Front Burner - How a Canadian watchdog turned the tables on an undercover operative
Episode Date: February 5, 2019In December a digital privacy watchdog began receiving mysterious emails from businessmen who didn't seem to exist. John Scott-Railton from the Citizen Lab joins us to try and understand why his group... was targeted by what they believe to be undercover operatives.
Transcript
Discussion (0)
Hey there, I'm Kathleen Goltar and I have a confession to make. I am a true crime fanatic.
I devour books and films and most of all true crime podcasts. But sometimes I just want to
know more. I want to go deeper. And that's where my podcast Crime Story comes in. Every week I go
behind the scenes with the creators of the best in true crime. I chat with the host of Scamanda, Teacher's Pet, Bone Valley, the list goes on.
For the insider scoop, find Crime Story in your podcast app.
This is a CBC Podcast.
Hey, I'm Michelle Parisi, the woman behind Alone, A Love Story.
Season 3 is coming out on February 5th.
Love, sex, travel, motherhood, it's all in there.
You don't expect anything less from me by now, do you?
So put on some tea, make some space under the blankets,
and get ready to hunker down with the final season of Alone, A Love Story.
Hello, I'm Jamie Poisson.
There's a watchdog group here in Toronto.
It's called the Citizen Lab.
And their whole job is looking into cybersecurity.
They write big reports about issues like hacking and spying and privacy.
Governments who shut down the internet and spy on their citizens,
they are not big fans of the Citizen Lab.
Well, a few weeks ago, a couple guys at the Citizen Lab started getting these unusual emails
from people claiming to be wealthy businessmen and asking to meet up to discuss possible collaborations.
It turns out these businessmen, they didn't actually exist.
The companies they worked for, they weren't real.
But the Citizen Lab people, they took the meetings and they recorded one of them.
On the show today, we have John Scott
Railton from the Citizen Lab. He's going to tell us what went down, and you're going to hear it too,
because he's given us the recording. That's today on FrontBurner.
Hi, John.
Hi, how are you?
Good. Thank you so much for joining us today.
The pleasure is mine. So your group is at the University of Toronto, and you look into issues like privacy and hacking.
Is that a fair description of what you do?
Sure. So Citizen Lab is a group that's been around for a while, and we're concerned with a couple of questions.
a while, and we're concerned with a couple of questions, but one of the things that we've worked on for a long time is to try to understand how civil society, so journalists, human rights
defenders, and others, get targeted digitally for what they do. And we spend a lot of time
trying to understand how that happens and trying to expose who's responsible.
And last year, the Citizen Lab, it published a report about the murder of Jamal
Khashoggi. This made big headlines. What did you find out? So our report was actually about a
Canadian permanent resident named Omar Abdulaziz, who's a close confidant of Jamal Khashoggi.
Citizen Lab discovered the alleged surveillance of Abdulaziz and others. The University of
Toronto Citizen Lab had discovered that his cell phone had almost certainly been hacked.
And in our report, which was led by my colleague Bill Marzak,
we demonstrated that a very sophisticated piece of spyware sold exclusively to governments
and developed by an Israeli company named NSO Group,
had been used to target Omar's phone while he was attending university in Quebec.
Data from that phone was streaming back to whoever was operating.
The infection, of course, that data would have included a lot of communications
between him and Jamal Khashoggi,
because they were working very closely together, according to Omar,
on some projects that the Saudi government would have seen as a
big threat. We were working on short documentaries. And also we were working to do some things for the
activists who've been imprisoned in Saudi Arabia. And what kind of things does this software allow
whoever's operating it to see? In some ways, it's actually more powerful than what you have available to you
as the user of your own phone.
So if your phone is infected,
of course, you know, the pictures can be stolen
and your WhatsApp chats,
even your encrypted messages can be siphoned off.
Wow.
The phone can also be turned into
sort of a bug in your pocket.
Wow.
Using the microphones and the cameras
to turn it into a listening and recording device, sending the data and the location data back to whoever's operating the spyware.
And you mentioned that Omar had been working closely with Jamal Khashoggi, who we know now was murdered and dismembered in the Saudi consulate in Turkey.
And there's a lot of evidence to suggest that this was ordered by very high up in the Saudi government, potentially the crown prince of Saudi Arabia.
by very high up in the Saudi government,
potentially the crown prince of Saudi Arabia.
Omar has said that he believes this hacking of his phone played a major role in Khashoggi's death.
Played a major role in what happened to Jamal.
I'm really sorry to say that.
We were trying to teach people about human rights,
about freedom of speech. That's it.
This is the only crime that we've committed.
What a horrible thing to have to feel.
Yeah.
What was the response after your report?
Like many of our reports, it was met with denials.
One feature about our reporting, when we report on companies that sell spyware technology,
is that they often say that our methods are unsound or there are plenty of errors.
But good luck getting them to specify what those errors actually are.
There was another component to what was happening, and we weren't aware of it at the time,
and that was an elaborate international effort by undercover operatives to figure out what we really knew,
what else we were doing, and to try to get some dirt on us,
and maybe even to put us in situations where we would say things that could be used against the Citizen Lab or to damage our
credibility. Okay, so let's talk about that, because this is where the story gets bananas,
as far as I'm concerned. That was the word I was going to use, too.
So your report comes out last year, and then in December of last year, your colleague gets an
email from a guy who calls himself Gary Bowman. What does it say? And Gary is interested in talking to my colleague Bahar
about doing some work on banking for refugees. Now, of course, this is relevant to Bahar for a
couple reasons. Bahar is Syrian and, of course, is a refugee of the conflict. He's also a tremendously
talented researcher. And so Bahar thought, well, this is interesting.
You know, refugees certainly have trouble with the banking sector and trouble even getting credit cards.
This is really important.
After some communication, Bahar agreed to a meeting, which took place at the Shangri-La Hotel in Toronto last December.
And what happens during that meeting with Gary Bowman?
And what happens during that meeting with Gary Bowman?
For a conversation that's supposed to be about financial technology for refugees from a Madrid-based startup run by a South African, the conversation took a very strange turn.
So some paper was sort of pushed across the table to Bahar.
You know, here's an application form for a job, but with a lot of pretty specific sort of personal questions in it. Then the conversation was maneuvered by this Gary Bowman identity.
He's talking about the Citizen Lab and of all the different projects that we've worked on,
the only one that he was really interested in, I was talking to Bahar about NSO Group.
And he had some very specific questions.
The Israeli company that creates that software that we were talking about
that was used on Omar Abdulaziz's phone.
And many other people as well.
And we should note, you know,
this software has also been used in Mexico against journalists
and in Panama too, I believe.
So yeah, we have more than 23 cases that we've found so far.
During the meeting, he also tries to ask some questions
that Bukar recalls
as things like, do you hate Israel? And some other pretty offensive and direct and blunt stuff. So
Bahar walks out of that meeting and he gives me a call. I think something really strange has
happened. So my colleagues and I begin to investigate. We investigate the online persona,
Gary Bowman, and decide very quickly that this is some kind of an elaborate
fake. How do you know that it's fake? Well, we conclude pretty quickly that this is something
that exists in a very small number of places on the internet. You know, anybody knows now that
digital exhaust that a normal human generates is such that, you know, bits of your life are all
over the internet. Not so with Gary Bowman and not so with his company, which was called Flame Tech.
It seemed to exist in only a couple places,
a LinkedIn page, a Crunchbase profile,
and a few other things.
We then dug further
and determined that one of the photographs
used by another supposed employee of this company
was borrowed from a stock photograph,
then determined that the address
looked like it belonged to a virtual office.
And we were pretty close to releasing a story when in January of this year, I got a message.
So what is the message that you get? And what does it say? Is it also from Gary Bowman? It is not from Gary. It's from a different individual who at the time was representing himself as Michel Lombert. that I'd used for PhD studies a long time ago, which was I used to put robotic cameras on kites
and fly them over the West African coast to look at flooding.
Oh, interesting.
And I thought so.
And Lombert clearly thought that I still found this interesting enough
that if he asked me about that,
maybe I wouldn't think that this was related to my primary work.
Okay.
Lombert gets in touch and he sort of says,
look, I'm this head talent scout slash director of this company
with a bunch of investments in Africa.
We're interested in climate change and a few other buzzwords
that appeared to have been sort of mad-libbed
from some of the things that I'd written myself.
And he wanted to get in touch.
Maybe this technology could be used in his projects.
So you get the email from Michel Lambert and you started digging.
What do you find out about him and the company that he says that he works for?
So one of the first things that we found was, man, the thinness of this cover sure looks a lot like the thinness of the Gary Bowman cover.
And as we kept digging, sure enough, you know, we felt like we were looking at something pretty virtual. Addresses that didn't seem to be real, companies that
weren't registered anywhere, and a few other things. My primary goal was, let's see how long
we can play this. And let's see if we can get this guy into an in-person meeting.
And so how did you go about doing that?
Well, I had to play along, didn't I? And so
I decided that the type that I was going to play for this interaction was the, you know, excited
PhD student who just would really like someone to be interested in this crazy methodology that
he's got. Right. And you just want to talk about kites. I just want to talk about kites. I'm
sending him academic papers about kites. I'm talking extensively about kites. I'm sending him academic papers about kites. I'm talking extensively about kites.
I messaged the guy on LinkedIn. I really am interested in kites. So we set up a phone call.
And so we have a charming, you know, laughter-filled conversation.
You meet him, obviously.
So we schedule a meeting for the coming week,
and I decide that it would be a good idea to have this meeting in New York.
Obviously, no red flags go off for him because he meets you.
Well, if he did have red flags,
they clearly weren't too much to prevent the meeting from taking place.
So we agree to this meeting.
Voilà .
OK, très bien.
And it feels, as I'm heading over to this meeting, that it might not work.
I had spent the night before in a hotel room making a camera, a video camera, in my necktie.
How did that work?
So I've gone undercover before as a reporter, and those cameras are a lot trickier than you think they are.
I've used one in a button, and all of a sudden it's pointing up to the ceiling.
In the end, I got some great footage in my lap.
But the challenge was I didn't have a lot of time and I didn't have a lot of materials.
And so I bought, you know, some nail scissors and some super glue.
And then I got like a nanny cam and sort of took it apart and turned it into something that could fit in a necktie without creating a bulge.
You know, used some fabric that I had cannibalized from one of the hotel slippers to create the package for it.
So I'm going to this meeting, and I'm thinking, there's no way this is going to work.
And I'm running late because it's a torrential rainstorm in New York.
But I arrive at this place, the Peninsula Hotel, and I do my best to not look over my shoulder.
And among the other things that I'm not looking for, I am
absolutely not looking for the team that the Associated Press, by my invitation, has sent
to be at that venue at the same time so that we can actually run this as a sting. So that when I
send them the signal, they can come over and ask Mr. Lambert some questions of their own. So you guys are all in place at the Peninsula Hotel, although you're
trying to pretend like you do not know the ATP reporters. Well, and in fact, the funny thing is
everyone is in place but me. I'm running late because it's pouring rain. You're soaking wet.
And I'm thinking, man, you know what? I'm already like six minutes late. He's going to smell a rat and he's going to
leave. Right. All of my hard work. And here we are. So I show up dripping wet. And of course,
ask the person at the front, you know, I'm here to meet Michel Lambert. I'm shown to the back of this restaurant. And there, sitting at a table behind a pillar, is Mr. Lambert, who gets up.
And boy, is he happy to see me.
And we have a charming little couple of minutes of French conversation as he guides me to another table.
This one with my back to the whole restaurant.
Oh, interesting.
And his back to the wall in a nook by a window.
He guides me to this table and sits me down.
The charm offensive begins immediately.
So tell me about this lunch.
Well, one of the strangest things about this, I'm immediately offered a martini from the
head waiter who informs me that, you know, the gentleman insists that you have a martini
and I graciously decline.
No martini for me.
That's great. I still don't want it. decline. A gentleman is present at another table and is pretty clearly trying to unobtrusively
photograph me by holding a cell phone canted in his hand while, you know, pretending to study the
menu. And since I don't recognize him as part of the Associated Press group, I'm pretty sure that
this is one of Michel's cooperatives. About four minutes into the conversation,
and Michel, in French, is already saying some pretty racist things in French,
and I think is trying to get me to laugh along.
So a racist term about Africans.
For me, the expression is a bit...
I mean, you're recording him, but is there a sense that he's recording you?
In true spy versus spy fashion, Michel has produced this pen, a big fat pen with a hole in the top, which during the course of the meeting, he mostly has pointed at me.
You're very cognizant that everything that you're doing and saying, he is recording.
Listen, after staying up until two in the morning trying to stuff a camera into a necktie, I'm looking at this guy and I'm like, where is his camera tie?
But then didn't you think to yourself, like, damn, I should have got myself a pen.
Well, actually, I was really glad I hadn't gotten a pen
because I thought that that would have probably been a bit much.
I thought about some props that I could stuff a camera in or something.
And I realized, like, you know, if I have a pen like this guy is a professional,
he's going to recognize a camera pen.
He's going to think that I wouldn't, right?
So although it would be a humorous moment if we were both, you know, sort of pointing our pens at each other.
We banter.
We talk.
The conversation ranges widely.
He says a bunch of things about himself, about his family, about his love for a certain kind of cigar.
But he also made some mistakes.
So during the phone call with me,
he said, well, you know,
I've got a son about your age, John.
Okay.
During the meeting, he's telling me,
you know, I've got a daughter right around your age.
And I begin wondering whether, you know,
he was mixing fact and fiction
so that he could keep his story straight.
So for the first hour, we're pandering.
He tells me about, you know,
he's met all these African leaders.
Who knows if any of this is true.
I guess if you lie for a living,
you can just make up a life that's much more interesting
than your life might really be and just tell it to these strangers.
But then about an hour into this conversation,
after we talked about kites, after we talked about business,
he makes the pivot.
And suddenly,
he's asking me some very focused questions.
And some of those questions are things like, do you think that
the work that Citizen Lab has done, do you think that some of the response to that work is motivated by anti-Semitism?
So you're working against hacking, as far as I understand.
So you are working against hacking, as far as I understand.
You know what it is?
It's interesting because you come from a kite to fighting an active.
What kind of companies? What do you mean by abuse?
And, oh, I see, you know, tell me about the methodology and the logic of the use of these things.
And then he's sort of saying these things that sound an awful lot like industry talking points.
Like, you know, well, but isn't it the case that this stuff is being used to, you know,
catch criminals and catch terrorists and against cartels?
But isn't it the case that this stuff is being used to, you know, catch criminals and catch terrorists and against cartels?
I'm hearing this and I'm thinking, wow, this sounds an awful lot like the quotes that people in this industry sometimes give to reporters when explaining what it is that they do.
And he's asking me why I think these people develop this, you know, spyware. Are they bad people? What's the deal? And I say, well, you know,
I think, I believe that they did it because, you know, they probably wanted to help. And so he's
sort of asking me, well, you know, does that make you feel not so good in your job or what? Is there a conflict of interest? I say, ah, well, there is work drama.
Aha, he laughs.
Work drama.
Tell me.
I like drama.
Work drama?
Yeah.
Tell me.
I like drama.
Because, and you have to remember, this is just two people sitting down over food.
He's got his Wagyu beef and I've got my salmon.
He's holding cue cards. He's got his Wagyu beef and I've got my salmon. He's holding cue cards.
He's holding cue cards?
Yeah. Not just any cue cards. These are index cards. And he's got them in three colors.
What?
Green and yellow and red.
Why?
Well, only he knows. But what I will observe is during the first hour of that conversation, when we were on kind of harmless topics about kites in Africa, we were on the green cue cards.
And then when we started moving towards Citizen Lab, the yellow cue cards are in play.
And finally, for the really sensitive stuff, he's working from the red cue cards.
And I have to tell you, I couldn't resist when the cue cards came out, sort of, you know, making a little
comment just to see how you would respond. And his answer was like, well, you know, it's kind
of an anachronistic thing. I'm an older guy. You know, I'm not technological like you.
But it's rude to have a phone. So this is what I like.
But at one point, he's so kind of working from these cards that he has these cards propped up
against a glass so that he's reading from the cards as he's talking to me.
He's sort of holding this pen in his hand, pointed at me.
Why are they asking you these questions?
Well, that's a good question.
I think you'd have to ask them.
And, you know, if I had more time with Michel, I might have wanted to ask him myself.
My sense is that he had a difficult job.
He seemed to be tasked to get me to say something offensive, to get some kind of information,
anything he could get, any dirt, any drama on the Citizen Lab.
So assuming this guy was a spy, you know, would you say he was a good spy?
This does not seem like high-level spycraft to me.
Who knows?
My theory is that this is somebody who is professional and who's done this a lot
and for whatever reason was in a pretty complacent frame of mind during his interaction with me.
As a result, he was also he was also, you know,
at a tremendous disadvantage, which is I walked into that, you know, he came rolling in with a
team and so did we, but we walked into that knowing, having a very good idea of what he
was going to try to do. So you've just had lunch with this guy.
He's asked you about all of these controversial things, anti-Israel sentiments, Jamal Khashoggi specifically.
And then you're ready for the AP reporter to come in.
At one point, you literally asked the guy to look out the window so that the reporters can come.
So I got this message from the reporters like, you know, our batteries are running low on
our microphones.
I have been there before.
Not a good feeling.
So I got to play this one by ear.
And so when I do send the signal for the team to come over, I try to distract him first
by drawing his attention to the window.
You look out here, right?
And you'd think, like, how could you even use a kite out in this?
And the answer is, it's still possible.
You get on the rooftops.
Suddenly I'm talking about flying kites off rooftops,
and if you just look out here, sir.
Back to the kites, yeah.
Back to the kites, right?
Let's go back to those green note cards for a minute.
AP reporter Raphael Satter and his camera emerge,
and the guy's completely blindsided.
Suddenly this reporter is pulling up a chair to his left, and there he is. My name's Raphael Satter and his camera emerged, and the guy's completely blindsided. You know, suddenly this reporter is pulling up a chair to his left, and there he is.
My name's Raphael Satter. I'm a journalist with the Associated Press in London.
I'd like to speak to you about your company.
Okay, and what happens?
He obviously is pretty flustered by the situation, as I think we all would be,
independent of whether we were doing something wrong, having a reporter and a big camera pointed in your face like,
this is not the usual fare for a Thursday afternoon lunch at the Peninsula Hotel.
The reporter, Raphael, begins asking him questions like,
well, you know, Michel, it seems like your company doesn't exist.
I don't have to speak with you.
Excuse me?
I don't have to speak with you.
Well, actually, I think you'll want to,
I don't have to speak with you.
Well, actually, I think you'll want to,
because my colleague was visiting your company this morning,
and, you know, it's very strange.
She says it doesn't exist.
You know, this guy's just saying,
well, you know, I know what I'm doing.
I don't need to tell you anything.
I know what I'm doing.
What are you doing?
He sort of pops up after a moment, bumps over a chair,
and walks in a big circle around the restaurant,
I think, trying to figure out what to do with himself and which way to exit.
We just want to...
For various reasons, doesn't go out the front exit,
and at one point stands for a little bit,
facing the wall, refusing to talk to anybody,
claiming that everything is fine, he knows what he's doing,
he works for this company.
What about the other circle? You don't work with anybody. You don't work with anybody. refusing to talk to anybody, claiming that everything is fine, he knows what he's doing, he works for this company.
And then he sort of spots his out, makes a boogie for a back room,
a back door that's open, walks through it,
tells the hotel staff who's in there that he's being bothered. Michel.
Those people disturbed the door, I would like to help you.
And tries to close the door.
And he's clearly so full of adrenaline that he can't get the door to close.
So the hotel staffer has to get up and kick the door jamb out of the way and then close
the door.
That's the last we saw of Michel.
Not James Bond stuff, I'll tell you that.
So what do we know about Michel Lambert now?
There was a brief period of time when Michel was Michel.
And no one really knew who he was.
And then the New York Times, in collaboration with some very talented Israeli reporters, put a real name to the face of Michel.
His real name is Ahon Almog Asulin, and he's an Israeli.
He'd actually been for a while a neighborhood council mayor.
That's very weird.
He had a background as an officer in the defense establishment
and had been previously linked to a case in Canada
that was connected to Black Cube, this private spying operation.
And I should add, the New York Times made this connection to Black Cube because they
found a court case in Toronto, where one side admitted to engaging a company that subsequently
hired Black Cube as a subcontractor.
And the Times is quoting an unnamed source involved in that lawsuit, who says he or she
was approached by a man in 2017 who used a different pseudonym
and was also asking a bunch of questions about the lawsuit.
And this New York Times source recognized the man
as the same man who called himself Michel Lambert,
the same man who the Times is saying is actually Almog Asselin.
The CBC has not independently confirmed the Times' reporting,
and Black Cube itself says the story is false,
that they have nothing to do with these men approaching the Citizen Lab.
Just a quick 101 on Black Cube itself.
Black Cube is this Israeli private company, private investigative company,
and it made headlines in 2017 when it was connected to the Harvey Weinstein case.
Harvey Weinstein hired Black Cube, and they used operatives.
Essentially, one operative, I remember, was posing as a women's rights advocate to try and get information out of one of the accusers against Weinstein.
So that's what Blackheave does.
And we should also note the other company here, the other Israeli company here is the company NSO, who created Pegasus.
Because you were receiving all these questions about Jamal Khashoggi and this software, were there also some questions that maybe this company could have been behind this?
Well, I think that the transcript and recording of the interaction speaks for itself.
It's pretty clear that, you know, Citizen Lab does a lot of different projects.
But the only thing that these people seem to be particularly interested in is Citizen Lab's work as it pertains to NSO Group.
And I should also note that NSO also has said that they have absolutely nothing to do with this.
That's right.
Have you gone to the authorities with this information, John?
So what I can tell you is that Citizen Lab is cooperating with
all relevant authorities in all relevant jurisdictions.
Okay. Before I let you go today, this story is just, it's wild. Does what happened
here change how you and your colleagues at the Citizen Lab do your work from now on?
So for a long time, Citizen Lab has been working with other people who are the victims of this kind
of stuff, people who are targeted digitally or in person for what they do and for having the
courage to act on their convictions or simply having the misfortune that people with resources
and power regard them as trouble. I think that this case gives us sort of a new sense of how it
feels sometimes to be targeted. I think it's also true, though, that if you wanted, I don't think you could find a better motivator for a group of investigators than to target them.
What happened next here?
I think that a lot of very talented investigators and investigative reporters are on the case.
I think that if I had been responsible for that operation or were in some way linked to it, I'd probably be pretty concerned about what revelations were coming next.
or were in some way linked to it,
I'd probably be pretty concerned about what revelations were coming next.
John, thank you so much for taking the time to walk us through what happened today and to help us understand this really insane story,
but also incredibly important.
So thank you.
Thank you very much. It's been a pleasure.
We'll be back in a second.
Discover what millions around the world already have. We'll be back on a jog.
The first 30 days of the Audible membership are free, including a free book.
Go to www.audible.ca to learn more. Okay, so there's a lot going on in this story, and we reached out to a bunch of players for comment.
As I mentioned in my conversation with John, the Israeli company NSO that makes the surveillance software
says they have nothing to do
with these mysterious men approaching the Citizen Lab employees, and that there is no evidence they
were responsible for anything to do with this, a fact that the Citizen Lab has itself acknowledged.
About their surveillance technology more generally, a NSO spokesperson added that the company licenses
its technology to governments and law enforcement agencies
to help them investigate terrorism and crime, and that thousands of lives have been saved because of it.
The company says they won't discuss which countries use the technology because of, quote, security reasons.
But they do not agree with the Citizen Lab's methodology.
We also reached out to BlackQ, the Israeli private investigative company.
We received a response from their legal representative.
He said Black Cube had nothing to do
with the men approaching Citizen Lab employees
and that the Citizen Lab has also acknowledged
they have no evidence Black Cube was involved.
And finally, we also emailed the man
who met with John from a Michelle Lambert email account.
That email bounced back.
So we reached out to CPW Consulting, Michelle's supposed employer.
That email also bounced back.
Their LinkedIn page has since been taken offline.
I'm Jamie Poisson.
Thanks for listening to FrontBurner.
For more CBC Podcasts, go to cbc.ca slash podcasts.
It's 2011 and the Arab Spring is raging.
A lesbian activist in Syria starts a blog.
She names it Gay Girl in Damascus.
Am I crazy? Maybe.
As her profile grows, so does the danger.
The object of the email was, please read this while sitting down.
It's like a genie came out of the bottle and you can't put it back.
Gay Girl Gone. Available now.