Fact Check: Gregorio Martin's presentation to the European Parliament
In March 2022, the European Parliament set up the PEGA Committee to investigate the use of Pegasus and other spyware by and/or in member states. In November, eight months after the publication of Citizen Lab’s CatalanGate report, the Committee held its first hearing on Spain. One of the individuals presenting was Gregorio Martin, the retired computer science professor who peer-reviewed Jonathan Scott’s report on CatalanGate. Scott’s report was fact-checked here.
Martin, along with José Javier Olivas-Osuna, has repeatedly criticized Citizen Lab for its work on the CatalanGate report and suggested that the University of Toronto launch an independent investigation. Olivas-Osuna recently presented his own review of CatalanGate to the European Parliament. Olivas-Osuna’s review, which references Martin and Scott’s work, was fact-checked here.
On Friday, the PEGA Committee announced that it will be in Madrid next week. To date, no Spanish government agency has reached out to Citizen Lab about its CatalanGate report. Members of the Committee have expressed frustration over the lack of cooperation from Spain and a few other countries.
Here’s a fact check of some of the claims Martin makes in his presentation. Martin presented in Spanish with slides in English. The quotes below are from the English voice translation.
What Martin said:
“Citizen Lab and Amnesty recognize that they are not able to carry out forensic analysis on Android phones, so they can only do this on Apple phones with iOS.”
This is false. Citizen Lab said Android “is more difficult to forensically analyse,” while Amnesty said there are “more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices.” Neither group has said they’re unable to analyze Android phones.
What Martin said:
“WhatsApp filed a lawsuit in the American courts…they referred not to CVE-2019-3568 but to CVE-2016-46578.”
This is false. The complaint mentions CVE-2019-3568 on page 10.
What Martin said:
“The same day that this came out, Citizen Lab offered to collaborate with WhatsApp on 3568.”
This is false. WhatsApp said Citizen Lab “volunteered to help us to learn more about the impact of this attack on civil society, including journalists and human rights defenders.”
What Martin said:
“Then the news came out that the President of the Parliament [of Catalonia] could have been hacked. The publication stipulated that WhatsApp had confirmed this hacking.”
This is confusing and likely lost in translation. The Guardian first reported that the President’s phone had been “targeted,” something WhatsApp later confirmed. The CatalanGate report only refers to the “targeting” of the President Roger Torrent, it does not say the device was infected.
What Martin said:
“The seven domains did not exist when CatalanGate was closed.”
This is misleading. Martin is repeating Scott’s argument that Amnesty could not have validated Citizen Lab’s research because the domain names were parked or expired. Amnesty’s MVT tool looks for domain names associated with the Pegasus spyware, but “requires understanding the basics of forensic analysis” to determine whether a device has been targeted or infected. MVT simplifies parts of the analysis process and is just one component of Amnesty’s methodology.
What Martin said:
“I am not calling the ideas aired by [Citizen Lab] into question, of course not, I wouldn’t.”
This is false. Martin has published a handful of articles about Citizen Lab and the CatalanGate report, including one titled “The University of Toronto, on the brink of defamation” in which he refers to “American Wokism, the movement that seeks to interfere in our lives” and Citizen Lab “drawing blood.”
What Martin said:
“We’re talking 50,000 infected phones between 2016 and 2021… at the end of the day, when we’re looking at the Pegasus report that we’re dealing with now, they recognize that they’d reached 67 phones and they identified traces in 37.”
This is false. The 50,000 number refers to a list of phone numbers leaked to Forbidden Stories that NSO Group’s customers allegedly selected for surveillance with Pegasus. The CatalanGate report lists 65 individuals targeted by or infected with spyware. Citizen Lab confirmed a Pegasus infection in 51 of those cases: 37 have dates associated with them, 14 do not.
What Martin said:
“What I think is that the Spanish government could have reached this conclusion by using the MVT methodology that was used for CatalanGate.”
This is false. The CatalanGate report does not mention the MVT tool.