Living under surveillance: "I've had four mobile phones in four years"

BarcelonaMonths ago – in some cases years – the research group Citizen Lab, from the University of Toronto, contacted dozens of individuals linked to the Independence bid to see if they could analyse their mobile phones. They wanted to check whether they had been victims of Pegasus, a virus devised by Israeli company NSO only sold to states which could be used to access all information on a cell phone can be obtained without the affected party knowing about it. The results came back positive: their phones had been infected, yet they had all been acting as if they were being spied on for some time. As many as nine victims explained their experience to ARA.

Former Catalan president Artur Mas does not know when or how he became a victim of Pegasus, but just a week ago the research group Citizen Lab contacted him to see if they could analyse his mobile phone. He provided them with his old device – he now has a new one – and they did indeed notify him that he had been infected with the virus. In his case, they were unable to determine the dates he was spied on or for how long, but he believes that what has come to light is just the tip of the iceberg. "This may go further," he says, asserting that he will continue to make restricted use of his cell phone as he has done for years: "In 2010, when I became president of the Generalitat, I already left my mobile phone outside meetings to the surprise of my collaborators".

The attack on Jordi Sànchez's phone was the first to be recorded. As a key figure in the Independence bid, an attempt was made to hack into his device as early as September 2015 through a link he received by SMS about a fake news article that could interest him: "New interference by Spanish prosecutors. Junts pel Sí and CUP under threat." He relates it to the context – after the September 11 demonstration – but also to the investigation already opened in 2015 by the High Court's Prosecutor's Office against the Independence bid. Sànchez received 25 attacks between 2017 and 2020 and recalls that the attempts coincide with key dates: in April 2017 when there was a decisive meeting for the October 2017 referendum, or in July 2020, just when he obtained parole and was preparing the founding congress of JxCat. He found out about all this ten days ago, but he will not take new measures because he assures that "he has been acting for some time" taking into account the possibility that he was being spied on.

Josep Rius is one of former president Carles Puigdemont's closest collaborators. He explains that he had always had the feeling that he was being "spied on", but that it was not until now that he became aware of it. His phone was hacked in July 2019, a time at which he had a meeting scheduled with lawyer Gonzalo Boye on the former president's legal strategy: he was then acting as a liaison between prison and exile. There is no record of any attack registered in 2017 because Rius changed his phone, but he remembers messages from that time linked to attacks: he would receive links with alleged news on Puigdemont which he, chief of staff of the president, could easily click on for professional reasons. He never noticed anything except once, when his phone stopped working for two weeks and he had to change device several times.

ERC MEP Jordi Solé became aware that he had been spied on when Canadian experts from Citizen Lab contacted him last March. He was not surprised, given the precedents in his party: "Just because I wasn't surprised doesn't mean I'm not outraged". His phone was attacked twice in June 2020, just a few days before taking office as a member of parliament. He clicked, without being aware, on a text message supposedly sent to him by the Treasury of the Social Security. Result: his phone was bugged. He is not worried compromising information was obtained, since he assures that the spies will not find anything other "beyond family photos". He immediately bought a new mobile phone, but kept the old one in case "it ever has to serve as evidence". "We will go all the way," he assures.

The former vice president of Òmnium, Marcel Mauri, knew that his cell phone had been hacked into when news broke out that Roger Torrent and Ernest Maragall had been put under surveillance in July 2020: "In order not to raise the alarm and not to say anything until the report was published, we agreed to carry out a collective action to collect more information and to make a stronger case". He admits that they have taken extreme protection measures, but reveals that under Muriel Casals important meetings were already held without mobile phones. "You can never be too careful," concludes Mauri, who received 19 attacks via SMS but only ended up getting infected on 3 occasions, after clicking on the news stories "out of curiosity".

Elisenda Paluzie knows that she has been spied on since she became president of the ANC in 2018: "It was discovered the microphone was being activated remotely and a programme transmitted what I typed on my mobile phone". She exchanged her Android phone for an iPhone, which was also infected. "Then I went back to having an Android and now an iPhone, I've had four phones in four years, two of which were infected," she explains with resignation. Now, when she receives any suspicious SMS, she forwards them, to Elies Campo, one of the Citizen Lab researchers, without opening it. "In August 2020, he gave us a session with examples of SMS attack vectors for us to monitor and had us install a VPN to detect intrusions." She does admit that she suspects that some internal ANC information published by Madrid media could have been passed on by the police forces after being obtained using spyware.

A year ago Citizen Lab contacted the CUP to track the phones of some of its leaders due to suspicions of espionage. Member of the Spanish Parliament Albert Botran was one of those affected, although he had not noticed anything strange. "I received the attack before the investiture of Pedro Sánchez because we were meeting JxCat and ERC and they must have wanted to know how we would position ourselves," he opines. He has not taken any new precautions since he found out he was being watched. In fact, he uses the same cell phone that was infected and given to him by the Congress when he was elected because "the harm has already been done". Be that as it may, Botran will ask for a new phone: "They only change it once and I already asked for another one because the screen of the first one broke".

It was the summer of 2020 and the secretary general of ERC, Marta Rovira, was looking for training courses on peace processes and political conflict resolution from her Swiss exile. She received an SMS from the Swisspeace institute, a specialist in the field, and clicked on it. It was a fake: her phone was infected. "I didn't think it was a malicious message. [...] They knew perfectly well that it would fall for it," she explains. The Republican leader is aware of two infections at that time, which she believes are due to the fact that the party leadership had "strategic meetings" and also that she had two "highly confidential" meetings with people with a diplomatic profile. Even today she does not want to reveal their identity. It wasn't until a few months later that Citizen Lab confirmed the spying and two thoughts came to her mind. The first: "They have my whole life". The second, that she had "exposed other people." She complains that her case is particularly serious, since the espionage took place on Swiss territory and, therefore, "outside Spanish law".

In October 2019, the businessman and IT writer Josep Maria Ganyet received a message on his cell phone with a news item about the Independence bid that he found interesting. "He clicked and immediately thought, hello no, Google can't send news," he recalls. He analyzed the URL and saw that it wasransomware:"I realised right away that someone was spying on me," he says. He explains that he was a target because of his role as a communicator on issues such as cybersecurity and also because of his relationship with leaders such as Toni Comín. His advice is not click on suspicious links, not to download pirate apps and always update software. But he adds: "If you have a state against you, it is very difficult to protect yourself".