A joint investigation published in February 2024 by Access Now, Citizen Lab, and partners including Human Rights Watch documented the systematic targeting of at least 35 journalists, activists, human rights lawyers, and civil society representatives in Jordan with NSO Group’s Pegasus spyware.
The campaign spanned more than four years, from August 2019 through December 2023, and targeted individuals including prominent Palestinian-American journalist Daoud Kuttab - who was successfully hacked three separate times in 2022 and 2023, with seven additional failed infection attempts documented on his devices - and two Human Rights Watch employees: Adam Coogle and Hiba Zayadin.
Key Facts
- WhatNSO Group Pegasus spyware deployed against Jordanian civil society (2019-2023).
- Who35+ journalists, activists, and HRW employees in Jordan.
- Data ExposedMessages, contacts, GPS locations, camera/microphone access on phones.
- OutcomeNo formal attribution; no judicial oversight of state surveillance exists.
What Happened
The Pegasus campaign against Jordanian civil society spanned more than four years, from August 2019 through December 2023. The infections were delivered through NSO Group's zero-click exploit capabilities, meaning targets did not need to click a link or open an attachment - the spyware was installed silently through vulnerabilities in iOS services such as iMessage, often without leaving visible traces on the device. Once installed, Pegasus provided the operator with complete access to the target's communications, contacts, GPS location, camera, and microphone.
Apple's threat notification system, introduced in November 2021, began alerting Jordanian targets that their devices had been subjected to state-sponsored attacks. These notifications prompted affected individuals to submit their devices for forensic analysis through Access Now's Digital Security Helpline and the University of Toronto's Citizen Lab. Using the Mobile Verification Toolkit and analysis of device backup files, researchers confirmed Pegasus infections across at least 35 individuals.
Journalist Daoud Kuttab was successfully infected on three separate occasions in 2022 and 2023, with seven additional failed infection attempts documented on his devices - a pattern indicating sustained, determined targeting by an operator who repeatedly invested resources in maintaining access.
The investigation published in February 2024 by Access Now, Citizen Lab, and partners including Human Rights Watch did not formally attribute the operations to a specific Pegasus operator. However, the concentration of all 35 targets within Jordanian civil society - 16 journalists, human rights lawyers, activists, and two Human Rights Watch employees (Adam Coogle and Hiba Zayadin) - strongly suggested a Jordanian government customer.
The campaign continued through December 2023 despite the Pegasus Project revelations of July 2021, the U.S. Entity List designation of NSO Group in November 2021, and waves of international lawsuits and investigations.
What Was Exposed
- Complete communications histories across all messaging platforms on infected devices - including iMessage, WhatsApp, Signal, Telegram, and encrypted email - with content captured after decryption at the device level, rendering end-to-end encryption irrelevant
- Contact databases and communication networks of journalists and activists, enabling the identification of sources, informants, and the professional and personal relationships of targeted individuals
- Draft articles, unpublished investigations, confidential source materials, and legal case files for the human rights lawyers among the targets - categories of data whose exposure directly endangers third parties who trusted the targeted individuals with sensitive information
- Real-time and historical GPS location data enabling continuous physical surveillance, tracking of movements across Jordan and internationally, and the identification of meetings with sources or colleagues
- Camera and microphone access, enabling silent ambient recording of meetings, interviews, and private conversations without the target’s knowledge
- Credentials and authentication tokens for professional and organizational accounts, potentially enabling access to the databases, communications systems, and membership records of the civil society organizations to which targets belonged
- For HRW employees Adam Coogle and Hiba Zayadin: potential exposure of the organization’s internal communications, investigation databases, and contacts with sources across the MENA region
- For Daoud Kuttab: journalistic source networks, correspondence with editors and news organizations, and potentially sensitive reporting on Jordanian political and security affairs developed over a multi-decade career
Daoud Kuttab is among the most prominent Palestinian journalists working in the region.
A co-founder of Community Media Network in Amman, a former adjunct professor at Princeton, and a contributor to major international media outlets, Kuttab has spent decades reporting on Palestinian affairs, Jordanian politics, and the broader Arab world.
His documented infection on three separate occasions in 2022 and 2023 - with seven additional failed attempts - indicates not a casual opportunistic targeting but a sustained, determined campaign by an operator who repeatedly invested resources in attempting to maintain access to his devices even after infections were cleared.
This level of persistence is characteristic of intelligence operations against targets deemed to have ongoing operational significance.
The targeting of Human Rights Watch researchers Adam Coogle and Hiba Zayadin carries implications that extend far beyond the individuals themselves. HRW’s research on Jordan, the West Bank, and the broader Middle East depends on the ability of its researchers to communicate confidentially with sources, maintain the security of investigation files, and protect the identities of individuals who speak to the organization at personal risk.
A successful Pegasus infection of an HRW researcher’s device potentially exposes every source who communicated with that researcher via the compromised phone, every document stored on the device, and every meeting attended while the device was infected. This is not merely a personal privacy violation; it is an attack on the institutional capacity of one of the world’s most significant human rights documentation organizations.
The four-year timeline of the documented campaign - August 2019 to December 2023
- is significant for several reasons. It demonstrates that the Jordanian civil society Pegasus operation was not a short-duration tactical response to a specific event but a sustained strategic intelligence program. It also spans the period during which NSO Group faced increasing international scrutiny: the Pegasus Project revelations of July 2021, the U.S. Entity List designation of NSO Group in November 2021, and the subsequent waves of lawsuits and government investigations that placed NSO under unprecedented pressure. Despite this scrutiny, the Jordan campaign continued through December 2023, suggesting that the operator assessed the operational value of the surveillance program as outweighing the reputational and political risks of continued use.
Apple’s threat notification system, which began alerting users in November 2021, catalyzed the investigation by prompting targets to seek forensic assistance. The system represents one of the few scalable mechanisms through which commercial spyware victims can receive actionable warning of targeting. Without Apple’s notifications, the majority of the 35 confirmed victims would likely have remained unaware that their devices had been compromised.
The notifications did not stop the targeting - as Kuttab’s continued infections demonstrate - but they provided the evidence trail that enabled Citizen Lab and Access Now to document the campaign and bring it to public attention. The forensic methodology employed by Citizen Lab, including the Mobile Verification Toolkit (MVT) analysis of device backup files, is the current gold standard for Pegasus detection on iOS devices.
The concentration of media workers among the targets - 16 of 35 confirmed victims
- reflects a global pattern in Pegasus deployments where journalists covering sensitive topics are prioritized targets. Jordan has a restricted media environment:
Freedom House consistently rates Jordan’s press freedom as “Not Free,” and the Jordanian government has used the Cybercrime Law and other legislation to prosecute journalists for online publications. The use of Pegasus against journalists represents a technological escalation of a pre-existing pattern of press freedom restriction, enabling surveillance of journalistic activities that occur beyond the reach of conventional monitoring - encrypted communications, in-person meetings, and foreign travel.
Regulatory Analysis
The Pegasus targeting of Jordanian civil society creates a regulatory paradox that is structurally similar to the Bahraini Pegasus case: the primary suspect operator of the spyware is the government itself, the same entity responsible for enforcing the laws that the surveillance violates. Jordan’s Cybercrime Law No. 17/2023, while comprehensive in its treatment of unauthorized system access and data interception, contains exceptions and prosecutorial discretions that effectively exempt government intelligence activities from the law’s scope.
The public prosecutor’s new powers under the 2023 law to initiate proceedings without victim complaints for government-related offenses are not designed to be used against the government itself.
Jordan’s constitutional framework provides the most principled basis for challenging state surveillance of this type. Article 18 of the Constitution guarantees privacy of communications, requiring judicial authorization for interception. Pegasus infections that capture all communications from a target’s device without judicial oversight engage this constitutional guarantee directly.
However, the absence of a judicial oversight mechanism for executive surveillance operations - and the absence of an independent constitutional court with the mandate and willingness to adjudicate complaints against intelligence agencies - means that Article 18’s protection is declaratory in nature for most affected individuals. Civil society organizations have raised Article 18 arguments in public advocacy, but no Jordanian court has issued a ruling on the constitutionality of Pegasus-type surveillance.
The international human rights framework provides a more tractable avenue for analysis.
Jordan is a party to the International Covenant on Civil and Political Rights (ICCPR), Article 17 of which prohibits arbitrary interference with privacy.
The UN Human Rights Committee’s General Comment No. 16 and subsequent interpretations establish that surveillance must be prescribed by law, necessary, proportionate, and subject to independent oversight to comply with Article 17. The targeting of journalists, human rights lawyers, and civil society representatives for surveillance - absent any publicly articulated legal basis or demonstrated national security justification - would fail this standard under established ICCPR jurisprudence.
Jordan’s periodic reviews before the Human Rights Committee have included recommendations to strengthen privacy protections, though implementation has been limited.
The targeting of HRW employees creates additional dimensions of legal exposure under international law. Human Rights Watch conducts its operations under the protection of the Declaration on Human Rights Defenders, which establishes the right of human rights defenders to conduct their work without interference, and under the Vienna Convention protections applicable to staff of international organizations operating in Jordan.
While these instruments do not create directly enforceable legal rights in Jordanian courts, they establish the international normative framework against which Jordan’s conduct is assessed in UN human rights mechanisms and diplomatic contexts. The targeting of an international NGO’s researchers also engages the bilateral relationships between Jordan and HRW’s member states, whose governments have formally protested Pegasus targeting of their own nationals in similar contexts.
What Should Have Been Done
Addressing Pegasus-class threats requires a layered response combining individual device security measures, organizational security protocols, civil society capacity building, and international regulatory and legal pressure. No single measure provides complete protection against a zero-click exploit backed by a state-level budget, but the combination of multiple defenses significantly raises the cost and risk of sustained surveillance campaigns.
Apple’s Lockdown Mode, introduced in iOS 16 in September 2022, is the single most effective available defense against Pegasus zero-click exploits. Lockdown Mode disables the attack surfaces most commonly exploited by NSO Group, including most iMessage attachment types, link previews, FaceTime calls from unknown contacts, and several web browsing features. Every journalist, activist, lawyer, and civil society representative who is a plausible target of state-sponsored surveillance should enable Lockdown Mode on their iOS devices as a baseline requirement, not an optional enhancement.
Organizations such as HRW and the Community Media Network should adopt formal policies mandating Lockdown Mode for all staff devices used in Jordan or other high-risk operational environments.
Organizational security training for journalists and activists must be specific to the Pegasus threat model, not merely general digital hygiene. The Access Now Digital Security Helpline and similar resources provide forensic device analysis and tailored security guidance for at-risk civil society members. Organizations operating in Jordan should establish formal relationships with these services, conduct regular collective security workshops, and create internal protocols for what to do when an Apple threat notification is received.
The notification should trigger immediate device submission for forensic analysis and transition to a temporary clean device, not merely a precautionary update.
Communication security must be designed on the assumption that any smartphone may be compromised. Sensitive source communications, investigation planning, and legal advice should not be conducted on devices that are routinely connected to mobile networks, even when using end-to-end encrypted applications. Physical separation of sensitive discussions from all mobile devices - placing phones in Faraday bags or in a separate room - provides meaningful protection against microphone activation.
The use of air-gapped computers for drafting sensitive documents, with manual transfer of non-sensitive outputs only, creates a separation between the communication devices (which may be compromised) and the document processing environment.
At the policy level, Jordan should establish a judicial authorization requirement for all forms of electronic surveillance, including the use of commercial spyware.
This would bring Jordan’s legal framework into alignment with its ICCPR obligations and the constitutional guarantee in Article 18. An independent oversight body - potentially a parliamentary committee with security clearance or a specialized judicial panel - should be established to review surveillance authorizations and audit the use of surveillance tools. Jordan’s National Cybersecurity Strategy 2024-2028 should explicitly address the regulatory framework for state use of surveillance technology, establishing proportionality requirements and independent oversight as core principles.
The four-year Pegasus campaign against Jordan’s journalists and civil society exposes the fundamental inadequacy of treating privacy as a constitutional aspiration without enforcement mechanisms - without a judicial authorization requirement, an independent oversight body, and a data protection authority with the mandate to investigate state surveillance, Article 18 of Jordan’s Constitution offers no more protection to a targeted journalist than the paper it is written on.
ZERO|TOLERANCE Advisory
The Pegasus campaign against Jordanian civil society is not a conventional cybersecurity incident with a patch or a firewall solution. It is a state-capability threat that exploits zero-click vulnerabilities in consumer devices to achieve surveillance objectives that no technical control can fully prevent. The difference between a journalist who is compromised indefinitely and one who detects and contains the infection is not the absence of targeting - it is the presence of specific, layered countermeasures that raise the cost and reduce the duration of each successful infection.
The first and most effective available defense is Apple's Lockdown Mode, introduced in iOS 16 in September 2022. Lockdown Mode disables the attack surfaces most commonly exploited by NSO Group: most iMessage attachment types, link previews, FaceTime calls from unknown contacts, and several web browsing features. Every journalist, activist, lawyer, and civil society representative who is a plausible target of state-sponsored surveillance should enable Lockdown Mode on all iOS devices. This is not an optional enhancement - it is a baseline requirement.
Organizations such as Human Rights Watch, Reporters Without Borders, and Community Media Network should adopt formal policies mandating Lockdown Mode for all staff devices used in high-risk operational environments.
The second control is an organizational protocol for responding to Apple threat notifications. When a notification arrives, it should trigger immediate device submission for forensic analysis through Access Now's Digital Security Helpline or Citizen Lab, transition to a temporary clean device, and review of all sensitive communications conducted on the compromised device during the suspected infection window. The notification is not an invitation to update and continue - it is evidence of active targeting that requires forensic response. Without this protocol, the notification is wasted.
The third control is physical separation of sensitive activities from mobile devices. Pegasus captures everything on the device - encrypted messages, drafts, source materials, GPS location, ambient audio. Sensitive source communications, investigation planning, and legal advice should not occur on devices connected to mobile networks, even when using end-to-end encrypted applications. Placing phones in Faraday bags or in a separate room during sensitive meetings provides meaningful protection against microphone activation.
Air-gapped computers for drafting sensitive documents, with manual transfer of non-sensitive outputs only, create a physical boundary that spyware cannot cross.
The fourth control is regular forensic device audits for all staff at organizations operating in Pegasus-target environments. The Mobile Verification Toolkit is publicly available and can be run against iOS device backups to detect indicators of Pegasus infection. Quarterly forensic audits for high-risk individuals, combined with immediate analysis when Apple threat notifications are received, transform detection from a reactive accident into a systematic practice.
The fifth control is policy advocacy: Jordan must establish a judicial authorization requirement for all electronic surveillance, an independent oversight body to audit surveillance tool deployments, and a data protection authority with the mandate to investigate state use of commercial spyware. Without these institutional mechanisms, the constitutional privacy guarantee in Article 18 remains declaratory - a right on paper that provides no protection in practice.