THIS INVESTIGATION IS PART OF THE JUSTICE FOR JOURNALISTS FOUNDATION INVESTIGATIVE GRANT PROGRAMME AND WAS ORIGINALLY PUBLISHED BY DARAJ.
This investigation was produced with support from the Justice for Journalists organization.
“I became depressed; I cried a lot, and I was shocked.”
“After the shock, I asked myself if this was even real.”
These were the reactions of Jordanian journalists Rana Sabbagh, the senior editor for the Middle East and North Africa at the Organized Crime and Corruption Reporting Project (OCCRP), and Lara Dumas, an investigative journalist at the OCCRP, when they discovered that they had fallen victim to the Pegasus spyware program developed by the Israeli NSO Group. This happened between 2019 and 2020.
During this period, international media organizations were working on the Credit Suisse project, which revealed leaked banking data related to figures they had been investigating who were associated with regimes in Egypt, Libya, Syria, Jordan, and other locations.
Among the clients of Credit Suisse were heads of state, royal families, brokers, intelligence chiefs, and government-linked businessmen from across the Arab world. This included King Abdullah II of Jordan and his wife Queen Rania, who had six Swiss bank accounts.
This investigation was conducted in partnership with Justice for Journalists (JFJ), a non-governmental organization based in London. JFJ funds investigative journalism into crimes of violence against media workers and assists professional journalists and citizens in mitigating risks.
When they were hacked, the OCCRP was also working on the Pandora Papers, which is an investigative project in a larger cross-border context involving around 600 journalists from around the world, under the supervision of the International Consortium of Investigative Journalists (ICIJ). It investigates millions of documents revealing the secrets of tax havens, particularly in the British Virgin Islands (BVI).
The projects, for the first time, revealed secrets related to ruling families in Arab countries, especially Jordan, and the involvement of presidents and influential figures in corruption allegations and resorting to tax havens. Both Sabbagh and Dumas were surprised by notifications from Apple, informing them that their phones had been hacked. At that moment, their digital lifestyles changed significantly.
Mohammed Najem, the executive director of SMEX, which specializes in digital security, considered Pegasus to be one of the most important programs used, especially in the Arab world. One of its key advantages is that it does not require any interaction from users and relies on vulnerabilities in certain applications, including a vulnerability in Apple’s system.
A Different Life
“I live my life assuming that I’m under 24/7 surveillance, and nothing I do on my phone leaves any traces. There’s nothing I say to a sensitive source. I try to use other phones or see people in different places rather than communicate with them through my phone. I try to turn off the GPS; I leave my phone at home. Unfortunately, those who are monitoring us force us to take steps that may seem suspicious to them.” This is how Rana Sabbagh’s life turned upside down upon discovering she was being spied on. Her private life is no longer as private as she once believed. She has lost her privacy.
The situation for Lara Dumas is not any different. After her phone was hacked, she decided to follow steps that isolate her from the digital world. She explained that she no longer uses her cell phone much, not even for what she considers “trivial” matters, because she deals with her phone as if it’s hacked and that her communications are monitored at all times. It’s not limited to her private communications; it extends to family and work-related meetings.
“Even when I’m present with people, I notice my phone’s location and whether the speaker is uncovered. I always try to put it in another room,” Dumas told Daraj.
She continued, “The same applies to my work life. I apply all security protocols, like making messages disappear on Signal or using an encrypted email if I receive calls on my laptop. I leave my phone in another room, and I don’t want it to be anywhere near where the call is taking place.”
This hack had a noticeable psychological impact on Sabbagh, and she experienced unprecedented sadness, even suffering from nightmares out of fear for her sources and loved ones.
Phone Hacking
In July 2019, Sabbagh discovered, for the first time, that her phone had been hacked. She got to know this from her colleague, Dumas, who had informed her via text that her phone and personal email had been hacked.
Sabbagh reported the matter to her manager, who asked her to send both her and Dumas’s phones to a European country for security reasons. When the phones were examined, it was revealed that Dumas was hacked with the purpose of spying on her colleague Sabbagh. In other words, Dumas and Sabbagh were “collateral damage” due to OCCRP’s work on these cross-border projects.
After Dumas’s phone was first hacked in July 2019, her second phone was hacked several times between February 2021 and October of the same year.
The hack was carried out through iMessage, an application limited to Apple devices. However, Sabbagh states that the starting point for the hack remains unknown, as she didn’t click on any links.
This highlights the “zero-click” technique, which allows a device to be hacked without the victim having to click on a specific link. According to Mohammed Najem, we cannot avoid such hacks, especially if someone chooses to be a public figure.
As for Dumas, she received notifications in her email with the content: “Users who may be affected by the source of the attack on their phones.” This happened in November 2021, while she was working on high-precision and sensitive projects.
The OCCRP team analyzed Dumas’s phone after taking multiple copies of it and erasing the data in an attempt to identify the date and the identity of the hacker. It appears that the hack took place at the end of 2021.
Filing a Complaint Against the Government
“How can I present a report on my phone to the government when I want to file a complaint against [it]? So, in that case, I’ll be going to an entity that is both the opponent and the judge at the same time,” explained the Jordanian lawyer Hala Ahed, emphasizing her decision not to turn to the Jordanian government to report the hacking of her phone.
As for pursuing legal action outside her homeland, Ahed elaborated on the difficulties, stating, “Unfortunately, since we hold only Jordanian citizenship and no other nationalities, the possibility of litigation in courts outside Jordan is not available.” She added, “Big companies like Pegasus don’t have offices outside the occupying entity. We don’t hold other nationalities. So, there would be no judicial jurisdiction in French courts, for example.”
In early 2023, specifically in February, Ahed experienced the last failed hacking attempt on her phone. During the period of hacking, which began in 2021, Ahed and her colleagues at the Defense of Detainees and Political Detainees Conference were working. She handled several cases related to agricultural labor and independent workers’ unions.
Is There a Solution?
“The first shock was that I hadn’t harmed the sources talking to me because, for me, protecting the source is a duty before protecting myself. I must protect my source,” said Rana Sabbagh. This was her primary goal, as it is to many other journalists. Her priority is to protect her sources and provide guarantees to respect their confidentiality. Therefore, the primary concern for Sabbagh and Dumas was not revealing their sources’ identities or any sensitive information they had provided.
The protection of sources has become an obsession for them, especially at the beginning of every new investigative project. “If you work with sensitive sources, I believe [protecting your sources] is the main thing. Well, you don’t want to reveal them, you don’t want to expose them. You work with many people who don’t use their real names, and you don’t want it to be revealed because you were not cautious enough on your phone, and you know that you might be hacked,” according to Dumas.
Sabbagh changed her approach to gathering information from her sources: She no longer records any interviews on her phone and relies on traditional methods like taking notes on papers that she does not keep at home. However, sometimes, when she writes the story on her computer, she feels anxious that someone might be monitoring her or working with her at the same time, even if she couldn’t see them.
While there may not be foolproof protection against hacking and surveillance, it is essential to take precautionary steps that can provide minimal security. Additionally, Mohammed Najem highlights the importance of using “two-step authentication,” which includes two consecutive authentication steps to verify a person’s login on platforms.
According to Najem, using a VPN can offer the required protection, as it is a Virtual Private Network, allowing two devices connected to a public network, such as the internet, to exchange private data with each other. The word “private” means that the data shared between the devices is confidential and only accessible to the parties involved. Dumas uses this feature to ensure the protection of information and sources.
Constant hacking attempts against journalists may continue, but taking precautionary measures can provide the minimum required protection. Moreover, Rana Sabbagh emphasizes that media organizations should bear more significant responsibility. They should train journalists in safeguarding their phones and data, and acquire the most critical programs to protect them from hacking.