A member of the House of Lords is among more than 400 people whose UK mobile phone numbers appear in a leaked list of numbers identified by NSO Groupâs client governments between 2017 and 2019, the Guardian can reveal.
The principal government responsible for selecting the UK numbers appears to be the United Arab Emirates, according to analysis of the data. The UAE is one of 40 countries that had access to the NSO spyware that is able to hack into and secretly take control of a mobile phone.
Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client.
The phones of Sheikh Mohammedâs daughter Princess Latifa, who launched a failed bid to escape Dubai in 2018, and his ex-wife Princess Haya, who fled the country and came to the UK in 2019, both appear in the data.
So too do the phones of several associates of both women â including, in the case of Haya, mostly UK-based numbers.
In multiple statements, NSO said that the fact that a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. âThe list is not a list of Pegasus targets or potential targets,â the company said. âThe numbers in the list are not related to NSO group in any way.â
But the Guardian and other media partners that had access to the data as part of the Pegasus project, a media consortium, believe the list indicates persons of interest selected by government clients of NSO. It includes people across the world whose phones showed traces of NSOâs spyware, Pegasus, according to forensic analysis of their devices.
Those with UK numbers appearing on the list include:
Lady Uddin, an independent member of the House of Lords, whose number appeared on the data in both 2017 and 2018. She said if there was spying on members of parliament it would amount to âa great breach of trustâ which âcontravenes our sovereigntyâ.
A lawyer working for a London law firm advising Princess Haya. Haya is embroiled in a bitter custody battle with Sheikh Mohammed in the family division of the high court of justice.
John Gosden, a leading horse trainer based in Newmarket, who is also friend of Princess Haya, herself an international equestrian rider. Numbers for other people working for Hayaâs security and PR team also appear in the data.
John Chipman, the chief executive of the defence thinktank the International Institute for Strategic Studies, which runs an annual conference in Bahrain, one of the UAEâs allies.
Matthew Hedges, a Briton detained without trial in the UAE for five months in 2018, whose number first appears in the data while he was in the UK, before embarking on his trip. âI want to know what the British government is doing about it,â he said.
Other high-profile UK names who appear on the list have already been named, such as Roula Khalaf, the editor of the Financial Times, who was deputy editor when her number appeared in the data in 2018. NSO later said there were no attempted or successful Pegasus infections of Khalafâs phone.
Earlier this week, the Guardian also revealed the listing of the number of the human rights lawyer Rodney Dixon QC, who has acted for both Hedges and the fiancee of the murdered Saudi journalist Jamal Khashoggi, Hatice Cengiz. Analysis of the data suggests his number was among a small group of UK numbers that appear to have been selected by Saudi Arabia.
Lawyers for NSO suggested it was âtechnically impossibleâ for Dixonâs phone to be targeted by Saudi Arabia. Forensic analysis of Dixonâs device conducted by Amnesty Internationalâs Security Lab showed Pegasus-related activity but no successful infection.
Amnesty examined two other UK phones in the data. One showed the same kind of Pegasus activity discovered on Dixonâs iPhone. The second, an Android phone, showed no evidence of an attempted or successful infection.
Neither the United Arab Emirates, Dubai nor Saudi Arabia responded to requests for comment. Till Dunckel, a German lawyer representing Sheikh Mohammed, told the newspaper Süddeutsche Zeitung: âOur client emphatically denies having attempted to âhackâ the phones of the persons named in your request, or having instructed others to do so.â Representatives of the sheikh have also previously said he feared Latifa was a victim of a kidnapping and that he had conducted âa rescue missionâ.
NSO Group has always said it does not have access to the data of its customers. In statements issued through its lawyers, NSO said the Pegasus project reporting consortium had made âincorrect assumptionsâ about which clients used the companyâs technology.
Exiled dissidents and supportive activists in the UK also appeared on the leaked list, which is bound to raise questions about the UAE, which is traditionally considered a British ally, and whose leading family, the rulers of Abu Dhabi, own the Premier League champions, Manchester City.
The UAE has become a fast-emerging cyber power, whose powerful surveillance capability is controlled by the family of its ruler, Sheikh Mohamed bin Zayed, and in particular his brother, the national security adviser, Sheikh Tahnoon bin Zayed.
Three sources familiar with NSOâs operations confirmed that within the past year the company had stripped Dubai of its Pegasus licence. They said the decision had been informed primarily by human rights concerns, but did not dispute that the possibility Sheikh Mohammed was wielding the software against his own family members had also been a factor.
It is unclear whether MI5 was aware of any UAE spying activity. Generally if the spy agency becomes aware a Briton is subject to foreign surveillance, it only takes action to alert the victim if it believes there is a threat to life or other serious danger in the UK.
But the British government issued a coded rebuke to the country this week following the revelations of the Pegasus project.
A government spokesperson said: âIt is vital all cyber actors use capabilities in a way that is legal, responsible and proportionate to ensure cyberspace remains a safe and prosperous place for all.â
Why certain people may have been listed is hard to determine. Uddin was the first Muslim woman to serve in the upper house, but is not considered a foreign policy specialist. âIf espionage is taking place against the highest of sovereign British institutions, questions arise regarding whether our government was aware,â she said.