This is a joint report between Front Line Defenders and the Citizen Lab.
● The devices of four Jordanian human rights defenders, lawyers, and journalists were hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021. The targets include those working against corruption in Jordan.
● We assess that two of the four targets were hacked by Pegasus operators primarily focused on Jordan, based on SMS messages containing Pegasus links that map to a cluster of domain names focusing on Jordanian themes.
● We identify two Pegasus operators that we believe are likely agencies of the Jordanian government. The first, MANSAF, has been active since at least December 2018, and the second, BLACKIRIS, has been active since at least December 2020.
● One of the targets’ iPhones was successfully hacked on December 5, 2021, showing that NSO Group has remained active on Apple’s platform even after Apple sued NSO Group and notified Pegasus targets in November 2021.
● Our findings build on an earlier report from Front Line Defenders, which found that the phone of Hala Ahed Deeb, a Jordanian lawyer and woman human rights defender, was infected with Pegasus.
Human Rights Context in Jordan
The Hashemite Kingdom of Jordan is a constitutional monarchy ruled by King Abdullah II bin al Hussein. The King retains wide executive and legislative power under the constitution of 1952, which guarantees him the power to appoint the Senate, the prime minister, and the ministers. The Monarch is also the commander-in-chief of the armed forces. The parliament (Majlis al-Umma) consists of two chambers: the House of Representatives (Majlis al-Nuwwab), elected by the public, and the Senate (Majlis al-Ayan), appointed by the monarch.
Human rights defenders (HRDs) in Jordan operate in a restrictive environment. Since 2011, however, waves of grassroots protests have erupted – often catching the authorities by surprise – as increasing frustration over government corruption and the widening gap between rich and poor fuels discontent. Recent international investigations as part of the Pandora papers confirmed suspicions about corruption at the very highest levels of the state, and in response to popular protest, authorities have taken harsher measures to crack down on activists.
Jordanian authorities have exploited the global COVID-19 pandemic to further curtail individual freedoms, including freedom of expression and assembly. In response to the pandemic, King Abdullah issued a royal decree on March 17, 2020, activating a 1992 defence law, which gives the Prime Minister (Omar Razzaz) broad powers to restrict basic rights. On April 15, 2020, the authorities issued an emergency decree that prohibits publishing, republishing or circulating any news about the epidemic that would terrify people or cause panic among them through the media, telephone or social media. Breaking the order can result in a jail sentence of up to three years, a fine of 3,000 Jordanian Dinars (US$4,230), or both. The emergency decree has had chilling effects on freedom of expression and freedom of online discussion around the pandemic.
Human Rights Watch documented various arrests related to spreading misinformation about the COVID-19 pandemic.
Despite the government’s countermeasures, large-scale protests organised by public school teachers emerged in July 2020. While the protests were initially motivated by issues around teachers’ wages, the discontent swiftly extended to broader economic and political issues. Jordanian security forces intervened to suppress protesters and around 1000 teachers were arrested in August 2020. Further, the government used the judicial system to target and dissolve the Jordanian Teachers’ Syndicate (JTS). The Amman Magistrate Criminal Court made a contentious ruling on December 31, 2020, authorizing the dissolution of the Jordan Teachers’ Syndicate and the imprisonment of its board members. United Nations human rights experts condemned the government’s actions and called on Jordan to annul the decision and free the detained board members. However, on October 31, 2021, the Amman Court of Appeal decided to annul the decision of the Court of First Instance regarding the dissolution of the JTS’ Council, and the case is still pending in the Amman Court of First Instance.
In March 2022, in an attempt to prevent protests, the Jordanian authorities arrested 29 activists on the anniversary of Jordan’s 2011 Arab Spring protests.
Jordanian Teachers’ Syndicate Case
JTS is a labor union formed in the aftermath of 2011 protests in Jordan. It is considered the largest independent union in Jordan. In 2019, Jordanian public school teachers led the longest public sector strike in the nation’s history. After four weeks of strikes, the government was forced to agree to a deal over wages to end the strike. Despite the hardship caused by the strike – delaying the start of the school year by a month for the vast majority of students – the teachers enjoyed wide popular solidarity and support.
In April 2020, the government announced a freeze on all public sector pay rises, including for teachers, citing the COVID-19 pandemic. On July 25, 2020, Amman’s prosecutor-general ordered the Teachers’ Syndicate’s national headquarters, as well as its branches and offices, to close for two years, and security forces arrested all of the 13 syndicate board members. Moreover, the prosecutor issued a gag order on investigations into this case. Following the closure, authorities cracked down on demonstrations across the country protesting the closure.
The Jordanian Hirak Movement
The Jordanian Hirak emerged as a youth social movement in 2011 (Hirak means movement in Arabic). Hirak mobilized a new wave of social movements in Jordan. Unlike traditional political opposition groups, which have historically focused on reforming electoral and political party legislation, many Hiraki youth activists believed that true change was not the reform of a powerless Lower House. Instead, they advocated for economic transformation, which they saw as central to political decision-making and sovereignty.
Activists associated with the movement have experienced years of government persecution, including multiple arrests, termination of employment and travel bans.
A new wave of crackdown on Hirak activities emerged in February 2022 when Jordanian security forces arrested nine Hirak reform activists from their residences late on February 13 and another activist from his workplace in Zarqa on February 14. On February 24, they detained an eleventh activist, Ahmad Neimat, when he paid bail for one of the inmates, Abed Tawahie, a 65-year-old engineering professor (although Tawahie was arrested again on February 25). Each of the detainees has been charged with “spreading false news” under article 15 of the Cybercrime Prevention Law and “inciting strife” under article 150 of the Penal Code.
Jordan’s Nongovernmental Organization Law
In December 2019, Jordanian authorities amended the pre-approval process for local Jordanian nongovernmental organizations (NGOs) to receive funding from foreign sources (although this amendment excluded international organizations). This significantly limited NGOs’ work, and local NGO leaders stated that the new process was not transparent and forced them to reconsider their operations in order to continue their work.
Internet Censorship in Jordan
The Jordanian authorities have been seeking to expand their monitoring of, and restrictions on access to, online platforms and content.
In 2019, Jordan blocked local access to alurdunyya.net, a website run by exiled activists. The authorities imposed restrictions on social media networks during the Teachers’ Syndicate’s protests and strikes in July and August 2020; Facebook Live streaming was restricted on multiple occasions, especially during larger demonstrations. Similarly, the authorities responded to the mass protests that followed the deaths of COVID-19 patients at al-Salt Hospital due to an oxygen shortage by restricting access to Facebook Live streaming and Clubhouse.
Denial of access to platforms or websites has been a common practice in Jordan. www.archive.org is among these examples, as the Citizen Lab report concluded. Further, the online LGBTQ magazine My.Kali has been blocked in Jordan since 2016; in 2017, the Jordanian Audiovisual Commission issued an order to block access to the website. Recently, on October 2, 2021, hours before the release of the Pandora papers, Jordan blocked access to the ICIJ website.
Several circumvention techniques were reported by service providers in 2021, resulting in restrictions on virtual private networks (VPNs). Furthermore, in order to be able to use the internet in an Internet café, clients must provide personal identity information. Under the Cybercrime law of 2010, Internet cafés have been ordered to install surveillance security cameras and to retain the browsing histories of users for at least six months.
In January 2022, Front Line Defenders published a report finding that the phone of Hala Ahed Deeb, a Jordanian lawyer and woman human rights defender, was infected with Pegasus. Following publication, Front Line Defenders received numerous requests from Jordanian human rights defenders, journalists and other civil society activists to check their devices. Front Line Defenders checked 60 iPhones, with case referrals from the Jordan Open Source Association, in collaboration with the Citizen Lab. Three of the victims consented to be identified (listed below), while one wished to remain anonymous.
Hacking of Jordanian Targets
Victim: Ahmed Al-Neimat
Ahmed Al-Neimat is a human rights defender, an anti-corruption activist, and a member of the Hirak movement. Because of his activism, Al-Neimat has faced various issues with the Jordanian security forces, including multiple arrests and the imposition of a travel ban and a ban on employment.
On May 30, 2018, Al-Neimat was among the organizers and supporters of a general strike to reject a proposed bill on income tax that had been submitted to the parliament. Most institutions and industrial and commercial sectors joined the strike, including the engineers’ union, the lawyers’ union, the nurses’ union, and the journalists’ union.
Al-Neimat’s activism was partly motivated by the As-Salt Hospital incident, where news spread of a lack of oxygen for patients with COVID-19 in the governorate of Balqa. According to local media outlets citing the government, the incident occurred in a department where more than 150 patients were being treated and resulted in the deaths of at least seven patients.
In 2020, Al-Neimat was arrested when he was leaving the National Centre for Human Rights, which he had visited to file a complaint against his mistreatment by the Jordanian authorities. He was then later released.
In February 2022, Al-Neimat was again arrested due to a court ruling issued against him regarding the hospital protests.
Al-Neimat’s phone logs show that his phone was hacked on or around January 28, 2021 for a period of approximately two days. The logs indicate that this was a zero-click exploit, likely the FORCEDENTRY exploit. We had not previously seen any cases of FORCEDENTRY deployed before February 2021. So far, this is the earliest suspected FORCEDENTRY case.
Victim: Malik Abu Orabi
Malik Abu Orabi is a human rights lawyer, a member of The National Forum for the Defense of Liberties, and part of the legal team defending the JTS. In 2021, Orabi was arrested at protests that occurred in the Ministry of Interior Roundabout (Gamal Abdel Nasser Square) for the commemoration of the 10th anniversary of the Arab Spring in Jordan. He was detained for five days before he was released with personal bail until a conviction against him was issued.
The court decided to fine him 100 Jordanian dinar (approximately 128 euro) for violating the defense law relating to the health situation in the country. He has been arrested several times due to his participation in several demonstrations. He was also summoned more than once by security authorities.
We identified the following text messages on Abu Orabi’s phone that contain links to Pegasus servers.
Victim: Suhair Jaradat
Suhair Jaradat is a human rights defender and a trainer specializing in investigative reporting as well as feature and editorial writing. Jaradat received the al-Hussein Prize for creative journalism in 2018. She is a former member of the Jordanian Journalists’ Syndicate Council and Member of the Executive Committee of the International Federation for Journalists (IFJ) in Brussels.
We identified the following SMS message on Jaradat’s phone containing a link to the Pegasus spyware:
We also identified the following WhatsApp messages on Jaradat’s phone, impersonating a popular anti-government Twitter user in Jordan https://twitter.com/GeneralInspect2:
Victim: WHRD and Journalist A
WHRD and Journalist A is a Jordanian Woman Human Rights Defender (WHRD) and journalist, who has chosen to remain anonymous due to the risks that she may face. Her phone was hacked at the following times:
Spyware in Jordan
The Jordanian Government appears to have used spyware for a number of years, including FinFisher spyware, which Citizen Lab detected in December 2014. However, no civil society targets of this spyware were publicly identified at the time.
Pegasus in Jordan
Based on our Internet scanning and monitoring of NSO Pegasus servers at the Citizen Lab, we believe that there are two Pegasus customers that are primarily focused on spying in Jordan.
One of the customers, which we name MANSAF, appears to be spying primarily in Jordan, with limited additional operations in Iraq, Lebanon, and Saudi Arabia. We believe that MANSAF has been operating since December 2018.
The other customer, which we name BLACKIRIS, appears to be spying almost exclusively in Jordan, and has been active since at least December 2020. An April 2021 report in Axios mentioned negotiations between NSO Group and Jordanian authorities “in recent months”, with one source mentioning a contract had been signed.
Targets in This Case
Both Jaradat and Abu Orabi received text messages (Figures TKTK, TKTK) that included links to Pegasus websites. The websites matched our Internet scanning for Pegasus servers, and appear to all have been registered by Dreamhost. We have typically observed different Pegasus customers’ infrastructure set up with different hosting providers.
We provide a list of all Dreamhost websites that we detected in scanning below. We redact several names below given that they contain themes suggestive of targeting terrorist groups:
|Domain Name|What is it?|
|---|---|
|al-taleanewsonline[.]net|May impersonate Jordanian news website al taleanews[.]net|
|al7erak247[.]com|May be a reference to the Jordanian Hirak movement|
|alrainew[.]com|May impersonate Jordanian news website alrai[.]com|
|cozmo-store[.]net|May impersonate Jordanian retailer Cozmo|
|mangoutlet[.]net|May be a reference to Mango, a Spanish clothing retailer with stores in dozens of countries around the world|
|talabatt[.]net|May impersonate Talabat food delivery service that operates in the Middle East|
|www.al7eraknews[.]com|May be a reference to the Jordanian Hirak movement|
|www.hona-alrabe3[.]com|May be a reference to the Fourth Circle (الدوار الرابع) area of Amman, which was a main area for protests in the Hirak movement|
While we cannot directly connect these names to any specific Pegasus operator (because of the way the domain names are set up), we do believe that this cluster of domains shows a focus indicative of Jordan.
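The following is an added example, not part of the original report or of the Citizen Lab's or Front Line Defenders' tooling: a Python check that pulls links out of exported message text and compares their hostnames against the domains in the table above. The `(message_id, text)` export format, the sample messages and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Domains exactly as published (defanged) in the report's table.
REPORT_DOMAINS_DEFANGED = [
    "al-taleanewsonline[.]net", "al7erak247[.]com", "alrainew[.]com",
    "cozmo-store[.]net", "mangoutlet[.]net", "talabatt[.]net",
    "www.al7eraknews[.]com", "www.hona-alrabe3[.]com",
]

def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable form."""
    s = indicator.strip().replace("[.]", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def normalize_host(host):
    """Lowercase, drop a trailing dot and a leading 'www.' label."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

INDICATORS = {normalize_host(refang(d)) for d in REPORT_DOMAINS_DEFANGED}
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)

def hosts_in_message(text):
    """Return the hostname of every http(s) URL found in a message body."""
    hosts = []
    for raw in URL_RE.findall(text):
        try:
            host = urlsplit(refang(raw)).hostname
        except ValueError:  # malformed URL, e.g. unbalanced brackets
            continue
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts

def match_indicator(host):
    """Return the indicator if host equals it or is a subdomain of it."""
    name = normalize_host(host)
    for ind in INDICATORS:
        # The "." prefix stops 'nottalabatt.net' matching 'talabatt.net'.
        if name == ind or name.endswith("." + ind):
            return ind
    return None

def scan_messages(messages):
    """messages: iterable of (message_id, text) -> [(id, host, indicator)]."""
    return [(msg_id, host, match_indicator(host))
            for msg_id, text in messages
            for host in hosts_in_message(text)
            if match_indicator(host)]

# Constructed sample messages; the paths and wording are made up.
SAMPLE_MESSAGES = [
    ("sms-1", "Breaking: read more at https://www.al7eraknews.com/Xa91b"),
    ("sms-2", "Your order is ready hxxps://talabatt[.]net/t/7Qp"),
    ("wa-1", "Menu: https://talabat.com/jordan"),            # genuine service
    ("wa-2", "See https://talabatt.net.example.org/x"),      # suffix lookalike
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(hit)
```

A match shows only that a message carried a link to a listed domain; it does not by itself show that the device was infected.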
In this report, we find once again that a government client of NSO Group has used Pegasus to spy on civil society targets that are neither terrorists nor criminals. This case adds to the large number of other cases of abuse of Pegasus worldwide, which amount to an indisputable indictment against NSO Group, and its ownership, for their inability or unwillingness to put in place even the most basic human rights-respecting safeguards. The fact that the targeting we uncovered happened after the widespread publicity around Apple’s lawsuit and notifications to victims is especially remarkable; a firm that truly respected such concerns would have at least paused operations for government clients, like Jordan, that have a widely publicised track record of human rights concerns and had enacted emergency powers giving authorities widespread latitude to infringe on civil liberties.
Export Control Failures
This case is also noteworthy with respect to failures around Israel’s export control and licensing regime. NSO Group’s sales are overseen by the Israeli Ministry of Defense, although it is unclear to what extent human rights considerations are actually factored into granting licences, if at all. In November 2019, the Israeli government reportedly slashed the number of countries to which NSO Group could sell Pegasus, possibly in response to Apple’s notifications to victims that included U.S. government personnel. However, that list did not include Jordan, a country with a problematic human rights history and a known track record of abusing Pegasus to hack the phone of a woman human rights defender in November 2019, as documented by Front Line Defenders, Access Now, and verified by the Citizen Lab.
Gender-based Online Harms
The targeting of women HRDs merits special attention. Our research, and that of a growing number of others, has documented a disturbing rise in gender-based digital repression practices. Women are also disproportionately vulnerable to online harms, blackmail and digitally-related acts of violence or technology-facilitated gender-based violence, especially in countries where misogyny is pronounced. The impacts of this repression on women are multifold and severe, such as loss of employment, loss of voice, a negative impact on self-worth and dignity, and harms to physical and emotional wellbeing, among others. As Sarah Sobieraj writes, “[e]ntering and using digital publics to share work, ideas, opinions, and experiences often comes at a great cost for women” who “bear the brunt of digital hate.”
As Access Now and Front Line Defenders noted in a previous report regarding the targeting of women HRDs in Bahrain and Jordan with Pegasus spyware, the impacts for women are particularly severe, causing women to “live in a perpetual state of fear, become socially isolated and restricted in their social lives, work, and activism.” Our latest report adds yet another troubling indicator to the NSO Group file and to the deeply harmful impact that the use of Pegasus spyware has on women activists. The fact that Jaradat and Journalist A are also both women journalists compounds and amplifies these concerns. There can be no doubt that NSO Group has become one of the world’s leading purveyors of these harms, and its continued use will invariably contribute to further discrimination against women and marginalized groups. Going forward, further research into the impact of digital repression on women HRDs in the Global South is critical. Amplifying the voices of women in the Global South targeted by Pegasus spyware, as well as other forms of digital repression, is important to showing how severe the impacts of digital repression are–particularly in regions where human rights are routinely disregarded–and bringing accountability to an industry running wild.