“Digital targeting has a serious impact on the well-being of victims, undermines their ability to engage in transnational advocacy work, violates fundamental rights such as the right to privacy, freedom of expression, and peaceful assembly, and increases the dangers faced by their family members and friends who remain within the country of origin,” the report concluded.
The countries the Citizen Lab identified as some of the more common perpetrators of digital transnational repression include Yemen as well as Afghanistan, China, Iran, Rwanda, and Syria. Zero-click software hacks, which allow an attacker to break into a phone or computer even if its user doesn’t open a malicious link or attachment, are especially concerning, says Noura Al-Jizawi, a research officer at the Citizen Lab and coauthor of the report. That’s because “they can evade digital hygiene practices,” she says.
In 2021, hackers used such code to infiltrate and install spyware on the cell phone of Saudi women’s rights activist Loujain al-Hathloul, who was then living in British Columbia. In that case, the perpetrators mistakenly left an image file on her phone that allowed researchers to pin down the source of the code. The digital blueprint led to NSO Group, an Israeli technology firm that has made headlines for selling spyware to authoritarian nation-states.
Some forms of digital repression are meant to embarrass and doxx. One unnamed interviewee in the Citizen Lab report, who moved from China to Canada, found out that fabricated nude photos of her were being circulated among attendees of a conference she intended to visit. Her personal information was also posted in online ads soliciting sex services.
Victims of this type of harassment experienced distress, anxiety, and fear for their family’s safety, the report notes. “There’s also a bit of a sense of resignation among those who continued activism, like a realization that this type of targeting would continue,” says coauthor Siena Anstis, senior legal advisor at the Citizen Lab.
Many activists have become paranoid about the messages they receive. Kaveh Shahrooz, an Iraqi lawyer living in Canada who lobbies on behalf of dissidents, gives each email special scrutiny. Shahrooz says he once received a message from a supposed organizer of a human rights conference in Germany inviting him to speak and asking him to fill in personal information via a provided link. He researched more about the conference and found out he wasn’t invited, professional-sounding though the personalized email had been.
“That is one end of the spectrum,” Shahrooz says, “where you might get fooled into clicking a link. But then the other end is getting threatening messages about my activist work—things like ‘We know what you’re doing and we’ll deal with you later.’”
There is little legal recourse. Several victims of spyware attacks in the UK have brought (or are bringing) civil claims against state operators and NSO Group, Anstis says. She adds that such cases can be expected to be challenged, because they generally focus on claims against companies outside the purview of the host country.