Over the last month, two Citizen Lab staff members were contacted by two separate individuals in what appears to be an attempt to compromise our work. Each of the contacts purported to show an interest in the staff members’ personal, non-Citizen Lab related interests, and presented themselves as serious and professional. In each case, the interactions turned to Citizen Lab’s research on commercial spyware, and specifically our research on NSO Group. We have no evidence NSO Group itself is responsible for the outreach.

The first contact occurred as a series of approaches to Citizen Lab staff member Bahr Abdul Razzak, both electronically and in person. Fortunately, Mr. Abdul Razzak, sensed something was awry and notified his colleagues at Citizen Lab. After a preliminary investigation, it became clear to us that the representations being made to Mr. Abdul Razzak were false, and manufactured for the specific purpose of targeting him directly and deceiving him. We concluded that this was part of a malicious effort intended to gather information about the Citizen Lab and our staff.

During our ensuing investigation, a second, separate outreach using different cover identities targeted Citizen Lab senior researcher John Scott-Railton. We allowed the deceptive approach to play out, and the operatives to propose an in-person meeting. This meeting took place in New York on January 24, 2019 — and was recorded.

During our investigation, we worked closely with the Associated Press. Associated Press journalists observed the meeting from afar, and then intervened at the signal of Mr. Scott-Railton and questioned the person about his true employer and fictitious company. The full details are available in Associated Press’ report, here.

This failed operation against two Citizen Lab researchers is a new low. Citizen Lab research is public, and the evidence that we use to draw our conclusions is public as well. We have always welcomed debate and dialogue about our work, but we condemn these sinister, underhanded activities in the strongest possible terms. Such a deceitful attack on an academic group like the Citizen Lab is an attack on academic freedom everywhere.

This episode should serve as an important lesson for all groups who, like Citizen Lab, work in areas that expose wrongdoing through evidence-based research. Risks are not always easy to calculate and can come in many unpredictable forms. This attempt — by whatever organization was responsible for this operation — used an indirect approach involving human intelligence gathering and nefarious means. The tactics bear a striking resemblance to the type of intelligence gathering undertaken by private security firms, such as those reported on here and here.

At Citizen Lab, we take all security risks seriously. I want to congratulate the two researchers for being alert and taking immediate appropriate action in response. Citizen Lab is fully cooperating with authorities in the relevant jurisdictions. Read the Associated Press article here.