INTELLIGENCE
ZERO|TOLERANCE
Intelligence Advisory
zerotolerance.me

Bahrain Pegasus Campaign 12+ Activists Hacked with Zero-Click Exploits

Aug 2021 · State-sponsored

Publication Date
2021-08-01
Category
Nation-State & Espionage
Author
K. Ellabban
Organization
Zero|Tolerance Security Research

In August 2021, the University of Toronto's Citizen Lab published "From Pearl to Pegasus," a landmark investigation documenting the Bahraini government's systematic deployment of NSO Group's Pegasus spyware against at least nine activists, including members of the Bahrain Center for Human Rights, Waad political society, and Al Wefaq Islamic Society.

A Bahraini government operator, tracked by Citizen Lab under the codename "LULU," used two distinct zero-click exploit chains - KISMET (targeting iOS 13.5.1 and 13.7 via a JPEG ICC profile vulnerability) and FORCEDENTRY (targeting iOS 14.4 and 14.6, bypassing Apple's BlastDoor sandbox) - to silently compromise iPhones without any user interaction.

Executive Summary

Key Facts

  • What: NSO Group Pegasus deployed via zero-click iPhone exploits.
  • Who: 12+ Bahraini activists, lawyers, and human rights defenders.
  • Data Exposed: Messages, contacts, GPS location, photos, and live microphone access.
  • Outcome: NSO placed on U.S. Entity List; UK lawsuit filed by victims.
Impact Assessment

What Was Exposed

Pegasus represents the most invasive surveillance capability commercially available.

Unlike conventional data breaches that expose structured databases, a Pegasus infection transforms the target's smartphone into a comprehensive surveillance device, providing the operator with access that exceeds what even the device owner can see on their own screen.

  • Complete iMessage, WhatsApp, Signal, and Telegram message histories, including messages in end-to-end encrypted applications - Pegasus captures content at the device level, after decryption, rendering encryption irrelevant
  • Full contact databases and call logs, revealing the social networks, professional relationships, and communication patterns of each target - metadata that intelligence agencies consider more valuable than content
  • Email accounts and their contents, including any accounts configured on the device (personal, professional, and organizational)
  • Complete photo libraries and videos, including metadata containing GPS coordinates, timestamps, and device identifiers
  • Real-time and historical GPS location data, enabling continuous physical surveillance of the target's movements
  • Silent activation of the device's camera and microphone, turning the phone into an ambient listening and recording device even when not in active use
  • Stored passwords, authentication tokens, and credentials for online accounts, potentially enabling access to cloud services, financial accounts, and organizational systems beyond the device itself
  • Browser history, bookmarks, and search queries, revealing the target's interests, research activities, and digital behavior patterns

The technical evolution of the exploits used against Bahraini targets is significant.

The KISMET exploit, deployed in 2020, targeted a vulnerability in iOS's handling of ICC (International Color Consortium) profiles embedded in JPEG images sent via iMessage. The exploit was "zero-click" - the target did not need to open, view, or interact with the message in any way. The mere receipt of the iMessage triggered the exploit chain, which escalated privileges, escaped the iMessage sandbox, and installed the Pegasus implant. This technique worked against iOS 13.5.1 and 13.7, both of which were current versions at the time of deployment.

When Apple introduced BlastDoor in iOS 14 - a dedicated sandbox for processing incoming iMessage content, specifically designed to mitigate the class of attacks exemplified by KISMET - NSO Group developed FORCEDENTRY to bypass it.

FORCEDENTRY exploited a vulnerability in Apple's CoreGraphics PDF parser, using a technique that constructed a virtual machine from logical operators within the JBIG2 image compression codec to achieve arbitrary code execution. This exploit bypassed BlastDoor entirely and worked against iOS 14.4 and 14.6, demonstrating NSO's ability to defeat defensive measures within months of their deployment. The sophistication of FORCEDENTRY was such that Google's Project Zero described it as "one of the most technically sophisticated exploits we've ever seen."

The targeting pattern in Bahrain reveals a systematic campaign against civil society.

The nine initial victims identified by Citizen Lab included three members of Waad (a secular political society), three members of the Bahrain Center for Human Rights, one member of Al Wefaq (the largest Shia political society, dissolved by the government in 2016), and two exiled dissidents living abroad. The subsequent identification of Mohamed al-Tajer - a lawyer who had represented torture victims and political prisoners - among the targets confirmed that the campaign extended to the legal profession, a particularly chilling implication for attorney-client privilege and access to justice.

The extraterritorial dimension of this campaign is critical. Several targets were located in the United Kingdom at the time of infection, meaning the Bahraini government was conducting surveillance operations on the sovereign territory of a close ally. This led to the filing of a UK lawsuit in December 2022, in which affected Bahraini activists sought legal remedies under UK data protection and human rights law. The case represents one of the first attempts to hold a foreign government accountable for Pegasus surveillance conducted on UK soil.

The implications for the broader Bahraini civil society extend far beyond the confirmed 12 victims. Citizen Lab identified the LULU operator as active since at least 2017, suggesting a multi-year campaign with potentially hundreds of targets.

The confirmed victims represent only those whose devices were forensically analyzed -- the actual scope of surveillance is almost certainly far larger. The chilling effect on free expression, political organizing, and human rights advocacy is incalculable: when activists know that any iPhone in their community may be compromised, the resulting self-censorship achieves the surveillance objective even without additional infections.

Compliance Impact

Regulatory Analysis

The deployment of Pegasus by a Bahraini government operator against citizens and residents creates a profound regulatory paradox under the PDPL (Law No. 30 of 2018).

The law establishes data protection obligations that, if applied consistently, would render the Pegasus campaign unlawful. However, the operator of the spyware is the government itself - the same entity responsible for enforcing the law.

The data collected by Pegasus falls squarely within the PDPL's definition of personal data in Article 3 and encompasses virtually every category of personal data the law was designed to protect. Messages, contacts, location data, photographs, and biometric data (voice recordings captured via microphone activation) are all personal data under Article 3. The collection of this data without the knowledge or consent of the data subjects constitutes processing under the PDPL.

Article 5 establishes the conditions for lawful data processing, requiring either the consent of the data subject or a legitimate legal basis. The PDPL does include an exemption in Article 2 for processing "necessary for the purposes of national security" and law enforcement. However, this exemption is not unlimited.

International standards, including the jurisprudence of the European Court of Human Rights and the UN Human Rights Committee, require that surveillance measures be prescribed by law, necessary and proportionate to a legitimate aim, and subject to adequate safeguards against abuse. The targeting of human rights defenders, journalists, and lawyers - rather than individuals suspected of criminal activity or terrorism - raises serious questions about whether the national security exemption was applied in good faith.

Article 8 requires appropriate security measures to protect personal data. In the context of government surveillance, this article creates an obligation to secure the collected data against unauthorized access by third parties. NSO Group's architecture routes surveillance data through its servers (despite claims to the contrary), creating exposure to potential interception by NSO employees, Israeli intelligence, or third-party threat actors who might compromise NSO's infrastructure.

The use of a foreign commercial spyware vendor to collect the most sensitive personal data of Bahraini citizens introduces third-party risk that the PDPL's security requirements would not permit in any other context.

Article 15 addresses cross-border data transfers, requiring that personal data transferred outside Bahrain receive adequate protection. Pegasus infections involve data transmission to command-and-control infrastructure hosted in multiple jurisdictions, with portions of the data passing through servers operated by NSO Group in Israel.

This constitutes a cross-border transfer of the most sensitive personal data imaginable - including information about political activities, religious associations, and legal consultations - to a jurisdiction that the Bahraini government does not formally recognize. The irony of a Bahraini government operator routing its citizens' most intimate data through Israeli servers is not lost on data protection analysts.

The practical reality is that the PDPL will never be enforced against the government for Pegasus deployment. The Personal Data Protection Authority lacks the independence and mandate to investigate state surveillance operations. This represents a fundamental structural limitation: data protection laws that exempt or cannot reach government surveillance effectively protect personal data from everyone except the entity with the greatest capacity to misuse it.

The UK lawsuit filed by Bahraini activists may ultimately prove more consequential than any domestic regulatory action, as it subjects the Pegasus campaign to the scrutiny of an independent judiciary applying the UK Data Protection Act 2018 and the Human Rights Act 1998.

Assessment

What Should Have Been Done

Addressing the Pegasus threat requires action at multiple levels: individual device security, organizational security practices, platform-level protections by Apple, regulatory and legal frameworks, and international export control mechanisms. No single measure is sufficient against a threat actor deploying zero-click exploits backed by a nation-state budget.

At the individual level, Apple's introduction of Lockdown Mode in iOS 16 (September 2022) represents the most significant defensive measure against Pegasus-class attacks. Lockdown Mode disables several attack surfaces exploited by NSO Group, including: blocking most iMessage attachment types (eliminating the KISMET and FORCEDENTRY vectors), disabling link previews, blocking incoming FaceTime calls from unknown contacts, restricting web browsing features commonly exploited by commercial spyware, and preventing configuration profile installation.

Every individual at risk of state-sponsored surveillance should enable Lockdown Mode and accept the functionality trade-offs. Bahraini activists and civil society organizations should mandate Lockdown Mode on all organizational devices.

Organizations at risk should implement a mobile device management (MDM) strategy that enforces automatic updates, requires devices to run the latest iOS or Android version, and enables organizational-level security policies. The KISMET exploit worked against iOS 13.5.1, which was superseded by iOS 13.6 within weeks of the infections being deployed. While FORCEDENTRY targeted then-current iOS versions, timely updates remain the most accessible defense against the majority of mobile threats.

Organizations should configure MDM policies to restrict device enrollment to devices running supported OS versions and require updates within 48 hours of release.
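The enrollment floor and 48-hour update window described above can be expressed as a simple compliance check. The following is an added example, not part of the advisory and not any MDM vendor's API; the device inventory, release date and enrollment floor are constructed sample values, with the version numbers chosen to mirror those the advisory names.

```python
"""Added example: an MDM-style OS-version compliance check (not part of the
advisory and not any MDM vendor's API). The inventory, release date and
enrollment floor below are constructed sample values."""
from datetime import datetime, timedelta, timezone

UPDATE_WINDOW = timedelta(hours=48)        # policy from the advisory
MINIMUM_ENROLL_VERSION = "13.0"            # hypothetical enrollment floor


def parse_version(version):
    """'13.5.1' -> (13, 5, 1). Integer tuples compare correctly; plain
    string comparison would put '13.10' before '13.7'."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device, latest_version, released_at, now):
    """Classify one inventory record as blocked, compliant, pending or noncompliant."""
    installed = parse_version(device["os_version"])
    if installed < parse_version(MINIMUM_ENROLL_VERSION):
        return ("blocked",
                f"{device['os_version']} is below the enrollment floor {MINIMUM_ENROLL_VERSION}")
    if installed >= parse_version(latest_version):
        return ("compliant", f"running latest release {latest_version}")
    deadline = released_at + UPDATE_WINDOW
    if now <= deadline:
        return ("pending", f"update to {latest_version} due by {deadline.isoformat()}")
    return ("noncompliant",
            f"{latest_version} released {now - released_at} ago; 48-hour window expired")


def compliance_report(inventory, latest_version, released_at, now):
    """Map device id -> (status, reason) for the whole inventory."""
    return {d["id"]: evaluate_device(d, latest_version, released_at, now) for d in inventory}


# Constructed sample data (version numbers mirror those named in the advisory).
SAMPLE_INVENTORY = [
    {"id": "phone-01", "os_version": "13.7"},
    {"id": "phone-02", "os_version": "13.6"},
    {"id": "phone-03", "os_version": "13.5.1"},
    {"id": "phone-04", "os_version": "12.4.8"},
]
LATEST_RELEASE = "13.7"
RELEASE_DATE = datetime(2020, 9, 1, tzinfo=timezone.utc)   # hypothetical date


def sample_report(days_after_release):
    """Run the check against the sample inventory N days after the release."""
    now = RELEASE_DATE + timedelta(days=days_after_release)
    return compliance_report(SAMPLE_INVENTORY, LATEST_RELEASE, RELEASE_DATE, now)


if __name__ == "__main__":
    for device_id, (status, reason) in sample_report(3).items():
        print(f"{device_id}: {status} ({reason})")
```

The check distinguishes a device that is simply inside its update window from one that has missed it, and refuses enrollment below the floor rather than reporting it as merely out of date; in a real deployment the inventory and release date would come from the MDM's device records and Apple's release feed rather than the constants above.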

Regular forensic analysis of devices belonging to at-risk individuals should be institutionalized. Amnesty International's Mobile Verification Toolkit (MVT), released as open-source software, enables the detection of Pegasus indicators on both iOS and Android devices. Organizations should conduct quarterly MVT scans of high-risk individuals' devices, with immediate analysis of any device exhibiting anomalous behavior (unexpected battery drain, unexplained data usage, device overheating).

Citizen Lab's detection of the Bahraini campaign was possible because activists submitted their devices for forensic analysis -- this practice should be systematized rather than ad hoc.
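The core of a forensic scan such as the one MVT performs is matching artifacts extracted from a device backup (links in messages, browser history, process names from network-usage tables) against published indicator bundles. The following is an added example written in that style; it is not MVT's own code and not part of the advisory. The STIX2 bundle and the device records are constructed, and the domain and process names are placeholders, not real Pegasus indicators.

```python
"""Added example: indicator matching in the style of MVT's check-iocs step
(not MVT's own code, not part of the advisory). The STIX2 bundle and the
device artifacts below are constructed; the domain and process names are
placeholders, not real Pegasus indicators."""
import json
import re
from urllib.parse import urlparse

SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "indicator", "id": "indicator--1",
         "pattern": "[domain-name:value = 'c2-placeholder-1.invalid']"},
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[domain-name:value = 'c2-placeholder-2.invalid']"},
        {"type": "indicator", "id": "indicator--3",
         "pattern": "[process:name = 'placeholderproc']"},
        {"type": "malware", "id": "malware--1", "name": "not an indicator object"},
    ],
})

# Only the two simple pattern shapes used here are parsed; anything else is skipped.
PATTERN_RE = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")


def load_indicators(stix_json):
    """Extract {'domains': set, 'processes': set} from a STIX2 bundle string."""
    iocs = {"domains": set(), "processes": set()}
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not match:
            continue
        kind, value = match.groups()
        if kind == "domain-name:value":
            iocs["domains"].add(value.lower())
        else:
            iocs["processes"].add(value)
    return iocs


def matching_domain(host, domains):
    """Return the indicator that 'host' equals or is a subdomain of, else None.
    Matching on label boundaries avoids the endswith() trap where
    'notc2.invalid' would falsely match the indicator 'c2.invalid'."""
    if not host:
        return None
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_artifacts(artifacts, iocs):
    """Check URL-bearing records (SMS links, browser history) and process names
    (network-usage tables) against the indicator sets; return the detections."""
    detections = []
    for record in artifacts:
        if "url" in record:
            hit = matching_domain(urlparse(record["url"]).hostname, iocs["domains"])
            if hit:
                detections.append({"source": record["source"], "value": record["url"], "ioc": hit})
        elif "process" in record and record["process"] in iocs["processes"]:
            detections.append({"source": record["source"], "value": record["process"],
                               "ioc": record["process"]})
    return detections


# Constructed records in the shape a backup extraction might yield.
SAMPLE_ARTIFACTS = [
    {"source": "safari_history", "url": "https://www.apple.com/ios/"},
    {"source": "sms", "url": "https://login.c2-placeholder-1.invalid/x?id=1"},
    {"source": "safari_history", "url": "http://notc2-placeholder-2.invalid/"},
    {"source": "datausage", "process": "placeholderproc"},
    {"source": "datausage", "process": "mDNSResponder"},
]


def run_sample():
    """Scan the constructed artifacts with the constructed indicator bundle."""
    return scan_artifacts(SAMPLE_ARTIFACTS, load_indicators(SAMPLE_STIX2))


if __name__ == "__main__":
    for d in run_sample():
        print(f"{d['source']}: {d['value']} matched {d['ioc']}")
```

Two details matter for a scan that will be repeated quarterly: the indicator bundle is reloaded on every run so newly published domains are picked up, and domain matching is done on label boundaries rather than with a suffix check, which is what keeps a lookalike such as the third sample record from producing a false positive.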

Communication security practices should assume device compromise and implement defense-in-depth accordingly. Sensitive conversations should occur in environments where phones are not present (Faraday bags or physically separate rooms). Organizations should use air-gapped computers for the most sensitive document handling, maintaining strict separation between communication devices (which may be compromised) and document processing systems. The "assume breach" mindset is not paranoia when the threat actor is deploying zero-click exploits backed by a government budget.

At the platform level, Apple should expand iMessage's contact key verification system and make Lockdown Mode more granular, allowing users to disable specific attack surfaces without losing all advanced functionality. Apple should also invest in automated detection of exploitation attempts, building on its existing threat notification system that alerts users when Apple detects state-sponsored targeting of their devices. The notification system should be expanded to include more detailed guidance on immediate steps to take when a notification is received.

At the regulatory and legal level, the Bahraini PDPL should be amended to establish an independent data protection authority with the mandate and resources to investigate government data processing activities, including surveillance. The national security exemption in Article 2 should be narrowed to require judicial authorization for surveillance, proportionality assessments, and mandatory oversight by an independent body.

International models exist: Germany's G10 Commission provides independent oversight of intelligence surveillance, and the UK's Investigatory Powers Tribunal adjudicates complaints about surveillance activities. Without independent oversight, the PDPL provides no protection against the most invasive form of personal data collection.

At the international level, the export of commercial spyware should be subject to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, with surveillance technologies classified as dual-use items requiring export licenses. The placement of NSO Group on the U.S. Entity List in November 2021 was a significant step, but enforcement remains incomplete.

An international moratorium on the sale, transfer, and use of spyware technology, as called for by the UN High Commissioner for Human Rights, should be pursued until adequate international regulatory frameworks are established.

The Bahrain Pegasus campaign demonstrates that commercial spyware has fundamentally altered the threat landscape for civil society. When a government can purchase zero-click exploitation capabilities that bypass every security measure an individual can take, the defense must shift from technical controls to legal and institutional safeguards. Bahrain's PDPL, with its national security exemption and lack of independent oversight, provides no meaningful protection against the most invasive data collection tool ever deployed against its citizens.