On December 15, 2022, as part of our regular re-analysis of past cases to find additional spyware infection indicators and details, we discovered that a researcher had misread the labels assigned to two individuals’ results, leading to a confusion between phones owned by two people with the same initials who were part of the same group of potential targets in the CatalanGate investigation.
The error originates solely from a single mistake in interpreting a system of working labels, which we used to protect the privacy of research participants during the research process, and to reduce potential researcher bias.
We have exhaustively reviewed other cases analyzed and published by the Citizen Lab where any similar research participant labeling system was used. We found no similar errors either in the other 64 cases in the CatalanGate report, or in other Citizen Lab publications.
The number of infected individuals does not change.
We have corrected the CatalanGate report text and accompanying materials, and informed the individuals referenced below, as well as other stakeholders.
For the sake of transparency, we are providing a detailed explanation of how the error occurred, how it was discovered, and how any similar mistake will be prevented in the future.
This misidentification is not an issue with the Citizen Lab’s technical methodology for determining whether a device is infected with Pegasus. It does not affect any other cases.
What Happened
During investigation and report writing, we use various labeling systems to minimize the handling of personally identifiable information, and to help mitigate potential analytical biases that may arise when researchers are conscious of the name of the target while performing analyses.
We made use of a working labeling system to discuss cases during the CatalanGate report write-up (we have since moved to a different schema). Those working labels used a combination of the subject’s initials and a group designation (referring to an organization, political group, sub-grouping, etc.) which was combined into the following prefix:
In a single case, a researcher misread a label on a device’s results when re-joining the results to a real name, leading to a confusion between phones owned by two individuals with the same initials that were part of the same group of potential targets:
Antoni Comín
and
“A…. C….”
The researcher misinterpreted the working label “AC-YYYY” to refer to device results for Antoni Comín. In fact, the results belonged to a member of the same group as Comín, with the same initials: A…. C…. To avoid confusion, Comín’s results had been labeled with “TC-YYYY” in order to create a unique designation, but this was not observed by the researcher at the time.
In summary, Antoni Comín was incorrectly identified as the owner of a Pegasus-infected iPhone when in fact it belonged to A…. C…, whom we are not naming at this time. Our technical analysis had found that A…. C….’s phone was infected with Pegasus sometime between 2019-08-16 and 2020-01-18.
While we have no forensic indication of infection in Comín’s devices that we have checked, the primary device used during a period when others were targeted has never been available for analysis due to the owner not recalling the password.
We also note that Comín’s lawyer, Gonzalo Boye, was determined to be hacked, which could have resulted in surreptitious access to Comín’s communications.
Actions Taken
We first identified and confirmed the error on December 15th, 2022. We then began an exhaustive search for any additional errors related to labeling schemes and found none in this or any other Citizen Lab investigation into Pegasus.
- We manually reviewed all of the 65 cases documented in the CatalanGate report featuring a forensic confirmation and found no other errors of this type. Our review also discovered a single typo due to an error of European versus U.S. date formatting resulting in a month-day reversal, which we have now also corrected.
- We manually re-analyzed all forensic indicators in other recent Citizen Lab investigations where a similar labeling scheme was used and found no similar errors.
Technical Methods For Finding Pegasus Unaffected
There is no change in the number of cases in the CatalanGate report.
There is no issue with the technical methods or indicators used to determine Pegasus infections. In this case, we had correctly determined, based on analysis of forensic indicators, that a device was targeted and infected with Pegasus. Our test did not produce a “false positive” result. When a test produces a “false positive” result, it incorrectly indicates that a sample is positive for a condition being tested for.
In this case, the technical testing and manual analysis correctly indicated that the device was positive. However, because the working label was misinterpreted, we associated correct positive results with the wrong individual.
Going Forward
We re-analyzed all data from all reports in which similar working labels were used during drafting and have determined that this was a one-off error that does not affect any other Citizen Lab reports, or infection confirmations within this report.
However, we have taken steps to ensure that such an error does not occur in the future. First, we have moved to a unique working labeling scheme that does not make use of participant initials.
Second, in the period after the CatalanGate report, we implemented an additional step in which a second researcher reviews and confirms the re-joined device owner’s name against uniquely identifying information within the forensic artifacts prior to publication.
Taken together, we believe that these measures will prevent any such error from occurring in the future.
We apologize for this error and commit to continuing to be transparent about any issues we find in the future.
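The two safeguards described under "Going Forward" can be sketched in code. The following is an added illustration, not the Citizen Lab's tooling: it shows how initials-plus-group labels collide, how opaque random labels avoid that, and a re-join that refuses to resolve a label unless two distinct reviewers sign off and an identifier from the forensic artifact matches. The participant names, the group name `G1`, the device serials and all function names are invented for this sketch, and the use of a device serial as the uniquely identifying information is an assumption.

```python
import secrets
from collections import defaultdict

# Constructed sample participants; names, group and device serials are invented.
PARTICIPANTS = [
    {"name": "Jordan Reyes", "group": "G1", "serial": "SERIAL-0001"},
    {"name": "Julia Roth", "group": "G1", "serial": "SERIAL-0002"},
    {"name": "Marta Vidal", "group": "G1", "serial": "SERIAL-0003"},
]

def initials_label(p):
    """Initials-plus-group working label, the style of scheme the notice describes."""
    return "".join(w[0] for w in p["name"].split()).upper() + "-" + p["group"]

def colliding_labels(participants):
    """Return {label: [names]} for every label shared by more than one person."""
    seen = defaultdict(list)
    for p in participants:
        seen[initials_label(p)].append(p["name"])
    return {label: names for label, names in seen.items() if len(names) > 1}

def assign_opaque_labels(participants):
    """Give each participant a random label carrying no initials; retry on a clash."""
    key = {}
    for p in participants:
        label = "P-" + secrets.token_hex(4)
        while label in key:
            label = "P-" + secrets.token_hex(4)
        key[label] = p
    return key

def rejoin(key, label, artifact_serial, reviewers):
    """Resolve a label to a name only if the label exists, two distinct
    reviewers have signed off, and the identifier found in the forensic
    artifact (assumed here to be a device serial) matches the keyed device."""
    if label not in key:
        raise KeyError(f"unknown label {label!r}")
    if len(set(reviewers)) < 2:
        raise PermissionError("re-join needs two distinct reviewers")
    if key[label]["serial"] != artifact_serial:
        raise ValueError(f"artifact identifier does not match {label!r}")
    return key[label]["name"]
```
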