CatalanGate explained
CatalanGate is a 2022 political scandal involving accusations of espionage using the NSO Group's Pegasus spyware, against figures of the Catalan independence movement. Targets of the supposed espionage included elected officials (including the four presidents of the Generalitat of Catalonia since 2010, two presidents of the Parliament of Catalonia, and MEPs), activists, lawyers, and computer scientists; in some cases, families of the main targets were also purportedly targeted.[1]
The scandal was unleashed by the publication of an article[2] in the New Yorker magazine, quoting studies by the University of Toronto's Citizen Lab, in which they examined the use of Pegasus spyware by different countries (Pegasus is only sold to governments who, according to Israel's own government, follow rule of law), and alleged to have found evidence of its use in phones owned by several Catalan politicians and their entourage.[3]
The Citizen Lab report was published on April 18, 2022. The report identified up to 65 alleged victims, consummated or attempted. The number of targets exceeded previous cases of espionage studied by Citizen Lab, far surpassing those of Al Jazeera (36 victims) and El Salvador (35 victims).[4] [5] Citizen Lab did not definitively attribute the responsibility for the attacks to a particular perpetrator, however, it went on to state that circumstantial evidence strongly suggests the perpetrator to be the Spanish Government. The term CatalanGate was used as title of the Citizen Lab report.[6] Despite the scandal's dissemination as CatalanGate, it also allegedly affected two prominent Basque pro-independence figures.
Background
Citizen Lab is a Canadian interdisciplinary laboratory, based at the Munk School of Global Affairs at the University of Toronto, which focuses on research, development, strategic policy and high-level legal engagement at the confluence of information and communication technologies, human rights and global security.[7] [8]
In April 2019, Citizen Lab worked on a case involving Pegasus infections that exploited a WhatsApp security bug that enabled infiltration of at least 1,400 terminals. Among the people alerted to the problem was the President of the Catalan Parliament, Roger Torrent.[9] [10] Among the politicians affected by the breach were Ernest Maragall, Anna Gabriel, and Basque leaders like Arnaldo Otegi and Jon Iñarritu.[11] [12]
MEP Jordi Solé started an investigation in June 2020, when he suspected that he was a victim of cell phone spying and contacted the security researcher Elies Campo, a former WhatsApp employee and collaborator of Citizen Lab.[13] [14] [15]
Most of the Catalan officials affected by the surveillance belong to the Catalonia pro-independence parties.[16]
Scandal
Collaboration between potential victims and Citizen Lab helped identify at least 65 people supposedly attacked or infected with the spyware, 63 of them with Pegasus and 4 with Candiru (two victims were targeted using both). The actual figure could be higher as Citizen Lab's tools are developed for use with iOS systems and, in Spain, Android devices predominate (80% of the total in 2021). A selection of the cases was also analyzed by Amnesty International's Tech Lab, and the results independently validated the forensic methodology used. Virtually all incidents correspond to the period between 2017 and 2020 (although Jordi Sànchez suffered an attempted infection via SMS in 2015).
In its report, Citizen Lab states that "while we do not attribute the operation to a specific government entity at this time, the circumstantial evidence shows a strong link to the Spanish government, especially given the nature of the individuals targeted, the timing of the attacks, and the fact that Spain is listed as a client of NSO Group".
Once the scandal reached Spanish parliament, government officials produced documentation to certify that 29 people were indeed subject to government surveillance, fully approved by the Supreme Court of Justice and according to legal procedure.[17] The surveilled people included past and serving elected officials and regional authorities belonging to parties involved in the 2017 Catalan Independence referendum.
Methods of infiltration
In some cases (and as is often the case), the attack was carried out by an intermediary: infecting, or attempting to infect, the terminal of family members or people close to the target to be spied on.
Pegasus
A peculiarity of this case for Citizen Lab was the discovery of a new iOS zero-click vulnerability, which they called HOMAGE, that had not previously been seen used by NSO Group, and which was effective against some versions prior to 13.2.
Candiru
Citizen Lab identified four victims of espionage involving Candiru. Candiru spyware was used to infiltrate the targets' personal computers. The targets were sent emails containing malicious links and enticed to click on them, with their personal computers becoming infected with Candiru spyware once they clicked on the link. A total of seven such emails were identified. Some of the emails appeared to be messages from a Spanish governmental institution with public health recommendations in connection to the 2019 coronavirus epidemic.[18]
List of victims
With the exception of four people who requested anonymity, this is the list of victims of the CatalanGate espionage case:[19]
- Alba Bosch (activist)
- Albano-Dante Fachín (journalist and former member of Parliament for Catalunya Sí que es Pot)
- Albert Batet (president of the parliamentary group Junts)
- Albert Botran (deputy of the CUP in the Congress)
- Andreu Van den Eynde (lawyer of Junqueras, Torrent, Romeva and Maragall)
- Anna Gabriel (former deputy of the CUP in the Parliament)
- Antoni Comín (Junts MEP)
- Arià Bayé (member of the ANC)
- Arnaldo Otegi (secretary general of EH Bildu)
- Artur Mas (President of the Catalan government 2010-2015)
- Carles Riera (politician, CUP)
- David Bonvehí (president of PDeCAT)
- David Fernández (politician, CUP)
- David Madí (ex-Secretary of Communication of CDC)
- Diana Riba (ERC MEP)
- Dolors Mas (businesswoman)
- Elías Campo (doctor) (father of Elies Campo Cid)
- Elena Jimenez (lawyer and member of Òmnium Cultural)
- Elies Campo Cid (ex-director of Telegram and WhatsApp)
- Elisenda Paluzie (president of the ANC)
- Elsa Artadi (deputy of Junts per Catalunya)
- Ernest Maragall (president of the ERC group in the Barcelona City Council)
- Ferran Bel (deputy in Congress for PDeCAT)
- Gonzalo Boye (lawyer of Puigdemont, Torra and Comín)
- Jaume Alonso-Cuevillas (lawyer and deputy of Junts)
- Joan Matamala (businessman) (close to Carles Puigdemont)
- Joan Ramon Casals (politician, former director of the office of President Torra)
- Joaquim Jubert (politician)
- Joaquim Torra (president of the Generalitat 2018-2020)
- Jon Iñarritu (deputy of EH Bildu in the Congress)
- Jordi Baylina (developer)
- Jordi Bosch (ex-director of Òmnium Cultural)
- Jordi Domingo (ANC member)
- Jordi Sánchez (ex-president of the ANC and secretary general of Junts)
- Jordi Solé (ERC MEP)
- Josep Costa (politician, former vice-president of the Parliament)
- Josep Lluís Alay (director of the Office of Carles Puigdemont)
- Josep Maria Ganyet (businessman and professor at the UPF)
- Josep Maria Jové (deputy of ERC in the Parliament and former secretary general of the vice-presidency of Economy)
- Josep Rius (vice-president and spokesman of Junts, member of Parliament)
- Laura Borràs (president of the Parliament)
- Marc Solsona (former deputy of PDeCAT in the Parliament)
- Marcel Mauri (former vice-president of Òmnium Cultural)
- Marcela Topor (journalist and partner of Carles Puigdemont)
- Maria Cinta Cid (senior consultant Hospital Clínic, professor and doctor) (mother of Elies Campo Cid)
- Marta Pascal (secretary general of the Nationalist Party of Catalonia)
- Marta Rovira (general secretary of ERC)
- Meritxell Bonet (journalist and partner of Jordi Cuixart)
- Meritxell Budó (former Minister of the Presidency)
- Meritxell Serret (deputy of ERC in the Parliament)
- Míriam Nogueras (deputy of Junts al Congrés)
- Oriol Sagrera (general secretary of Enterprise and Labor, ERC)
- Pau Escrich (developer)
- Pere Aragonès (President of the Generalitat)
- Pol Cruz (parliamentary assistant in the Eurochamber)
- Roger Torrent (President of the Parliament 2018-2020, Minister of Enterprise and Labor)
- Sergi Miquel (PDeCAT deputy in the Congress, Council for the Republic)
- Sergi Sabrià (Director of the Office of Strategy and Communication of the government, former deputy of ERC in the Parliament)
- Sonia Urpí (member of the ANC)
- Xavier Vendrell (politician, ERC)
- Xavier Vives (developer)
Reactions
Press coverage
On the same day that saw the publication of CitizenLab's technical report, The New Yorker published an extensive report entitled "How democracies spy on their citizens" (of which the Catalan case occupied a seventh part) as their cover story.[20]
Catalan government response
On April 19 (one day after the initial publication of the revelations), Carles Puigdemont and Oriol Junqueras appeared in the European Parliament to denounce the spying perpetrated upon the pro-independence leaders, an intervention that was joined by the Popular Unity Candidacy, the Catalan National Assembly, and Òmnium Cultural. John-Scott Railton, from Citizen Lab, also took part, detailing "circumstantial evidence": that agencies linked to the structure of the Spanish State would have used Pegasus and Candiru to infiltrate the cell phones of the victims for political purposes.[21] The previous March, the European Parliament had approved the creation of a committee of inquiry called Committee to investigate the use of Pegasus surveillance spyware on the alleged use of Pegasus surveillance spyware against journalists, politicians, security agents, diplomats, lawyers, businessmen, civil society actors and other citizens in, among other countries, Hungary and Poland, and whether such use had infringed European Union law and fundamental rights. The first meeting of the committee was held the same day that Puigdemont and Junqueras denounced the spying.[22] [23]
Criticism
Spanish general media argued that study completely overlooked the publicly-known fact that many of those politicians had been involved in (and in some instances found guilty of) several crimes and misdemeanors, from embezzlement to sedition, and were in fact under judicially-approved government surveillance, under Spanish law.[24] [25] [26] Regarding the naming of the scandal, the domain catalangate.cat was registered by Òmnium Cultural on 28 January 2022 - months before the scandal came to light. The name itself was coined by targeted politician Ernest Maragall.
On the other hand, despite the fact that third partied checked methodologies, some alleged deficiencies in the research methodology where denounced, including the fact that one of the main researcher was a Catalan developer affected by the surveillance.[27] [28] The right wing teachers collective like "Foro de Profesores" collective denounced that the whole scandal was essentially a publicity stunt.[29] [30] [31] to discredit the Spanish government's investigations into past and continuing criminal activity by the surveilled people, and to cover earlier surveillance by the regional secessionist government of opposition politicians.[32]
References
- Web site: 2022-04-19 . Hauek dira Pegasus eta Candiru programekin ustez espiatu dituzten independentistak . 2022-04-23 . EITB . eu.
- 2022-04-14 . How Democracies Spy on Their Citizens . The New Yorker . en-US . 2022-04-21.
- Web site: 2014-01-24 . Puig admite que el CNI catalán espió a petición de los Mossos . 2022-10-23 . El Diario Vasco . es-ES.
- News: 2020-12-21 . Al Jazeera journalists 'hacked via NSO Group spyware' . en-GB . BBC News . 2022-04-21.
- News: Pérez . José de Córdoba and Santiago . 2022-01-13 . Pegasus Spyware Deployed Against El Salvador Journalists and Activists . en-US . Wall Street Journal . 2022-04-21 . 0099-9660.
- 2022-04-18 . CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru . 2022-04-21 . The Citizen Lab . en-US . Scott-Railton . John . Campo . Elies . Marczak . Bill . Razzak . Bahr Abdul . Anstis . Siena . Böcü . Gözde . Solimano . Salvatore . Deibert . Ron .
- About the Citizen Lab . 2022-04-21 . The Citizen Lab . en-US.
- Web site: 2022-04-18 . Espanya va espiar l'independentisme amb Pegasus, segons 'The New Yorker' . 2022-04-21 . ElNacional.cat . ca.
- News: Gil . Joaquín . 2020-07-14 . El mòbil del president del Parlament va ser objectiu d'un programa espia que només poden comprar Governs . 2022-04-21 . EL PAÍS . ca.
- Web site: 2020-07-13 . Phone of top Catalan politician 'targeted by government-grade spyware' . 2022-04-21 . the Guardian . en.
- Web site: Otegi: "Aquí algunos salieron de rositas de 40 años de dictadura y ese Estado profundo sigue funcionando al margen" . 2022-04-23 . www.publico.es. 20 April 2022 .
- Web site: Lete . Irati Urdalleta . Pegasus: zelatari isila norbere poltsikoan . 2022-04-23 . Berria . 20 April 2022 . eu.
- Web site: Pegasus ha espiat quatre presidents de la Generalitat i més de seixanta polítics i activistes independentistes . 2022-04-21 . VilaWeb . ca.
- Web site: 25 April 2022 . El factótum catalán, rico y proindepe tras la denuncia del espionaje con Pegasus . 26 April 2022 . . es . subscription .
- Web site: 24 April 2022 . El independentismo oculta que el autor del informe sobre Pegasus tiene vínculos con la Generalitat . 26 April 2022 . The Objective . es .
- News: 2017-10-17 . Spain's top court rules Catalonia's independence referendum illegal . en-AU . ABC News . 2022-10-23.
- Web site: 2022-05-05 . El CNI admite haber espiado a Aragonès y el entorno de Puigdemont con autorización . 2022-10-23 . ElNacional.cat . es.
- 2022-04-18 . CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru . 2022-04-26 . The Citizen Lab . en-US . Scott-Railton . John . Campo . Elies . Marczak . Bill . Razzak . Bahr Abdul . Anstis . Siena . Böcü . Gözde . Solimano . Salvatore . Deibert . Ron .
- Web site: 2022-04-18 . La llista de totes les persones espiades en el CatalanGate . 2022-04-21 . dBalears . ca.
- 2022-04-14 . How Democracies Spy on Their Citizens . 2022-04-21 . The New Yorker . en-US.
- Web site: NacióDigital . Els investigadors de l'espionatge a l'independentisme estableixen un "nexe sòlid" amb l'Estat NacióDigital . 2022-04-21 . www.naciodigital.cat . 19 April 2022 . ca.
- Web site: European Parliament Multimedia Platform . 2022-04-21 . multimedia.europarl.europa.eu . en.
- Web site: NacióDigital . Es constitueix la comissió del Parlament Europeu que investiga Pegasus en ple "Catalangate" NacióDigital . 2022-04-21 . www.naciodigital.cat . ca.
- Web site: 2022-06-01 . Sobre espías, corporaciones, omisiones y desidia . 2022-10-23 . ELMUNDO . es.
- Web site: 21 April 2022 . Òmnium preparó hace meses una campaña contra el 'Catalan Gate' . 26 April 2022 . . es.
- Web site: 2022-04-24 . El independentismo oculta que el autor del informe sobre Pegasus tiene vínculos con la Generalitat . 2022-05-19 . The Objective Noticias exclusivas y opiniones libres en abierto . es.
- Web site: Olivas . José Javier . May 2022 . Methodological and ethical issues in Citizen Lab's spyware investigation in Catalonia . 2022-10-23 . ResearchGate.
- Web site: Olivas . Jose Javier . 2022-06-06 . Los descuidados peritos del "Catalangate": el valor del informe de Citizen Lab . 2022-10-23 . HayDerecho . es-ES.
- Web site: de Profesores . Foro . 5 July 2022 . Letter to University of Toronto by Foro de Profesores 5 July 2022 . 2022-10-23 . Foro de Profesores.
- Web site: 2022-04-28 . 'CatalanGate': escándalo útil, investigación teledirigida . 2022-10-23 . ELMUNDO . es.
- Web site: Òmnium preparó hace meses una campaña contra el 'Catalan Gate' . 2022-10-23 . Crónica Global . 21 April 2022 . es.
- Web site: 2022-10-22 . La Guardia Civil sitúa a empresarios e informáticos en el 'CNI catalán' que se reunió con CDR para aupar la república . 2022-10-23 . Europa Press.