Dialogue conference annually since 2011. The conference invites private and public voices to discuss cyberspace security and governance.

Editor’s Note (October 23): A previous version of this article incorrectly stated that the alleged sexual assault occurred at the Citizen Lab event. In fact, the alleged sexual assault coincided with the Citizen Lab event. 

The Citizen Lab, a University of Toronto institute based out of the Munk School of Global Affairs, has been making headlines this past year due to the rise of increasingly complex cybersecurity issues in countries such as the United Arab Emirates (UAE), China, and Mexico. The lab, which investigates both domestic and foreign affairs, aims to ensure that cybersecurity issues overseas do not taint the comparatively secure hold Canadians have on their own rights.

Canada, however, is not immune from the tempting prospect of spying on its own citizens. A Citizen Lab report by Christopher Parsons and Tamir Israel explains how various legislative initiatives were proposed by the government to allow warrantless disclosure of digital identifiers, such as IP addresses, for national security reasons.

The authors reject the principle upon which the proposals were founded –  primarily, the idea that you have nothing to fear if you have nothing to hide. Their research indicates that online privacy from the government actively allows users to honestly explore and express ideas without fear of consequence.

Another concern within this realm is the use of spyware. Cyber warfare companies that sell government-exclusive spyware have become infamous for selling their products to human rights abusers. This spyware is often used to quell government dissent and freedom of expression.

Ron Deibert, the director of the Citizen Lab, says that concerns like these require serious accountability. On his blog, he describes the mission of the Citizen Lab as using “mixed methods research to highlight digital security issues that arise out of human rights concerns, and then […] try to mitigate the problem.”

The following review details some of the Citizen Lab’s major findings over the course of the past year, and explains how these findings relate to, and shed light on, issues concerning cyberspace.

ELHAM NUMAN/THE VARSITY

Abuse of Spyware by the UAE

One regime that regularly targets its citizens with spyware is the UAE. The Citizen Lab broke the story of Ahmed Mansoor, an internationally recognized human rights advocate who was targeted by multiple government hacking attempts. One suspicious SMS link that Mansoor received on his iPhone 6 was sent to Citizen Lab researchers to test its source. It was discovered as belonging to a company called NSO Group, an Israel-based cyber warfare company that specializes in a government-exclusive spyware product called Pegasus.

Had Mansoor clicked on the link, it would have activated a ‘zero-day’ exploit and jailbroken his phone, installing spyware without his knowledge. Once installed, it would have logged all his calls and messages, relaying them back to the spyware’s customer.

The value of zero-days is that they give software developers zero days to patch the malware before it becomes active. In other words, it is an unknown vulnerability that has high value when used successfully against dissident voices, which Mansoor clearly represented in the UAE. The Citizen Lab’s response was to report the iOS vulnerability directly to Apple, which patched it immediately with a software update.

ELHAM NUMAN/THE VARSITY

Liu Xiaobo and Chinese censorship

Online censorship is another strategy the Citizen Lab frequently finds to be effectively used in suppressing populations. In July, The New York Times published an article on the death of Liu Xiaobo, a Chinese dissident who won a Nobel prize while in jail for his activist work. Immediately following his death, Citizen Lab research discovered “a ‘significant shift’ in censorship techniques” in China; this included blocking keywords relating to his name in direct messaging applications.

Notably, WeChat, one of the main platforms censored by the Chinese government, did not indicate to users when certain messages were blocked. The Citizen Lab also uncovered that the degree of censorship varied depending on whether a WeChat account was linked to mainland China or outside of the country. China holds a tight rein on its internet companies, penalizing all who fail to censor ‘sensitive’ content.

Censorship is a broad weapon to use against civilians; however, as seen with Mansoor, targeting through spyware like Pegasus is far more effective when attempting to portray the illusion of freedom. NSO Group is an interesting company: alongside Pegasus, it was virtually unknown to the public sphere until Hacking Team, NSO’s competitor, had sensitive information leaked about the companies.

Citizen Lab research identified various themes that NSO operators used to bait its targets into clicking on its exploit links; these included fake news, taunts, and threats.

However, the Citizen Lab’s largest case study of civilian targeting in the last year came not from the UAE or China, but from Mexico.

ELHAM NUMAN/THE VARSITY

NSO and the Targeting of Mexican Civil Society

Mexico, an admitted customer of NSO, has allegedly used its spyware to target vast swaths of civil society. These have included scientists, journalists, politicians, foreign investigators, and non-governmental organizations (NGOs). This blatant assault on freedom of expression allows a corrupt government to act with impunity and must be condemned on democratic grounds.

In Theory, Pegasus, as with all government-exclusive spyware, is meant to aid law enforcement in fighting criminal enterprise and terrorism. However, when Citizen Lab was contacted by Access Now, an organization committed to defending digital rights, they stumbled onto the first of many instances in which civilians were improperly targeted with NSO spyware.

Scientists: In Mexico, an obesity epidemic prompted the government to introduce a “soda tax” to pursue healthier alternatives. The implementation of the tax lead to a decrease in obesity. The fast food industry, displeased with the negative effects on their profit margins, soon began placing political pressure on the Mexican government, with companies such as Coca-Cola begging the President to oppose the tax.

Soon after, supporters of the soda tax began a campaign to promote it. Some of the scientists involved in the campaign started receiving suspicious SMS links aiming to disrupt their campaign. Citizen Lab research determined that they were analogous to the messages Ahmed Mansoor received in the UAE, concluding they were NSO infiltration attempts.

Journalists: Even before the wide availability of spyware, Mexico was considered one of the most dangerous places in the world for journalists to work. Some estimates place half of the acts of intimidation and violence against journalists from government agencies.

One way freedom of the press has been suppressed is through digital surveillance that hinders the ability of journalists to investigate instances of corruption against their own government. Eleven Mexican journalists were targeted with NSO exploit links.

One of the most heavily targeted investigative journalists that the Citizen Lab found in the NSO targeting campaign was Carmen Aristegui, who, alongside her son Emilio, was sent SMS exploit links. The intensive targeting campaign happened to coincide with the investigation of Mexican President Enrique Peña Nieto’s “Casa Blanca” scandal.

The Casa Blanca scandal was a defining moment of Peña Nieto’s tenure, centred upon the purchase of a mansion by his wife that was interpreted as being paid for with taxpayers’ money. The breaking of Aristegui’s story battered the President’s credibility, which led to Aristegui’s employer, Noticias MVS, firing her and her team for publishing the story.

Other journalists were then targeted after they found evidence of government involvement in suspicious events, such as massacres, disappearances, and mysterious murders. Though the Citizen Lab discovered many of the same NSO targeting techniques in Mexico as in the UAE, the tactics used in Mexico were far more extreme.

Mexican governmental deceptions also included fake AMBER alerts and set an alarming precedent by impersonating the United States Embassy, claiming that clicking on a link would help their visa status. The latter was used against Emilio Aristegui, a minor, while he was on US soil to gain information about his mother.

Politicians: In an effort to control the Mexican population, the operators of Pegasus likely broke US law and certainly broke diplomatic norms. Interestingly, Citizen Lab researchers never came across NSO operators targeting Peña Nieto’s party, but they did target high-ranking opposition politicians. The leaders of the National Action Party (PAN), which includes the President of the Mexican Senate, received exploit links while anti-corruption legislation was being discussed by the government.

Foreign Investigators: In 2014, 43 students disappeared while on route to Mexico City in what has since been dubbed the Iguala Mass Disappearance. Due to the relatively nonchalant reaction the Mexican authorities had concerning the incident, a group of foreign, independent experts came in to investigate the details of the case to ensure that the government was not involved.

The investigators were soon targeted with NSO infection attempts after casting doubt about the degree of government involvement in the disappearance. Citizen Lab research believes, through circumstantial evidence, that the Office of the Prosecutor (PGR) was one of the government branches responsible for the infiltration attempts in an effort to control the official narrative.

Non-governmental organizations: The final case that the Citizen Lab investigated regarding targeting Mexican civil society involved Claudio González, the director of Mexicanos Contra la Corrupción y la Impunidad (MCCI). MCCI is an anti-corruption organization whose director was targeted with NSO infection attempts while he was investigating government corruption and advocating for anti-corruption legislation. According to the Citizen Lab, this is the 22nd known target of spyware abuse in Mexico.

The Citizen Lab found that a pattern has emerged in Mexico demonstrating that a new weapon is being used against anti-corruption advocates: targeting via government-exclusive spyware. It appears that those who question official government narratives are liable to be targeted by NSO spyware. As Deibert puts it, “Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?”

Though no direct links of NSO abuse have been attributed to the Mexican government, it is known that government agencies possess the spyware and have the ability to use it. The circumstantial evidence gathered through the help of the Citizen Lab strongly indicates that unless a massive breach in security has occurred, a nation at peace should not allow its own citizens to be harassed in such a manner.

NSO Group, has not ensured that its spyware will not target civilians. Selling to states that have reputations for human rights abuses clearly demonstrates a lack of consideration for freedom and security.

Although the Israel-based group was recently courted by the US company Blackstone Group for a 40 per cent stake in NSO, the failure of the deal is thought to have resulted from an awareness campaign by groups such as Citizen Lab.

Implications

The lessons of the UAE, China, and Mexico clearly demonstrate the potential for abuse when countries without strong accountability measures are given incredibly powerful weapons.

Such weapons bring into question a citizen’s freedom — whether it be of speech, expression, or thought — even in a country that claims to be a liberal democracy. “Freedom of speech is the antithesis to one-party rule,” Deibert writes, “[Authoritarian censorship] underscores why careful evidence-based research is so essential to the progress of human rights.”

Every year, Forbes magazine recognizes 600 individuals under the age of 30 who are changing the world at the forefront of their sector. In the latest installment of the Top 30 Under 30, Claudio Guarnieri, senior research fellow at the University of Toronto, earned a spot in the Enterprise Technology sector.

Aside from his position at the Citizen Lab at U of T, Guarnieri is the creator of open-source malware analysis tools Cuckoo Sandbox, Viper, and malwr.com. This year marks Guarnieri’s second nomination for the award, having been previously nominated in the law and policy sector. Guarnieri told The Varsity that he was surprised to win in the field of enterprise technology, as his work does not relate directly to enterprise. He views the win, however, as recognition from mainstream media for the work of the Citizen Lab and its impact beyond its direct sphere of influence. Guarnieri is a graduate from the University of Milan and is a remote senior research fellow with the Citizen Lab, housed at the Munk School of Global Affairs.

The Citizen Lab uses interdisciplinary research and skills to make international information publicly available, with recent reports focusing on Iraq information controls, China’s Great Cannon, and Vimeo blocks in Indonesia. “I focus on investigating and reporting on targeted digital attacks against activists, dissidents, and journalists around the world. The Citizen Lab is [an] inter-disciplinary laboratory that bridges technical research with political analysis,” said Guarnieri on his work.  “[The Citizen Lab] is a very unique place where people with very diverse backgrounds come together to produce some of the most outstanding and revealing research projects in technical and internet policy communities.” Guarnieri works in this capacity alongside Morgan Marquis-Boire, John Scott Railton, and Bill Marczak to spearhead initiatives that expose information about the commercial spyware market.

Citizen Lab director Ron Deibert said that “Claudio is an extraordinary researcher and a very gifted malware analyst with a strong commitment to human rights. This mix of characteristics is exactly what we aim to attract at the Citizen Lab.” When asked what the future holds for him, Guarnieri said that he intends to “keep fighting the fight, exposing oppression and oppressors, and making it more costly for them to hinder social change through digital means.”

The rigorous selection process for the Top 30 Under 30 begins with open online nominations on both social media and the Forbes website, in which over 15,000 individuals were nominated this year. Of the nominees, 600 earn top spots in the competition’s 20 different categories. Upon making it to the final round, contestants are interviewed by a judging panel comprised of Forbes reporters and experts in various fields, including Ta-Nehisi Coates and Sarah Jessica Parker, who make the final decision.

Spanning a series of glass-doored rooms in the spire of the Munk School of Global Affairs’ location at the former Dominion Meteorological Building, Ron Deibert’s Citizen Lab bears a tongue-in-cheek resemblance to images of Jeremy Bentham’s Panopticon. The irony is not lost on Deibert; as he is quick to remind us that the building is at least architecturally, if not practically, an observatory.

As the culture wars rage against a backdrop of classified information leaks — brought to light courtesy of the Internet and insiders-turned-whistle-blowers — the work done by Deibert and his lab ranks among the most important currently conducted at the University of Toronto.

The hothouse

The Citizen Lab, according to its website, is a “‘hothouse’ that combines political  science, sociology, computer science, engineering, and graphic design.” This Swiss Army knife of a research group has tasked itself with the tall order of monitoring, analyzing, and ultimately, affecting how political power is exercised in cyber-space.  The nature of the lab’s work is multifaceted and draws from a variety of resources. Their goal is to redefine “interdisciplinary” research, which as far as Deibert is concerned, is largely misappropriated as an educational buzzword. “I see what we’re doing as ‘field building’” Deibert suggests. “There is a problem, in my opinion, with the way that universities are structured around disciplinary silos, and you often hear a lot about interdisciplinary research, but usually that means little more than there is an office with a sociologist next to a computer scientist. But here, there is truly interdisciplinary research going on; the way we approach the topics, the methods we employ, it’s all a mixture, it’s like alchemy,” he says.

Risky business

This kind of work does not come without risk; we need look no further than Edward Snowden’s forced relocation to Moscow, or the subsequent maltreatment of the journalists who abetted him, to see that. Deibert perceives the risks of the Citizen Lab’s work fitting into two categories; the first of which is what Deibert terms the “obvious physical risks that we face that have to do with the fact that we are pulling back thick drapes around agencies who would rather stay behind those curtains.”  These investigations, says Deibert, are a particularly “dangerous thing when you’re dealing with some nasty countries.”

The second category is legal liability. On that note, Deibert’s primary concern is focused on the companies that are the subject of the lab’s research. He sees Canada as being a particularly “plaintive friendly environment” for defamation and libel suits, which only reinforces the importance of making sure the work is as “rigorous, transparent, and peer reviewed as possible.” 

That looming threat of litigation was realized in the aftermath of the lab’s report on the breach of an Italian company called Hacking Team.

Hacking Team first drew the Citizen Lab’s interest as a developer of “offensive security” technologies. Earlier this year, hackers breached the firm’s protective measures and released a trove of documents that confirmed suspicions about how the firm produced software and sold it “to several governments with repressive human rights records, such as Ethiopia.” This software was being used to spy on journalists in, “Sudan, Saudi Arabia, Kazakhstan, and more,” Deibert explains. “All of [Hacking Team’s] corporate data was put on the public domain after the breach, and in the correspondences of the company executives they actually contracted a company to silence us through litigation. They actually say, ‘how do we shut the Citizen Lab down?’” 

Security

Much of the reporting the Citizen Lab does is on “nasty countries,” at least insofar as freedom of information is considered. Some of the most recent reports — “almost all of [which]” are available on the lab’s website — bear titles such as “Iraq Information Controls Update: Analyzing Internet Filtering and Mobile Apps,” “China’s Great Cannon,” and “The Blocking of Vimeo in Indonesia.”

Deibert states that the Citizen Lab takes the safety of their researchers, many of whom are working abroad and in conflict areas, very seriously. “We have a whole protocol that we think through very carefully that deals with security in risky environments,” he says. In order to manage that risk, the lab contracts the services of Morgan Marquis-Boire, one of their fellows.

Marquis-Boire, a former Google security researcher, hacker, and journalist, is the director of security at First Look Media and publisher of The Intercept, the post-Snowden online home of journalists Glenn Greenwald and Laura Poitras. Marquis-Boire’s added value is significant, considering that he was the one who “actually came up with the protocol of how to actually secure the [Snowden documents].”

It is no surprise that Marquis-Boire found a place for himself at the Citizen Lab, or that he and Deibert became acquainted; after all, Deibert is a member of a very exclusive club with access to the complete Canadian archive of the Snowden leaks. Regarding the responsibility that accompanies that access, Deibert distinguishes between two considerations, although he is quick to qualify that they “aren’t ranked.”  He adds, “so you’re thinking of the public interest, first and foremost, so, what in here is critical for the public to know and needs to be in the public domain?” Deibert continues, “then, secondly… is there information in here, that if it were published, would put somebody’s life at risk, or do harm?”  Upon further consideration, he concludes that “around protection of the source, Edward Snowden put out certain obligations to the journalists and that extends to the people who consult on it, how to treat the material and report on it.” 

Education

Among the chief concerns of those who study the Internet is the relative lag in consumer awareness. Deibert points out that, “for most people, the beginning and end of their experience is their screen in front of them, when in fact it is just the tip of the iceberg, and really the interesting stuff, especially from a perspective of how power is exercised and how freedom and liberty are protected, happens beneath the surface in the kind of bowels of it all. There is a subterranean realm to the machine.” For those as involved and as knowledgeable as Deibert and his peers, opportunities to edify the public are everywhere. Aside from the mundane drudgery of digging up information on everything from South Korean mobile applications to wearable technology, Deibert sees the education of a train of undergraduates, post-doctoral fellows, and other researchers, as being “critical” to the work.

Interestingly, Deibert and his peers sometimes find themselves at odds with the institution that houses and facilitates them. He famously refuses to use Blackboard in his teaching, favouring an embedded forum on the Citizen Lab’s website, a choice that follows a personal aversion to proprietary software. “I try to avoid it,” he says.

Those criticisms extend to the sharing of private data, whether it belongs to students or faculty, in a variety of other veins. “I think it would be good for the University of Toronto to issue a transparency report. Only one other university in the world has done that. How often does law enforcement come here and ask for data on faculty or students?” Deibert seems conflicted about whether people should generally be optimistic about the Internet, or if a healthier cynicism than we currently exhibit is warranted. He explains: “the way I look at this machine is that we’ve created, this wonderful thing that can be terrific for lots of goals we have, you know, throughout history, goals that we’ve had as a species, this wonderful mechanism of information storage and exchange, but we haven’t thought through all the downsides to it and the unintended consequences to it are getting more and more serious, on multiple levels.” What really worries him is the observation that “most people in my conversations are completely oblivious to it and don’t really care.” When asked if he had anything in particular that he wanted to share, Deibert offered the following tidbit: “Trust no one.”