Fact Check: Jonathan Scott's review of Citizen Lab's CatalanGate report
In April 2022, Citizen Lab reported that “at least 65 individuals” in Spain had been “targeted or infected” with spyware. Citizen Lab did not “conclusively” attribute these attacks “to a specific entity,” but said “strong circumstantial evidence” suggests a connection to Spanish authorities. Three months later, Jonathan Scott published a report, peer-reviewed by Dr. Gregorio Martin, that he says disproves the work done by Citizen Lab. To date, no Spanish government agency has reached out to Citizen Lab about its CatalanGate report. Martin’s presentation to the European Parliament was fact-checked here.
Here’s a fact check of some of the claims Scott makes in his report.
What Scott wrote:
“Q3 of 2021, I was the #1 Security Researcher in The United States, and #4 globally [on HackerOne].”
This is misleading. Scott was permanently banned from both HackerOne and Bugcrowd in September 2021, before the end of Q3 that year. In the note that Scott himself shared on Twitter, Bugcrowd said he had “intentionally leaked PII and other sensitive data publicly.”
What Scott wrote:
“Citizen Lab’s report on the hacking of human rights defender Ahmed Mansoor, concludes that they have been researching, and ‘confirming spyware infections’ since 2011.”
This is false. The 2016 report on the targeting of Ahmed Mansoor using NSO’s Pegasus does not contain the quote that Scott uses here. Citizen Lab has researched digital threats for a very long time, though.
What Scott wrote:
“The entirety of the CatalanGate report is based on events that occurred April-May, 2019.”
This is false. The report states that “Citizen Lab assisted WhatsApp in notifying civil society victims” and then “undertook a large-scale investigation into Pegasus hacking in Spain.” In a letter to members of the European Parliament, Citizen Lab said its investigation “began in fall 2019 and continued until the time of publication.”
What Scott wrote:
“Citizen Lab in the same article then confirms Roger Torrent’s phone to be ‘successfully infected’ in a memo to the former parliament president.”
This is false. Here’s the quote from the Guardian: “Citizen Lab said in a memo to Torrent that this suspicious activity suggested his phone had been successfully infected.”
What Scott wrote:
“The successful infection confirmation is based on Torrent’s claims of ‘suspicious behavior’ he noticed on his mobile device.”
This is false. According to the Guardian, the memo from Citizen Lab to Torrent said this activity “suggested” his phone had been infected.
What Scott wrote:
“The lawsuit that WhatsApp filed against the NSO Group for their alleged hacking of mobile devices in 2019 made headlines around the world, but the civil complaint does not reference the WhatsApp CVE-2019-3568 vulnerability at all.”
This is false. The complaint mentions CVE-2019-3568 on page 10.
What Scott wrote:
“The lawsuit references CVE-2016-46578, as one of the exploits used to hack into 1,400 mobile devices.”
This is false. The complaint mentions CVE-2016-46578 on page 5 when providing background on NSO Group and its Pegasus spyware, not as one of the exploits used in the WhatsApp attack. In other words, this CVE is cited as yet another vulnerability exploited by NSO Group.
What Scott wrote:
“JSR’s previous confidence in saying that there was no reason to believe Roger Torrent’s phone was not hacked, and then confirming the successful infection is met with caution by the WhatsApp team.”
This is false. According to the Guardian, the memo from Citizen Lab to Torrent said this activity “suggested” his phone had been infected. Appendix A of the CatalanGate report refers only to the “targeting” of Torrent; it does not say his device was infected.
What Scott wrote:
“July, 13th 2020 in an interview with The Guardian; news came forth stating that The Citizen Lab had already alerted pro-independence activists Jordi Domingo, and Anna Gabriel in early 2019 saying “it seemed clear the Spanish state [was behind the attacks.]”
This is false. Here’s the quote from the Guardian: “Torrent, who was warned about the targeting by researchers working with WhatsApp, said it seemed clear the “Spanish state” was behind the alleged attack on his phone.”
What Scott wrote:
“JSR’s nonchalant admission of The Citizen Lab exploiting servers by performing DNS cache poisoning attacks shows that CL is not concerned with ethics or integrity.”
This is false. The presentation at the 2018 VB Conference talked about DNS Cache Probing, not DNS cache poisoning. These are two different things.
What Scott wrote:
“Deibert states in his responses to the European Parliament that all field work Campo conducted remotely were under his supervision.”
This is false. The letter to members of the European Parliament does not mention “remotely” at all. Deibert says “all research work is conducted under my supervision and authority along with that of my co-investigator, Mr. Scott-Railton.”
What Scott wrote:
“How Elies Campo came to be involved in the identification of potential cases of hacked Catalonians before ever being employed by The Citizen Lab, is unknown.”
This is false. The letter to members of the European Parliament says Campo “first contacted the Citizen Lab in 2020,” then “worked with [Deibert] and [his] co-investigator, Mr. Scott-Railton, to provide outreach assistance for the Citizen Lab between 2020 and 2022.”
What Scott wrote:
“[Claudio Guarnieri and Etienne Maynier] both were research fellows with The Citizen Lab, and employed by Amnesty International during the time of the CatalanGate investigations.”
This is false. Guarnieri was a fellow at Citizen Lab around 2015 and 2016, and joined Amnesty International in 2017. In a letter to members of the European Parliament, Citizen Lab said that “Maynier’s fellowship at Citizen Lab ended in April 2021.”
What Scott wrote:
“In 2021 Amnesty released a publication endorsing The Citizen Lab, and provided information stating that they share the same methods and tools to identify Pegasus spyware indicators of compromise.”
This is false. The report from Amnesty International acknowledged “Citizen Lab for its important and extensive research on NSO Group,” but does not say what Scott claims here.
What Scott wrote:
“The primary tool used by both Citizen Lab and Amnesty International is called the MVT-Tool.”
This is false. Amnesty International said that the MVT tool “simplifies the process” of identifying “potential traces of compromise.” Citizen Lab does not refer to MVT as a “primary tool” in any of its reports.
What Scott wrote:
“Developed jointly by Citizen Lab and Amnesty international, the MVT-Tool or Mobile Verification Toolkit is an open-source program that is available for anyone to download and use.”
This is false. Amnesty International created the MVT tool.
What Scott wrote:
“For example, if any of the keywords that are on the IOC lists are found on your device, you are determined by their software to be infected with a specific brand of spyware.”
This is false. The MVT tool will look for indicators of compromise, but will not definitively say whether your device has been infected. Amnesty International clearly states that using the tool “requires understanding the basics of forensic analysis and using command-line tools,” and that “MVT is not intended for end-user self-assessment.”
What Scott wrote:
“At the time the CatalanGate report was published, 123tramites[.]com had been expired for 6 months, yet Citizen Lab with the help of Amnesty International, Etienne Maynier and Claudio Guarnieri published 123tramites[.]com as an active indicator of compromise that is blacklisted around the world.”
This is misleading. A domain name can be an indicator of compromise one year, and have a new owner and a non-malicious purpose two years later; an indicator is tied to the period in which the infrastructure was observed in use. This is why Amnesty International says that using the MVT tool, which relies on indicators of compromise, “requires understanding the basics of forensic analysis.”
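The two points above (that an indicator hit is not the same as an infection verdict, and that a domain indicator is only meaningful for the period in which it was in use) come down to the same defensive practice: match indicators against a device timeline and flag hits that fall outside the indicator's known active window for analyst review. The following Python is an added example illustrating that practice; it is not MVT's code and not part of the original page. The indicator domain, its first-seen and last-seen dates, and the DNS lookup events are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DomainIndicator:
    """A domain indicator of compromise with the window in which it was observed active."""
    domain: str
    first_seen: datetime
    last_seen: Optional[datetime]  # None means no end of activity has been recorded


@dataclass(frozen=True)
class DnsEvent:
    """A DNS lookup recovered from a device timeline (constructed sample data below)."""
    timestamp: datetime
    domain: str


@dataclass(frozen=True)
class Finding:
    event: DnsEvent
    indicator: DomainIndicator
    in_window: bool  # False = hit on a possibly stale indicator, needs analyst review


def normalize(domain: str) -> str:
    # Indicator feeds commonly "defang" domains as example[.]com; refang and canonicalise.
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def matches(host: str, indicator_domain: str) -> bool:
    # Exact match or a subdomain of the indicator domain.
    return host == indicator_domain or host.endswith("." + indicator_domain)


def match_events(events: List[DnsEvent], indicators: List[DomainIndicator]) -> List[Finding]:
    """Return one Finding per event that hits an indicator, annotated with window status."""
    findings: List[Finding] = []
    for ev in events:
        host = normalize(ev.domain)
        for ind in indicators:
            if not matches(host, normalize(ind.domain)):
                continue
            started = ind.first_seen <= ev.timestamp
            not_ended = ind.last_seen is None or ev.timestamp <= ind.last_seen
            findings.append(Finding(ev, ind, started and not_ended))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count in-window hits separately from hits on indicators outside their active window."""
    return {
        "in_window": sum(1 for f in findings if f.in_window),
        "stale": sum(1 for f in findings if not f.in_window),
    }


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed indicator: a hypothetical domain seen in use from April 2019 to October 2021.
INDICATORS = [DomainIndicator("ioc-example[.]test", utc(2019, 4, 1), utc(2021, 10, 1))]

# Constructed device timeline: one lookup inside the window, one after it, one unrelated.
EVENTS = [
    DnsEvent(utc(2019, 5, 10), "ioc-example.test"),
    DnsEvent(utc(2022, 4, 20), "cdn.ioc-example.test"),
    DnsEvent(utc(2022, 4, 20), "benign-site.test"),
]


def run_example() -> Dict[str, int]:
    findings = match_events(EVENTS, INDICATORS)
    for f in findings:
        status = "hit within indicator window" if f.in_window else "hit outside window: review before concluding"
        print(f"{f.event.timestamp.date()} {f.event.domain}: {status}")
    return summarize(findings)


if __name__ == "__main__":
    print(run_example())
```

The output separates a hit dated inside the indicator's active window from one dated after it; neither line claims the device is infected, which is the distinction the rebuttals above draw between "indicator found" and "infection confirmed".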
What Scott wrote:
“The Hooking Candiru report attributes the Saudi government to the Candiru infection, and now Citizen Lab is wildly attributing the infection to the Spanish Government.”
This is false. The Hooking Candiru report does not attribute Matamala’s infection.
What Scott wrote:
“Over 55% of the alleged target or infected Catalonians do not have dates of compromise associated with them.”
This is false. Appendix A lists 65 individuals targeted by or infected with spyware. Of those, 37 have dates, and 14 have no date or are marked as cases where Citizen Lab was “unable to determine” specific dates.