Friday, June 9, 2023 | Back issues
Courthouse News Service Courthouse News Service

Federal judge to consider phone hacking case of Saudi human rights activist

Prominent human rights activist Loujain al-Hathloul argues DarkMatter’s hackings are “inextricably linked” to the U.S, as they were carried out with cyber-technology developed in the U.S. by domestic companies, and the technology specifically targeted Apple’s U.S. servers to infect her phone with malware.

PORTLAND, Ore. (CN) — Attorneys for Saudi human rights activist Loujain al-Hathloul met before a federal judge Tuesday on a motion to dismiss against an Emirati cyber-surveillance company and three former U.S. intelligence operatives, asserting they aided Saudi Arabia in hacking al-Hathloul’s iPhone before her arrest in 2018, leading to her imprisonment and torture for her activism.

Al-Hathloul, 33, rose to prominence after launching a campaign to give Saudi women the right to drive — a right they were denied until June 2018. Yet, al-Hathloul’s activism did not come without dire costs to her safety.

According to al-Hathloul’s complaint filed in December 2021, DarkMatter Group and its former senior executives — former U.S. intelligence operatives Marc Baier, Ryan Adams and Daniel Gericke — hacked her iPhone to surveil her movements and used her confidential communications against her by the security services of the United Arab Emirates, leading to her arrest and extradition to Saudi Arabia, where she was “detained, imprisoned and tortured.”

The three operatives were a part of the same DarkMatter surveillance unit called Project Raven, also known as the “Development Research Exploitation and Analysis Department” or “Project DREAD.” As first reported by Reuters in 2019, Project Raven aided the UAE in spying on human rights activists, academics, journalists and government critics, with the source later revealing the project assigned al-Hathloul the codename “Purple Sword.”

In 2021, the three men entered into a deferred prosecution agreement with the U.S. Department of Justice, where they admitted to hacking into computer networks in the U.S. and exporting cyber intrusion tools without necessary permission from the U.S. government.

Al-Hathloul is now suing DarkMatter and the three men for computer fraud violations and crimes against humanity under the Alien Tort Statute.

Right off the cusp, Judge Karin J. Immergut addressed Tuesday's video hearing stating that she was inclined to dismiss the case for lack of jurisdiction, but noted that she had concerns about the issue brought forth and interested to learn what tortious conduct specifically occurred in Oregon.

Al-Hathloul argues the hackings are inextricably linked to the U.S., as they were carried out with cyber-technology developed in the country by domestic companies, and the technology specifically targeted Apple’s U.S. servers to infect al-Hathloul’s phone with malware.

Going back further, the complaint alleges the UAE sought out U.S. corporations in 2008 to build a cyber-surveillance program to hack perceived dissidents from the UAE and Saudi Arabia. Around 2009, CyberPoint International became the UAE’s primary contractor, recruiting Americans, including those from the National Security Agency and others in the U.S. intelligence community. Then, around December 2015, the UAE transitioned services under Project Raven from CyberPoint to DarkMatter — bringing Baier, Adams and Gericke with it — who went on to upper management positions within the company at various levels.

Under the operative’s direction, DarkMatter developed a new exploit to target al-Hathloul, “exploit” meaning computer code that exploits a vulnerability to install undetectable malware. The “zero-click” exploit, which can run without a target taking any action, such as clicking a link, browsing a website or installing an app, allowed DarkMatter to hack hundreds of iPhones to obtain emails, location data, messages and photographs.

On behalf of DarkMatter, al-Hathloul claims Baier acquired two “zero-click” iMessage exploits from two U.S. companies around May and October 2016 to create and upgrade an espionage system known as “Karma” to overcome evolving iOS security upgrades. From there, DarkMatter paid $750,000 and $1.3 million for each exploit by transferring funds from bank accounts outside the U.S. to accounts belonging to companies in the U.S.

It is through these accounts, al-Hathloul says, that the men and DarkMatter created the Karma hacking system “that relied on the obtained exploits and other U.S. technology, including anonymization services and computer hardware located or built in the United States.”


DarkMatter attorney James Tysse dismissed these claims in the complaint immediately, arguing al-Hathloul failed to pass the purposeful direction test to show personal jurisdiction, particularly as she didn’t allege any personal harm and only alleged harm to Apple.

Additionally, as noted in DarkMatter’s motion to dismiss, Tysse pointed out that al-Hathloul cannot show that DarkMatter purposely directed transmissions through U.S. servers and that al-Hathloul incorrectly states Adams is domiciled in Oregon, conceding the only U.S. connection she has is that “certain text messages allegedly sent by DarkMatter from a location abroad passed through U.S. servers, which allegedly later caused her to suffer harm in foreign countries.”

Such allegations are insufficient to establish jurisdiction in the U.S., DarkMatter argued while citing Hungerstation LLC v. Fast Choice LLC, which would otherwise allow the U.S. to become a forum for a limitless number of claims involving electronic communications between foreign parties.

Additionally, DarkMatter argued that al-Hathloul failed to state a claim for relief, noting her “information and belief” allegations didn’t connect defendants to the hacking and “cannot satisfy the statutory loss standard,” while also arguing her second claim of conspiracy to violate Computer Fraud Abuse Act is also barred.

As for her third claim under the Alien Tort Statute, DarkMatter argued the court lacks jurisdiction because “it is impermissibly extraterritorial and because it seeks an unprecedented expansion of liability that would force this court to adjudicate the legality of the actions of foreign sovereigns taken in their own territories.” Tysse added to this argument in court, noting that al-Hathloul had not yet shown there is no other court in the world more appropriate for the suit to be adjudicated.

Of course, al-Hathloul’s attorney Mukund Rathi disagreed with every bit of this, adding to his client’s arguments that because the malware was developed and sold in the U.S., it is ripe for jurisdiction. Rathi explained that defendants spent years creating inauthentic Apple accounts to overcome upgrades in Apple’s iOS system to transmit exploits within the U.S., eventually creating a custom program designed as an iMessage — “a Trojan horse” — so effective Apple didn’t notice it.

Moreover, Rathi argued the U.S. is the only place al-Hathloul will get a remedy “where the hacking system was developed and where the malware was transmitted.”

The attorney further argued his case for jurisdiction, stating DarkMatter didn’t simply “transmit ‘something’" over a server, they transmitted malware over a U.S. server, and that tortious conduct in the forum is ripe for jurisdiction.”

As to whether DarkMatter and the three operatives harmed al-Hathloul, Rathi insisted the harm came from malware.

“Doesn’t the harm have to happen in the U.S.?” Immergut asked.

“Not with the transmission of malware,” said Rathi, explaining that al-Hathloul, despite never having been to the U.S., had an interest in using those secure Apple servers that are only accessible through the U.S.

During rebuttals, Tysse and DarkMatter attorney Anthony Pierce further asserted the case lacked a connection to the U.S., let alone to Oregon. Later on, before closing, Tysse said he believed the court would be creating new law if it were to say virtual harm is sufficient in these circumstances for personal jurisdiction.

With that, the judge adjourned the hearing, stating that she would take matters under advisement.

Bridget Donegan of Boise Matthews LLP also represents al-Hathloul, who was present on Tuesday in addition to Ryan Adams’ attorney Clifford Davidson.

Categories:Government, International, Law, National

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.