Report
Mexican digital rights organization R3D, with technical support from the Citizen Lab, has determined that Mexican journalists and a human rights defender were infected with Pegasus between 2019 and 2021. The infections occurred years after the first revelations of Pegasus abuses in Mexico, and after Mexico’s current President assured the public that the government no longer used the spyware, and that there would be no further abuses.
We find that mass DNA collection in Tibet is another mass DNA collection campaign conducted under the Xi Jinping administration (2012–present), along with the mass DNA collection campaign in the Xinjiang Uyghur Autonomous Region and the police-led national program of male DNA collection.
Our investigation uncovered an extensive Pegasus hacking operation against pro-democracy campaigners in Thailand. At least 30 forensically-confirmed victims of NSO Group’s Pegasus spyware between October 2020 and November 2021.
We consistently found that Bing censors politically sensitive Chinese names over time, that their censorship spans multiple Chinese political topics, consists of at least two languages—English and Chinese—and applies to different world regions, including China, the United States, and Canada.
The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware, including members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations.
The IATA Travel Pass (ITP), a global, opt-in app to receive, store, and share digital COVID-19 test certificates for flights, has a critical flaw in its registration process which allows an attacker to impersonate another user, needing only to know the user’s passport details but not possess the passport itself.
Phones belonging to four Jordanian human rights defenders, lawyers, and journalists were hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021. We assess that at least two of the four targets were hacked by Pegasus operators primarily focused on Jordan, based on SMS messages containing Pegasus links that map to a cluster of domain names focusing on Jordanian themes.
Since our report in August 2021, we find that Apple has eliminated their Chinese political censorship in Taiwan. However, Apple continues to perform broad, keyword-based political censorship outside of mainland China in Hong Kong, despite human rights groups’ recommendations for American companies to resist blocking content.
In this report, we describe how activists and dissidents living in Canada are impacted by digital transnational repression. We conclude that digital transnational repression has a serious impact on these communities, including their ability to undertake transnational advocacy work related to human rights. Yet, there is little support for victims who experience such targeting and policy efforts by the Canadian government to date have been insufficient.
MY2022, an app mandated for use by all attendees of the 2022 Olympic Games in Beijing, has a simple but devastating flaw where encryption protecting users’ voice audio and file transfers can be trivially sidestepped. Health customs forms which transmit passport details, demographic information, and medical and travel history are also vulnerable. Server responses can also be spoofed, allowing an attacker to display fake instructions to users.
