Cyber Surveillance in the United Arab Emirates: Updated Assessment

image

Since the First Arab Spring in 2011, the government of the United Arab Emirates (UAE) has restricted freedom of expression and association, from in-person protests to online activism. In 2023, the UAE ranked 145th out of 180 countries in the World Press Freedom Index, which measures media freedom in the respective countries. The UAE’s position has lowered by 7 places since the previous year and by 26 places since 2019, demonstrating an alarming trend towards complete media censorship by the government.

In the past decade, the UAE has notoriously used cyber surveillance to infringe on the privacy of internet users, specifically by gathering information on human rights activists to unlawfully persecute them. It is important to note that the UAE is a signatory of the Arab Charter on Human Rights, in which Article 26 states that everyone should have the “freedom of opinion and expression, as well as the right to seek, receive and impart information and ideas through any medium”. Therefore, the UAE’s use of cyber surveillance to restrict the freedom of opinion of people and persecute them for it, is antithetical to the Charter they are legally bound to respect.

The most noteworthy scheme was when the  UAE employed former US National Security Agency and CIA employees at DarkMatter, an Emirati cyber-security firm, to hack into the phones of hundreds of human rights activists and political opponents in 2016 and 2017. The ex-employees were part of Project Raven, which the Emirati government used to hack phones and computers across the Middle East and Europe. The news of this cyberattack only came to light in January 2019, three years after the project was thought to have launched. Three former U.S. Intelligence Community employees, Ryan Adams, Marc Baier and Daniel Gericke, admitted their involvement on September 15, 2021, resulting in them relinquishing their security clearance and paying $1.68 million in exchange for their criminal charges being dropped. DarkMatter has not to date been prosecuted, although Saudi activist Loujain AlHathloul, who had been targeted by the program, did unsuccessfully file a lawsuit against them.

In December 2019 the New York Times unveiled that the Emirati messaging app ToTok was being used as spyware for mass surveillance. This app allowed the government to misuse the information that millions of users voluntarily, yet unknowingly, gave by accepting the privacy terms when downloading the app. The result was that the government was able to access conversations, both via messages and calls, locations, and contacts of the users to spy on them. 

In the past five years, there have been escalations in the use of cyber surveillance, along with stricter cyber laws, which have led to severe concerns about human rights violations and the safety of activists and political opponents. In January 2022, another inquiry was led by the New York Times to investigate the connection between Israel’s cyber-intelligence firm NSO Group’s Pegasus spyware, and the UAE. It was revealed that Israel had sold Pegasus to the UAE to reinforce their diplomatic relations, resulting in the UAE using Pegasus to hack the phone of a civil rights activist. This demonstrates a pattern of misuse of cyber-surveillance technologies by the UAE.

The UAE fortified its relations with Israel through the Abraham Accords in 2020, leading them to have access to Israel’s advanced spyware. This poses a potential threat for non-allies and human rights activists as the strengthened cyber surveillance, along with the stricter cyber laws, will likely lead to forced censorship and increased unlawful persecution. The lack of transparency and accountability of the Emirati government regarding their use of cyber surveillance is a significant threat to human rights in the UAE and must continue to be addressed.

Recommendations

Given the dire human rights violations caused by the UAE’s cyber surveillance, the following recommendations should be taken into consideration:

  1. An international regulatory body must be set up to monitor cyber surveillance globally to ensure an ethical standard is set so that it is not misused to spy on citizens.
  2. The UAE’s NHRI must advocate for increased transparency and accountability of the government’s use of spyware on residents and citizens.
  3. The other signatories of the Arab Charter on Human Rights must keep the UAE accountable for its transgressions and ensure it abides by the Charter.
  4. Governments and companies globally must stop dealing with the UAE in the sector of cybersecurity to avoid buying spyware and sharing intel with the UAE.
  5. The UAE’s Cybersecurity Council must set up a detached and independent branch that monitors the use of spyware on residents, including by government and UAE companies.
  6. Human rights organisations must work together to advocate for the freedom of journalists and human rights activists unlawfully detained for peacefully voicing their concerns online.
  7. The UAE government must ensure that its cybercrime laws are in line with international and regional standards on freedom of expression and media freedom.
  8. In regards to the UN Cybercrime Treaty, the member states must remain committed to strong human rights standards. It is imperative that safeguards are put in place to ensure that repressive governments cannot take advantage of this treaty.

 

To read the full report click on this file: Cyber Surveillance in the UAE.