Cambridge University halts GBP400m deal with UAE over Pegasus spyware claims
Exclusive: UK institution was in line for huge donation but has paused talks due to concerns Gulf state used hacking software
The University of Cambridge has broken off talks with the United Arab Emirates over a record GBP400m collaboration after claims about the Gulf state’s use of controversial Pegasus hacking software, the university’s vice-chancellor has said.
The proposed deal, hailed by the university in July as a “potential strategic partnership … helping to solve some of the greatest challenges facing our planet” – would have included the largest donation of its kind in the university’s history, spanning a decade and involving direct investment from the UAE of more than GBP310m.
But Stephen Toope, Cambridge’s outgoing vice-chancellor, said in an interview that no meetings or conversations with UAE were now taking place after revelations related to Pegasus, software that can hack into and secretly take control of a mobile phone.
A university spokesperson said it had approached the UAE and other partnerships “with an open mind” and “these are always finely balanced assessments”, adding: “We will be reflecting over the next few months before further evaluating our long term options with our partners and with the university community.”
The Guardian’s Pegasus Project revealed a leak of more than 50,000 phone numbers that, it is believed, were linked to people of interest to clients of NSO Group, the Israeli company behind Pegasus. The principal government responsible for selecting hundreds of UK numbers appeared to be the UAE, the Guardian found.
“There were further revelations about Pegasus that really caused us to decide that it’s not the right time to be pursuing these kinds of really ambitious plans with the UAE,” Toope told the Varsity student newspaper.
Asked if he would consider pursuing the deal in the future, Toope said: “No one’s going to be rushing into this. There will be no secret arrangements being made. I think we’re going to have to have a robust discussion at some point in the future. Or we may determine that it’s not worth raising again. I honestly don’t know.”
Toope said he had not met the UAE’s ruling prince and was not holding meetings with anyone from the state. “There are existing relationships across the university on a departmental and individual academic level but there are no conversations about a big project,” he said. “We’re aware of the risks in dealing with many states around the world but we think it’s worth having the conversation.”
News of the potential collaboration, with documents seen by the Guardian detailing “joint UAE and University of Cambridge branding” and new institutes based in the Gulf state, caused an outcry over the prospect of financial ties with a monarchy notorious for alleged human rights abuses, few democratic institutions and hostility towards the rights of women as well as those of LGBTQ+ people.
Talks over the partnership were supported by the university’s internal bodies, despite concerns. But Toope’s remarks suggest that it was the UAE’s alleged use of the controversial hacking software that was responsible for ending the talks.
In July, shortly after the Cambridge-UAE partnership was announced, the Pegasus Project revealed that more than 400 UK mobile phone numbers appeared in a leaked list of numbers identified by government clients of NSO between 2017 and 2019. The UAE was identified as one of 40 countries that had access to Pegasus, and the principal country linked to the UK numbers.
The Cambridge-UAE project was to have included a joint innovation institute and a plan to improve and overhaul the emirates education system, as well as work on climate change and energy transition. “Are those important enough things to think that we might be able to mitigate the risks? The answer is: I don’t know quite frankly,” said Toope, who is to step down at the end of the year.
Dubai, the emirate city ruled by Sheikh Mohammed bin Rashid al-Maktoum, is also believed to have been an NSO client. The phones of Sheikh Mohammed’s daughter Princess Latifa and his ex-wife Princess Haya, who fled the country and came to the UK in 2019, both appeared in the data.
Last week a high court judge ruled that Sheikh Mohammed hacked the phone of Princess Haya using Pegasus spyware in an unlawful abuse of power and trust.
Dubai did not respond to a Guardian request for comment on the Pegasus Project at the time. Sheikh Mohammed did not respond, although it is understood he denies attempting to hack the phones of Latifa or her friends or associates, or ordering others to do so.
In multiple statements, NSO said that the fact that a number appeared on the leaked list was in no way indicative of whether a number was targeted for surveillance using Pegasus. “The list is not a list of Pegasus targets or potential targets,” the company said. “The numbers in the list are not related to NSO Group in any way.”
A university spokesperson said: “The University of Cambridge has numerous partnerships with governments and organisations around the world. It approached the UAE as it does all potential partnerships: with an open mind, and rigorously weighing the opportunities to contribute to society – through collaborative research, education and innovation – against any challenges.”