Ron Diebert, the founder and director of the University of Toronto’s renowned Citizen Lab, sat down with iMEdD in Athens to talk about the crisis he perceives in liberal democracy and the future of digital spyware.
Featured image: Evgenios Kalofolias
The year is 1973, and the Watergate hearings are being broadcast on public television channels across North America. In Vancouver, Canada, a ten-year-old Ron Deibert has been glued to the screen for months, riveted by the drama of illegal break-ins, a secret White House taping system, and the exposing of a cover-up that ultimately led to the resignation of then-U.S. President Richard Nixon.
As he told iMEdD, this was the formative experience that awakened a lifelong passion for governmental accountability and, as Deibert puts it, “counterintelligence for civil society.”
But for a community college rejection, the founder and director of the University of Toronto’s Citizen Lab would have attended journalism school to become an investigative journalist like the Watergate reporters he so admired. Instead, he went into academia, getting a PhD in international relations and founding an interdisciplinary research unit that, decades later, has found itself at the heart of investigative journalism stories with the suffix ‘–gate’ all over the world. Over the years, Citizen Lab researchers have helped verify targeted cyber espionage and mobile phone hackings of journalists and activists in China, Spain, Hungary, Greece, Italy, Mexico, Poland, and Russia, to name but a few.
It was because of Greece’s very own Predatorgate that Deibert was in Athens, invited by Eteron – Institute for Research and Social Change to make the keynote address at their event Who Watches the Watchers?
There, Deibert recounted Citizen Lab’s role in exposing the surveillance of financial journalist Thanasis Koukakis and dozens of other Greek journalists, politicians, and public servants.
In his talk, Deibert said that Koukakis and the other Greek investigative journalists who reported extensively on the surveillance scandal – most of whom were in the audience –were the actual “heroes” of this story, not him and his researchers who played a “marginal,” mainly technical role. And while some have tried to paint Citizen Lab as being biased or politically motivated, Deibert says that’s just not what they do. He stressed that his team are academics who examine “violations to human rights in the world around us through the lens of digital technologies” through a systematic, rigorous and peer-reviewed methodology.
And, he says, they’ve never been busier.
How did the Citizen Lab start out? Has the mission statement changed over the last 25 years?
I was hired at the University of Toronto in 1996 […] doing very traditional academic desktop research around information technology, the internet and international security […] I was struck by this idea of using technical means to monitor governments to prevent them from cheating. And I had a student who took one of my courses around the year 2000 and he wrote a very unconventional paper, where he connected to proxy servers in China to compare what it was like to surf the internet in China versus Toronto. And it was like a light bulb went off. I was like, oh my God, this is exactly what I’m thinking – there’s a way to actually […] use technical methodologies in an ethically responsible way to monitor what governments are doing in cyberspace. And so I put together a proposal for an interdisciplinary research lab that would do this type of work […] and the mission that I described is very, very close to what we do now. I actually use the language “counterintelligence for civil society” and I didn’t think that we would actually be doing that […] and fast forward to today, that’s exactly what we did.
Eliot Higgins: Algorithms, spies and Trump in the mix
The founder of the investigative platform Bellingcat speaks about algorithms and democracy in the 21st century, the world of intelligence services, and how investigative journalism is funded in the era of Trump.
In your keynote, you said that there is a crisis in liberal democracy right now. Why do you think that is?
Well, I think that the spyware scandals that we’ve surfaced are symptomatic of a much deeper problem. And the deeper problem is really around the rising trend of authoritarianism and despotism, the decline of checks and balances and the rule of law. And […] certainly a major factor, I believe, is the business model of social media that got us here in the first place. It’s like a self-propagating feedback loop and it’s hard to get out of the more it deepens, and that’s why I think a lot of it has to do with the underlying business model that we live in today, which is surveillance capitalism. I’m not a Marxist or anything – it’s just obvious.
I think that the spyware scandals that we’ve surfaced are symptomatic of a much deeper problem. A major factor is the business model of social media that got us here in the first place… which is surveillance capitalism.
Ron Deibert, founder and director of the University of Toronto’s Citizen Lab
In your talk, you referred to ADINT (advertising intelligence) as the thing that keeps you up at night. Can you tell me more about how it works and why it is the newest part of the surveillance industry?
So, ADINT – advertising intelligence – is a new sector of the surveillance economy that is built parasitically off of the proper surveillance economy. The digital personal marketplace is grounded in a very basic model: every application you use today is designed to gather information about you to push targeted advertisements in your direction. […] All of this data is just circulating out there in this advertising space, very poorly regulated.
So along come these surveillance companies and they look at this and they go, well, this is perfect, let’s take advantage of it. […] And they combine the data that they can get from advertising beacons and all the identifiers with open-source data that they can collect to create a dossier about anybody. That dossier could include where you and I are right now; if someone was interested, it would be trivial for them to say I know exactly who they are, and they would produce a long intelligence dossier on my home address in Toronto, the Airbnb I’m staying at, my last credit card transaction, where I was yesterday, where I was six months ago.
So that’s why I think that spyware, is getting more sophisticated but I also think there’s a trend away from it. Because the device manufacturers are getting better at security, the (Citizen) Lab is getting better at doing this, and more organizations are fluent in investigating spyware. So […] the noose is tightening around the spyware companies.
From a government perspective, you’re probably looking at this going, why would I hack a phone, when I can go over here? It’s not like if there’s something that you can, as an investigator, find on someone’s device to show that this happened to them, because it’s all passively collected data that happens behind the scenes automatically on your phone. There’s nothing you can do short of not using a phone that can insulate you from it.
And what we found in that last investigation (Uncovering Webloc) was there’s so many countries that appear to be clients; it’s a very secretive market. A lot of the governments don’t want it to be known they’re using it because they know it’s likely in violation of GDPR. I bet you, I would put money down here on the table that there are Greek agencies that use that technology right now. And they’re tracking people with it. Hopefully they’re tracking bad people, but I’m sure given the history of this country, they’re also tracking journalists and activists and others.
I would put money down here on the table that there are Greek agencies that use that technology right now, and they’re tracking people with it.
Ron Deibert, founder and director of the University of Toronto’s Citizen Lab
You called the Greek journalists in the audience last night ‘heroes.’
100%. It’s incredible. I mean, Thanasis Koukakis is an extraordinary person. It takes individuals like (him) and Eliza (Triantafyllou, of Inside Story) – like, these are heroes. Honestly, our role in this whole play is like a side player, a marginal player. We’re not responsible for much here at all. It’s really their work, and it’s extraordinary to see in spite of all the corruption and abuse of power in this country, and the targeted surveillance, these journalists continue to dig up stuff and serve the public interest. We need more of that – journalism is in crisis worldwide.
With the exposure from the work you do, have you personally been threatened or has your phone ever been hacked?
You can’t do this type of work without that – it’s part of the territory. Sometimes it’s a bit more daunting than at other times. So, if you try to locate us at the University of Toronto, we’re not easy to find. We’re not listed anywhere. That’s part of our risk matrix and we calculate, like, how are we doing in terms of protecting ourselves from all of those risks? It helps when I check somebody’s phone, I’m checking my own at the same time.
Social media can support or undermine democracy – It comes down to how it’s designed
The design of a social media platform is an invisible pilot that steers human behaviour. Most major platforms optimise their design with profit in mind, rather than community or democracy.
Can you describe your methodology? If someone contacts you and says, I think I’m being followed or my phone has been hacked – can you break down the process for me?
There are two ways that we can do research on mercenary spyware and targeted hacking. One is by examining remotely the infrastructure of the spyware companies; they set up, usually for their clients, a very complicated server infrastructure that’s meant to hide how the data gets from the hacked phone to the spies on the other end. You can interrogate that in various ways because they don’t always set it up in an invisible fashion. You can begin to piece together who their government clients are and so forth.
Now, there are notifications that go out (from) Apple, WhatsApp, Google. This was done on our encouragement, by the way – we said to them you should be doing this as a public service.
Say I determine your phone was hacked. First thing I do is sit down with you and go, okay, within your office or your community, who else would likely be hacked? Can you introduce me to them? Once we gather forensic logs from somebody’s phone, we’re essentially looking at a bug report. The same type when an application crashes and you send it to Apple – that’s what we’re looking at. And we’re trying to identify two different things.
One is, is there a match in the bug report to signatures that we have, that we don’t publish, that are associated with one or more spyware vendors? It’s like a fingerprint; sometimes we can look at it and go, this person was hacked with Pegasus on October 21st, 2022, at 09:41 a.m. – it’s that specific. Or we’re looking for anomalies: like, those bug reports should follow a certain structure and if there’s something in there that’s unusual we’ll go, that looks suspicious. And then […] we might ask threat intelligence teams in different companies. Not always does that work, but sometimes we get information back.
And once we gather the data, say we have a positive infection, then we think about, well, what does the person want to do? We don’t determine if we publish or not – it’s up to the person. That’s part of the ethics process. So there are many, many, cases that we don’t publish.
What should journalists be doing when looking into stories like these?
Right now, what we are telling people is: if you hear about anybody receiving an Apple notification or a notification from WhatsApp or Google, […] take those very seriously. That’s almost certainly proof positive that someone has been hacked or targeted. If I was a journalist in that country, I’d be using my sources and my antennas to try to see, has anyone in this vicinity got a notification? If you have, let me know right away and I’ll dig further. That’s usually the best indicator that something is going on.
What we are telling people is: if you hear about anybody receiving an Apple notification or a notification from WhatsApp or Google, take those very seriously – that’s almost certainly proof positive that someone has been hacked or targeted.
Ron Deibert, founder and director of the University of Toronto’s Citizen Lab
So if I was a journalist and I met somebody that got this Apple notification, I would advise them to go to Amnesty [International] or Citizen Lab or Access Now for the technical follow-up, and then I would start talking to them: “Okay, who are you? What’s your profession? Who’s likely to want to hack your phone? Who do you think did it? When did this happen?” […] With the forensic analysis, you can see the exact time and date when someone’s phone was hacked. So the first thing you do is you ask them “do you have a diary?”. What were you doing on that day? Because someone was interested in you at that time.
One of your latest reports is about “relentless” phishing attacks on Chinese pro-democracy activists, minorities, as well as journalists. Can you describe some of the methods used to do these phishing scams and also – why do they target journalists, do you think?
Journalists are perennial targets in mercenary spyware, Chinese espionage, Russian cyber espionage. Why? Because they’re doing investigations into issues that usually the actors don’t want people knowing about. So they’re trying to get at the journalists to prevent them or to know about their sources. They want to find out what the journalists know about.
Journalists are perennial targets in mercenary spyware. Why? Because they’re doing investigations into issues that usually the actors don’t want people knowing about.
Ron Deibert, founder and director of the University of Toronto’s Citizen Lab
In this case, it all started after ICIJ (International Consortium of Investigative Journalists) published […] China Targets, […] about digital transnational repression, China reaching across borders to silence dissent, wherever it is. And after that report came out, one of the main journalists notified us that she had received this suspicious outreach. The way it looked was not like a message that you click on that’s going to infect your computer –instead it was a very credible looking type of outreach, like, I am a dissident or I’m a whistleblower, the type of thing that as a journalist you’d go okay, this looks very interesting I’m going to engage. This is actually also what the Russians appear to do a lot.
But because we were on it, we’re like no, this is not who they say they are. Let’s –this was really kind of fun and interesting to do – let’s play along […] to get as much (information as we can) from them, and that’s what we did.
This interview was edited for length and clarity.
Ron Diebert was the keynote speaker at the public event “Who Watches the Watchers?“, organized by Eteron – Institute for Research and Social Change, in Athens, Greece. The event took place on Thursday, May 21, 2026.
