OTTAWA -- A new report suggests a controversial commercial spyware was used to infect the cellphone of a prominent Saudi political refugee and activist in Quebec shortly before Saudi authorities arrested the man's brothers and friends back home.
The explosive allegation follows an which has been raising alarms about the spyware known as Pegasus.
Pegasus is an Israeli-made surveillance program, one of several marketed to governments as a tool against terrorists and criminals, but which Citizen Lab says have been used by repressive regimes against human-rights workers, journalists and others.
The suspected target is Omar Abdulaziz, who was granted asylum in Canada in 2014, has a massive following on social media, and says Saudi authorities have been waging an intimidation campaign against him for his criticism of the government in Riyadh.
That campaign included the arrest of his two brothers and several friends in August -- during which time Citizen Lab believes his phone was infected with Pegasus and being monitored from Saudi Arabia.
Abdulaziz, who has still not heard from his brothers and friends, says he is now considering legal action against the company behind Pegasus, NSO Group, which has previously disputed Citizen Lab's findings, as well as the Saudi government.
And he hopes the Canadian government, which has been locked in a diplomatic spat with Saudi Arabia after criticizing the kingdom's human-rights record, also takes action.
"Spying on someone on Canadian soil, on Canadian ground, that violates Canadian sovereignty," Abdulaziz said in an interview from Sherbrooke, Que., where he is studying at Bishop's University.
"So Canada should do something because some of their citizens, some of their people might be harmed or might be exposed because of what happened."
Citizen Lab has tracked the growing use of commercial spyware such as Pegasus by repressive regimes for years by reverse engineering such intrusive technology and through sophisticated internet scanning.
"What we have found in our research is that when you look at cyberwarfare and cyberespionage as it's practised, the principle victims are civil society: journalists, human-rights defenders, activists, lawyers," said Citizen Lab director Ron Deibert.
Abdulaziz, who first arrived in Quebec as a student in 2009 and became a permanent resident last year, is the first person in Canada to have been positively identified as a suspected target.
Researchers suspect Abdulaziz's phone was infected in June when he ordered a package online and then opened a text message he believed was sent by the courier company transporting the parcel.
It was while scanning the entire internet on a regular basis for servers associated with the Pegasus spyware that Citizen Lab noticed the Canadian-based phone checking in with a Saudi server.
"When we saw the connections checking in from Canada, from Quebec, we thought: 'Is it possible we could identify who the target is?"' Deibert said.
"So through a process of deduction and also by reaching out to the Saudi diaspora community and the human-rights community in Quebec, we happened to identify the target."
Abdulaziz, who boasts 250,000 followers on Twitter and produces frequent YouTube commentaries that garner up to a million views, says he has no doubt Saudi authorities were spying on him.
That includes in the days before his brothers and friends were arrested, when he frequently commented in the media on the Canada-Saudi diplomatic dispute that started when Foreign Affairs Minister Chrystia Freeland criticized the arrest of a prominent women's rights activist.
"I'm pretty sure they were listening to every single word I was saying (to friends and family)," he said. "They've been watching everything. That helped them to hit me more."
While he has not heard from his family and friends and worries about their safety, Abdulaziz insists he won't stop calling for change in Saudi Arabia.
Deibert said the case nonetheless underlines the need for the federal government -- and international community -- to take a closer look at regulation and controls on commercial spyware.
"If governments can reach across borders in this way with impunity, then really no one is safe," said Deibert, whose group recently reported Pegasus infections in 45 countries.
"Especially in a country like Canada where you have such a large population of immigrants and diaspora populations that connect back to authoritarian regimes."
NSO Group long insisted that it works in full compliance with all countries' applicable laws, that its products have saved thousands of lives, and says Citizen Lab's findings are inaccurate.