Earlier this year, Reuters broke a stunning story. It disclosed that intelligence services from the United Arab Emirates had hired ex-U.S. operatives from the National Security Agency to hack into the iPhones of Emirati citizens in order to access their personal phone numbers, emails, passwords and even follow their location. The operation, code-named “Project Raven,” was supposed to track Islamic State cells. But Reuters uncovered a much more sinister pattern of surveillance. Under the guise of national security, Raven contractors broke into the personal communications of scores of human rights activists, civil society leaders and investigative journalists, both in the United Arab Emirates and in the United States, including American citizens.
One of the targets was Emirati activist Ahmed Mansoor, a public critic of the UAE’s human rights record; in 2015, he won the Martin Ennals Award for Human Rights Defenders, considered by some the Nobel Prize for human rights. Using an advanced surveillance tool named “Karma,” Raven operatives downloaded troves of material from Mansoor’s personal computer—email screenshots, private phone numbers, personal photos. The Emirati government then used this material to convict Mansoor in a secret 2017 trial, nominally for “damaging the country’s unity” after taking photos of a prisoner he visited in an Emirati jail, and sentenced him to 10 years in solitary confinement.
What makes Karma so insidious is that it does not require users to click on a link in order to activate malware that will compromise an individual’s computer or phone. Instead, Karma remotely provides access to iPhones “simply by uploading phone numbers or email accounts into an automated targeting system,” as Reuters reported. Where did Karma originate from? And how did former NSA operatives become involved in assisting Emirati subterfuge against legitimate government critics?