On June 14 of last year, the daughter of Paul Rusesabagina, a former hotel manager credited with saving hundreds of lives during the genocide in Rwanda who is now in prison in the country, met with the Belgian foreign affairs minister to discuss her father’s situation. On the same day, her phone was hacked using tools made by spyware vendor NSO Group, according to forensic analysis of her phone.
On Wednesday, the daughter, whose name is Carine Kanimba, testified in front of Congress in a hearing on the threat of the proliferation of commercial spyware made by companies like NSO Group. In front of the House Permanent Select Committee on Intelligence committee, Kanimba shared her experience as the victim of sophisticated government spyware.
“I was mortified, and I am terrified,” Kanimba said.
Kanimba said she believes NSO Group’s spyware was used by the Rwandan government to keep an eye on her and her family’s efforts to secure the release of her father, who in 2020 was abducted in Dubai and later convicted in Rwanda on terrorism charges. Kanimba explained the psychological pain she’s suffered because of the surveillance.
“I am frightened by what the Rwandan government will do to me and my family next,” she said. “It keeps me awake that they knew everything I was doing, where I was, who I was speaking with, my private thoughts, and actions at any moment they wanted.”
Even now that her case is public, Kanimba said the Rwandan government could still “reinfect” her phone.
“So I still do not feel safe,” she said. “On a personal level, I am a 29-year-old woman and I use my phone quite often, not only in the efforts to secure my father's release, but in my social, my private conversations with my friends. And the fact that the same government that tortured my father, that is holding him hostage, and that has been trying to silence him from all these years, now also has access to my private messages and my conversations and my location—it is very, very scary.”
Do you have information similar cases of government spyware abuse? We’d love to hear from you. From a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email email@example.com
Kanimba is one of dozens of victims who were hacked with NSO Group’s spyware and have been identified as part of the Pegasus Project, an investigative effort conducted by Amnesty International and a group of media partners including the Guardian and The Washington Post.
Activist groups such as Amnesty International and Citizen Lab have for years been detailing cases where governments around the world have allegedly used spyware made by companies like NSO Group or the now-defunct Hacking Team to target human rights defenders and journalists.
In the last year, the US government has taken steps to address these abuses.
In November of last year, the Commerce Department put NSO Group and Candiru, another Israeli spyware maker, on a list that bars American companies or individuals from selling or providing services to them. Then in February of this year, the Department of Justice indicted a Mexican citizen who used to work as a reseller of Hacking Team’s spyware in the country. The citizen, Carlos Guerrero, pleaded guilty to selling the hacking tools to government clients knowing that they “could and likely would” use it for “political purposes, not just for law enforcement purposes.”
According to experts, as well as a source with knowledge of that investigation, this case may be the beginning of a larger effort by the U.S. government to curb the use of commercial spyware by foreign countries.
“Thank you for letting me share my story and the story of my father Paul Rusesabagina,” Kanimba said at the end of her introductory statement during the hearing. “I hope that you find it useful in considering how to regulate the type of tools used to target my family, and my father.