Dubai’s billionaire ruler targeted ex-wife with NSO’s Pegasus spyware

UAE’s Sheikh Mohammed authorised agents to use military-grade software during court battle over welfare of children

Jane Croft, Mehul Srivastava, Financial Times
October 6, 2021

Sheikh Mohammed bin Rashid al-Maktoum, the billionaire ruler of Dubai, targeted the phone of his estranged wife Princess Haya with a military-grade spyware tool during a London court battle over their two children, a High Court judge has found.

Sheikh Mohammed permitted his “servants or agents” to use an Israeli manufactured and commercially sold covert surveillance weapon called Pegasus to target the phones of Princess Haya and her divorce lawyer Baroness Fiona Shackleton, according to a High Court ruling.

Pegasus spyware, the military-grade software licensed by the Israeli company NSO Group, is only supposed to be deployed by sovereign states to prevent terrorism and serious crime, according to the company, and is sold only with approval of the Israeli government. It is licensed to the United Arab Emirates.

But rights groups such as Amnesty International and the Citizen Lab have traced the spyware to the smartphones of dozens of journalists, politicians and human rights activists across the world.

This is the first known ruling by a court in any jurisdiction on the abuse of Pegasus, though the software is the subject of legal action in the US and Israel. The High Court ruling that the spyware was misused to snoop on Princess Haya during a court case about the welfare of their two children is also highly embarrassing for Sheikh Mohammed, the vice-president and prime minister of the UAE. The case is still ongoing and has been largely ignored by UAE media.

Over the past quarter of a century, Sheikh Mohammed has overseen the development of Dubai into the region’s dominant trade, finance and tourism hub. His Godolphin stable is a dominant force in horseracing and he has been a regular fixture alongside Queen Elizabeth in the royal box at Ascot, one of Britain’s most prestigious sporting events.

Sir Andrew McFarlane, president of the High Court’s family division, concluded in a fact-finding ruling, which can now be reported for the first time, that “it is more probable than not” that the phone hacking “was carried out by servants or agents of the father, the Emirate of Dubai or the UAE and that the surveillance occurred with the express or implied authority of the father”. 

Sheikh Mohammed “is the probable originator of the hacking” and he is “prepared to use the arm of the State to achieve what he regards as right”, the judge concluded, adding that the royal had “harassed and intimidated” Princess Haya, who is a half-sister of Jordan’s King Abdullah, even after she fled to England with her two children in 2019.

Queen Elizabeth presents Dubai’s ruler Sheikh Mohammed bin Rashid al-Maktoum with a trophy as the winning owner of the Diamond Jubilee Stakes at Ascot in June 2019

The High Court noted that Sheikh Mohammed filed no evidence in response to the allegations and he did not confirm or deny that the UAE has or had any contract with NSO for the Pegasus system. His legal team also chose to “float various suggestions” including that other states such as Jordan were responsible for the hacking, according to the ruling. The case has been heard in private but a number of judgments have now been made public.

McFarlane noted in his ruling that Shackleton, Haya’s divorce solicitor, was first tipped off about the phone hacking on August 5 2020 by two separate lawyers — one of whom was Cherie Blair QC, a barrister and the wife of former UK prime minister Tony Blair.

Blair, who advises NSO on human rights issues, had alerted Shackleton, previously divorce lawyer for Prince Charles and Sir Paul McCartney, about the phone hacking after receiving a call from a senior NSO manager.

Blair, who gave a witness statement to the fact-finding hearing, testified that NSO was “very concerned” and “it had come to the attention of NSO that their software may have been misused” to monitor the mobile phones of Shackleton and Haya, according to the ruling.

Blair was never told about the identity of the NSO customer suspected of carrying out surveillance but testified: “I recall asking whether their client was the ‘big state’ or the ‘little state’. The NSO senior manager clarified that it was the ‘little state’, which I took to be the state of Dubai,” according to the judgment.

The emirate of Dubai is one of seven members of the UAE, the capital of which is oil-rich Abu Dhabi. Dubai retains significant autonomy within the federation, including its own security service.

In a December 2020 letter to the court, NSO said it could not disclose its clients but its investigation into the phone hacking recommended that “the contract with the customer should be terminated”, according to the ruling.

An NSO spokesperson on Wednesday said: “Whenever a suspicion of misuse arises, NSO investigates, NSO alerts, NSO terminates,” adding that the company had already cancelled contracts worth $300m with various clients. The company did not fall within the jurisdiction of the UK courts, it said.

In his fact-finding judgment, McFarlane concluded there had been hacking or attempted infiltration by Pegasus of six phones and in the case of Princess Haya’s phone “a very substantial amount of data” had been “covertly extracted”.

Pegasus is designed to mirror a phone’s contents surreptitiously, thus defeating the encryption of apps such as WhatsApp or Signal, and can turn on cameras and microphones to record conversations and track the location of the device.

Bill Marczak, senior research fellow at Citizen Lab, said in this case the targets were members of high society, and while he welcomed the fact that NSO took action he added that it would have been “nice if they afforded that due process to journalists and activists who get hacked all the time using their technology”.

Sheikh Mohammed in a statement denied the allegations. He said that neither Dubai nor the UAE were party to the court proceedings and added: “The findings are therefore inevitably based on an incomplete picture.” He said the findings were also based on evidence “that was not disclosed to me or my advisers” and that “they were made in a manner which was unfair”. Baroness Shackleton, Blair and Princess Haya have declined to comment.

London’s Metropolitan Police said its central specialist crime command had launched a probe last year after it received allegations about the interception of digital devices. Officers investigated for five months and explored all possible lines of inquiry but closed their probe in February 2021 due to “no further investigative opportunities”. It said any new evidence would be reviewed.