Read Time: 3 minutes
For the daughter of a Rwandan dissident, it was one of the most horrifying moments of her life: the discovery that her cellphone was under constant surveillance by the regime that had jailed her father.
Months later, Carine Kanimba is still haunted by it – and by a new revelation that her nephew was under surveillance with the same secret software.
“I was mortified, and I am terrified,” she told a U.S. congressional committee on Wednesday, just days after the latest findings by the University of Toronto’s Citizen Lab, a research group.
“I am frightened by what the Rwandan government will do to me and my family next. It keeps me awake that they knew everything I was doing, where I was, who I was speaking with, my private thoughts and actions at any moment they wanted.”
In a rare open session, the House of Representatives intelligence committee heard testimony from a Citizen Lab researcher and a Google threat-analysis expert on the rapid proliferation of commercial spyware that allows authoritarian regimes to monitor the phones of dissidents and journalists without anyone’s knowledge and without even an accidental click from the target.
“Your phone can be on your bedside table at 2:00 in the morning – one minute your phone is clean, the next minute the data is silently streaming to an adversary a continent away,” Citizen Lab researcher John Scott-Railton told the committee on Wednesday.
“It can access your texts and phone calls, it can access your encrypted chats, your pictures, your voice notes, anything you can do on your phone … and some things you can’t, like silently enabling the microphone and camera, or gaining access to your cloud accounts,” he said, describing one of the most notorious examples, the Pegasus spyware of Israeli company NSO Group.
The committee’s chairman, Adam Schiff, described the growth of spyware as an “acute and rapidly evolving threat” that could affect people worldwide.
EU found evidence employee smartphones compromised with spyware: letter
“It’s a game-changer for autocratic regimes that are looking for new means to surveil, intimidate, imprison or even kill dissidents, journalists and others who they view as a threat,” he said.
A decade ago, only a small number of powerful states had the capacity to spy on cellphones and computers. But now, with the rise of what Mr. Scott-Railton calls “the mercenary spyware industry,” sophisticated surveillance technology is being sold to dozens of countries worldwide.
STORY CONTINUES BELOW ADVERTISEMENT
“This industry appears to be thriving,” said Shane Huntley, senior director of Google’s threat-analysis group, in testimony to the committee.
He said his group is tracking more than 30 vendors of commercial spyware “with varying levels of sophistication and public exposure” selling surveillance technology to state-sponsored organizations.
Last December, his group uncovered evidence that NSO Group’s technology could install spyware on phones by sending an iMessage to a target, even if the target did not click on a link.
“Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defence,” Mr. Huntley said.
“Based on our research and findings, we assessed this to be one of the most technically sophisticated exploits we had ever seen.”
Other victims of NSO spyware have reportedly included nine U.S. diplomats and officials, and a number of independent activists – including the Saudi journalist Jamal Khashoggi, who was killed at Saudi Arabia’s consulate in Istanbul in 2018.
Ms. Kanimba told the committee that she still does not feel safe, since her phone could be reinfected without her knowledge.
Her father, Paul Rusesabagina, gained fame from the Hollywood film Hotel Rwanda, which told the story of how he rescued more than 1,200 people during the Rwandan genocide in 1994 when he was a hotel manager in the capital, Kigali.
Later he became an outspoken critic of Rwandan President Paul Kagame. In 2020, he was lured onto a chartered airplane in Dubai and illegally flown to Kigali, where he was sentenced to 25 years in prison on terrorism charges. Independent legal experts said his trial was unfair, and the United States considers him a victim of wrongful detention.
Rwanda’s use of spyware allowed it to “always stay a step ahead” of the family’s efforts to fight her father’s imprisonment, Ms. Kanimba said.
She said she has lost all sense of personal security in her private actions and surroundings. “The fact that the same government that tortured my father, that is holding him hostage and has been trying to silence him for all these years, now also has access to my private messages and my conversations and my location – it is very, very scary.”
Members of the congressional committee said her testimony was powerful and troubling. Some said the United States should suspend the US$145-million in annual aid that it provides to Rwanda.
“Much of what we know about mercenary spyware abuses come from brave victims stepping forward, despite the risks,” Mr. Scott-Railton said in his testimony. “We owe them a great debt.”