Activists in Thailand are suing the government for using spyware technology to monitor dissidents, the first such case in the country that they hope will help raise awareness and better protect citizens who are subject to increasing surveillance.
The legal non-profit gropup iLaw said it is preparing a lawsuit against the government for its alleged use of Pegasus spyware developed by the Israeli firm NSO Group to hack into the mobile phones of at least 30 activists and lawyers in 2020-21.
It is the first such case against state surveillance in the Administrative Court, which tries cases involving government agencies or officials, said Yingcheep Atchanont of iLaw, who is also filing a separate civil lawsuit against NSO.
“It is a difficult case, as we don’t have evidence of who bought the software and who deployed it,” said Mr Yingcheep, 36, whose phone was infected 10 times with Pegasus.
“We are also not confident in the judicial system, but it is all we have. Even if we get a verdict saying our rights were violated, that would be very significant,” he said in an interview in his office.
The Ministry of Digital Economy and Society did not respond to a request for comment.
NSO, which did not respond to a request for comment, has said its technology is intended to help catch terrorists, paedophiles and hardened criminals, and is sold to “vetted and legitimate” government clients.
Across Asia, governments are tightening their hold over the internet with laws aimed at curbing critical social media posts and so-called fake news, while also increasing surveillance with facial recognition and other technologies.
Apple sent an email alert to Mr Yingcheep and dozens of others in Thailand in November 2021, warning that “state-sponsored attackers” may be targeting their mobile phones.
While Apple did not specify the technology used, the US firm had just that week filed a lawsuit against NSO Group and its parent company for alleged surveillance and targeting of US Apple users with Pegasus spyware.
Pegasus — which turns a mobile phone into a surveillance device, using its microphone and cameras and accessing and exporting messages, photos and emails without the user’s knowledge — is among the most invasive of spyware technologies, rights experts say.
“It was so shocking to me that the government could take control of my phone — it is a bigger violation of my privacy than a policeman watching my house,” said Mr Yingcheep.
“Even if NSO goes away, they will use another company, another technology. It’s not going to stop unless some serious action is taken,” he said.
Many of the victims in Thailand had been detained, arrested, and imprisoned several times for their political activism, or for participating in pro-democracy protests in 2020-21.
The actual number of victims is likely to be much higher, as only iPhones can be tested, and not every victim had their phone examined, according to an investigation by iLaw, with the digital rights group DigitalReach and Toronto-based Citizen Lab.
In response to their reports in July, Digital Economy and Society Minister Chaiwut Thanakamanusorn admitted in parliament that the country uses surveillance software — without specifying which programme — to track people in cases related to national security or drugs.
He then walked back his comments just days later, denying that such technology was used.
Besides Thailand, officials in Indonesia and activists, journalists and lawyers in India have also been reported to have been targeted with Pegasus.
In 2021, India’s Supreme Court ordered an independent inquiry after the government said it cannot be made to answer if it uses spyware, as that would compromise “national security”.
In Europe, a committee is investigating the use of Pegasus and other surveillance technology, while members of the US Congress have called for preventing the abuse of spyware.
There is no such recourse for victims in Thailand, said Sutawan Chanprasert, executive director of DigitalReach.
“There is really no mechanism at any level that those who have been infected can rely on,” she said, adding that this is why the legal actions by iLaw are significant.
“If they win, it will be historic, and it will become a case study for other countries, especially those in Southeast Asia that lack mechanisms to prevent the abuse of spyware. It will pave a way for better protection against this kind of abuse.”
In Thailand, Citizen Lab identified Pegasus use as far back as May 2014 when the army took charge after a coup, and reported on a potential Pegasus operator in the country in 2018.
Thai authorities have not commented on those reports. The country passed the Personal Data Protection Act in 2019, but it largely exempts government agencies.
The use of Pegasus against activists during pro-democracy protests in 2020-21 was aimed at monitoring their online activities, tracking the demonstrations, and getting information on their funding sources, according to iLaw and DigitalReach.
A lawsuit filed by iLaw in November against NSO on behalf of eight of the 30 hacking victims was dismissed by the Civil Court in Bangkok on grounds that the cases could not be combined.
Mr Yingcheep now plans to file a suit with himself as the plaintiff.
Its chances are slim, admits Golda Benjamin, Asia-Pacific campaigner at the digital rights group Access Now, which uses litigation as a way to push against state surveillance worldwide.
“Litigation is not as commonly used in Asia. But it’s also a way to educate the public, and even a tiny victory is worth a shot,” she said.
Meanwhile, Panusaya “Rung” Sithijirawattanakul, a student protest leader whose phone was infected at least four times, said she has learned to live with the constant risk of surveillance.
Ms Panusaya, 24, has been charged with lese-majeste and other crimes, and may face life imprisonment if convicted. She was in prison when Apple sent the alert that her phone may have been hacked.
“I have been thinking about how to defend myself from such attacks — we leave our phones behind during important meetings, or switch them off or put them in flight mode,” she said.
“But I can’t not use my phone, and I can’t keep buying new phones after each hack. I’m still using the same phone.”