Dubai ruler used Pegasus spyware to hack princess, U.K. court rules

The ruling offers a major confirmation of the Pegasus Project’s reporting, which revealed evidence that Princess Haya and her inner circle had been targeted for surveillance after her flight from Dubai.

The ruler of Dubai used NSO Group’s Pegasus spyware to hack the phones of his estranged wife, Princess Haya, and her inner circle, a U.K. high court judgment released Wednesday shows.

The ruling offers strong confirmation for key elements of the Pegasus Project, an investigation published in July by The Washington Post and 16 other news organizations.

The phone numbers for Princess Haya and members of her legal and security teams were among those found on a list of 50,000 numbers that included phones targeted by the surveillance software.

The numbers had been added to the list around the time Haya fled to London with her two young children following a campaign of harassment and threats from her then-husband, one of the Persian Gulf’s most powerful men, the investigation found.

The ruling found that Haya, her personal assistant, two of her lawyers and two members of her security team had been subjected to “unlawful surveillance” carried out by agents of Sheikh Mohammed bin Rashid al-Maktoum, the billionaire prime minister of the United Arab Emirates.

The U.K. High Court’s family division has been investigating the case amid a bitter custody battle over their children. The division’s president, judge Andrew McFarlane, said in the ruling that the findings “represent a total abuse of trust, and indeed an abuse of power, to a significant extent.”

In a statement, Sheikh Mohammed denied the allegations and said the matters concern “supposed operations of State security.”

The judgment, he added, was an “incomplete picture” and “unfair” because it was based on evidence not disclosed to him or his advisers. He also asked that the media “respect the privacy of our children and do not intrude into their lives in the U.K.”

Princess Haya’s attorney Fiona Shackleton declined to comment, saying the proceedings are ongoing. Her phone was among those hacked, the ruling found.

The High Court judgment, which was delivered in May but only released to the public Wednesday, also said that Cherie Blair, the wife of former British prime minister Tony Blair, had alerted Haya’s attorneys to the invasion after being notified by NSO Group, the Israeli surveillance company that makes Pegasus. Blair declined to comment.

An NSO official said in a statement Wednesday, “Whenever a suspicion of a misuse arises, NSO investigates, NSO alerts, NSO terminates.” The official said NSO “chooses ethical standards over revenues” and “did not hesitate to shut down systems of past customers” worth more than $300 million.

NSO officials have said the company’s spyware tool Pegasus is licensed to governments solely for use in tracking terrorists and criminals, and that it investigates reports of misuse and can revoke contracts if the tool’s surveillance powers are abused. A person familiar with the operations of NSO who spoke to The Post on the condition of anonymity to discuss internal operations said in July that the company had terminated its contract with Dubai after it learned of the princess’ surveillance and other human-rights concerns.

That person also told The Post that phone numbers with the U.K. country code of +44 were blocked from searches earlier this year but declined to share further detail, including whether the ban was a response to this case. NSO has said that numbers with the United States’ +1 country code also cannot be hacked.

Pegasus can install itself on a phone without the owner doing anything, such as clicking a link, and can copy practically everything of value on the phone, including recording from its cameras and microphones and sending location data, messages, call logs and emails back to an NSO client.

The judgment said Haya’s phone had been hacked 11 times last summer on Sheikh Mohammed’s “express or implied” orders. During one of the hacks, the ruling found, more than 250 megabytes of data were “covertly extracted” from the phone — a bundle big enough to include hundreds of photos, hours of video or audio recordings, and reams of text messages or emails.

The hack, the judgment found, occurred during a “particularly busy” time of Haya’s life, in which she was preparing for critical custody hearings related to the long-term care of herself and her children.

Sheikh Mohammed also said in his statement that it had not been appropriate for him, as a head of government, to provide evidence as part of private family proceedings in a foreign court. But McFarlane, the High Court judge, has disputed that argument, noting that the sheikh had submitted witness statements and directed his international legal team not to engage in the proceedings.

The Guardian first reported the judgment.

Numbers for the sheikh’s daughter, Princess Latifa, and her friends were also found on the list that included Pegasus targets. She staged a dramatic escape from Dubai but was apprehended at sea in what her father declared was a “rescue.”

The ruling follows a fact-finding judgment released by the High Court last year ruling that Sheikh Mohammed had ordered Latifa’s abduction and orchestrated an intimidation campaign against Haya.

The Post reported in August that one of Princess Haya and Latifa’s close allies, the human-rights activist David Haigh, also had his phone hacked by Pegasus, according to a forensic analysis by researchers with Amnesty International’s Security Lab.

Leave a Reply

Your email address will not be published. Required fields are marked *