Fact Check: José Javier Olivas-Osuna's review of Citizen Lab's CatalanGate report
In March 2022, the European Parliament set up the PEGA Committee to investigate the use of Pegasus and other spyware by and/or in member states. A month later, Citizen Lab published its CatalanGate report stating “at least 65 individuals” in Spain had been “targeted or infected” with spyware. Citizen Lab did not “conclusively” attribute these attacks “to a specific entity,” but said “strong circumstantial evidence” suggests a connection to Spanish authorities. To date, no Spanish government agency has reached out to Citizen Lab about this report.
Last week, MEP Jordi Cañas hosted José Javier Olivas-Osuna, a political scientist from Spain’s Universidad Nacional de Educación a Distancia, for a presentation on his review of Citizen Lab’s CatalanGate report. Cañas, who’s also a member of the PEGA Committee, commissioned the report last year after the committee invited Olivas-Osuna to testify, then rescinded the invitation after victims, academics, and surveillance experts warned that his testimony “would impede the committee’s goal of fact-finding and accountability.” (Disclosure: I’m listed as a signatory.)
Olivas-Osuna has repeatedly criticized Citizen Lab for its work on the CatalanGate report and requested that the University of Toronto launch an independent investigation. The 233-page review, based on almost 600 tweets, repeats much of the same criticism. It also asks numerous open-ended questions about the origin and timing of Citizen Lab’s investigation, political bias, connections to Russia and blockchain technology, and whether the victims were really victims.
The PEGA Committee works to understand whether countries are “using intrusive surveillance” to violate the rights and freedoms enshrined in EU law. It’s odd then that Olivas-Osuna’s review, commissioned by a member of the Committee, says “it is beyond the scope…to assess whether Spain spied–legally or illegally…or if Pegasus was the spyware of choice.” Olivas-Osuna declined to comment for this article. Cañas did not respond to my emails.
Here’s a fact check of some of the claims Olivas-Osuna makes in his report.
What Olivas-Osuna wrote:
“Apple announces that it is suing NSO and commits to a $10 million reward for Citizen Lab, Amnesty International and other organisations for collecting evidence for the NSO lawsuit.”
This is false. When Apple announced the lawsuit against NSO Group in November 2021, the company said it “will be contributing $10 million, as well as any damages from the lawsuit, to organizations pursuing cybersurveillance research and advocacy.” In May last year, Citizen Lab told MEPs that it “has never been commissioned to find evidence for a lawsuit by any parties to any litigation, including Apple.”
What Olivas-Osuna wrote:
“However, there is no clear explanation as to why only four samples (Mr Jordi Sànchez, Ms Sonia Urpí, Ms Elisenda Paluzie and Ms Meritxell Bonet) were submitted for external validation.”
This is false. In a letter addressed to Cañas and other members of the European Parliament, Citizen Lab said the “cases were selected to include multiple types of indicators (SMS infection attempts, infections), and accommodate Amnesty Tech’s research mandate, which focuses on civil society cases.”
What Olivas-Osuna wrote:
“There are 27 presumed victims of attacks for whom Citizen Lab was unable to determine any date (or time interval) of infection.”
This is false. Appendix A lists 65 individuals targeted by or infected with spyware. 51 of 65 were “forensically confirmed” to be infected with Pegasus. Citizen Lab lists infection dates for 37 of 51 cases, and says it was “unable to determine” specific dates for the remaining 14.
What Olivas-Osuna wrote:
“The information provided by Citizen Lab does not allow readers to know how many of these victims had their phones forensically analysed, or what the results were.”
This is false. Appendix A provides this information for all 65 cases.
What Olivas-Osuna wrote:
“In this case, it is apparent that only telephones of independentist politicians and activists were submitted to analysis.”
This is false. Appendix A includes lawyers, journalists, businessmen, a businesswoman, and members of the European Parliament.
What Olivas-Osuna wrote:
“Citizen Lab only considers the hypothesis of illegal espionage by the Spanish government and security forces.”
This is false. Citizen Lab’s report identifies individuals targeted by or infected with spyware, but does not discuss whether the espionage was legal or illegal.
What Olivas-Osuna wrote:
“The decision of Citizen Lab not to physically analyse in their Lab any of the CatalanGate victims is not justified in their report.”
This is false. The report does not say how the devices were analyzed. As such, it’s incorrect to say that Citizen Lab chose “not to physically analyze” any of them.
What Olivas-Osuna wrote:
“The lack of transparency…is also illustrated by the modifications that Citizen Lab introduced in the report after publication.”
This is false. The report clearly indicates when, where and how modifications were made. The top of the report also links to a statement about correcting a case.
What Olivas-Osuna wrote:
“Errors in IOCs were detected in the samples that Citizen Lab sent to [Amnesty Tech] for validation, which also confirms that Citizen Lab methods are ffar [sic] from infallible.”
This is false. Olivas-Osuna points to a report written by Jonathan Scott, but that report does not say what he’s claiming here.
What Olivas-Osuna wrote:
“As part of a similar investigation in India regarding a request from the Supreme Court, an independent Technical Committee examined 29 phones that, according to Citizen Lab, were attacked with Pegasus spyware.”
This is false. The Supreme Court formed a committee to investigate the use of Pegasus and other spyware following the Pegasus Project revelations in July 2021. Citizen Lab was not part of the Pegasus Project. As for the 29 phones, it appears those were phones voluntarily provided to authorities for forensic analysis. It’s not clear who, if anyone, claimed those 29 phones were “attacked with Pegasus spyware,” as Olivas-Osuna states here.
What Olivas-Osuna wrote:
“Mr Torrent alludes in his book Pegasus L’estat ens espia that on 21 July 2020 he was told that: ‘Scott-Railton and Campo are working on the final report of the case in conjunction with an American communications company.’”
This is false. In a letter addressed to Cañas and other members of the European Parliament, Citizen Lab said that “no research report regarding the use of Pegasus spyware in Spain was written by the Citizen Lab in 2020. The [CatalanGate] report was written in 2022. Citizen Lab did not collaborate with an ‘American communication agency’ in writing the report.”
What Olivas-Osuna wrote:
“Mr Campo may have examined some of them physically but he was not part of Citizen Lab until January 2022.”
This is false. In a letter addressed to Cañas and other members of the European Parliament, Citizen Lab said that Campo provided “outreach assistance for the Citizen Lab between 2020 and 2022.”
What Olivas-Osuna wrote:
“Citizen Lab has not explained when or how they discovered that Mr Campo’s phone had been attacked by spyware.”
This is false. The report says the “continuing investigation into Candiru in connection with Catalonia revealed at least three other individuals were targeted with Candiru spyware via email messages,” including Campo. Citizen Lab also found that Dr. Elias Campo, the father of Elies Campo, was infected with Pegasus. The report states that “targeting friends, family members, and close associates is a common practice for some hacking operations.”
What Olivas-Osuna wrote:
“According to several testimonies, pro-independence political parties and organizations were directly involved in conducting technical analyses on the phones of the presumed victims that appear in the CatalanGate report.”
This is false. In a letter addressed to Cañas and other members of the European Parliament, Citizen Lab said that “no Catalan political party or secessionist organization was involved in writing the report or in the technical analysis conducted by the Citizen Lab for this report.”