It was almost immediately after the release of DeepSeek’s large language model that users began sharing reports of disturbing censorship. The episode reminded me of a personal memory from 2006. As a 19-year-old student at the University of Toronto, sitting in the balcony of Convocation Hall, I watched my professor bring to life his course about human rights online by demonstrating a tool he had helped build that could compare search results from google.com and its Chinese counterpart, google.cn. Typing in terms like “Tank Man” and “Tiananmen Square” — and seeing the real-time divergence in results — brought a spotlight onto a world many of us had not seen before.
Since then, that professor, Ron Deibert, director of the Citizen Lab, has moved from one project to another that has not only drawn attention to human rights abuses in digital realms but also worked tangibly to make the online world safer for us all.
Since a groundbreaking 2012 study in which a live spyware attack was forensically analyzed and traced back to a specific company, the Citizen Lab’s work on spyware, in particular, has captured news headlines around the world and influenced politics in places like Catalan, Greece, Poland and Mexico.
Deibert’s new book, Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy, takes readers behind these headlines, exploring the “ancient arts of espionage, sabotage, assassination, and subversion” in their new digital expressions. The book builds on many vignettes found in Reset: Reclaiming the Internet for Civil Society, Deibert’s 2020 Massey Lecture series. But where Reset took a horizons approach, showing deep concern for the climate crisis externalities of the material infrastructure of communication technologies, Chasing Shadows reads like a thriller about a spyware industry that is increasingly professionalized and commercialized — and running amok.
In mapping out and helping to thwart this burgeoning industry, the Citizen Lab has used “tools, methods, and open-source investigative techniques — network scanning, field research, forensics, reverse engineering, access to information requests, and corporate document analysis — to gather the incriminating evidence that bad actors inevitably leave behind them” in the digital realm when they commit malicious acts against vulnerable persons using spyware technology.
The Citizen Lab’s work has spurred governments and corporations around the world into action. In November 2021, the US Department of Commerce designated several spyware groups on an “entity list” that prevented them from buying American parts or components, largely due to the Citizen Lab helping to expose their malfeasance. Shortly thereafter, Apple launched a lawsuit against NSO Group, complementing a lawsuit that WhatsApp had also filed against NSO Group in California. Both lawsuits were largely due to the Citizen Lab’s work.
How has the Lab been so successful? Chasing Shadows is a story of accomplishments, but it is also, more quietly, a story about building capacity to work on behalf of the public interest. The Citizen Lab’s capabilities are unparallelled when it comes to working with deep technical skill, using highly collaborative approaches, leveraging media pressure and reckoning with complex ethical questions in a modern university environment not normally known for making that easy.
Throughout the book, Deibert casually recounts how his team has refused to accept corporate money, even when millions of dollars are offered to them. By reporting several zero-day vulnerabilities to Apple for free (despite their normally hefty price tag in bug bounty programs), the Lab has acted selflessly to protect almost a billion iPhone users. Chasing Shadows also recounts how the Lab has exhibited this moral steel while standing up to actors who have used direct and indirect measures to surveil them and issue darkly personalized death threats.
The malicious actors committing these injustices do not come out well in this book. But neither do governments, including Canada’s. When Deibert recounts the publication of the Lab’s 2018 report about a dissident in Canada being targeted by spyware used by Saudi Arabia, the federal government’s conduct is appalling. An access request for records eventually reveals that the Royal Canadian Mounted Police only contacted the Citizen Lab in advance of the report’s publication to be able “to say they are investigating when the story breaks.” When Deibert attempts to gain information about a government meeting that he was invited to attend, the response comes up null — no records exist.
Elsewhere in the book, Deibert recounts how Canadian national security and intelligence agencies have attempted to turn into assets vulnerable persons targeted by spyware who bravely come forward to report those experiences. In another incident, the Canadian Security Intelligence Service tries to recruit one of the Lab’s employees behind Deibert’s back andinforms the Lab that a covert operation against it is “still ongoing,” without providing any information.
This lack of transparency speaks to a bigger problem with the Canadian government when it comes to spyware: saying one thing and doing another. The Communications Security Establishment, Canada’s signals intelligence agency, has declined to disclose any information — even so much as an acknowledgement — about its use of spyware. This silence betrays Canada’s commitments in a September 2024 joint statement with various countries to counter the proliferation and misuse of spyware — to say nothing of Canada’s unfortunate status as an origin country for spyware technology that has been used by authoritarian governments to target dissidents.
With eight billion people on the planet — and with three-quarters of them possessing a phone — governments around the world must take seriously the harms of spyware that touch some of the world’s most vulnerable people. As Deibert explains, it has been the Lab’s mission to serve these people — to undertake, as he puts it, “counterintelligence for civil society.” Where governments and private actors have failed at this task, Deibert and his team have worked inside and outside the shadows to protect us.
All we can say is thank you.
