Skip to main content

Pegasus: UK has 'no intention' of holding Gulf allies accountable, says MP

Layla Moran says inaction against Saudi Arabia, UAE and Bahrain allows state users of spyware to act with impunity
Britain's Prime Minister Boris Johnson greets the Crown Prince of Abu Dhabi Mohammed bin Zayed Al Nahyan during a visit to London in September 2021 (AFP)

The UK government has "no intention" of holding three Gulf states accused of hacking British citizens' phones accountable, according to a member of parliament who has called for sanctions to be imposed on Israel's NSO Group in the wake of ongoing Pegasus revelations.

Layla Moran, the Liberal Democrat foreign affairs spokesperson who was among 10 MPs and peers pressing Prime Minister Boris Johnson in a November letter to blacklist the firm and cut off millions in funding to the Gulf countries, said the government's inertia since then would only encourage lawlessness.

"The government has absolutely no intention of holding these Gulf states accountable - namely Saudi Arabia, the UAE and Bahrain - who have been misusing cyber technology to target and attack dissidents on British soil," Moran told Middle East Eye.

"The government is sending a clear message to these regimes that despite this, they can continue to conduct business as usual with complete impunity.”

'The government is sending a clear message to these regimes that despite this, they can continue to conduct business as usual with complete impunity'

- Layla Moran MP

Around 400 UK mobile telephone numbers were found on a leaked list with 50,000 phone numbers which governments using NSO Group's Pegasus spyware - including the three Gulf states - reportedly identified as potential targets.

They include two members of the House of Lords, heads of British think tanks, leading lawyers, academics, activists, journalists and civil society and faith leaders, all with connections to the Middle East.

As the Pegasus scandal was making headlines last summer, the British government disclosed that it had repeatedly complained to the Israeli government about the NSO Group.

But it has declined to answer questions about what sparked those complaints and when they were made. Digital rights advocates have warned that the government's tepid public response to the Pegasus revelations will invite further attacks.

In November, a week after the US Commerce Department blacklisted NSO Group and a second Israeli firm, Candiru, Moran and the group of MPs and peers called on Johnson to follow suit and suspend all UK spyware licences and cybersecurity contracts to Gulf countries pending investigation.

They also said the UK government should cut off the three Gulf allies from the Gulf Strategy Fund, a £53.4m taxpayer-funded programme that MPs have complained is run without transparency or accountability, including whether human rights risk assessments are conducted for the activities involved.

Among the fund's activities is a UK cyber-ambassador who will help the Gulf allies - accused of hacking British citizens - to defend themselves from cyber-security attacks.  

'Smoke and mirrors'

Responding to their letter, James Cleverly, still serving as Middle East minister before he became Europe minister last week, wrote in a one-page letter in late December seen by MEE: "While the UK does not have an equivalent to the US entity listing process, we have an extremely robust export control regime. We do not issue export licences when there is a clear risk that items might be used for internal repression."

He said that the UK had not granted licences to NSO Group and there were no current licences permitting export of spyware from the UK.

The UK, he added, was "instrumental" in persuading the Wassenaar Arrangement - a multilateral effort to control the export of technologies that have dual civil and military uses - to adopt controls in 2014 on intrusion software tools and IP network surveillance equipment and software.

Pegasus spyware row is really about who controls cyber weapons
Read More »

He ended saying that the Gulf Strategy Fund "is subject to rigorous risk assessments to ensure all work meets our human rights obligations and our values. We discuss the range of cyber issues with partners and allies".

Oliver Feeley-Sprague, Amnesty UK's programme head covering military, security, and policing, said Cleverly's letter was "a classic smoke and mirrors response".

It is Israel, he said, not the UK, which would be responsible for issuing export licences to the NSO Group.

Meanwhile, Amnesty has been pushing the UK to adopt a licensing requirement for companies that want to market intrusion software within the country. Currently, NSO Group can promote its spyware at any UK arms fair without restriction, he said.

"The government are trying to say there's no problem here because we have not issued an export licence to NSO Group as if the UK is following the United States by tightening our own controls," he said.

"It is really doing nothing of the kind because there is no UK licensing requirement on an Israeli company anyway and that's the problem."

In Cleverly's letter, he said the UK is committed to work with international partners to counter "the proliferation of high end cyber capabilities", something Feeley-Sprague said he thought was a positive sign.

"The idea that they're open and willing to work with international partners to further strengthen the controls is a good thing, but it clearly hasn't committed to strengthening [the UK's] own controls in the meantime."

Sayed Ahmed Alwadaei, director of the Bahrain Institute for Rights and Democracy whose number was among those found on the leaked list of potential targets, said Cleverly's response showed that Gulf states would continue to be rewarded "even if they harm British nationals and exiled activists seeking protection".

“Despite recent forensic evidence demonstrating the UAE, Bahrain and Saudi Arabia were involved in hacking scandals against lawyers, parliamentarians and activists on UK soil, the British government continues to secretly channel taxpayers’ money to fund these abusive states’ cyber capabilities," he said.