Dubai ruler used Pegasus spyware to hack princess, U.K. court rules

The ruling offers strong confirmation for key elements of the Pegasus Project, an investigation published in July by The Washington Post and 16 other news organizations into NSO Group, the Israeli surveillance giant that sells its powerful spyware to government agencies around the world.

The phone numbers for Princess Haya and members of her legal and security teams were on a list of 50,000 numbers that formed the basis for the investigation. Reporters were able to identify more than 1,000 people whose numbers were on the list, including 85 human rights activists, 189 journalists, and more than 600 politicians and government officials. Forensic examination of 67 phones included on the list found 37 had been targeted by Pegasus.

The phones of Haya and her inner circle were not examined as part of the news outlets' investigation, but the numbers had been added to the list around the time Haya fled to London with her two young children following a campaign of harassment and threats from her then-husband, one of the Persian Gulf's most powerful men.

The U.K. High Court of Justice ruling found that Haya, her personal assistant, two of her lawyers and two members of her security team had been subjected to "unlawful surveillance" carried out by agents of Sheikh Mohammed bin Rashid al-Maktoum, who, in addition to ruling Dubai, serves as the vice president, prime minister and defense minister of the United Arab Emirates.

The court's family division has been investigating the surveillance amid a bitter custody battle over Haya and the sheikh's children. The division's president, judge Andrew McFarlane, said in the ruling that the findings represent not only "serial breaches of domestic criminal law" but a vast "abuse of power" by a head of state and a "total abuse of trust."

In a statement, Sheikh Mohammed denied the allegations and said the matters concern "supposed operations of State security."

The judgment, he added, was an "incomplete picture" and "unfair" because it was based on evidence not disclosed to him or his advisers. He also asked that the media "respect the privacy of our children and do not intrude into their lives in the U.K."

Princess Haya's attorney, Fiona Shackleton, declined to comment, saying the proceedings are ongoing. Her phone was among those hacked, the ruling found.

Haya's legal team told the court that she "has been living in fear of her life, frankly, and in fear of the children's security" since leaving Dubai in April 2019. "It feels as if I am being stalked, that there is literally nowhere for me to go to be safe" from him, she told the court.

The High Court judgment, which was written in May but released to the public only Wednesday, also found that Cherie Blair, the wife of former British prime minister Tony Blair, had alerted Haya's attorneys to the invasion after being notified by a top official at NSO, where she served in an advisory role. Blair declined to comment.

Pegasus is one of the world's most formidable spyware tools, allowing operatives to take over a phone without its owner even clicking a link. The spyware can silently send back vast amounts of data stolen from an infected phone, including call logs, emails, GPS coordinates, text messages and recordings from its cameras and microphones.

NSO officials have said Pegasus is licensed to governments solely for use in tracking terrorists and criminals, and that it investigates reports of misuse and can revoke contracts if the tool's surveillance powers are abused.

On Wednesday, a person familiar with the operations of NSO, who spoke to The Post on the condition of anonymity to discuss internal operations, said that the company terminated its contract with Dubai after it learned the spyware had been used to surveil Haya and her allies. The deal would have been worth roughly $150 million over the next few years, the person said.

Haya's phone was hacked 11 times during the summer of 2020 on Sheikh Mohammed's "express or implied" orders, the judgment found. During one of the hacks, the ruling found, more than 250 megabytes of data were "covertly extracted" from the phone - a bundle big enough to include hundreds of photos, hours of video or audio recordings, and reams of text messages or emails.

The judgment, which was first reported by The Guardian, said the hacks had occurred during a "particularly busy" time of Haya's life, in which she was preparing for critical custody hearings related to the long-term care of herself and her children.

The ruling also said that agents of Sheikh Mohammed had attempted to buy a sprawling 77-acre estate overlooking Haya's new home, so close that it would have been "in prime position for direct or electronic surveillance."

The person familiar with NSO operations said a confidential informant had told the company in August 2020 that the spyware was being used to target Haya and her attorneys. According to the judgment, a senior member of NSO's management team called Blair, who advised the company on business and human-rights issues, around midnight Israel time on Aug. 5 to seek her help in alerting Haya and her legal team to the fact that their phones had potentially been compromised.

The NSO manager also urged Blair to advise the lawyers to restart their phones, as a way to block the spyware's interception, the person familiar with NSO operations said. In witness statements provided to the court, Blair said the NSO manager told her the company had taken steps to ensure the phones could not be accessed again.

The person familiar with NSO operations told The Post that phone numbers with the U.K. country code of +44 have been blocked from searches by foreign governments since August 2020. NSO has said that numbers with the United States' +1 country code also cannot be hacked.

The person said phones in NSO's home country of Israel as well as in the "Five Eyes" - the intelligence-sharing alliance of the U.S., U.K., Canada, Australia and New Zealand - are now blocked from foreign surveillance, but that law enforcement and government agencies inside of those countries can still use Pegasus to target their own citizens.

Sheikh Mohammed said in his statement that it had not been appropriate for him, as a head of government, to provide evidence as part of private family proceedings in a foreign court. But McFarlane, the High Court judge, has disputed that argument, noting that the sheikh had submitted witness statements and directed his international legal team not to engage in the proceedings.

"At no stage has the father offered any sign of concern for the mother, who is caring for their children, on the basis that her phones have been hacked and her security infiltrated," McFarlane wrote. "Instead he has marshaled a formidable forensic team to challenge the findings . . . and to fight the case against her on every point."

Haya, the daughter of the late King Hussein of Jordan, had angered Sheikh Mohammad by questioning how he had behaved toward his daughter, Princess Latifa, previous U.K. judgments showed. Before fleeing Dubai, Haya said she had faced threats of exile to a desert prison and twice found a pistol in her bed.

In 2018, Princess Latifa had staged a dramatic escape from Dubai but was apprehended at sea in what her father declared was a "rescue." Numbers for Latifa and her closest friends were also found on the list that included Pegasus targets.

The judgment follows a separate fact-finding ruling by the High Court last year that determined Sheikh Mohammed had ordered Latifa's abduction and orchestrated an intimidation campaign against Haya.

The Post reported in August that one of Princess Haya and Latifa's close allies, the human-rights activist David Haigh, also had his phone hacked by Pegasus, according to a forensic analysis by researchers with Amnesty International's Security Lab. Those tests found that the hacks occurred on Aug. 3 and 4, 2020 - only days before NSO blocked the foreign targeting of U.K. numbers, the person familiar with the company's operations said.

Bill Marczak, a researcher with the University of Toronto's Citizen Lab who has helped investigate Pegasus use around the world and whose work on the Haya case is cited in the high court's ruling, noted in a statement to The Post the unusual nature of NSO's actions in the case.

"The actions that NSO Group took in this case, including sending letters to the court that accorded with my technical findings, notifying Princess Haya's lawyers shortly after I did, and disconnecting one of their customers, are really quite unusual and extraordinary," Marczak said.

"In our research at Citizen Lab, we see cases all the time of abusive surveillance of dissidents and journalists with NSO Group's Pegasus spyware, but rarely if ever do we see NSO take actions resembling the ones they seem to have taken here. I wish they treated journalists and activists the way they treat Princesses and Baronesses."