Among Thai human rights defenders, Jatupat Boonpattararaksa is practically a titan among titans.
From anti-mining to constitutional reform, the multi-awarded activist has been at the forefront of various movements in Thailand since his student days. Unsurprisingly, he’s had frequent run-ins with authorities, who arrested him no fewer than five times between 2015 and 2021 on charges of sedition and lèse-majesté.
Some of his cases dragged on, but Pai Dao Din – as Jatupat is affectionately called – somehow prevailed over each case every time. One even had him imprisoned for nearly three years for sharing a BBC profile criticizing King Maha Vajiralongkorn. He eventually received a royal pardon for that case in 2019.
But in 2022, when he sued the Israeli cyberarms company NSO Group, the manufacturer of a powerful spyware tool targeting him and other activists, Jatupat felt like David staring down Goliath.
The lawsuit – filed with the help of law and cyberforensics groups Internet Law Reform Dialogue (iLaw), DigitalReach, Amnesty International’s Security Lab, and the University of Toronto’s Citizen Lab – alleged that the company enabled his surveillance, violating his rights.
It was a potentially landmark case that would have illuminated how the spyware, which is licensed to several governments supposedly to help them target terrorists and criminals, is being used to crack down on civilians.
“I am just a normal citizen and NSO Group is a big company,” Jatupat said in Thai during a press briefing hosted by DigitalReach on Nov. 22. “But it’s an important lawsuit and I didn’t care about the money. I wanted this lawsuit to act like a standard for ongoing cases that happened outside Thailand.”
Unfortunately, the day before, a Thai civil court had thrown out his case on procedural grounds, including the plaintiff’s supposed inability to prove infection beyond hearsay.
Jatupat’s lawyers and the cyber-rights groups that have supported his case said that the decision was riddled with questions about procedure and a lack of understanding of complex digital forensics – and thus raised serious concerns about the erosion of digital rights in Thailand and the ability of individuals to seek justice in the face of state-sponsored surveillance.
“The ruling tells us that Thai law somehow protects the perpetrator,” Jatupat said. “And this is actually a very dangerous setting because this means that in the future if Pegasus is used again against pro-democracy activists, human rights defenders … it’s going to be very hard to make them accountable for what happened.”
Zero-click spyware
As governments and corporations increasingly wield digital tools to suppress dissent, Jatupat’s story serves as a cautionary tale about the dangers of unchecked surveillance, particularly with powerful and unregulated private spyware tools like Pegasus.
The Pegasus Project, a collaborative investigation by 17 news organizations, first exposed the widespread use of the spyware in July 2021. The groundbreaking investigation uncovered evidence of the software being used to target journalists, activists, politicians, and business leaders in numerous countries.
Pegasus is a zero-click exploit – that is, it requires no action from the target – designed to be covertly and remotely installed on mobile phones. Once installed, it can access a wide range of sensitive information, including call logs, messages, location data, as well as photos and videos.
While NSO Group markets Pegasus as a tool to combat terrorism and crime, its use by governments around the world has raised significant concerns among human rights groups. In Thailand alone, many activists and journalists deemed critical of the monarchy have been targeted by the sophisticated spyware program.
The first comprehensive documentation of this “extensive espionage campaign” in Thailand was in 2022, when Canada-based Citizen Lab and DigitalReach confirmed that at least 30 individuals had their gadgets infected with the spyware.
Many of the victims were either repeatedly detained, arrested, and imprisoned for their political activities; or became the subject of lèse-majesté prosecutions by the Thai government.
The infections are believed to have occurred between October 2020 and November 2021, coming to light after U.S. technology company Apple issued notifications about a “state-sponsored attacker” targeting the victims’ devices. Jatupat himself was targeted at least three times in July 2021 alone.
Chatmanee Traisondhi, Jatupat’s legal counsel, said that these findings were the key documents used to prop up Jatupat’s case. But she said that it was difficult to find cyberforensics experts in Thailand who could explain the attacks – and therefore the report itself “was deemed as hearsay evidence and therefore inadmissible under the Thai Civil Procedural Code.”
Ideally, the report from Citizen Lab “should have been enough,” Chatmanee said. They also had witnesses that testified and certified the reliability of their report. Chatmanee explained Citizen Lab experts themselves did not testify at the hearing for good reason: “They cannot just come and openly expose how they do the testing, what their methods are, because the spyware developers are listening.
“So,” she continued, “it’s very alarming that the court did not use the exceptions in this case.”
Citizen Lab senior researcher John Scott-Railton said that currently, there are only a few groups – including those involved in Jatupat’s case – that are able to handle these kinds of research and work.
He pointed out that the lack of available experts, especially in Thailand, only “highlighted the value … in seeking support and to build an ecosystem of technical capacity to support cases like this around the world so that it doesn’t all fall on a small number of researchers.”
“We carried a very big disadvantage since the start,” said Yingcheep Atchanont, iLaw director and himself a victim of the spyware. “We’re fighting against a very big and rich company that developed sophisticated spyware we didn’t understand. [By contrast, NSO] had a lot of human resources, they had a lot of knowledge.
“The most crucial point that stood out from the verdict,” Yingcheep added, “is that the court insists too much as we, as a victim, as an activist, and as the plaintiff in the case, bear a big burden of proof to prove everything, that we are really infected.”
In fact, he said, the court could have compelled NSO Group to produce its own burden of proof.
“(NSO Group) insisted many times in the court that they have a system to check how their spyware is used by their customers and they have the technological capability and contractual capability to check who are actually being targeted,” noted Yingcheep. “But they said nothing. They never said the plaintiff was not infected. They also failed on the burden of proof that they are innocent.”
Scott-Railton, meanwhile, stressed that the spyware “is designed to be hard to detect. And the many corporate practices of NSO and similar companies are designed to obscure and hide both the infections [and] the wrongdoing committed with their technology.
“We feel very strongly that if NSO and similar companies were in fact responsible companies, they would do everything in their power to undo the powers that this secrecy has to hide abuse,” he said. “And unfortunately, we have seen the opposite again and again.”
Moving forward
For now, iLaw and DigitalReach plan to continue their work on identifying victims of Pegasus spyware, particularly among activists and human rights defenders in Thailand and the rest of Southeast Asia.
“Even though we didn’t get a good court ruling for this country and for the global fight, we can say that we will continue checking more phones of people who are at risk, and we will do more investigations even though we only have few resources,” Yingcheep said. “If we can find new infections within the statute of limitations according to the law, maybe we can still have the next case.”
Jatupat’s legal team is considering an appeal against the court’s dismissal. But there are significant procedural constraints, as no new witnesses or evidence can be submitted. According to Yingcheep, the case must rely on the existing testimony and documentation presented in the initial trial.
“The main question is how we can move past this and build a better case next time,” said Chatmanee. “Considering the nature of this case, it’s not a level playing field.”
Scott-Railton, however, sought to underline the silver lining: “There are cases around the world in many jurisdictions involving Pegasus and other spyware abuses. And no case was as far along, specifically as a case brought by a victim, talking about the forensic analysis of a victim’s device to NSO.”
He added, “I think what this case shows is that a scrappy group of non-profits and some talented lawyers in Thailand can both pave the way forward and give us a lot to learn about what the weaknesses are when you’re trying to bring cases, and what things need to get addressed, but also techniques that work.”