A member of the House of Lords is among more than 400 people whose UK mobile phone numbers appear in a leaked list of numbers identified by NSO Group’s client governments between 2017 and 2019, the Guardian can reveal.
The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone.
Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client.
The phones of Sheikh Mohammed’s daughter Princess Latifa, who launched a failed bid to escape Dubai in 2018, and his ex-wife Princess Haya, who fled the country and came to the UK in 2019, both appear in the data.
So too do the phones of several associates of both women – including, in the case of Haya, mostly UK-based numbers.
In multiple statements, NSO said that the fact that a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO group in any way.”
But the Guardian and other media partners that had access to the data as part of the Pegasus project, a media consortium, believe the list indicates persons of interest selected by government clients of NSO. It includes people across the world whose phones showed traces of NSO’s spyware, Pegasus, according to forensic analysis of their devices.
Those with UK numbers appearing on the list include:
Lady Uddin, an independent member of the House of Lords, whose number appeared on the data in both 2017 and 2018. She said if there was spying on members of parliament it would amount to “a great breach of trust” which “contravenes our sovereignty”.
A lawyer working for a London law firm advising Princess Haya. Haya is embroiled in a bitter custody battle with Sheikh Mohammed in the family division of the high court of justice.
John Gosden, a leading horse trainer based in Newmarket, who is also friend of Princess Haya, herself an international equestrian rider. Numbers for other people working for Haya’s security and PR team also appear in the data.
John Chipman, the chief executive of the defence thinktank the International Institute for Strategic Studies, which runs an annual conference in Bahrain, one of the UAE’s allies.
Matthew Hedges, a Briton detained in the UAE for seven months in 2018, whose number first appears in the data while he was in the UK, before embarking on his trip. “I want to know what the British government is doing about it,” he said.
Other high-profile UK names who appear on the list have already been named, such as Roula Khalaf, the editor of the Financial Times, who was deputy editor when her number appeared in the data in 2018. NSO later said there were no attempted or successful Pegasus infections of Khalaf’s phone.
Earlier this week, the Guardian also revealed the listing of the number of the human rights lawyer Rodney Dixon QC, who has acted for both Hedges and the fiancee of the murdered Saudi journalist Jamal Khashoggi, Hatice Cengiz. Analysis of the data suggests his number was among a small group of UK numbers that appear to have been selected by Saudi Arabia.
Lawyers for NSO suggested it was “technically impossible” for Dixon’s phone to be targeted by Saudi Arabia. Forensic analysis of Dixon’s device conducted by Amnesty International’s Security Lab showed Pegasus-related activity but no successful infection.
Amnesty examined two other UK phones in the data. One showed the same kind of Pegasus activity discovered on Dixon’s iPhone. The second, an Android phone, showed no evidence of an attempted or successful infection.
Neither the United Arab Emirates, Dubai nor Saudi Arabia responded to requests for comment. Till Dunckel, a German lawyer representing Sheikh Mohammed, told the newspaper Süddeutsche Zeitung: “Our client emphatically denies having attempted to ‘hack’ the phones of the persons named in your request, or having instructed others to do so.” Representatives of the sheikh have also previously said he feared Latifa was a victim of a kidnapping and that he had conducted “a rescue mission”.
NSO Group has always said it does not have access to the data of its customers. In statements issued through its lawyers, NSO said the Pegasus project reporting consortium had made “incorrect assumptions” about which clients used the company’s technology.
Exiled dissidents and supportive activists in the UK also appeared on the leaked list, which is bound to raise questions about the UAE, which is traditionally considered a British ally, and whose leading family, the rulers of Abu Dhabi, own the Premier League champions, Manchester City.
The UAE has become a fast-emerging cyber power, whose powerful surveillance capability is controlled by the family of its ruler, Sheikh Mohamed bin Zayed, and in particular his brother, the national security adviser, Sheikh Tahnoon bin Zayed.
Three sources familiar with NSO’s operations confirmed that within the past year the company had stripped Dubai of its Pegasus licence. They said the decision had been informed primarily by human rights concerns, but did not dispute that the possibility Sheikh Mohammed was wielding the software against his own family members had also been a factor.
It is unclear whether MI5 was aware of any UAE spying activity. Generally if the spy agency becomes aware a Briton is subject to foreign surveillance, it will take action to alert the victim if it believes there is a threat to life or other serious danger in the UK.
But the British government issued a coded rebuke to the country this week following the revelations of the Pegasus project.
A government spokesperson said: “It is vital all cyber actors use capabilities in a way that is legal, responsible and proportionate to ensure cyberspace remains a safe and prosperous place for all.”
Why certain people may have been listed is hard to determine. Uddin was the first Muslim woman to serve in the upper house, but is not considered a foreign policy specialist. “If espionage is taking place against the highest of sovereign British institutions, questions arise regarding whether our government was aware,” she said.
Matthew Hedges, a Durham University PhD student specialising in security, was first listed on the database in March 2018, two months before he was detained and tortured for seven months, accused of spying for MI6. The initial listing of his number in the data took place before Hedges had travelled to the UAE for his research.
MI6 denies he was acting as an agent, in a high-profile case that strained relations between London and Abu Dhabi. Hedges was subject to repeated interrogations that lasted hours and was injected with a cocktail of drugs on which he is partly dependent today, but was only charged after being held for five months.
It was not possible to conduct forensic analysis of Hedges’ UK phone from the time because UAE authorities confiscated his device.
Mohammed Kozbar, the chair of the Finsbury Park mosque, arguably the best-known mosque in Britain, also appeared on the leaked list. His number appeared in the data in 2018, apparently because of the UAE. The mosque was comprehensively reformed in 2015 under his leadership, and is considered a model of community relations, acting recently as a public vaccination centre.
Kozbar said he was baffled as to why he might have been of interest to the Gulf state, saying he had “never been in the UAE” nor had any involvement with the country. He said he feared that “British citizens will be open to abuse from every country in the world” unless the UK spoke out against apparent abuses of NSO spyware worldwide.
Dissidents – some of whom focused on Saudi Arabia or Bahrain – and at least one British activist have also appeared in the list. They include the Emirati-born Alaa al-Siddiq, 33, the executive director of the Saudi campaign group ALQST, who was killed in a car crash in Oxfordshire last month. After talking to the police her organisation said there was “no suggestion of foul play”.
Another person who appears in the data in 2018 was the leading Bahraini dissident and human rights campaigner Sayed Alwadaei, who has political asylum in the UK. He was also selected by a customer understood to be the UAE, although he campaigns for democracy and rights in Bahrain, particularly around the time of the grand prix, held that year in April.
He called on the UK government to “speak out and stop defending these abusive governments”.
A number belonging to Rori Donaghy was selected by UAE throughout 2017 and 2018, according to analysis. He was previously reported to have been a target of a UAE hacking campaign unrelated to NSO.
He worked for three years until 2016 for Middle East Eye, a UK-based news organisation that regularly criticised the UAE regime. But at the time his number appeared in the data he was working for a specialist Middle East consultancy, writing reports about Syria and the refugee crisis.
The number of the president of the Muslim Association of Britain, Raghad Altikriti, the first female head of the organisation, also appears on the list. She was previously a vice-president and head of media, and her brother Anas Altikriti, who runs the Cordoba Foundation thinktank, which promotes intercultural dialogue, was listed between 2017 and 2019.
The numbers of several employees of three London corporate intelligence firms also appeared on the list. In one case, it appears the head of the firm was selected by the UAE along with two numbers belonging to his wife. All three firms work for Gulf state clients.
• This article was amended on 22 July 2021 to correct a misspelling of the name of Sayed Alwadaei.