One evening in July 2018, Abdellatif Hamamouchi, a 28-year-old journalist and activist with the Moroccan Association of Human Rights, fell victim to a violent assault by a group of men he describes as members of Morocco’s political police. He said he was “beaten and thrown to the ground” by them, before they seized his mobile phone. “Thanks to that, they were able to access my emails, my list of contacts, my exchanges with sources,” he recalled.

Repression by the Moroccan authorities against opponents of the ruling regime is intensifying, and a number of other journalists and activists have recounted similar incidents in which their mobile phones were confiscated during arbitrary arrests. According to them, the incidents were all aimed at gaining personal information to heighten the surveillance of those presumed to be opponents of the regime. It now appears that, since 2019, such practices may have been facilitated by technological and financial support provided by the European Union (EU).

This joint report in partnership with German weekly news magazine Der Spiegel reveals how the EU has delivered powerful data surveillance systems to the Moroccan authorities using software developed by two companies, MSAB and Oxygen Forensics, both of which are specialised in the phone hacking and the capture of data. The systems were provided to Morocco by a French-Lebanese company called Intertech Lebanon, under the supervision of an organisation called the International Centre for Migration Policy Development (ICMPD).

The transfer of the technology was financed out of the budget of the EU’s “Border Management Programme for the Maghreb Region” with the aim of combatting irregular migration and people trafficking to the continent.       

According to documents obtained from EU institutions by Disclose and Der Spiegel, MSAB, a company headquartered in Sweden, provided the Moroccan police with software, called XRY, which is capable of unlocking data on all types of smartphones, revealing the records of calls made, of geo-positioning, and text messages sent or received by SMS and via the WhatsApp and Signal platforms.

Meanwhile, US-based company Oxygen Forensics provided a data extraction and analysis system called “Detective“. This can get past a locked phone screen to retrieve information that is stored on cloud computing systems, like those managed by Google, Microsoft and Apple, and also to hack supposedly secure applications used by any mobile phone or computer.

The notable difference between these software systems and the Pegasus spyware developed by Israeli company NSO Group is that it is necessary to gain physical access to the targeted mobile phones.

Training the Moroccan police in hacking

The EU, as well as financing the purchase of the surveillance software and the computers required to operate it, also funded training courses to the Moroccan police on how to use the spyware. The courses were led by employees of Intertech and staff from MSAB and Oxygen Forensics.

Furthermore, according to documents obtained by Privacy International, a UK-based NGO for the protection of private data, the EU also sent members of its Agency for Law Enforcement Training, CEPOL, to lead a four-day training course held in the Moroccan capital Rabat between June 10th and 14th 2019. The programme agenda for the course included collecting information from the internet, reinforcing digital investigation capacities, and an introduction to “social hacking” – which consists of extracting information from an individual using social media. 

Absence of controls

It remains to be established whether these surveillance tools are really used exclusively for the purposes of countering illegal immigration. This investigation found no evidence of any controls carried out to ensure this, neither by the manufacturers of the software nor by EU officials. That would mean that the Moroccan authorities could in theory decide to use the newly acquired software for internal repression without the EU being aware. That danger is all the more serious, according to digital security experts questioned by Disclose, given that the XRY and Detective software leave no trace of their hacking, and which is another difference with the Pegasus software that infects phones from a distance. The Moroccan authorities massively employed the Pegasus system to spy on journalists, human rights activists and international politicians, as was revealed in 2021 by the journalistic consortium  Forbidden Stories.

In the case of XRY and Detective, once physical access to a phone is gained “you have access to everything“, underlined Edin Omanovic, Advocacy Director for Privacy International. He said that was particularly concerning in a context where authorities might target rights activists and journalists.

The European Commission (EC) insisted that an official document intended to serve as a guarantee that the spyware would not be used beyond its official purpose was signed by the Moroccan authorities. However, it did not provide Disclose with a copy. A spokesman for the EC told Disclose that the document stipulates that the surveillance software would only be used to combat human trafficking, and that the EU was confident that Morocco would respect that engagement, which he said was its “responsibility”.  

“Deliberate and morally unacceptable negligence”

In reality, the transfer of such spyware by the EU demands particular precautions because the software in question falls into a category called “dual use” technology, a term designating systems that can be used for both civil and military purposes. Exports of that type of equipment are the subject of a common EU Regulation established in 2008 and which bans exports of dual-use technology in the case that “there is a clear risk” that it could be used for internal repression. That risk is largely established in the case of Morocco, as demonstrated by the revelations of the use of the Pegasus spyware.

Contacted by Disclose, MSAB and Oxygen Forensics declined to answer our questions, as did also the Swedish and US regulatory bodies responsible for exports of dual-use technologies. The Moroccan authorities failed to respond to questions submitted to them. However, Alexandre Taleb, CEO of Intertech, responsible for the deployment of the software systems, for which it was paid almost 400,000 euros, did agree to comment. “My clients know what they are buying, it is not for me to judge them” he said. “They have more than 400 million inhabitants who can do so. If Morocco has problems with democracy, that’s one thing, but our tools are not the cause of these problems.“.  

Markéta Gregorová, a Czech Member of the European Parliament (MEP) who is affiliated to the Greens-European Free Alliance group, denounced the export of the surveillance software. “Using the pretext of securing our borders, we cannot simply rely on the promise that the Moroccan police will not target innocent opposition figures and journalists“, she said. “This is deliberate negligence by the European Union, in order to secure its borders and stop illegal migration“. That negligence is all the more placed into question given that MSAB has been accused of selling spyware tools to the police in Myanmar in 2019, at a time when abuses and suppression by the authorities were known and documented.

Zach Campbell and Lorenzo D’Agostino