Disturbing Accounts of US-Trained Phone Spies Working for UAE

Reuters has published an exclusive account of Project Raven, an electronic surveillance program that monitored dissidents, journalists and foreign leaders on behalf of the rulers of the United Arab Emirates (UAE), and which was staffed by Americans trained by the National Security Agency (NSA). In a separate article they also reveal details of a spying tool called ‘Karma’ which allowed the Raven team to monitor the iPhones of hundreds of targets without needing to trick victims into installing spyware:

[Karma] could remotely grant access to iPhones simply by uploading phone numbers or email accounts into an automated targeting system. The tool has limits — it doesn’t work on Android devices and doesn’t intercept phone calls. But it was unusually potent because, unlike many exploits, Karma did not require a target to click on a link sent to an iPhone…

Amongst the victims of the spying was Rori Donaghy, a young British journalist who wrote articles for the Guardian which criticized the lack of respect for human rights in the UAE.

Reached by phone in London, Donaghy, now a graduate student pursuing Arab studies, expressed surprise he was considered a top national security target for five years…

“I’m glad my partner is sitting here as I talk on the phone because she wouldn’t believe it,” he said. Told the hackers were American mercenaries working for the UAE, Donaghy, a British citizen, expressed surprise and disgust. “It feels like a betrayal of the alliance we have,” he said.

Hardened professionals will not be surprised that national governments have the ability to spy on users’ phones, nor that governments like the UAE abuse such powers by surveilling far more people than is necessary to maintain security. What is striking about the article is the moral immaturity of the American spies who were employed by the UAE. The main source for the Reuters story is Lori Stroud, who was originally trained as an NSA employee, then joined the private sector when her NSA role was outsourced, and who began working as a contract intelligence operative for the UAE in 2014. Time and again she uses such basic concepts to rationalize her actions that she should be considered unfit to perform any job requiring the exercise of moral judgment.

At one time Stroud hired Ed Snowden to her team, which answered to the NSA but had long been outsourced. I take the involvement of Snowden as a sure sign that Stroud’s work already exceeded the moral boundaries that the US government was willing to discuss with voters. Two months after he was recruited, Snowden fled the USA in order to share his now infamous revelations about the widespread abuse of surveillance. Instead of taking the opportunity to reflect on whether she and her team should regret their chosen careers, Stroud merely observed that her team’s “brand was ruined”, and that she would now find it easier to make a fat salary by working as an outsourced spy in the Middle East instead. Hired by a business with a contract with the UAE government, Stroud sometimes found she was given objectives that were “hard to swallow”, such as spying on a 16-year-old kid who had used insulting language on Twitter. But this dullard did not worry that the UAE might use the Raven program to ***gulp*** spy on US citizens!

Time and again Stroud describes the prohibition against spying on US citizens as if it is the only line she would not cross, presumably because she believes it is the only rule that other American spies care about. It seemingly never occurred to Stroud that spying might sometimes be morally wrong. Stroud only left Project Raven when the repeated evidence of spying on US citizens – including journalists – had piled so high that she could no longer rationalize it away.

…she found the work exhilarating. “It was incredible because there weren’t these limitations like there was at the NSA. There wasn’t that bullshit red tape,” she said.

Even Stroud’s interest in obeying US laws appears tenuous. Consider whether a decent law-abiding citizen would respond to valid FBI questions in the way that Stroud admits during this passage:

Two agents approached Stroud in 2016 at Virginia’s Dulles airport as she was returning to the UAE after a trip home. Stroud, afraid she might be under surveillance by the UAE herself, said she brushed off the FBI investigators. “I’m not telling you guys jack,” she recounted.

Stroud was finally booted out of Project Raven, at which time she seemingly decided to become a hero/whistleblower in the Snowden mode, offering this justification for why she was happy to spy on any and every target arbitrarily selected for monitoring by the unelected rulers of an Arab country:

“I don’t think Americans should be doing this to other Americans,” she told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”

Perhaps ‘good’ spies should be given some basic training in ethics, to ensure they have a well-rounded understanding of what it means to be good or bad.

During their few interactions with the media, Western intelligence services emphasize how careful and moral they are in all the decisions they make. Lori Stroud unintentionally shows that the outlook adopted by NSA operatives is far less nuanced than spy chiefs publicly admit. Far from being morally cautious and measured in her decisions, Stroud followed one simplistic rule – do not spy on US citizens – but otherwise recognized no need for other limits to her work. The brief description of the 16-year-old target who had posted an insulting tweet confirms that the UAE conducted surveillance on targets chosen at the whim of fickle and brittle rulers who misuse surveillance to indulge their petty grievances.

In the final denouement Stroud was shocked – shocked! – to discover that arbitrary rulers might also choose to spy on US journalists. Stroud is either a fool or a liar, and possibly both. That being the case, we all must continue to fear the ongoing abuse of electronic surveillance technologies, because the public’s faith in human controls has been misplaced.

The Reuters story on Project Raven can be found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.