Thai activists to sue government over Pegasus spyware use
A man uses his phone on an escalator at train station in Bangkok, Thailand July 29, 2019. REUTERS/Soe Zeya Tun
What’s the context?
Planned lawsuits against Thai government and NSO Group for hacking mobile phones of 30 activists with Pegasus spyware could set precedent
- Thai activist lawyers to sue government, NSO Group over surveillance
- It is the first such case in the country
- Victims of Pegasus hacks say they have to live with surveillance risk
BANGKOK - Activists in Thailand are suing the government for using spyware technology to monitor dissidents, the first such case in the country that they hope will help raise awareness and better protect citizens subject to increasing surveillance.
Legal non-profit iLaw told Context it is preparing a lawsuit against the Thai government for its alleged use of Israeli firm NSO Group's Pegasus spyware to hack into the mobile phones of at least 30 activists and lawyers in 2020-21.
It is the first such case against state surveillance in the nation's Administrative Court, which tries cases involving government agencies or officials, said Yingcheep Atchanont at iLaw, who is also filing a separate civil lawsuit against NSO.
"It is a difficult case, as we don't have evidence of who bought the software and who deployed it," said Yingcheep, 36, whose phone was infected 10 times with Pegasus.
"We are also not confident in the judicial system, but it is all we have. Even if we get a verdict saying our rights were violated, that would be very significant," he said in an interview in his office.
The ministry of digital economy and society did not respond to a request for comment.
NSO, which did not respond to a request for comment, has said its technology is intended to help catch terrorists, paedophiles and hardened criminals, and is sold to "vetted and legitimate" government clients.
Across Asia, governments are tightening their hold over the internet with laws aimed at curbing critical social media posts and so-called fake news, while also increasing surveillance with facial recognition and other technologies.
Apple sent an email alert to Yingcheep and dozens of others in Thailand in November 2021, warning that "state-sponsored attackers" may be targeting their mobile phones.
While Apple did not specify the technology used, the U.S. firm had just that week filed a lawsuit against NSO Group and its parent company for alleged surveillance and targeting of U.S. Apple users with Pegasus spyware.
Tightening control
Pegasus - which turns a mobile phone into a surveillance device, using its microphone and cameras and accessing and exporting messages, photos and emails without the user's knowledge - is among the most invasive of spyware technologies, rights experts say.
"It was so shocking to me that the government could take control of my phone - it is a bigger violation of my privacy than a policeman watching my house," said Yingcheep.
"Even if NSO goes away, they will use another company, another technology. It's not going to stop unless some serious action is taken," he said.
Many of the victims in Thailand had been detained, arrested, and imprisoned several times for their political activism, or for participating in pro-democracy protests in 2020-21.
The actual number of victims is likely to be much higher, as only iPhones can be tested, and not every victim had their phone examined, according to an investigation by iLaw, with digital rights group DigitalReach and Toronto-based Citizen Lab.
In response to their reports in July, a Thai minister admitted in parliament that the country uses surveillance software - without specifying which programme - to track people in cases related to national security or drugs.
He then walked back his comments just days later, denying that such technology was used.
Besides Thailand, officials in Indonesia and activists, journalists and lawyers in India have also been reported to have been targeted with Pegasus.
In 2021, India's Supreme Court ordered an independent inquiry after the government said it cannot be made to answer if it uses spyware, as that would compromise "national security."
In Europe, a committee is investigating the use of Pegasus and other surveillance technology, while members of the U.S. Congress have called for preventing the abuse of spyware.
There is no such recourse for victims in Thailand, said Sutawan Chanprasert, executive director of DigitalReach.
"There is really no mechanism at any level that those who have been infected can rely on," she said, adding that this is why the legal actions by iLaw are significant.
"If they win, it will be historic, and it will become a case study for other countries, especially those in Southeast Asia that lack mechanisms to prevent the abuse of spyware. It will pave a way for better protection against this kind of abuse."
Flight mode
In Thailand, Citizen Lab identified Pegasus use as far back as May 2014 when the army took charge after a coup, and reported on a potential Pegasus operator in the country in 2018.
Thai authorities have not commented on those reports. The country passed a personal data protection law in 2019, but it largely exempts government agencies.
The use of Pegasus against activists during pro-democracy protests in 2020-21 was aimed at monitoring their online activities, tracking the demonstrations, and getting information on their funding sources, according to iLaw and DigitalReach.
A lawsuit filed by iLaw in November against NSO on behalf of eight of the 30 hacking victims, was dismissed by the Civil Court in Bangkok on grounds that the cases could not be combined.
Yingcheep now plans to file a suit with himself as the plaintiff.
Its chances are slim, admits Golda Benjamin, Asia-Pacific campaigner at digital rights group Access Now, which uses litigation as a way to push against state surveillance worldwide.
"Litigation is not as commonly used in Asia. But it's also a way to educate the public, and even a tiny victory is worth a shot," she said.
Meanwhile Panusaya Sithijirawattanakul, a Thai student protest leader whose phone was infected at least four times, said she has learned to live with the constant risk of surveillance.
Panusaya, 24, has been charged under lese majeste (royal insult) and other crimes, and may face life imprisonment if convicted. She was in prison when Apple sent the alert that her phone may have been hacked.
"I have been thinking about how to defend myself from such attacks - we leave our phones behind during important meetings, or switch them off or put them in flight mode," she said.
"But I can't not use my phone, and I can't keep buying new phones after each hack. I'm still using the same phone."
(Reporting by Rina Chandran; Editing by Zoe Tabary)
Context is powered by the Thomson Reuters Foundation Newsroom.
Our Standards: Thomson Reuters Trust Principles
Tags
- Tech regulation
- Social media
- Data rights