On February 18, Jonathan Scott published a report that he says disproves years of research by Amnesty International and Citizen Lab into use of sophisticated spyware in and/or by Morocco to target activists, journalists, politicians, and others. A week later, Scott spoke at an in-person hearing in Morocco organized by the country’s National Control Commission for the Protection of Personal Data (CNDP).
Amnesty International said its Morocco branch was “invited at short notice” and has “put CNDP in contact with technical experts at Amnesty’s Security Lab for any follow up.” Citizen Lab said it was not invited at all, nor have Moroccan authorities reached out regarding its research on cases of Pegasus spyware in the country. The lawyers who appeared with Scott, Tor Ekeland and Michael Hassard, did not respond to a request for comment.
Here’s a fact check of some of the claims Scott makes in his report.
What Scott wrote
“In 2012, The Citizen Lab wrote a report titled, Backdoors are Forever Hacking Team and the Targeting of Dissent?, and definitively stated the Moroccan government used Hacking Team's RCS surveillance technology to target the journalism project Mamfakinch.”
This is false. The 2012 report by Morgan Marquis-Boire for Citizen Lab states that a phishing message was sent to Mamfakinch “from Moroccan IP space,” but it does not attribute this attack to the Moroccan government. On March 3, Scott published a “supplementary source” that he did not include in his first report. Here, Scott links to a 2016 post by Marquis-Boire for Amnesty International in his role as acting Advisor on Amnesty’s Technology and Human Rights Council. It’s in this 2016 post that Marquis-Boire attributes the 2012 attack on Mamfakinch to Morocco.
What Scott wrote
“According to The Citizen Lab’s report, they claimed to have acquired a leaked PDF document detailing Hacking Team’s ability, but this assertion was completely fabricated.”
This is false. The 2012 report states Hacking Team’s system “is described in a leaked copy of their promotional literature” and quotes a document provided by WikiLeaks.
What Scott wrote
“For Citizen Lab, the irrefutable evidence confirming the Moroccan government had attacked Mamfakinch was a single IP address.”
This is false. Marquis-Boire disclosed the attack on Mamfakinch in a 2012 report for Citizen Lab, but only attributed this to the Moroccan government in a 2016 post for Amnesty International. The 2016 post does not provide any additional information about the attribution. Unless Scott has more information about how Marquis-Boire reached his conclusion, he’s basing this claim on the assumption that there is no more evidence.
What Scott wrote
“Hacking Team said that the they [sic] had always operated within the law, but ultimately the leak led to a significant loss of business, and the company shut down in 2016.”
This is false. Hacking Team was acquired by another firm and renamed Memento Labs in 2019. A year later, Motherboard reported on a LinkedIn post published by the former Hacking Team CEO saying the surveillance firm is “definitely dead.”
What Scott wrote
“Ryan Gallagher writes another article about the alleged Moroccan government hacking, and also the alleged the [sic] Ahmed Mansoor hacking by the UAE.”
This is false. Gallagher’s article describes how Mamfakinch in Morocco and Ahmed Mansoor in the United Arab Emirates were victims of Hacking Team’s spyware, but does not attribute either of the attacks.
What Scott wrote
“Morgan Marquis-Boire stumbled upon an outdated demoserver that was once used by Hacking Team to demonstrate its software capabilities…Additionally, the software was configured during a demo and trial period in a way that would prevent it from being used in the field, limiting it solely to internal use,which means it would not be possible for anyone from the Moroccan government to have even attempted to attack Mamfakinch.”
This is false. In the 2012 report, Marquis-Boire states that the malicious Word document used to target Ahmed Mansoor is “very structurally similar” to a file available on a malware analysis site. It’s this file, not the Word document, that contains references to a Hacking Team demo. In other words, the 2012 report mentions both a Hacking Team demo and a live installation.
What Scott wrote
“Citizen Lab accused Morocco of deploying GammaGroup’s FinFisher surveillance tools, despite being aware of Wikileaks' disclosures and acknowledging that there was no evidence linking Morocco to Gamma Group and their FinFisher technology.”
This is false. The 2015 report from Citizen Lab shares new information about the deployment of FinFisher, including in Morocco. The report says servers were found in countries where neither Citizen Lab’s “previous research nor documents disclosed by Wikileaks had previously found evidence of a FinFisher deployment.”
What Scott wrote
“Amnesty Tech created a forensics methodology and a software program called MVT-Tool. However, the details of the software's logic and reasoning have not been publicly disclosed.”
This is false. Amnesty International published its forensic methodology in July 2021. The same post links to the free and open-source Mobile Verification Toolkit (MVT).
What Scott wrote
“Morocco has repeatedly demanded that Amnesty provide substantiated evidence of its allegations related to Pegasus, yet these demands have gone unmet.”
This is false. This July 2020 letter from Amnesty International to the government of Morocco regarding its reporting on use of spyware in the country is just one example of communications between the two parties.
What Scott wrote
“Amnesty quietly removed the process [com.apple.softwareupdateservicesd.plist] from their Pegasus indicator list.”
This is false. Any changes to the Mobile Verification Toolkit, including the list of indicators, can be reviewed by the public. Scott includes a screenshot of this in his report.
What Scott wrote
“This issue is particularly significant, as it impacted the investigations into the alleged cases of Pegasus infection for both Omar Radi and Claude Mangin.”
This is exaggerated. Amnesty International provides plenty of details about additional traces relating to the targeting of Omar Radi and Claude Mangin. Scott’s claims that this one indicator is “significant” and “impacted the investigations” are exaggerated.
What Scott wrote
“The allegations of malicious software installed on the mobile devices of political opponents have been shown to be nothing more than normal iPhone processes that exist in every device.”
This is exaggerated. Amnesty International and Citizen Lab both provide details about traces that they say point to NSO’s Pegasus spyware, traces that are more than just “normal iPhone processes.” In 2021, French intelligence confirmed that Pegasus spyware had been found on the phones of three journalists. Amnesty International attributed those attacks to Morocco.
Thank you very much for this fact-check list.
The victims of Pegasus spying in Morocco deserve better than this half-ass smear campaign by a con artist.