
Abstract

This document, which was sent to the University of Toronto, outlines a series of potential methodological and ethical issues that would suggest the need to launch an independent investigation and re-assess the findings of the report “CatalanGate; Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru”, published on 18 April 2022 by Citizen Lab at the Munk School of Global Affairs and Public Policy, University of Toronto. This document is based on a careful examination of the report and the public statements of the authors of the report, as well as some of the participants in it. The public responses made by Prof. Ronald Deibert, Director of Citizen Lab, to the questions posed by a group of European MPs do not dissipate most of the doubts publicly expressed earlier. This document signals many serious inconsistencies and questionable choices at different stages of Citizen Lab’s investigation.
Methodological and ethical issues in Citizen Lab’s spyware investigation in
Catalonia
Executive summary
This document outlines a series of potential methodological and ethical issues that would suggest the
need to launch an independent investigation and re-assess the findings of the report: CatalanGate;
Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru, published on
18 April 2022 by Citizen Lab at the Munk School of Global Affairs and Public Policy, University of
Toronto. This document is based on a careful examination of the report and the public statements of
the authors of the report, as well as some of the participants in it. The public responses made by Prof.
Ronald Deibert, Director of Citizen Lab, to the questions posed by a group of European MPs do not
dissipate most of the doubts publicly expressed earlier. This document signals many serious
inconsistencies and questionable choices at different stages of Citizen Lab’s investigation such as:
• A variety of apparent conflicts of interests (political and economic), involving the authors of
the report and the individuals collaborating with its fieldwork, remain undisclosed.
• According to key participants, Citizen Lab’s investigation in Spain sought evidence to feed court
cases against NSO by WhatsApp, Apple and Catalan secessionist politicians. Apple’s
announcement of a $10 million contribution to researchers for their support gathering
evidence against NSO (that mentioned explicitly Citizen Lab) seems to confirm this.
• Findings reported in this non-peer-reviewed study are not replicable and the authors refuse to
provide samples that would allow any serious independent validation.
• Contrary to what the literature on forensic analysis (and usual scientific procedures) suggest,
Prof. Deibert claims 100% reliability of their analytical processes and refuses to consider the
possibility of false positives or other errors. However, several sources explain how to
manufacture false positives.
• There is a very unusual lack of transparency concerning methodology. The authors refuse to
report when, where and by whom the digital forensic analyses were conducted. It seems that
no non-digital or non-remote analysis was conducted to verify infections.
• The authors refuse to report the number of devices investigated or the ratio of positives.
There were no control groups.
• Citizen Lab’s authors express very serious accusations against the Spanish government for
“illegal espionage” based on what the report claims to be “circumstantial evidence” (many of
them in media interviews and social media). Most of the evidence pointing at Spanish
authorship of illegal espionage is extremely weak at best.
• Meanwhile the report does not consider any of the other plausible alternative hypotheses. It
is surprising how the possibility of legally sanctioned surveillance, false positives, or espionage
by the secret services of Russia, Morocco or Western countries is not even mentioned.
• Participants and some authors were quite evidently trying to maximise the number of
positives. The reluctance to submit samples for external validation seems to confirm this. No
conflict of interest or issues concerning the obvious lack of neutrality were acknowledged.
• Fieldwork was coordinated by a pro-independence activist and a presumed victim of
espionage, without any prior research experience or completed higher education degree. This
author also made false claims about his employment status and was not affiliated to Citizen
Lab for most of the investigation period.
• No explanation has been given on why he was tasked with highly sensitive fieldwork or
whether he was respectful of basic research ethics protocols.
• Only the devices of pro-independence politicians and activists were analysed. The authors do
not explain the criteria used in the snowball sampling. There is very strong evidence suggesting
that the cases submitted to analysis were filtered by two political parties.
• There are many contradictions and ethical concerns on how the fieldwork investigation in
Spain started in July 2020. Then an unusually strong communication campaign coordinated by
Catalan secessionist political parties and a lawsuit were launched within a week of the first
analysis and before confirmation of any infection.
• Participants were alerted that they were likely being spied on without consideration that this
warning would mean interference with Spanish court sanctioned investigations. Many
participants were legally monitored by Spanish security services when contacted and
explained how to avoid surveillance. Others were awaiting trial, and some were even in prison.
• There are also serious doubts concerning the relationship between Citizen Lab and Amnesty
Tech. They claim to work independently and theoretically “peer-review” each other’s methods
and provide “external validation”. However, both organisations work together most of the
time. Prof. Deibert acts as advisor for Amnesty Tech, and for several years (including part of
this investigation) there was one Amnesty employee working within Citizen Lab.
• The name “CatalanGate” for the report (published on 18 April 2022) was chosen to match the
slogan of the propaganda campaign that Catalan secessionist parties and organisations were
preparing months before the publication of the report. The largest secessionist organisation
registered the domain “CatalanGate.cat” in January 2022. Moreover, a Twitter account
(182.6K-follower) currently named “@catalangate” has been used for years to promote
secessionist communication campaigns.
• Several of the participants in the investigation were investigated for their known ties with
Russian intelligence services. Six of the participants, including the coordinator of fieldwork are
suspected of collaborating with Russian secret services to create in 2019 the Tsunami
Democratic blockchain-based platform to dodge Spanish security forces (it served to
coordinate violent riots and blockades of roads, train stations and airports). Surprisingly, these
well documented ties with Russia and Russian attempts to destabilise Spain and the EU by
supporting Catalan secessionists are completely omitted from the report.
• The responses of Prof. Deibert regarding the fieldwork investigation are contradicted by many
of the spoken and written statements of several participants in the investigation.
• The authors have been called to provide expert testimony in parliamentary commissions and
court cases launched by secessionist politicians (involved in this investigation).
Given the lack of scientific rigour and the severity of the methodological and ethical issues noted in
this document, an independent investigation of the research processes is recommended to ensure that
potential mistakes or malpractice do not have unintended negative impacts on third parties or taint
the excellent reputation of the University of Toronto.
Observations on Prof. Deibert’s responses to Renew Europe MEPs questions
The observations in this document follow the same order as the original exchange between Renew
Europe MEPs and Prof. Deibert. Comments and new questions are numbered to facilitate reference
in future exchanges (e.g., 1a, 1b, 2a, 2b, 2c, etc.). Therefore, their order does not reflect in any way
the degree of potential severity of the problems raised.
1. Prof. Deibert’s response to the question “Was the ‘CatalanGate’ report peer-reviewed?”
suggests that the CatalanGate report was not peer-reviewed. Given that he referred to the
external validation of 4 out of the 65 positive cases:
a. Would it be possible to know when these validations took place (month and year)?
b. Why does the report refer to the validation of the findings on 4 participants but shares
the name of only 3 of them? Was the fourth one an anonymous participant?
2. Prof. Deibert’s response to the question “Are the results of the forensic analysis replicable?”
suggests that the report’s findings are theoretically replicable, but independent experts cannot
replicate them in this specific investigation as it would require consent from research
participants. However, most victims have voluntarily and publicly come forward to have their
devices examined, and as clearly explained by Prof. Deibert, in other spyware investigations
Citizen Lab shared infection samples with Microsoft, Apple and Google.
a. Why didn’t Citizen Lab request permission in this report investigation to make samples
available for trusted independent peer-reviewers?
b. Should the participants grant permission, would Citizen Lab be willing to share their
samples with other independent peer-reviewers?
c. Given that Citizen Lab did share a sample of 4 cases with Amnesty Tech, could other
independent peer-reviewers have access to these four samples?
In his response to the second question, Prof. Deibert also refers to the credibility of Citizen
Lab and reputation of Dr. Bill Marczak, which we would not question. He also mentions that
“To date, no reputable technical analysis has contradicted our findings”. However, we believe
that credibility of scientific progress does not rely on authors’ (or critics’) personal or
professional reputation, but on following transparent and replicable processes, which
customarily includes peer-review.
d. Have any of your spyware investigations been formally peer-reviewed or published in
an academic journal with a formal review process?
e. If your reports cannot be falsified / validated, how do you ensure they do not contain
any relevant errors?
3. We value that disclosure of conflicts of interest is part of the research ethics protocols at the
University of Toronto.
a. Hence why didn’t this report include statements acknowledging (or rejecting) conflicts
of interests by the authors?
4. Prof. Deibert claims that there was no conflict of interest raised by Mr. Elies Campo’s work
with the Citizen Lab, and that Mr. Campo acted under his supervision and authority. Prof.
Deibert stresses that Mr. Campo did not work independently.
a. How could Prof. Deibert claim that Mr. Campo was not working independently when
there was no formal affiliation to Citizen Lab until February 2022?
b. Why wasn’t he granted the status of Fellow in 2020 when his work for Citizen Lab
started?
c. How can outreach activities taking place in Catalonia be effectively supervised from
Canada? (In particular given that Mr. Campo had no contract or formal obligation with
Citizen Lab)
d. Since Mr. Campo had no known scientific research expertise or completed any
university degree, did he receive some formal training before being assigned the task
of coordinating outreach? If so, when (month and year)?
e. How did Prof. Deibert ensure Mr. Campo’s compliance with the University of Toronto’s
research ethics protocols, and his adherence to standard social scientific research
procedures involving human subjects?
f. Did anyone in Citizen Lab express concerns regarding potential conflicts of interests by
Mr. Campo, given that he presented himself as an employee of Telegram, and Citizen
Lab was theoretically assisting WhatsApp (Telegram’s competitor) in reaching out to
potential victims?
g. Did anyone in Citizen Lab express concerns regarding potential conflicts of interest by
Mr. Campo, given that he was a vocal pro-independence activist and acquaintance of
many of the victims that were emerging?
5. Prof. Deibert explains the distribution of work for the report attributing Mr. Campo
responsibility in coordinating outreach. At the same time, the report states: “…the Citizen Lab,
in collaboration with civil society organisations, undertook a large-scale investigation into
Pegasus hacking in Spain.”
a. Did any member of the team express concerns about potential selection bias due to
Mr. Campo’s responsibility in selecting cases?
b. Could Citizen Lab name the civil society organisations that collaborated in the
investigation, their involvement, and the timeline of this collaboration?
6. Prof. Deibert does not fully respond to the question about when Mr. Campo was trusted with
fieldwork in Catalonia; he just notes that he worked between 2020 and 2022. In a television
interview, Mr. Campo claims that in October 2019 WhatsApp and Citizen Lab sent notifications
to potential victims of a security breach in WhatsApp, and that some of these victims, knowing
that he had worked for WhatsApp, contacted Mr. Campo to ask for confirmation of the attacks.
Mr. Campo claims that he contacted his former colleagues at WhatsApp, who confirmed that
messages were genuine and that he should contact Citizen Lab to find out more.
a. Could Citizen Lab specify the date when Mr. Campo first contacted anyone in their
team? (Or at least the month and year).
b. In a context of highly sensitive investigations like this one, is it common to trust
important areas of the investigation to people that approach Citizen Lab?
c. Did anyone express concerns or surprise when Mr. Campo contacted Citizen Lab and
volunteered for the investigation?
7. Prof. Deibert claims that outreach and research activities began in fall 2019 and continued
until the time of publication. In a television interview, Mr. Campo claimed that Mr.
Scott-Railton was contacting the activists in the list issued from the 2019 WhatsApp security breach.
a. Could Citizen Lab specify when the team contacted the first of the Catalan victims?
b. Did WhatsApp/Facebook suggest contacting potential Catalan victims?
According to the report, Mr. Roger Torrent was the first pro-independence leader publicly
known to be notified by Citizen Lab and WhatsApp.
c. Did WhatsApp/Facebook suggest contacting Mr. Roger Torrent?
d. Did Mr. Scott-Railton or someone else in Citizen Lab ask journalists Ms Stephanie
Kirchgaessner, Mr. Sam Jones (The Guardian) and/or Mr. Joaquín Gil (El País) to
contact Roger Torrent and warn him that he could be a victim of cyberespionage?
Contrary to what the CatalanGate report states, Mr. Torrent claims in his book Pegasus: L’Estat
que ens espia (page 14) (published in January 2021, Barcelona: Ara Llibres) and in an interview
published on 5 April 2021, that he did not receive any notification before and that the first
notification of his suspected Pegasus attack was made by the abovementioned journalists on
8 July 2021.
e. Why were these journalists involved in making the first contact with Torrent? Was it a
decision by WhatsApp or Citizen Lab?
f. Why did Mr. Scott-Railton tell El País (14 July 2020) that Mr. Torrent gave Citizen Lab
their phone without having been asked to do so? (Torrent in his book, page 23, claims
that the journalists insisted on Torrent contacting him).
g. Out of the 65 confirmed cases, how many of them were contacted in 2020, 2021 and
2022?
h. How many of the participants’ analyses took place in 2021? And in 2022?
8. Prof. Deibert claims that, to protect the privacy of research participants, he cannot provide
information regarding where the technical analyses for the report were conducted:
a. Why would revealing where expert work analysing devices took place be a problem
from the point of view of participants’ privacy?
According to the academic literature, digital-only forensic analyses present many limitations
and challenges (e.g., Krishnan et al. 2019; Montasari et al. 2019; Yaacoub et al. 2021) that
suggest the need to complement them with non-remote analyses. However, Roger Torrent in
his book (page 37) explains that the examination of his telephone was made only remotely
from Toronto: on 10 July he was asked to connect to a VPN by Mr. Scott-Railton.
b. Were the other analyses by Mr. Scott-Railton, Dr Marczak and Mr. Bahr Abdul Razzak
also conducted remotely?
c. How many of the 65 devices travelled to Canada or elsewhere to be physically/on-site
examined? (We are not asking whether participants travelled, or whose devices did).
Ms Niamh Sweeney, former Director of Public Policy of WhatsApp, claimed the following in
her official statement to The Guardian (28 July 2020):
“Based on the information available to us, we are not in a position to confirm whether Mr
Torrent’s device was compromised as this could only be achieved through an exhaustive
forensic analysis of the device”
d. What type of “exhaustive forensic analysis” could be made in addition to the remote
exploration made by Mr. Scott-Railton?
e. Was any other analysis made on Mr. Torrent’s telephone? If so, by whom, and when
(month and year)?
9. Prof. Deibert claims that no other institutions or groups were involved in the forensic analysis
conducted for the report, beyond the examination of four samples by Amnesty Tech. However,
this seems to contradict the same report, which claims that the “Candiru” infection was
identified on the campus of the University of Girona, and suggests that Mr. Joan Matamala
was “patient zero” (Mr. Matamala was the cofounder, alongside Mr. Jordi Baylina, of the
Fundació Nord that promotes blockchain technology for electronic voting and creation of
online structures for an independent Catalonia). The CatalanGate report states:
“Matamala’s colleagues asked him to step away from the computer and into the hallway.
Once the situation had been explained, he consented to a forensic analysis of the device. We
were able to successfully forensically extract the malicious spyware and determine that it was
persistently installed on his device.”
a. Who conducted that physical examination at the University of Girona?
b. How many devices were (physical/on-site) examined in Catalonia?
c. Did the Centre Blockchain de Catalunya (CBCat) or Fundació Nord conduct some of the
examinations? If so, when (month and year)?
d. Who conducted the physical examinations, if any, in Catalonia?
e. How many devices (phones or computers) were sent to Toronto for non-remote
confirmatory analyses?
Joan Matamala is referred to as “patient zero” in the CatalanGate report. Also: “While
conducting a preliminary investigation into Candiru spyware we identified evidence of a live
Candiru infection on an institutional network backbone used by a consortium of Catalan
universities.”
f. Why were the Candiru infections in Catalonia omitted in your Hooking Candiru
report (July 2021), and later included in the “CatalanGate” report? (CatalanGate report
states that).
g. When were the Candiru infection attempts on Mr. Pau Escrich, Mr. Xavier Vives and
Mr. Elies Campo discovered by Citizen Lab (month and year)?
h. When were the infection attempts on Mr. Jordi Baylina discovered?
More importantly, Mr. Roger Torrent explains in his book (pages 141-142) that his party
Esquerra Republicana de Catalunya (ERC) had, by 24 July 2020, become “expert trackers” and
that they could differentiate suspicious messages. Mr. Oriol Sagrera (Torrent’s Chief of
Cabinet) was compiling suspicious SMS to pass them to Mr. Scott-Railton and Mr. Campo. He
also claims that Junts per Catalunya (JxCat) was doing it too, and Mr. Gonzalo Boye was
creating an inventory.
i. Did anyone in Citizen Lab express concerns about the involvement of secessionist
political parties in the identification of suspicious attacks?
j. Did anyone in Citizen Lab express any concerns regarding the interest that these
political parties, involved in a secession attempt, could have in inflating the number of
positives?
k. Did anyone in Citizen Lab express concern with the possibility that secessionist activists
with advanced IT expertise such as Mr. Sergi Miquel, Mr. Baylina, Mr. Escrich, Mr. Vives
and Mr. Campo (the four of them IT entrepreneurs and experts working on the area
of blockchain technology) could potentially manipulate the evidence?
10. Prof. Deibert does not respond to the question about the number of devices investigated,
claiming that to protect the privacy of research subjects, the Citizen Lab does not comment on
the cases that are not published or publicly disclosed. We believe the question may have been
misunderstood. The question does not imply any threat to privacy; it reflects standard practice
in scientific research reporting. To have a better sense of the magnitude or severity of a
problem, it is important to understand the approximate incidence or ratio of positives (e.g.,
percentage of positives / tests). For instance, 65 positives out of 100 tests would be much more
worrisome than 65 positives out of 1,000 tests.
a. How many devices or individuals were investigated in total?
b. How many of those investigations resulted in negative results?
11. Prof. Deibert does not respond to the question on whether devices of non-secessionist leaders
or activists were also investigated, claiming that to protect the privacy of research subjects,
the Citizen Lab does not comment on the cases that are not published or publicly disclosed.
Again, we believe this question should be addressed. Revealing if non-secessionist subjects
have been studied does not imply revealing their names. Explaining the logic behind sampling
is standard in scientific research.
a. Was there any control group in the investigation on Catalonia? Did Citizen Lab run
analyses on people who were not connected to secessionist movements?
b. Did WhatsApp request Citizen Lab support to contact only Catalan secessionist leaders
or activists or were some other Spanish citizens among the 1,400 users in WhatsApp’s
list? (We do not ask for names).
c. Did you rule out Pegasus attempts on other non-secessionist political leaders or
activists?
d. Did you rule out that other states or organisations (linked to states) would be
interested in targeting Spanish politicians and activists with Candiru or Pegasus?
12. Prof. Deibert explains that the four cases chosen for validation by Amnesty Tech were selected
using a variety of indicators and to accommodate Citizen Lab’s research mandate,
which focuses on civil society cases: Mr. Jordi Sànchez, Ms Meritxell Bonet and Dr. Elizenda
Paluzie were selected. The fourth case sent for validation is not announced in the report.
a. Was Citizen Lab aware that Mr. Jordi Sànchez was a politician, and that he led the
candidature of Junts per Catalunya for the 2019 General Elections, as well as being a
former member of the Catalan Parliament, sentenced to prison on charges of sedition
for the events in 2017?
b. Was Citizen Lab aware that Ms. Meritxell Bonet is Mr. Jordi Cuixart’s partner? Mr. Jordi
Cuixart was the leader of the secessionist organisation Omnium who was imprisoned
alongside Mr. Jordi Sànchez.
c. Was Citizen Lab aware that Dr. Elizenda Paluzie was the person that replaced Jordi
Sànchez as leader of the 80,000-member-strong secessionist organisation, Assemblea
Nacional Catalana, that openly calls for breaking the law and making effective a
unilateral declaration of independence?
d. Did anyone suggest testing any of the cases in which a legal investigation was not as
clearly expected as for these 3 cases of potential espionage? (Usually, borderline cases
are included in scientific validation tests; both Mr. Sànchez and Dr. Paluzie were
monitored by Spanish secret services following a court mandate).
e. Would Citizen Lab agree to submit to external validation other participant samples
(after obtaining written authorisation from them)?
13. Prof. Deibert claims that the external validation was conducted independently by Amnesty
Tech in March-April 2022. The report was launched on 18 April 2022 in a perfectly coordinated
communication campaign with professional infographics in 3 languages, a long-planned
exclusive in The New Yorker by Mr. Ronan Farrow, videos and a dedicated website and social
media accounts (all requiring months of preparation).
a. Given that the first cases were identified and announced publicly in July 2020, why did
Citizen Lab wait until March-April 2022 to conduct external validation of cases?
(Usually, early detection of errors is used to calibrate instruments).
b. Would Citizen Lab have revised its report and cancelled the communication campaign
had any of the samples tested by Amnesty Tech tested negative?
During the investigation on Catalonia, Citizen Lab discovered the HOMAGE exploit (that
theoretically was used with Pegasus between 2017 and 2020).
c. Did Citizen Lab send cases of HOMAGE exploit to Amnesty Tech or other external
institution to validate these findings early on?
The CatalanGate report acknowledges that our methods have limited insight into Android
infections. Mr. Torrent suggests that his telephone was an Android.
d. Did you seek external validation for any of the cases detected on Android devices
(such as Torrent’s)? If not, why not?
Prof. Deibert also claims not to be aware of whether or not Mr Etienne Maynier was the person
who conducted the analyses within Amnesty Tech. Mr. Maynier worked at Citizen Lab between
2016 and April 2021. Mr. Maynier was involved in several Citizen Lab reports concerning
Pegasus (supposedly with a double affiliation with Amnesty International and Citizen Lab). The
investigation on Catalonia started no later than July 2020.
e. Would you consider that Mr. Maynier’s double affiliation and work in Citizen Lab
during the Catalan investigation makes him a suitable expert to conduct an external
independent validation?
It is worth noting that Prof. Deibert acts also as technical advisor for Amnesty International,
and that, on 18 July 2021, Citizen Lab published an Independent Peer Review of Amnesty
International’s Forensic Methods for Identifying Pegasus Spyware (authored by four of the
co-authors of the CatalanGate report).
f. If Citizen Lab reviews and validates Amnesty Tech forensic methods for Pegasus, can
Amnesty Tech validation of Citizen Lab work be considered truly independent?
14. Prof. Deibert claims that Citizen Lab can reliably distinguish Pegasus infection attempts from
other spyware attacks and refers to six years of published research as well as independent
validations. However, in Citizen Lab’s publication list we do not find a single peer-reviewed
article. The external validation of forensic analyses is in most of the reports conducted by
Amnesty. For instance, in “Peace through Pegasus”, “Project Torogoz”, “Pegasus vs. Predator”,
“Devices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware”,
“Breaking the News”, and “From Pearl to Pegasus”. We have also noted that many of the other
reports by Citizen Lab do not refer to any process of external validation (e.g., “FORCEDENTRY”,
“Privacy and Security Analysis of the IATA Travel Pass Android App”, “Engrave Condition”,
“Pandemic Privacy”, “No Access”, “Hooking Candiru”).
a. Has anyone in Citizen Lab or in the University of Toronto suggested transforming
Pegasus reports into peer-reviewed journal articles?
b. Has anyone in Citizen Lab or the University of Toronto suggested submitting Pegasus
findings for external validation to a truly independent external organisation (meaning
without organisational ties or common interests)?
c. Why don’t Citizen Lab reports (including the “CatalanGate” or the “Independent Peer-
Review report for Amnesty International”) include any acknowledgment of the
existing relationships between both institutions?
15. When questioned about what expertise or skills served as the basis for choosing Mr. Elies
Campo as coordinator of the fieldwork in Catalonia, Prof. Deibert claims that no special
technical expertise is required to help coordinate outreach to high-risk groups. However,
sampling and outreach in the context of highly sensitive research, involving people
investigated for criminal activity within a democracy (Spain was ranked 9th in the world by the
prestigious V-Dem’s democracy index in 2020) requires an understanding of both
methodology and research ethics.
a. Was there any selection process or collegiate decision to appoint Mr. Campo as
outreach coordinator?
b. Were the members of Citizen Lab aware that Mr. Campo had not completed any
university degree and had no experience conducting academic research?
c. Did any member of Citizen Lab express concerns about Mr. Campo’s sampling and
outreach role when they found out that he was being presumably investigated?
Although the CatalanGate report still refers to Mr Campo as an employee of Telegram,
Telegram has already twice formally rejected this claim:
“Mr. Elies Campo has never been employed by Telegram in any capacity, let alone as the
head of anything”
In an interview with La Vanguardia, in 2014, Mr. Campo admitted that he had met with
governments, operators and journalists pretending to be an employee of WhatsApp, before
being hired. Elies Campo was openly and notoriously involved in the organisation of the 2017
illegal referendum, as the CatalanGate report acknowledges, associated to the Vocdoni
initiative (alongside other participants in the investigation). This initiative attempted to use
Ethereum blockchain technology to create voting systems beyond the control of the Spanish
government to facilitate the creation of a Catalan Republic.
d. Was any background check conducted on Mr Campo before trusting him with
responsibility on fieldwork?
e. Did anyone at Citizen Lab express concerns about commissioning work to someone
who lied about his professional life?
f. Did anyone at Citizen Lab express concerns about commissioning work to someone
who was an activist involved in a secession attempt against a European democracy?
Prof. Deibert claims that outreach in Catalonia was supervised by himself:
g. How many times did Prof. Deibert travel to Catalonia to supervise outreach during the
duration of the project?
h. How can proper supervision of fieldwork be guaranteed when the person undertaking
the outreach work lives in another country and has no affiliation with Citizen Lab?
16. When asked “When Citizen Lab trusted field work to Mr. Elies Campo, did they already know
that he was being monitored by Spanish intelligence services for his alleged implication in
several illegal secessionist activities?”, Prof. Deibert claims that “The Citizen Lab only became
aware of allegations made against Mr Campo after the publication of the Report”. However,
Citizen Lab has repeatedly expressed publicly, from July 2020, that spyware attacks in
Catalonia likely came from one or several State agencies, and the CatalanGate report also
suggests that Spain’s intelligence services were involved.
a. When did Citizen Lab discover that Mr. Elies Campo’s phone was attacked by spyware?
(month and year)
b. When Mr Campo was found to be a victim of government-grade spyware, did anyone
in Citizen Lab express concerns about Mr Campo’s potential involvement in illicit /
illegal activities? Otherwise, what did they think was the reason for such surveillance?
17. Professor Deibert acknowledges that Mr. Elies Campo first contacted the Citizen Lab in 2020.
a. Did Mr. Campo first contact Citizen Lab in July 2020 or earlier?
b. Did Mr. Campo justify this contact and his will to help in the investigation referring to
his personal contacts within WhatsApp?
c. Did Mr. Campo justify this contact and his will to help in the investigation referring to
his personal links with secessionist parties and leaders?
d. Did Mr. Campo justify this contact and his will to help in the investigation referring to
his personal links with IT experts in Catalonia?
e. Did Mr. Campo justify this contact and his will to help in the investigation referring to
suspicion of being the target of spyware?
f. Did any of the members of the Citizen Lab team propose Mr. Campo’s participation?
18. Prof. Deibert claims that no company suggested that the Citizen Lab launch a specific
investigation in Spain and that Citizen Lab also investigated Togo and Rwanda among other
countries regarding the 2019 WhatsApp breach. However, in WhatsApp Inc.’s formal complaint
against NSO Group there was no mention of Spain or Catalonia (although there were several
mentions of dictatorships). Moreover, the Forbidden Stories journalism consortium, which has also been
investigating Pegasus and obtained a leak of more than 50,000 phone numbers selected for
surveillance by the customers of NSO Group since 2016, only mentions one case of a Spanish
journalist targeted, Mr. Ignacio Cembrero, Maghreb correspondent.
a. Who was the proponent of the idea of a report focusing on Catalonia? Was it Mr.
Campo? Was it any secessionist leader?
b. What was the motivation for choosing Spain ahead of many other countries, with far
worse records of human rights and rule of law, such as those mentioned by WhatsApp
and Forbidden Stories?
On 27 July, according to Mr. Roger Torrent’s book (page 150), Citizen Lab confirmed to ERC
that none of the telephones analysed were infected (just some had suffered infection
attempts). On 28 July WhatsApp also expressed in an article in The Guardian that they had no
evidence of successful hacking. According to the Appendix of the CatalanGate report, none of
the cases in the list supposedly notified by WhatsApp was a forensically confirmed Pegasus
infection: Ms. Anna Gabriel, Mr. Ernest Maragall, Mr. Jordi Domingo, Mr. Roger Torrent and
Mr. Sergi Miquel.
c. Given the lack of any confirmed infections in Catalonia by the end of July 2020, why
did Citizen Lab decide to devote resources to search for positive Pegasus cases in
Spain? (Meanwhile, there were many suspected cases of Pegasus infections in
dictatorships and countries with poor human rights records).
d. Did the journalists Ms. Stephanie Kirchgaessner, Mr. Sam Jones (The Guardian) and
Mr. Joaquín Gil (El País) encourage Citizen Lab to pursue this line of investigation?
e. Did any of the secessionist parties or civil society organisations collaborating with Mr.
Scott-Railton and Mr. Campo suggest that the investigation should continue despite
the absence of infection evidence in the phones of the leaders in WhatsApp’s list?
f. Was WhatsApp informed that Citizen Lab was continuing the investigation despite the
lack of evidence of infections?
19. Prof. Deibert claims that “The Citizen Lab has never been commissioned to find evidence for a
lawsuit by any parties to any litigation, including Apple. Under no circumstances would we
undertake commissioned research.” However, this contradicts what Mr. Roger Torrent’s book
on Pegasus (published in January 2021) claims: that on 21 July 2020, Mr. Oriol Sagrera (his
chief cabinet officer, who was liaising with Mr. Campo and Mr. Scott-Railton, and who is
included as a victim in the report) told Mr Torrent:
Elies Campo ... has contacted John Scott-Railton and they will work together on our case. He
does this on behalf of Apple, which is also very interested in clarifying who is behind the
attacks (Torrent 2021: page 135)
“Those at Citizen Lab are interested in closing the folder so that we can provide ammunition
to WhatsApp, Apple and ourselves, so that we have solid material to present in court.”
(Torrent 2021: p. 135)
On 23 November 2021, Apple sued NSO Group based on the evidence collected by Citizen Lab
and Amnesty Tech, after discovering the FORCEDENTRY exploit in March 2021.
Mr. John Scott-Railton claimed on Twitter that same day:
I see @Apple's lawsuit as partly triggered by findings & efforts of so many of our @citizenlab
peers:
E.g. @AmnestyTech @accessnow @RSF_inter @EFF @pressfreedom @R3Dmx @article19org
& many more.
a. How did the participants in the Catalan investigation know about the Apple lawsuit
against NSO in July 2020?
b. Is providing ammunition for court cases a constraint or a goal when designing Citizen
Lab investigations?
c. If Mr. Campo was not working independently but under the supervision of Prof.
Deibert, why did he claim to be working on behalf of Apple?
d. When did Apple contact Citizen Lab for the first time to seek technical support
concerning iOS spyware infections? When did Citizen Lab find out about Apple’s
intention to sue NSO?
e. After the first few cases in WhatsApp’s list, why did Citizen Lab focus the investigation
in Catalonia almost exclusively on Apple devices (despite the higher utilisation rate of
Android phones)? Was this exclusively linked to technical difficulties?
On 14 July, Mr. Torrent, Mr. Sagrera and Mr. Andreu Van den Eynde (lawyer of ERC secessionist
leaders, and who was also included into the report as a victim) started working on a narrative
for a lawsuit, according to Mr. Torrent’s book:
We help Andreu to limit the story: first, we have the attack on the mobile accredited by
Citizen Lab; second, Pegasus, the software that is officially only sold to government
intelligence services. Andreu says that with the Citizen Lab report we have enough to support
the complaint, but that we would also like to have the confirmation of WhatsApp (Torrent
2021: p.71)
“Well, now we just have to define who we are targeting with the complaint”. (Torrent 2021:
p.72)
On 16 July 2020, before having confirmation of any infection, Mr. Roger Torrent and Mr. Ernest
Maragall (leader of ERC in Barcelona’s city council and Pegasus victim according to the report)
filed a complaint against the former director of the Spanish secret services, Mr. Félix Sanz
Roldán, for espionage with Pegasus (based on the evidence provided by Citizen Lab). On 18
July 2020, according to Mr. Torrent’s book (pages 113-114), Mr. Van den Eynde explained that
after contacting WhatsApp’s legal team, he found it crucial to get data from WhatsApp to
substantiate their complaint.
f. Did anyone in Citizen Lab find it surprising that the ERC members they had contacted
had filed a complaint before even getting any formal confirmation of any infection?
On 17 July 2020, Mr. Scott-Railton put Mr. Joan Serra, Mr. Torrent’s press secretary, in touch
with Mr. Luis Fernando García, lawyer and director of R3D, the organisation that collaborates
with Citizen Lab in Pegasus investigations in México, so that they provided advice on the legal
actions, to detect attacks, and to find avenues for judicial and media complaints (Torrent 2021:
pp.110-111).
On 18 July 2020, Mr. Scott-Railton claimed, according to Roger Torrent’s book:
Your topic is the opportunity to open a case in the European Union. I think there are enough
elements to make your issue a European issue (Torrent 2021: p.114).
g. Since no infections had yet been confirmed, why was Mr. Scott-Railton so interested
in helping Catalan secessionist leaders to build a court case?
More recently, on 3 May 2022, Mr. Boye filed a complaint against NSO, in which he
proposes all co-authors of the CatalanGate report for expert testimony (except for Mr. Campo,
who is not mentioned), requests the testimony of Mr. Marczak as a witness, and cites Citizen Lab
and its reports 14 times. On 18 May 2022, Mr. Joaquim Torra and Mr. Josep Costa filed
another complaint against the Spanish Prime Minister, Pedro Sánchez, based on the findings
presented in the CatalanGate report.
h. When was Citizen Lab aware that Mr. Boye was filing a complaint in Spain?
i. Did the members of Citizen Lab agree to act as expert witnesses in the lawsuit?
j. If so, when did they agree to participate in the trial?
k. Why do you think Mr. Campo is the only author that is not invited to testify?
l. Does Citizen Lab believe that the circumstantial evidence presented in the
CatalanGate report is sufficiently solid to condemn the Spanish Prime Minister or any
other individual for illegal espionage?
20. Prof. Deibert categorically affirms that The Citizen Lab has never received payments or
donations from Apple, WhatsApp, or Facebook. However, in the official press release that
announced that Apple was suing NSO, they also announced a 10 million dollar contribution
to support cybersurveillance researchers and advocates. Apple officially specifies:
Apple commends groups like the Citizen Lab and Amnesty Tech for their groundbreaking
work to identify cybersurveillance abuses and help protect victims. To further strengthen
efforts like these, Apple will be contributing $10 million, as well as any damages from the
lawsuit, to organisations pursuing cybersurveillance research and advocacy.
Apple will also support the accomplished researchers at the Citizen Lab with pro-bono
technical, threat intelligence, and engineering assistance to aid their independent research
mission, and where appropriate, will offer the same assistance to other organisations doing
critical work in this space.
a. What share of the amount announced do Citizen Lab or its researchers expect to
receive?
b. Why would Apple cover any damages from the lawsuit to researchers, if they were
never commissioned to find evidence for any litigation?
21. Prof. Deibert acknowledges that all researchers within the Citizen Lab are required to follow
applicable ethics protocols.
a. Was Mr. Campo trained on the University of Toronto Ethics protocols?
b. Did he adhere formally to them?
c. Would lying about employment status be a breach of the University of Toronto’s Ethics
code?
d. Would keeping undisclosed personal or political interests that could endanger
neutrality in an investigation be a breach of the University of Toronto’s Ethics code?
e. Would conducting research driven by non-disclosed rewards from private
corporations or foundations linked to them be a breach of the University of Toronto’s
Ethics code?
f. Would tailoring sampling processes and research design to the interests of private
corporations or political parties be a breach of the University of Toronto’s Ethics code?
g. Would leaking confidential information to the press be considered a breach of the
University of Toronto’s Ethics code?
h. Would delaying publication of a report to meet the interests of political parties be a
breach of the University of Toronto’s Ethics code?
The report claims that “The Citizen Lab assisted WhatsApp in notifying civil society victims and
helping them take steps to be more secure.” According to the New Yorker article, in February
2021, Citizen Lab identified an active infection on a laptop belonging to Mr. Joan Matamala
(one of the 18 leaders that were monitored by Spanish secret services with judicial
authorisation). The independent investigation of the Spanish ombudsman acknowledges that
these phone hackings with Pegasus were extensively justified in the judicial authorisations.
“Mr. Campo called Matamala and instructed him to wrap the laptop in aluminium foil, a
makeshift way of blocking the malware from communicating with servers”
i. Is assisting in evading and preventing a judicial investigation in a democracy a breach
of ethics protocols at the University of Toronto?
j. Since July 2020, Citizen Lab publicly suggested that spyware attacks in Catalonia were
likely conducted by Spanish security services. Did anyone in Citizen Lab express any
concerns regarding the potential interference of their fieldwork with the course of
Spanish justice?
k. Did the University of Toronto give permission to Citizen Lab to train Spanish citizens
so that they would prevent further government-grade spyware attacks?
Ms Anna Gabriel was one of the first secessionist leaders warned by Citizen Lab, following the
2019 WhatsApp security breach. She was a well-known fugitive from Spanish justice with an
arrest warrant. Many of the participants in the investigation were either fugitives, jailed or
undergoing trial at the time Citizen Lab’s investigation took place. For instance, Ms. Marta
Rovira, Mr. Antoni Comín and Ms. Meritxell Serret were fugitives with arrest warrants. Mr. Jordi
Sànchez was imprisoned. Mr. Artur Mas, Mr. David Madi, Mr. Xavier Vendrell and Mr. Gonzalo
Boye were defendants in court trials during the CatalanGate investigation fieldwork. Some of
the other participants were monitored with judicial authorisation: Ms. Elsa Artadi, Mr. Albert
Batet, Mr. David Bonvehí, Mr. Marc Solsona, Mr. Carles Riera, Mr. Sergi Miquel, Mr. Jordi
Baylina, Mr. Pau Escrich, Mr. Xavier Vives, Mr. Marcel Mauri, Dr. Elisenda Paluzie, Mr. Jordi
Bosch, Mr. Joan Matamala, Mr. Josep Lluis Alay, Mr. Xavier Vendrell and Mr. Pere Aragonès.
l. Was the University of Toronto informed that many of the participants were
undergoing trial or had arrest warrants by the Spanish justice before they were first
contacted?
m. Did the University of Toronto give permission to Citizen Lab to warn the secessionist
leaders about the presumed surveillance by the Spanish security services?
n. Did Citizen Lab ask the participants in the investigation to maintain confidentiality and
only warn people selected by the team, to prevent interference with the course of
justice in Spain?
o. Did any member of Citizen Lab express concerns that their assistance to the
abovementioned network of secessionist leaders could have a negative impact on the
stability of Spain?
22. Prof. Deibert states that Citizen Lab has never received any funding from Spanish
organisations.
a. Has the Citizen Lab received pro-bono technical, engineering, or communication
support from any Catalan individual or organisation for this investigation? If so, should
their names be disclosed in the report?
b. Has Citizen Lab received donations from Spanish individuals since 2019? (We are not
asking from whom specifically).
23. When asked about how fieldwork in Catalonia was funded, Prof. Deibert explains that all
participation in the research program by victims of Pegasus spyware is voluntary and non-
remunerated. He also states that all the Citizen Lab sources are publicly listed. Munk School of
Global Affairs & Public Policy includes the “Citizen Lab Fund”, where donors can make gifts to
Citizen Lab. These can be made anonymously.
a. Why are not all the companies providing in-kind donations mentioned on the website?
b. What part of Citizen Lab funding comes from private donations?
c. Does the University of Toronto audit the private donations/gifts received by research
institutes such as Citizen Lab?
24. Prof. Deibert explains that the visual story that accompanied the CatalanGate report was paid
for by the Citizen Lab.
a. Has the Citizen Lab ever before produced such professional and sophisticated
infographics, in three languages, for any report?
b. How much did they cost?
25. Prof. Deibert explains that no person in the Citizen Lab received payments or other benefits
from external organizations whilst conducting research and technical analysis for the Report.
a. Did anyone in Citizen Lab receive payment or other benefits (e.g., free flights,
accommodation) from any external organisations or individuals during the write up
process or the communication campaign that followed?
b. Did anyone in Citizen Lab receive payments or other benefits from Spanish citizens
during the period of research and technical analysis for the report?
26. Prof. Deibert claims that no Catalan political party or secessionist organization was involved in
writing the Report or in the technical analysis conducted by the Citizen Lab for this Report.
a. Were Catalan individuals involved in writing the report or in the technical analyses
conducted in this investigation (including preliminary technical analysis for shortlisting
cases passed over to Toronto)?
b. Were Catalan individuals, political parties or secessionist organisations involved in
defining the project timeline and the communication strategy?
c. Was the Research Ethics Board informed of the collaboration with secessionist political
parties?
27. Prof. Deibert explains that participants were selected based on snowballing sampling following
specific research criteria.
a. Was being a pro-independence activist one of the specific research criteria followed
by Citizen Lab?
According to Mr. Torrent’s book (pages 31-32) ERC created a team, on 9 July 2020, that worked
on a parallel Pegasus investigation to that of Citizen Lab. It was only after Mr. Torrent’s visit to
Oriol Junqueras (former leader of ERC) in the Lledoners prison on 10 July 2020 that he gave
permission to Citizen Lab to investigate his phone (Torrent 2021, pp. 36-37). Torrent explains
that on 24 July:
Now that we know what all this is all about, we almost don't need computer scientists to
discern suspicious messages from harmless ones. We have become expert trackers [...] We are
counting and gathering all the information to pass it to Elies Campo. In the case of JxCat they
are doing the same. Boye is making an inventory. (Torrent 2021, pp. 36-37)
b. Was Citizen Lab aware that ERC and JxCat had a team conducting a parallel Pegasus
investigation and selecting the cases they passed on to Mr. Campo and Mr. Scott-
Railton?
c. Would this be considered an interference in the snowball sampling methodology
referred to by Prof. Deibert to the Research Ethics Board?
d. Would this be considered a methodological problem for the investigation of spyware
attacks in Catalonia by Citizen Lab?
e. Could this involvement of ERC and JxCat in the sampling process be the reason why all
reported positive cases in Catalonia in the CatalanGate report were associated with the
secessionist movement?
f. Given the cases of espionage revealed to other non-secessionist politicians and
journalists in Spain, would Citizen Lab consider expanding the sample and including in
the snowballing process also non-secessionist leaders and activists?
28. Prof. Deibert claims that Citizen Lab decided the time of publication of the report to coincide
with Mr. Farrow’s piece in the New Yorker.
a. When did Citizen Lab finish writing up the report?
b. Who suggested giving the exclusive to Mr. Farrow? Why?
c. Do you know if Mr. Farrow’s publication date was agreed with any of the secessionist
parties, organisations or activists involved in the CatalanGate communication
campaign (such as Omnium, ANC, JxCat or ERC)?
29. Prof. Deibert claims that the Citizen Lab did not collaborate with an “American communication
agency” in writing the Report. Mr. Sagrera told Mr. Torrent that:
Aside from the autopsy on my cell phone, you should know that Scott-Railton and Campo are
working on the final report of the case in conjunction with an American communications
company (Torrent 2021, pp. 36-37).
a. Did Mr. Scott-Railton or Mr. Campo collaborate with a professional lobby or
communication agency/company in July 2020? If so, why, and who paid for their
services?
b. Did any of the members of Citizen Lab collaborate with a professional lobby or
communication agency/company in 2022 to coordinate the report communication
strategy? If so, who paid for their services?
30. Prof. Deibert claims there was no external direction in naming the Report CatalanGate, and that he
decided to use that name after learning that victims were using the term to refer to the case.
a. Did anyone in Citizen Lab express concerns about using a not very academic term that
was the slogan of a partisan propaganda campaign?
The secessionist civil society group Assemblea Nacional Catalana registered the domain
CatalanGate.cat, on 10 January 2022 and the other large secessionist organisation Omnium is
currently the owner of the domain. This propaganda website directly accuses Spain of political
espionage and requests people to put pressure on the EU Commission to launch an
investigation on Spain. It was published in English and Catalan alongside the report. The Twitter
account named “@catalangate” has 182.6K followers and has been used for years to promote
secessionist smear campaigns against Spain. According to Mr. Torrent’s book (page 80) the
utilisation of the term CatalanGate was proposed by Mr. Ernest Maragall to establish a link
with Watergate, on 15 July 2020. However, this term did not reach the public domain until
the publication of the report on 18 April 2022.
b. How did these secessionist organisations find out about the results of the investigation
before January 2022?
c. How did they know that CatalanGate was going to be the name of the report?
d. Is it common to use such hyperbolic titles in Citizen Lab reports?
e. Is Citizen Lab comfortable with the distortion and overstretch of the findings in its
report in the propaganda campaign launched by secessionist parties and organisations
internationally?
31. Prof. Deibert suggests that there is no planned internal investigation on the report and that
the members of Citizen Lab regularly review their own protocols and practices. Moreover, in
an interview with El País on 15 May 2022, he claims that he can guarantee “100%
reliability of the registered attacks” and, when asked if there could be “false positives”, he
categorically responds: “No, our methods are very accurate, developed during years”.
a. Is the University of Toronto aware of any other scientific investigation with 100%
reliability and where there is zero risk of “false positives”?
b. If Citizen Lab research methods are 100% reliable and there is no possibility of false
positives, why did they submit four cases for external validation?
c. Does someone with a background in Political Science (such as Prof. Deibert and Mr.
Scott-Railton) possess sufficient technical expertise to rule out any margin of error and
false positives in a digital forensic investigation?
d. Is accepting infallibility of research processes in non-peer reviewed work common at
the University of Toronto?
However, the academic peer-reviewed literature in digital forensics and malware detection
deals constantly with the problem of “false positives” (e.g., Abela et al. 2013; Alherbawi et al.
2013; Pandey et al. 2018), which also entails important research ethics considerations. In the
context of increasing pressure to publish, there is little incentive to test for false positives. As
for the specific case of Candiru detection, it seems that false positives are a possibility. When
it comes to Pegasus, there are several sources claiming that false positives can emerge in
forensic analysis. There is even a video tutorial that explains how to purposefully produce
“false positives”. Moreover, the spyware detection tool MVT, released by Citizen Lab and
Amnesty Tech, is claimed to be easily induced into error (false positive).
e. Since the scientific community seems less convinced about the infallibility of Citizen
Lab and Amnesty Tech methods, could they try to get independent experts to validate
the 65 positive cases of the report to rule out, in a scientific manner, false positives?
In the abovementioned El País interview, Prof. Deibert requests an independent investigation
on what is happening in Spain and claims:
This report is not just about espionage on Catalan politicians. It is a story about the extensive
and disproportionate use of surveillance technologies, presumably by one or more agencies of
the Spanish government. It is a crisis of democracy in this country
When Prof. Deibert is told that Spanish secret services had only recognised the espionage of
18 out of the 65 cases mentioned in the report, he responds:
“How can we verify this? What have they shown in the Official Secrets Congressional
committee? Would you believe it?”
This seems a healthy although somewhat inconsistent scepticism.
f. Why does Dr. Deibert expect the scientific community to believe his accusations
towards Spain, based on non-peer reviewed and non-replicated “circumstantial
evidence” (as literally expressed in the report, and when it is in the hands of Citizen Lab
to submit findings to external review), and at the same time doubt the response of
Spain’s government, for revealing only partial information, given that it is bound by
the Official Secrets Law?
g. Does Citizen Lab believe that the onus of proof lies on the defendant, Spain in this
case?
h. Is basing public accusations (and backing groups engaged in a smear campaign) on
circumstantial evidence something endorsed by the University of Toronto’s Research
Ethics Board?
32. Dr. Deibert acknowledges that the Citizen Lab became aware of the allegations concerning the
collaboration of Catalan secessionist leaders with Russian security services in the Fall of 2021.
Suspicions of Russian backing of the Catalan secessionist movement can be traced back at least
to 2017. This relationship was reported often by the international press, for example by Politico
(September 2017), The Washington Post (September 2017), El País (September 2017) and BBC
News (November 2017). In December 2019, Russian hackers hacked the +24 channel of Spanish
public TV to broadcast an interview with Mr. Puigdemont; this was reported by Mr. Sam
Jones at The Guardian, who months later alerted Mr. Torrent that he was being spied on,
presumably on behalf of Citizen Lab. Other media also reported on this link later on, such as
New York Times (September 2021), Centre for European Policy Analysis (September 2021), and
The Times (September 2021).
a. Did Mr. Jones or anyone else remind Citizen Lab that, at the time the investigation
started in 2020, there were allegations of collaboration between Russian secret
services and Catalan secessionist activists and political leaders to destabilise Spain?
b. Were any special precautions taken concerning Mr. Alay, Mr. Boye or any of the other
leaders who were suspected of collaboration with Russia?
c. Did Mr. Campo make any reference to Russian emissaries throughout the
investigation?
At least three of the participants in Citizen Lab’s investigation, Mr. Alay, Mr. Boye and Ms
Artadi, had contacts with Russian emissaries regarding the backing of an independent
Catalonia. According to the Organized Crime and Corruption Reporting Project, a Putin
representative met with the president of the Generalitat Mr. Carles Puigdemont the day
before he unilaterally declared the independence of Catalonia in 2017. He was promised $500
billion (is this accurate? Please check) and 10,000 soldiers if they committed to turning
Catalonia into a haven for cryptocurrencies. Please note that at least six of the participants in
the Citizen Lab report worked promoting Ethereum (cryptocurrency) blockchain technology:
Mr. Campo, Mr. Miquel, Mr. Baylina, Mr. Escrich, Mr. Matamala and Mr. Vives. These
independence activists, experts in blockchain technology, were suspected of collaborating
with Russian secret services in the design of Tsunami Democratic, a platform allegedly led by
Mr. Xavier Vendrell (another participant in the report, currently investigated by justice).
Tsunami Democratic operated via Telegram and had a dedicated Android mobile app that was
launched in October 2019, the same month that Citizen Lab contacted Mr. Miquel several
times to notify him of spyware attacks (Mr. Miquel is currently investigated for his possible
participation in Tsunami Democratic). Tsunami Democratic was inspired by blockchain-style
decentralization and allowed anonymity of its participants. Only months before the launch of
the CatalanGate investigation, acts of sabotage, violent riots and illegal blockades of roads,
airports and train stations were coordinated by Tsunami Democratic apps causing millions of
euros in losses. Repeated meetings with Putin’s emissaries took place in Switzerland and
Moscow in the following years.
d. Did anyone at Citizen Lab suspect that Russian secret services could be collaborating
with any of the abovementioned participants?
e. Would American, British, or other Western secret services be interested in spying on
Catalan activists believed to collaborate with Russian secret services?
f. Would secret services of European Member states be interested in spying on those who
could be helping Russian secret services in operations to politically destabilise the EU?
g. Why were these possibilities not mentioned in the report?
On 28 October 2020, Spanish police forces arrested 21 secessionist activists suspected of the
diversion of public funds to finance Tsunami Democratic. Among those arrested there were at
least three of the participants in Citizen Lab’s investigation: Mr. Josep Maria Alay, Mr. David
Madi and Mr. Xavier Vendrell. On 4 November 2020, Spanish press published excerpts of
conversations intercepted by Spanish police between Mr. Victor Terradellas (a businessman
and personal friend of Mr. Puigdemont), Mr Madi (politician and businessman) and Mr.
Vendrell (politician and businessman, as well as a former member of the terrorist group Terra
Lliure). Mr. Terradellas and Mr. Madi speak about Russia’s interest in cryptocurrencies.
Russia’s sole condition for backing an independent Catalonia was passing legislation to adopt
a cryptocurrency-based decentralised model. Mr. Terradellas claims that he was in touch with
one of the Russian founders of cryptocurrencies and that Mr. Puigdemont (in Waterloo)
explained to him all the things they were doing with cryptocurrencies. Mr. Madi mentions that
three teams were working on it. Meanwhile, in the published audio of the exchange between
Mr. Terradellas and Mr. Vendrell, there are explicit references to the 10,000 Russian soldiers,
to controlling the airport and other infrastructures, and to the need for 100 people dead to
justify Russian involvement. Mr. Terradellas claims that if you gather 1 million people in Sant
Jaume Square (where Catalan Government and City Hall are located), [Spanish security forces]
would have to kill people to enter. Mr. Vendrell expresses that they missed the opportunity,
and that they didn’t have the guts to do it. Mr. Terradellas adds that the world’s situation will
provide a new opportunity and that “Europe will fall”. Mr. Terradellas has confirmed to the
judge the conversations about potential civil casualties and the fact that Puigdemont did not
decline the Kremlin emissaries’ offer, but asked to keep discussing the possibility.
h. When did Citizen Lab select Mr. Vendrell and Mr. Madi as participants?
i. When did Citizen Lab communicate to Mr. Vendrell and Mr. Madi that they had been
“victims” of espionage attempts?
j. Since the information regarding these attempts to get Russia militarily involved in a
Catalan separatist effort was already published in 2020, why did Citizen Lab decide to
invite these individuals (charged for involvement in criminal activities) to be part of
their study?
k. Since vital information concerning Russia’s efforts to destabilise Spain was being
legally obtained by Spanish security services (some of which was even disclosed to the
press), why did Citizen Lab continue alerting secessionist activists about Spain’s
potential attempts to monitor them?
l. Was the Ethics Research board informed that Citizen Lab’s fieldwork in Catalonia could
interfere with the legitimate work of Spanish security services to defend the country
against Russian interference?
Citizen Lab was aware that some victims were indeed being prosecuted, and some for
serious crimes. The section of the report “Unrestrained, Unnecessary, and Disproportionate”
acknowledges indirectly:
Many of the victims were not charged with serious crimes, and most were neither criminals
and certainly not terrorists, the typical justifications mercenary surveillance companies
employ for sales of their spyware to government clients.
m. Why did Citizen Lab omit that several of the participants were spied on with publicly
known judicial authorisation (such as Mr. Madi and Mr. Vendrell)? Why was this
hypothesis ruled out in the Conclusion or Key Findings sections?
n. Has Citizen Lab any evidence proving that Spain’s presumed espionage on secessionist
leaders was “unrestrained”?
o. Has Citizen Lab any evidence proving that Spain’s presumed espionage on secessionist
leaders was “unnecessary”?
p. Has Citizen Lab any evidence proving that Spain’s presumed espionage on secessionist
leaders was “disproportionate”?
q. Was Citizen Lab aware that at least two of the participants had been convicted of
terrorism in their youth?
r. Is there any specific ethical or security protocol in place at the University of Toronto
concerning the involvement in research of subjects who are suspected and/or formally
investigated for involvement in criminal activities?
s. Were participants’ known criminal charges disclosed to the Ethics board?
Mr. Boye, another participant in the study who was convicted in 1996 to 14 years of prison on
terrorist charges (helping ETA kidnap a businessman), has been recently appointed lawyer of
two suspected Russian spies. First, he represents Mr. Pablo Gonzalez, a Spanish journalist who
was arrested on 4 March 2022 at the Polish-Ukrainian border, suspected of being a GRU agent,
and who is currently in prison awaiting trial. Secondly, he represents Mr. Anatoliy Shariy, a
pro-Russian blogger detained in Spain, on charges of high treason, on an international arrest
warrant issued by Ukraine’s SBU security services on 5 May 2020. Mr. Boye was a central figure
in selecting suspicious cases within JxCat (Torrent 2021, p. 142). Mr. Boye was also connected
to Alexander Dmitrenko, an entrepreneur and presumed Russian spy, who lives in Catalonia
and is also a pro-independence activist. Mr. Dmitrenko is being investigated for organising some of
the meetings between Russian emissaries and secessionist leaders. Mr. Dmitrenko recently
claimed on Twitter that he suffered 9 Pegasus infection attempts that were confirmed by
Amnesty International’s software.
t. When did Citizen Lab know about the presumed collaboration between Mr. Boye, Mr.
Alay, and Russian secret services?
u. Was Citizen Lab aware of their ties with Russian secret services when accepting them
as participants in the investigation?
v. Would Citizen Lab consider submitting the Pegasus and Candiru infections that were
not reported by Spanish secret services to independent validation, now that the
relationship between Russian secret services and some of the participants involved in
the snowball sampling has been discovered?
w. Was Mr. Dmitrenko a participant in the Citizen Lab investigation?
x. If not, given his activist profile and close ties with Mr. Alay, Mr. Boye and other
secessionist leaders, why was he not selected via the snowball sampling technique?
Additionally, a recent data leak suggests that more than 200 Spanish mobiles were selected as
possible targets for surveillance by an NSO Group client, believed to be Morocco.
y. When did Citizen Lab find out about the utilisation of Pegasus by Moroccan secret
services?
When asked in the abovementioned interview if the Catalan government could have spied on
itself through Pegasus, Prof. Deibert claims that he does not have evidence of it. The Citizen
Lab report section “Attribution to a Government” states:
At this time the Citizen Lab is not conclusively attributing these hacking operations to a
particular government, however a range of circumstantial evidence points to a strong nexus
with one or more entities within Spanish government, including:
The targets were of obvious interest to the Spanish government;
The specific timing of the targeting matches events of specific interest to the Spanish
government;
The use of bait content in SMSes suggests access to targets’ personal information,
such as Spanish governmental ID numbers; and,
Spain’s CNI has reportedly been an NSO Group Customer, and Spain’s Ministry of
Interior reportedly possesses an unnamed but similar capability.
z. Did anyone at Citizen Lab consider that Russian secret services could be interested in
spying on the pro-independence activists who presumably were collaborating with
them?
aa. Does Citizen Lab think that the espionage political crisis in Spain, triggered by the
report, benefits Russian interests?
bb. Does Citizen Lab think that the espionage political crisis in Spain, triggered by the
report, benefits Catalan secessionists and helps divert the attention away from their
highly unpopular connection with Russia, particularly after the Ukrainian invasion?
cc. Did anyone at Citizen Lab suspect that Russian secret services could be interested in
helping Catalan secessionist activists to infect devices with Pegasus or Candiru spyware
so that the report would be more impactful and destabilising for Spain?
dd. Could Russian secret services disguise spyware infections in fake official notifications,
such as those mentioned in the report?
ee. Could Catalan activists with sufficient technical skill, assisted by Russian experts,
simulate a Pegasus or Candiru infection?
ff. Could Morocco’s secret services be interested in spying on Catalan politicians, given their
great political influence in Spain?
gg. Could Morocco benefit from a crisis in the Spanish intelligence services such as that
triggered by the report (for instance, to gain leverage in the conflict around Western
Sahara, or regarding the border issues at Ceuta and Melilla)?
hh. Could Moroccan secret services disguise spyware infections in fake official
notifications, such as those mentioned in the report?
Finally, long before publication of the report, Citizen Lab knew about Russian involvement
in the Catalan secessionist movement, and about the ties with several of the participants.
ii. Why wasn’t the potential involvement of Russia or other countries considered as a
potential alternative hypothesis for authorship?
20 May 2022, (v.2 updated 23 May 2022)
Corresponding author:
Dr. José Javier Olivas Osuna
Principal Investigator Populism and Borders: a Supply- and Demand-Side Comparative Analysis of Discourses and Attitudes
(PBSDCA). Principal Investigator Interdisciplinary Comparative Project on Populism and Secessionism (ICPPS)
Department of Political Science and Administration, Universidad Nacional de Educación a Distancia (UNED)
Research Associate, LSE IDEAS, The London School of Economics and Political Science
Emails:
jjolivas@poli.uned.es
j.j.olivas-osuna@lse.ac.uk
Appendix: Additional evidence since 20 May 2020 concerning
malpractice in Citizen Lab’s CatalanGate investigation and report.
In addition to the 22-page document sent on 20 May, new evidence concerning malpractice
has surfaced in the last few weeks. The following are just some new examples (to add to
those in the attached document):
1. In an interview with a major newspaper in Barcelona, the Director of the Catalan
Cybersecurity Agency office, Mr. Oriol Tortuella, contradicted Prof. Deibert's declaration in
the response made to the European Parliament letter. Prof. Deibert claimed: "No other
institutions or groups were involved in forensic analysis". However, Mr. Tortuella
explained that this agency worked closely with Citizen Lab in the initial forensic
examinations. More importantly, he also confirms what Roger Torrent had revealed in his
book, that is, that the secessionist parties ERC, Junts and CUP, and the political organisations
Omnium and ANC were institutionally collaborating in the selection of the devices that
needed to be tested by Citizen Lab. Torrent wrote that they wouldn't even need
computer scientists to filter the suspicious messages and that they "had become expert
trackers." Hiding this key information from those reading the report (and lying in the
response sent to the European Parliament MPs) can be considered as
2. More than 10 of the participants were being investigated by Spanish security forces, due
to participation in the illegal actions associated with Tsunami Democratic (in late 2019, which
cost millions of euros to Spain), at the time Citizen Lab contacted them and warned them
about possible government monitoring. This could be potentially raised in court as a case
of obstruction of justice (and therefore something the Ethics Committee should have
been warned about).
3. Those in Amnesty involved in "external validation" (or what in his letter Prof. Deibert
called "peer review of the report") are two former Citizen Lab Fellows: Etienne Maynier
and Claudio Guarnieri, who are also the creators of the MVT toolkit that Citizen Lab
externally peer-reviewed.
5. We found out Prof. Deibert himself published in 2017 a piece questioning a DHS/FBI
report on Russian Hacking for a series of severe methodological misdeeds that are
equally applicable to the CatalanGate study. This also indicates that he was aware of, and
did not acknowledge, the serious methodological limitations of the CatalanGate report,
and that they completely omitted from the report a potential involvement of Russia
(whose foreign hacking operation he and Citizen Lab had previously shown themselves to be aware
of in this article and in a different report) as a means to single out Spain as the only potential
culprit of "illegal" espionage.
6. Citizen Lab has modified the report online without declaring these modifications. As a
precaution we had downloaded the version amended on 20 April but on 25 May we
realised that Citizen Lab had removed a footnote that said "Elies Campo would go on to
help organize the outreach process for this investigation and is currently a fellow at the
Citizen Lab. He is also listed as author on this report". They also added a paragraph adding
nuance to a clearly misleading statement from the previous version that claimed that
"The 2013 Snowden disclosures revealed that the NSA had intercepted 60 million calls in
Spain between December 2012 and January 2013".
7. The Organized Crime and Corruption Reporting project has made public leaked
documents that confirm and expand further the connections between several of those
involved in data collection and preliminary forensic analysis for the project (and not
acknowledged as such), with Russian secret services and attempts to destabilise Spain
and the EU. Court hearings in Spain further confirm these connexions. These connexions
were public and published in mainstream press during the research period. As explained
above, these collaborators were not mentioned as such, and no potential impact
on the data quality or potential for fabrication of evidence or conflict of interest is
acknowledged.
8. One of the participants, Sonia Urpi, provided a testimony in a video concerning her case
that also contradicts some of the explanations given by Citizen Lab on how and when the
investigation started, and why, if according to Mr Torrent Citizen Lab was working on the
final report by July 2020, they decided to withhold its publication until April 2022. In the
video she claims that she found out she had been spied on in July when her partner, Jordi
Baylina (one of the IT participants investigated by security forces for Tsunami Democratic),
found out about his phone being hacked in a routine security check and asked her to
get her own phone checked. It is very unclear how this resonates with the version of how
the investigation was by the journalists in El País and The Guardian (that claimed that
Citizen Lab had been commissioned by WhatsApp to investigate those cases of politicians
and civil society experts in the 2019 security breach).
9. An IT PhD student published an extensive White Paper
https://www.researchgate.net/publication/361738419_UNCOVERING_THE_CITIZEN_LAB_-AN_ANALYTICAL_AND_TECHNICAL_REVIEW_DISPROVING_CATALANGATE
documenting several serious technical flaws in the forensic approach reported by Citizen
Lab in the “CatalanGate” report. Among the many issues unveiled, he found that 86% of
domains reported by Citizen Lab as indicators of security compromise (hence of attempts
of infection) did not exist, were expired or were mistakenly attributed.
10. Apple revealed in a press release on 6 July 2022
https://www.apple.com/uk/newsroom/2022/07/apple-expands-commitment-to-protect-users-from-mercenary-spyware/
that the $10 million they pledged in November 2021 to Citizen Lab, Amnesty Tech and
similar organisations
https://www.apple.com/uk/newsroom/2021/11/apple-sues-nso-group-to-curb-the-abuse-of-state-sponsored-spyware/
will be allocated by the Dignity and Justice Fund at
the Ford Foundation. Coincidentally Prof. Ron Deibert is one of the 5 people who will
decide on how these funds will be spent (alongside representatives of Amnesty Tech,
Access Now, The Engine Room and Apple). This seems at odds with the formal statement that
Prof. Deibert made recently to the European Parliament, where he claimed Citizen Lab
never to have received payments or donations from Apple, WhatsApp or Facebook.
11. The fact that Citizen Lab is funded by many different companies and foundations (one of
them, Psiphon, was even created by Prof. Deibert; others are competitors of NSO Group), as well
as by private and anonymous donations, seems to indicate that Citizen Lab may have
indirectly received payment from big corporations and other actors via intermediary
organisations (which resonates with Roger Torrent’s book, published in 2021, page 135,
which stated that Citizen Lab was already working in July 2020 on behalf of Apple and trying
to get “ammunition” for WhatsApp, Apple and Catalan secessionist court cases).
José Javier Olivas Osuna, 7 July 2022
20 May 2022
Professor Lorraine E. Ferris
Associate Vice President, Research Oversight and Compliance,
University of Toronto
Dear Prof. Ferris,
Re: Observations on the CatalanGate exchange and petition for an independent investigation
We are a group of academic researchers that have been following the Pegasus espionage scandal since
the publication of the Citizen Lab report CatalanGate; Extensive Mercenary Spyware Operation
against Catalans Using Pegasus and Candiru on 18 April 2022. The topic of cyber-surveillance and civil
rights is of the utmost importance. Social scientists and policymakers should take very seriously the
risks of illegal surveillance by states and non-governmental organisations. We greatly appreciate the
role that activist organisations are playing in revealing abuses and requesting accountability from
different states and private organisations involved in non-regulated espionage of citizens and civil
society organisations.
The Pegasus spyware investigation has made many people aware of the potential threats to their
privacy and caveats in governments’ transparency. It has had an impact on political dynamics in Spain
and its security policies. The Spanish and European Parliaments have initiated investigations to
understand the magnitude of the problem. Therefore, it is very important to guarantee that the
sources of information feeding into this public assessment of the Pegasus espionage are as rigorous
and reliable as possible.
We appreciate the questions posed by Renew Europe MEPs to the University of Toronto on 11 May
2022, and the responses swiftly provided by Prof. Deibert on 13 May 2023 (that he shared publicly on
Twitter and uploaded to the internet). We want to thank him for his disposition to assist with shedding
light on this complex issue. However, after a close examination of this exchange, of the report, and
of other publicly available relevant resources, we would like to pose further questions and
observations and share them with the key stakeholders involved at the University of Toronto, the
European Parliament, and beyond.
We firmly believe that Prof. Deibert’s responses do not properly address many of the issues raised over
the last few weeks, in the press and in social media, concerning the rigour of the Citizen Lab
investigation on Catalonia. On the contrary, they raise additional research ethics issues that may affect
the validity and reliability of the report and its findings.
Based on the observations and unresolved questions compiled in the document Methodological and
ethical issues in Citizen Lab’s spyware investigation in Catalonia (attached to this letter), we would
like to formally request from the University of Toronto an independent investigation, as soon as possible.
Such an assessment would help increase the confidence in certain findings and/or rule out some
conclusions that may result from potential research design flaws and fieldwork problems. This is
particularly relevant given the authors of this report have been recommended as experts to provide
testimony in different commissions and trials.
We assume that Citizen Lab, an institution notoriously committed to defending transparency and
public accountability, frequently demanding that governments and other organisations be
independently investigated, would not oppose our equivalent request.
Our observations are organised following the same order as the original questions and responses (we
attach the PDF with Prof. Deibert’s responses and the letter of the Renew MEPs as reference). Most of
the questions expressed are similar to those that Citizen Lab would have faced had they submitted the
report to a normal peer-review process.
Please do not hesitate to contact us if you require additional clarification on the observations and
questions expressed in the attached document.
We hope that the University of Toronto and the other stakeholders affected find our observations and
questions useful.
We look forward to hearing from you,
Sincerely,
Dr José Javier Olivas Osuna, Department of Political Science and Administration, National Distance
Education University & LSE IDEAS, The London School of Economics and Political Science.
Prof. Natividad Fernández Sola, Department of Public Law, University of Zaragoza.
Prof. Charles Powell, Director of Elcano Royal Institute.
Prof. David Ruiz Aguilar, Department of Mathematical Analysis, University of Granada.
Dr. Mira Milosevic, Senior Analyst for Russia and Eurasia, Elcano Royal Institute.
Dr. Anar Ahmadov, Governance and Global Affairs, Leiden University.
Dr. Kenneth Dubin, IE Business School, Madrid.
Prof. Encarnación Hidalgo Tenorio, Department of English and German Philology, University of
Granada.
Prof. Manuel Arias Maldonado, Department of Political Science, University of Málaga.
Dr. Ashikur Rahman, Senior Economist, Policy Research Institute of Bangladesh.
Prof. Rafael Martínez, Department of Political Science and Constitutional Law, University of Barcelona.
Dr. Clara-Alexandra Volintiru, Department of International Business and Economics, The Bucharest
University of Economic Studies.
Prof. Ricardo García Manrique, Department of Political Science and Constitutional Law, University of
Barcelona.
Dr. Corina Lacatus, School of Politics and International Relations, Queen Mary University of London.
Dr. Ninfa M. Fuentes Sosa, Division of International Studies, Center for Research and Teaching in
Economics (CIDE).
Prof. César Nombela, Former President of the Spanish Council for Scientific Research, CSIC.
CC:
Dr. Rachel Zand, Director of Human Research Ethics Research Oversight & Compliance Office
Mr. Moritz Körner, Third Vice-Chair of the EP inquiry committee for Pegasus
Mr. Adrián Vázquez Lázara, MEP
Mr. Alex Matos, Director of Internal Audit
Mr. Jeroen Lenaers, MEP, Chair of the EP inquiry committee for Pegasus
Mr. Sándor Rónai, MEP, First Vice-Chair of the EP inquiry committee for Pegasus
Ms. Diana Riba i Giner, MEP, Second Vice-Chair of the EP inquiry committee for Pegasus
Ms. Maite Pagazaurtundúa, MEP
Ms. María Soraya Rodríguez Ramos, MEP
Ms. Susana Solís Pérez, MEP
Prof. Luis Garicano, MEP
Prof. Meric Gertler, President of the University of Toronto
Prof. Peter Loewen, Director of the Munk School of Global Affairs & Public Policy
Prof. Ronald Deibert, Director of Citizen Lab
Prof. Ted Hewitt, President of the Social Sciences and Humanities Research Council
(This version has been amended on 23 May 2022 as one of the authors of the letter was left out in the
previous version)