Saudi rights activist Loujain al-Hathloul sues ex-US contractors

Prominent Saudi women’s rights activist Loujain al-Hathloul has sued three former United States intelligence contractors, accusing them of helping hack her cell phone prior to her 2018 arrest and imprisonment.

The Electronic Frontier Foundation on Thursday filed the lawsuit on behalf of al-Hathloul in the US federal court against former US officials Marc Baier, Ryan Adams and Daniel Gericke, as well as a cybersecurity company called DarkMatter that has contracted with the United Arab Emirates (UAE).

“Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” EFF Civil Liberties Director David Greene said in a statement.

“The harm to Loujain al-Hathloul can never be undone. But this lawsuit is a step toward accountability.”

The lawsuit alleges that the surveillance operation run by the three ex-contractors and DarkMatter led to al-Hathloul’s arrest by the Emirati security services. From there she was extradited by private plane to Saudi Arabia, “where she was detained, imprisoned and tortured”, it states.

DarkMatter assigned her the codename “Purple Sword”, the lawsuit also says, citing a 2019 investigation by the Reuters news agency that first detailed the hacking of al-Hathloul.

Al-Hathloul, who pushed to end a ban on women driving in Saudi Arabia, was imprisoned in 2018 alongside several other Saudi women’s rights advocates.

She was sentenced to an almost six-year jail term on terrorism-related charges in a case that drew international condemnation, and held for 1001 days, with stints in pre-trial detention and solitary confinement, before being released in February.

Rights organisations say some of the women, including al-Hathloul, were held in solitary confinement for months and subjected to abuse including electric shocks, flogging and sexual assault.

According to al-Hathloul family members, some of the torture sessions have been in the presence of Saud al-Qahtani, a close associate of Saudi Crown Prince Mohammed bin Salman, known as MBS. Saudi officials have denied torture allegations.

“No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious,” al-Hathloul said in a statement as part of her lawsuit, which was shared by EFF.

BIG NEWS: the fight to #FreeLoujain is not over.

Our sister Loujain, represented by @EFF sues spyware maker DarkMatter for violating US anti-hacking and international human rights laws.

All the best my dear, you’re the best ❤️🌻

Full complaint here : https://t.co/gY5GJcTs9Y

— Lina Alhathloul لينا الهذلول (@LinaAlhathloul) December 9, 2021

“This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyberabuses of power. I continue to realize my privilege to possibly act upon my beliefs,” she said.

“I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

Push to tackle spyware

The lawsuit comes amid a global push to hold companies and individuals involved in electronic spyware accountable for how their products are used.

Last month, US President Joe Biden’s administration blacklisted Israeli firm NSO Group, accusing the technology company of developing and supplying spyware to foreign governments “that used these tools to maliciously” target a range of actors, including journalists and activists.

NSO Group sparked outrage from rights groups earlier this year after an investigation by international media outlets revealed the firm’s Pegasus spyware was used by security forces and authoritarian governments in several countries.

Apple Inc, as well as messaging app WhatsApp, have sued NSO Group over its spyware. The Israeli firm has rejected recent criticism, stressing that its products are used to target criminals and “terrorists”.

The three former American contractors named in al-Hathloul’s lawsuit this week admitted in September to providing sophisticated computer hacking technology to the UAE.

The US Justice Department said at that time that Baier, Adams and Gericke were “hackers-for-hire” who provided a company in the UAE with “zero-click” computer hacking services “that could compromise a device without any action by the target”.

The trio agreed to pay $1.68m in penalties in what is known as a “deferred prosecution agreement” that allows them to evade criminal charges in the US so long as they abide by the deal, the department said.

“Hackers-for-hire and those who otherwise support such activities in violation of US law should fully expect to be prosecuted for their criminal conduct,” Acting Assistant Attorney General Mark Lesko said in a September 14 statement. “Left unregulated, the proliferation of offensive cybercapabilities undermines privacy and security worldwide.”

A request for comment on al-Hathloul’s lawsuit to the Saudi and Emirati embassies in Washington, DC, was not immediately answered on Thursday, Reuters said. Requests for comment sent to representatives for Gericke, Baier, Adams and DarkMatter also were not immediately answered.