Cyber Security

Khashoggi’s friends, other foreigners, are being watched. The U.S. can do little about it

For years, Ali Al-Ahmed felt grateful to be in the United States, enjoying a safe life, much like his friend, the slain writer Jamal Khashoggi did. Now the dissident Saudi says he is “freaked out.”

Al-Ahmed feels hounded even in his suburban Washington home. He’s been sent dozens of emails tainted with malware. He grows uneasy every time he turns on his car’s ignition. And he blames the Saudi monarchy, which U.S. intelligence has concluded killed Khashoggi while The Washington Post columnist visited his country’s consulate in Istanbul in October.

“This morning, when I was putting on my socks, I thought, I could be killed in a matter of weeks or days,” Al-Ahmed told McClatchy.

It is a nervousness shared by many migrants who fled their homelands because of fears of persecution, only to find themselves subjects of surveillance in a country they thought would offer them protection. Increasingly, they worry that their cell phones are hacked, their computers hijacked and their communications intercepted.

Governments around the globe have obtained electronic surveillance tools, and some are using them to spy on their nationals inside the United States. Researchers say there is strong reason to believe Mexico, Ethiopia and Saudi Arabia have done so. But Chinese, Iranians, Tibetans, Uighurs, Vietnamese and other groups say they believe they have been targeted as well.

As such spying increases, it follows a certain logic. The U.S. government claims the right to conduct vast electronic surveillance outside its own borders in the name of national security. Other countries say they have the same right to snoop here. And a U.S. court ruling last year gives them cover.

“What we’re essentially doing is we’re giving other countries carte blanche to surveil not just their own nationals (inside the United States) but our nationals within the United States,” said Nate Cardozo, senior staff attorney on the civil liberties team at the Electronic Frontier Foundation, a group that advocates for privacy and free expression in the digital age.

The United States is a traditional haven for those demanding political change in their homelands. Foreign nations sometimes view these communities as sources of instability.

“Many states have historically been paranoid about diaspora communities and have used various means to track them,” said John Scott-Railton, senior researcher at the internet watchdog group Citizen Lab. “With the plummeting barrier to entry for conducting some kind of monitoring, many states have just said, ‘Great. This is exactly what we need to sort of claw back visibility of our diaspora.’”

One national security lawyer described the international legal status quo as “anomalous” but said he expected little change.

“Persons in the United States are legally and effectively protected against unlawful surveillance by American government at every level, but are not legally or effectively protected from surveillance … by foreign governments or persons. Intuitively, this is a peculiar state of affairs,” said Joel Brenner, a former senior counsel at the National Security Agency, the top-secret body that sweeps the globe for electronic signals.

“The practical reality is that neither the United States nor our own surveillance targets abroad can do much about this state of affairs, anomalous though it may seem,” Brenner said.

khasoggi.jpg
A demonstrator holds a poster of Jamal Khashoggi outside the Saudi Arabia consulate in Istanbul. Getty Images

Since the U.S. government is arguably better at surveillance than any other government, including Russia and China, it is not eager to wade into any debate about establishing a global legal doctrine limiting such snooping.

Some migrant communities have taken to public education to warn members that one click on a malicious link or email attachment could install spyware to read their chats, listen to their calls on Skype, activate their microphones and cameras and take their files.

“We worked on a lot of simple memes. ‘Detach from Attachments’ is one of our most successful,” said Ladhon Tethong, director of the Tibet Action Institute, which teaches safe technology practices. She said the slogan worked “because of the Buddhist concept but also because everybody could relate to, ‘Oh, I’m getting all these strange emails and attachments, and I clicked on that one and something strange happened.’ … Just don’t open them.”

Tethong said Tibetans are subject to constant surveillance in their homeland, which China claims as its own. Tibetans in the United States and Canada are deeply concerned over Chinese electronic monitoring within North America as well.

It is the case of Ethiopia, though, that has drawn attention to the gap between U.S. criminal law and judicial remedies for those saying they have been spied on from abroad.

The Wiretap Act bars anyone from intruding on another person’s communications, and the Computer Fraud and Abuse Act prohibits unauthorized breaching into a person’s computer. But federal prosecutors are swamped by other computer crimes, and a federal court ruling last year gives foreign governments some cover, leaving victims with the option of seeking civil remedies.

Under most circumstances, foreign governments are exempt from civil lawsuits under principles designed to maintain good relations between nations.

Still, an Ethiopian-American who filed suit in 2014 under the pseudonym of Kidane charged Ethiopian agents with infecting his computer at his Silver Spring, Maryland, home with spyware. Forensic experts found that the spyware was operated from the Ethiopian capital.

A federal court rejected Kidane’s claim and the D.C. Circuit in 2017 upheld the ruling that he did not have grounds to sue Ethiopia because the African nation sent no agents to U.S. soil, and its hackers operated from Addis Ababa, the Ethiopian capital.

Sarah McCune, a U.S. lawyer and independent consultant for Amnesty International, called the ruling “problematic” and said: “Any foreign government that sees that, or is aware of that, will feel that they are relatively free to be engaging in that type of abusive behavior.”

Others in the Ethiopian diaspora say they believe they’ve been targeted as well.

Seenaa Jimjimo, an activist in Chicago, said she was bombarded with suspicious email prior to political change in April, when a new prime minister took over and relaxed political control and free-speech restrictions.

“I frequently got different spearphishing (email) that is trying to have me open some kind of link, some kind of document,” Jimjimo said. “It’s scary but you just learn to live with it.”

Spearphishing is when hackers send a tailored email or text message to a target, hoping that the victim will click on a link that will load malicious software onto their computer or cell phone.

Private firms that make surveillance tools, ostensibly only for law enforcement and counter-terrorism purposes, are increasingly coming under pressure.

A Saudi dissident based in Montreal, Omar Abdulaziz, sued an Israeli spyware company last week in Israeli court, saying the NSO Group’s Pegasus surveillance tool was employed by the Saudi government to monitor his communications with Khashoggi

Al-Ahmed said he was particularly unnerved that electronic and physical surveillance of him seemed to blend together.

In late May, Al-Ahmed, who is a director at the Institute for Gulf Affairs, attended a forum at the American Enterprise Institute. Afterward, he received an email purportedly from a photo vendor showing him at the event. It contained a prompt to see more photos. The email was a spearphishing attempt, according to an analysis by Citizen Lab, which is based at the Munk School of Global Affairs at the University of Toronto.

Al-Ahmed, 52, who said he has U.S. permanent residency but has lost his Saudi citizenship, essentially making him stateless, now worries as much about physical surveillance as spyware.

“There are what I call eyeballs here,” Al-Ahmed said. “They are surveilling.”

Saudi Embassy spokeswoman Fatimah Baeshen acknowledged a query seeking Saudi response but did not immediately offer one.

Another case of electronic espionage targeted one of the most recognized journalists in Mexico, Carmen Aristegui, and her teenage son, Emilio, who attended a prep school in the Berkshires of western Massachusetts.

Aristegui and her investigations team uncovered some of the biggest corruption scandals under the former government of President Enrique Peña Nieto, including that his wife accepted a custom-built $7 million mansion from a government contractor on extraordinarily generous terms.

Aristegui’s son began getting dozens of text messages to his cell phone in Massachusetts in early 2016, his mother said. Some messages appeared to be from childhood friends, or referenced purported events near his home in Mexico City, she said. All contained malicious links that would trigger installation of Pegasus spyware on his cell phone.

“This was despicable conduct by people seeking private information from an adolescent boy … with the only aim of damaging me,” said Aristegui, who hosts a news program on CNN en Español, a radio program and an online news site in Mexico.

Several texts appeared to be from the U.S. Embassy in Mexico City telling Emilio that there was an urgent problem with his student visa.

“Imagine a boy who is studying in the U.S. and gets this kind of message. What a fright,” she said.

In a Nov. 27 report, Citizen Lab said it has identified 24 cases in Mexico of journalists, lawyers, politicians, corruption fighters and others targeted by Pegasus spyware. While Citizen Lab did not attribute the spying to the Mexican government, Aristegui said she is sure that is the source of the electronic surveillance.

Those who follow electronic surveillance said they expect foreign nations to increase monitoring of people of interest – even when the subjects are in the United States.

“Governments clearly realize that they can pursue these operations with very little repercussions and it is a source of significant intelligence for them. So why wouldn’t they do it?” McKune said.

Tim Johnson, 202 383-6028, @timjohnson4
Stuart Leavenworth, 202 383-6070, @sleavenworth
  Comments