On November 21, 2024, the Thai Civil Court dismissed the case of Jatupat Boonpattararaksa vs. NSO Group, stating that the evidence failed to meet legal thresholds on critical points. According to the plaintiff’s evidence, the Citizen Lab’s certification memo only stated that Jatupat had been attacked by Pegasus spyware. It did not clearly explain the investigation process, such as the specific technical analysis methods that Citizen Lab used to analyze the data set, or details of the code samples or indicators of Pegasus spyware extracted from the compromised devices.
Two of the plaintiff’s witnesses who testified in the court were not eyewitnesses. The other documents were merely case studies and circumstantial witnesses. Moreover, the plaintiff’s lawyer did not bring an expert witness from Citizen Lab to testify before the court. Thus, the Citizen Lab’s confirmation letter was considered hearsay according to section 95/1 of the Thai Civil Procedure Code.
Court’s assessment of evidence
In this case, the plaintiff presented 61 pieces of documentary evidence to the court. Regarding the attack on Jatupat, there are documents to confirm that he had been targeted by a state-sponsored attacker and by Pegasus spyware, such as document no.4: Threat Notification on Apple ID, and document no.5: Certification memo from the University of Toronto indicating that Jatupat’s device was compromised with NSO Group’s Pegasus spyware.
In its decision, the court indicated that the plaintiff’s submitted document no.4 contained significant discrepancies and raised concerns about the credibility of this evidence. Thus, it did not believe that the plaintiff had received a warning from Apple.
Regarding document no.5, the court stated that it only indicated that Jatupat’s device was infected by Pegasus spyware. The plaintiff did not adequately explain how forensic evidence was obtained after data extraction from the device, the specific technical analysis methods employed by Citizen Lab in analyzing the data set, the details of code samples or indicators of Pegasus spyware extracted from the compromised devices, or whether Jatupat’s log files were stored on the Internet Service Provider’s servers.
The plaintiff did not present evidence identifying the Citizen Lab researcher responsible for analyzing the data. There was no eyewitness from Citizen Lab to demonstrate how they found the plaintiff’s data set to be altered by the Pegasus spyware. There was no written or oral testimony on the technical analysis and synthesis of the data set. As a result, the court considered document no.5 to be hearsay evidence. The court also noted that there was no apparent reason why witnesses could not have been brought in to testify.
Burden of Proof and Court’s Decision
Since 2015, Citizen Lab researchers have discovered the use of Pegasus spyware against political dissidents and developed deep specialized knowledge in spyware through their forensic investigative work. The organization has continued to research and advocate against surveillance spyware to this day. For victims, Citizen Lab has become a last resort to obtain definitive confirmation and a gateway to pursuing justice.
On November 24, 2021, Apple sent warning emails to Thai activists, politicians, and academics. Two iLaw staff members also received warning emails. In March 2022, iLaw partnered with DigitalReach and Citizen Lab to investigate the use of Pegasus spyware in Thailand. By July 2022, Citizen Lab confirmed that at least 35 individuals had been targeted by the spyware.
During the investigation, the investigative team was required to sign a confidentiality contract to protect the spyware detection method. This secrecy is crucial because if the method were leaked, the spyware developer could develop techniques to avoid detection, potentially affecting future spyware detection efforts worldwide. Citizen Lab is recognized as the most specialized organization in this field. This situation parallels the Apple lawsuit against NSO Group in the United States. In 2021, Apple initially filed a lawsuit, but in September 2024, the company filed a motion to dismiss the case. This action appeared to be motivated by concerns about potential exposure of sensitive “threat intelligence” information during legal proceedings.
On July 13, 2023, Jatupat Boonpattararaksa filed a lawsuit against NSO Group, alleging that the company used Pegasus spyware to hack his device and extract his personal information. During the proceedings, Jatupat’s legal team directly contacted John Scott-Railton, a Citizen Lab researcher, requesting that he serve as an expert witness. However, Scott-Railton raised concerns about potential sensitive data exposure and decided not to testify, and Citizen Lab decided not to be present in the Thai court.
Revealing that Citizen Lab’s investigation was confidential might raise doubts about the authenticity of the investigation results. In parallel, another organization conducted an independent investigation – in the case of Thailand, this was Amnesty Tech. These factors represented significant limitations in not bringing the Citizen Lab researcher to court.
While John Scott-Railton, a Citizen Lab researcher, did not testify in court, the legal team expected that Sutawan Chanprasert, who is one of the authors of the Geckospy report, would provide sufficient testimony.
However, the court ruled to dismiss the case on technical evidence grounds.
iLaw Stance on Court’s Decision
Our organization has two victims of Pegasus spyware. As victims, we have faced two significant challenges: first, managing the emotional toll of being targeted by spyware, and second, handling these issues professionally as human rights defenders. In 2022, we, iLaw, decided to expand our work to investigate the use of spyware in an attempt to improve privacy rights in Thailand. The following year, iLaw supported Jatupat’s litigation case with information and provided manpower for research.
However, the court’s decision revealed two significant barriers. The first is the technical complexity of proving spyware infection. The second is that, ironically, the Citizen Lab method and its confidential nature, which were designed to protect future spyware detection efforts, turned into mechanisms denying justice to the victim.
This surveillance spyware case revealed that victims always pay the highest price. Their privacy is invaded, and they bear the overwhelming burden of proving their own victimization. The technical complexity of spyware, compounded by the confidential nature of surveillance technologies, creates barriers for individuals seeking justice. The court’s decision emphasizes the high bar for proving digital surveillance when the investigation process must remain confidential to protect future detection capabilities.
We acknowledge the principle in Thai jurisdiction that the burden of proof belongs to the plaintiff in civil cases. However, we maintain that document no.5 is definitive confirmation of being targeted by the Pegasus spyware. We also wish to see more sympathy and flexibility in applying the burden of proof for victims, and a more active role from the court in examining the duty of the giant spyware developer.
Attachments
- confirmation memo (467 kB)