Digital Front Lines

Behind the growing research about cyber mercenaries—behind the statistics, the politics, and the debates about accountability—are the people around the globe who have been directly targeted by malicious spyware. Activists, journalists, political dissidents, and others have unwittingly had their phones infiltrated with spyware by governments who take control of cameras and microphones, listen to conversations, stalk maps and calendars, and steal private information.

And over the past decade, civil society organizations have become key to exposing these breaches, supporting victims, and ensuring that the human toll is part of the global conversation.

“I think the peace of mind, the psychological impact, and the mental health aspect are oftentimes left behind because there’s so much focus on technicalities; for example, forensic analysis of the device, in all of this,” said Carine Kanimba. Her phone was infected with Pegasus spyware by the Rwandan government in 2020 and 2021 while she advocated for her father, Paul Rusesabagina, during his imprisonment. Rusesabagina—who inspired the movie Hotel Rwanda—had been speaking out against longtime Rwandan leader Paul Kagame when he was kidnapped and imprisoned by the country’s government.

Several civil society groups helped Kanimba confirm the breach and guided her through the aftermath, including the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto, which studies the effects of technology on human rights and whose work exposed the Israeli-based NSO Group and its Pegasus spyware. “Citizen Lab walked me through all the things I needed to know about my phone, about security, about safety, about mental health, about taking time out,” Kanimba said. “They were very present.”

FP Analytics interviewed Professor Ron Deibert, founder and director of the Citizen Lab, and Kanimba, a human rights activist based in the United States and Belgium, about the human toll cyber mercenaries inflict and how civil society plays a key role in helping victims. The following transcripts have been edited for length and clarity.


FP Analytics (FPA): How does spyware relate to the broader cyber mercenary market? Do you see it as a distinct problem with distinct solutions, or as just one part of a broader problem?

Ron Deibert (RD): It’s both. It’s distinct, but it’s also a subset within a spectrum of mercenary surveillance technologies, which are very sophisticated products and tools that allow government security agencies to undertake surveillance of targets. It’s unique because getting inside a person’s phone provides extraordinary insights into their entire pattern of life: their private life, their social networks, their movements.

FPA: Governments are often the consumers of these products, but do you know of any private buyers?

RD: It’s difficult to say. Most known firms claim they only sell to governments. That said, there are several cases of spyware where it seems likely nonstate actors were involved. In Mexico, for example, many people who were in the crosshairs of the cartels wound up having spyware on their devices.

FPA: What can the international community—including the public, private, and multilateral sectors—do to address the risks and impacts of commercial spyware or cyber mercenaries?

RD: I think civil society’s job is to do what groups like Amnesty International, Access Now, the Citizen Lab, and others have been doing, which is to investigate and surface cases of abuse and describe the impact on victims. I spend a lot of time with victims, and I understand the impact this has on their lives. Civil society has a job to do as a watchdog, as an advocate, and to put pressure on the private sector and government.

In the private sector, a lot of the espionage that’s undertaken with spyware and other mercenary surveillance technology operates through the ecosystem that tech platforms control. If you think about how spyware works, it’s taking advantage of vulnerabilities in tools and applications and operating systems that we all rely on that are owned and operated by the private sector. So, they have a responsibility to make sure their systems are secure, that they’re protecting their customers, their users, but they could also go further here. I would signal out what both WhatsApp and Apple have done. Both of those companies made the decision to notify victims of spyware. Apple has routinely sent out a series of notifications to customers they know have been hacked with either Pegasus or another spyware. That’s a really important service they’re doing.

With governments, remarkable measures were taken by the Biden administration: The president’s executive order [in 2023, restricting the use of commercial spyware by U.S. agencies]; the coalition statement that the United States helped engineer that I think now more than 20 countries have signed on to; and sanctions and designated entity lists. I think that’s a model for other governments. The problem is a lot of governments want this type of technology. They have stakeholders and constituencies that are pressing within the government to be able to have the latest capabilities. So, they’re conflicted, and that’s why it’s hard to get them on board.

FPA: What is the human impact of spyware?

RD: We’re talking about people’s lives being impacted in profound ways. The most important one to consider is the chilling effect. These are people who once looked to the internet, to social media, to their mobile phone in their pocket as tools they can use to undertake advocacy and activism or just go about their day-to-day life. After having experienced this type of targeting, they look at them as something dangerous, as something toxic, and something that brings them psychological trauma, because they’ve been connected to such extensive personal harm—not just for them, but for their family and friends and wider networks.

If you have an unregulated, proliferating marketplace of these tools in the hands of despots and dictators and oligarchs, and they’re turning them on whoever they see as an inconvenience to their illegitimate or corrupt rule, and the impact is for [the victims] to withdraw from political and civic life, those people win. And that’s the most insidious effect of what we’re talking about here. We talk a lot about zero days [i.e., software vulnerabilities] and technical things, but the human impacts, the psychological, the emotional harms connected to this are profound.

FPA: What do you see as the role of civil society organizations like the Citizen Lab in combating this issue?

RD: Our mission at the Citizen Lab, from the get-go, was to act as counterintelligence for civil society. Governments have counterintelligence, even private firms do counterintelligence, but who’s doing this on behalf of human rights organizations and non-governmental organizations? That’s why groups like Amnesty International and Human Rights Watch and Access Now exist. If there is a positive part of this story, it is the remarkable flourishing of a community of civil society around this area. There’s an enormous community of very talented people dedicated to this topic, focusing on different aspects, too. There are investigators who are really technical, like at Amnesty Tech. You have Access Now and its helpline. You have people who specialize in law and policy in Europe, in North America, and elsewhere.

FPA: What international processes are promising to build consensus on the impact of spyware and the role of cyber mercenaries?

RD: It’s always good when you have people getting together and talking about this topic and signaling that they desire a more responsible, properly regulated space. But when I think about that process, I also worry a bit that there is a normalization that’s happening there and that it could lead to a condoning of a marketplace that is seriously flawed.


FP Analytics (FPA): How did you come to be targeted by Pegasus spyware, and how did you find out?

Carine Kanimba (CK): In [August] 2020, my father, Paul Rusesabagina, was kidnapped and taken to Rwanda in an intelligence operation. The Rwandan government had sent a priest for two years to gain his trust and invite him to Burundi. But, in fact, it wasn’t a real priest but an agent of the regime. And upon arriving in Rwanda, my father was tortured, he was jailed, and he was accused of terrorism and subjected to a sham trial. When my dad was kidnapped, I decided to go back to Belgium, because we have a home in Brussels and needed to be able to advocate with the Belgian authorities for his release or at least get the Belgian Foreign Ministry involved.

I was very critical of the regime in the media, doing as many interviews as I could to talk about what had happened to my father, trying to get attention on his case, trying to get the authorities in Europe and the United States to hold Rwanda to account and get them to release my father as quickly as possible.

In February 2021, a journalist from Forbidden Stories [an international collective of journalists that protects the work of targeted reporters] approached me and said they had reasons to believe my phone had been infected. I knew that, in the past, the Rwandan government had used spyware technology.

The initial forensics and follow-up testing showed that my phone was repeatedly infected from as far back as September of 2020—around the time I really started speaking out against the regime—and it lasted through July 2021.I received an iMessage, which I never saw—it completely disappeared. So, I never would have known that my phone was infected or that I received the message, because it never appeared on my screen. But that message is what infected the phone. Every time I turned off my phone or updated the software, they would send me a message again to reinfect my phone.

FPA: While this software was on your phone, what sort of information did the hackers have access to?

CK: I was holding meetings with the U.S. State Department, members of Congress, the Belgian foreign minister, many others, and during that time, I was being surveilled unknowingly. What was most shocking was the precision and timing of the forensics details, which showed that the moment I walked into the meeting with the foreign minister until the moment I walked out, the spyware had been activated. They had been obviously following my calendar, probably listening to the meeting itself, and were very, very aware of my actions, my communications, my conversations, my location. My whole privacy was essentially exposed. It was obviously deeply invasive, intrusive, but very scary, considering what I was fighting at the time, which was for my father’s release. It strengthened my resolve to continue this fight for justice, not only on behalf of my father, but also for all those other Rwandans who had been targeted by the regime.

FPA: This kind of targeting can have a chilling effect, not just on the person who’s targeted but their community, their family, their broader support system. How did you overcome it in order to continue your advocacy?

CK: There are all these security measures I had to take to protect myself. I had to stop using my phone. And that was the most crucial part, because I was using my phone to contact all these government officials, and that was almost like a lifeline, not only for the fight for my father’s release, but also that’s how I tweeted. That’s how I sent messages and emails, and everyone who I really sought out for help was through the phone. And so, it took a huge psychological toll to feel like all of a sudden, I had no weapons—my phone was like a weapon, was my way of fighting back. . . . So, my focus and my decision to continue to advocate was really based on the life-or-death situation where I felt that if I stopped, I could never see my father again. [Kanimba’s father was released in 2023 after two and a half years in captivity.]


Dr. Ron Deibert is Professor of Political Science and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. As Director of the Citizen Lab, Dr. Deibert has overseen and been a contributing author to more than 170 reports covering pathbreaking research on cyber espionage, commercial spyware, internet censorship, and human rights. Dr. Deibert was a co-founder and a principal investigator of the OpenNet Initiative (2003–2014) and Information Warfare Monitor (2003–2012) projects. In 2022, Deibert was appointed Officer of the Order of Canada, the country’s second-highest merit, for his work on digital security and human rights. .

Carine Kanimba is a spokesperson for the World Liberty Congress, the largest global movement of pro-democracy leaders representing 60 countries ruled by autocratic governments. A survivor of Rwanda’s 1994 genocide, she was adopted by Paul Rusesabagina, who saved more than 1,200 lives during the genocide—an act portrayed in the film Hotel Rwanda. In 2020, when her father was forcibly rendered to Rwanda and unjustly imprisoned for speaking out against the regime, Carine and her family led the international #FreeRusesabagina campaign, securing his release in 2023. As a target of Pegasus spyware, she testified before the U.S. House Intelligence Committee and the European Parliament, advocating for regulation of the spyware industry. Carine is a recipient of the Heroes of Democracy Award from the Renew Democracy initiative and the Global Magnitsky Human Rights Award for Young Human Rights Activists.