“Digital targeting has a serious impact on the well-being of victims, undermines their ability to engage in transnational advocacy work, violates fundamental rights such as the right to privacy, freedom of expression and peaceful assembly, and increases the dangers victims face. family members and friends who remain in the country of origin,” the report concluded.
Countries identified by Citizen Lab as some of the more frequent perpetrators of digital transnational repression include Yemen, as well as Afghanistan, China, Iran, Rwanda and Syria. No-click software hacks, which allow an attacker to break into a phone or computer even if the user does not open a malicious link or attachment, of particular concern, says Noura Al-Jizawi, a researcher at Citizen Lab and co-author of the report. That’s because “they can avoid digital hygiene practices,” she says.
In 2021, hackers used such code to infiltrate and install spyware on the mobile phone of Saudi women’s rights activist Loujain al-Hathloul, who was then living in British Columbia. In that case, the perpetrators mistakenly left an image on her phone that allowed researchers to find the source of the code. The digital plan led to the NSO Group, an Israeli technology firm that made headlines for selling spyware to authoritarian nation states.
Some forms of digital repression aim to shame doxx as well. One unnamed interviewee in the Citizen Lab report, who moved from China to Canada, revealed that fake nude photos of her were being circulated among attendees of a conference she was planning to attend. Her personal information was also published in online ads for sex.
Victims of this type of harassment experienced distress, anxiety and fear for their family’s safety, the report said. “There is also a sense of resignation among those who have continued their activism, like the realization that this type of targeting will continue,” says co-author Siena Anstis, senior legal counsel at Citizen Lab.
Many activists have become paranoid about the messages they receive. Kaveh Shahrooz, an Iraqi lawyer who lives in Canada and lobbies on behalf of dissidents, checks each e-mail separately. Shahrooz says that he once received a message from an alleged organizer of a human rights conference in Germany inviting him to speak and asking him to fill in personal information through a given link. He researched more about the conference and found that he was not invited, even though the personalized email sounded professional.
“It’s one end of the spectrum,” says Shahrooz, “where you might be tricked into clicking on a link. But then the other end they get threatening messages about my activist work – things like ‘We know what you’re doing and we’ll deal with you later’.”

CAROLYN DRAKE VIA MAGNUM
There are few legal remedies. Several victims of spyware attacks in the UK have brought (or are bringing) civil lawsuits against state-owned operators and NSO Group, Anstis says. She adds that such cases can be expected to be contested, as they mostly focus on lawsuits against companies outside the jurisdiction of the host country.