Times Insider explains who we are and what we do, and delivers behind-the-scenes insights into how our journalism comes together.
BEIRUT, Lebanon — In Mexico, the government hacked the cellphones of journalists and activists. Saudi Arabia has broken into the phones of dissidents at home and abroad, sending some to prison. The ruler of Dubai hacked the phones of his ex-wife and her lawyers.
So perhaps I should not have been surprised when I learned recently that I, too, had been hacked.
Still, the news was unnerving.
As a New York Times correspondent who covers the Middle East, I often speak to people who take great risks to share information that their authoritarian rulers want to keep secret. I take many precautions to protect these sources because if they were caught they could end up in jail, or dead.
But in a world where we store so much of our personal and professional lives in the devices we carry in our pockets, and where surveillance software continues to become ever more sophisticated, we are all increasingly vulnerable.
As it turned out, I didn’t even have to click on a link for my phone to be infected.
To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.
I hoped to find out when I had been hacked, by whom and what information had been stolen. But even with the help of professional internet sleuths, the answers were elusive.
What the investigation did find was that I had a run-in with the growing global spyware industry, which sells surveillance tools to governments to help them fight crime and track terrorists.
But the companies that sell these tools operate in the shadows, in a market that is largely unregulated, allowing states to deploy the technology as they wish, including against activists and journalists.
In 2018, I had been targeted with a suspicious text message that Citizen Lab determined had likely been sent by Saudi Arabia using software called Pegasus. The software’s developer, the Israel-based NSO Group, denied its software had been used.
This year, a member of The Times’s tech security team found another hacking attempt from 2018 on my phone. The attack came via an Arabic-language WhatsApp message that invited me by name to a protest at the Saudi Embassy in Washington.
Bill Marczak, a senior fellow at Citizen Lab, said there was no sign that either attempt had succeeded since I had not clicked on the links in those messages.
But he also found that I had been hacked twice, in 2020 and 2021, with so-called “zero-click” exploits, which allowed the hacker to get inside my phone without my clicking on any …….