Defending the defenders: a look at Amnesty International’s Digital Forensics Fellowship

Featuring: Molly Cyr, Training and Community Engagement Lead at Amnesty International’s Security Lab

In an increasingly digital world, journalists and human rights organizations are facing an invisible enemy: surveillance tools. Built to be undetectable, they’re deployed by governments and threat actors with resources that activists often can’t match. 

But across the globe, a new movement is emerging, one that refuses to be silenced in the shadows of spyware and digital surveillance. The DFF (Digital Forensics Fellowship), launched by Amnesty International’s Security Lab, is training human rights defenders to fight back. 

This article explores how the DFF program has evolved from its inception, why it’s been effective, and how DFF fellows are transforming the landscape of digital security for activists.

The birth of the Digital Forensics Fellowship

The DFF is a training program designed to upskill human rights defenders in mobile device forensics. To understand why it exists, it’s important to first grasp the threat it addresses. Amnesty International had already been researching spyware, but it was 2021’s Pegasus Project that truly exposed the scale and severity of targeted surveillance. 

The project’s revelations were staggering: NSO Group’s Pegasus spyware had been used to target journalists, activists, and human rights defenders globally. Forensic analysis identified over 50,000 phone numbers of potential surveillance targets. The spyware in question could extract messages, photos, location data, and more — all without the victim’s knowledge.

As Molly Cyr explains, the DFF “emerged in response to the growing number of civil society organizations seeking to protect themselves from advanced attacks made possible by spyware.”

The first edition launched in 2022 as an introductory training program. By its fourth edition, starting in 2026, the DFF has grown into a more advanced curriculum tailored for organizations that regularly conduct mobile device forensics. The program has evolved “in step with the significant progress that civil society has made in researching and publishing about human rights violations resulting from the use of spyware or other surveillance technologies,” Molly notes.

This shift signifies that many organizations are now overseeing localized, contextually relevant research into spyware use in their own countries. 

What is digital forensics, and why does it matter?

Digital forensics is the process of analyzing a device, like a mobile phone, to uncover whether or not it was targeted by an attacker and, if so, if it’s been infected with spyware. For human rights defenders, this process is the best way to understand if they’ve been targeted by surveillance enabled by tools such as spyware.

The Security Lab focuses on consensual forensics, meaning all analysis is conducted with the informed consent of the device’s owner. This approach is vital because it arms surveillance victims with their own decision-making agency.

As Molly puts it, “this way of working is inherently powerful for people who have borne the brunt of myriad threats.” When activists or journalists learn what has happened to their device, they can decide what to do next.

What kinds of threats are activists facing today? 

Molly explains that the landscape is changing at an alarming pace. Digital surveillance technologies “are being developed and deployed rapidly and used in conjunction with other tools and tactics to monitor people and movements in innovative ways.” 

While the specific dangers vary by geography and profile, one thing is clear: traditional security measures are often no match for modern surveillance tools. Techniques like digital forensics could be exactly what human rights groups need to fight back.

Building the anti-surveillance movement: what DFF fellows learn

The 2026 DFF curriculum covers advanced iOS and Android forensics, along with a new focus on setting up and maintaining sustainable helplines within fellows’ organizations. This includes knowing when to refer individuals to other types of support services, such as those that address physical safety. “Ensuring that an organization has a clear procedure for receiving cases in a secure way is crucial,” Molly adds.

But the real power of the DFF and the Security Lab’s partnership program lies not just in the technical skills it teaches — it lies in its wider impact. Molly highlights “the ripple effect of training individuals and organizations who then go out and directly support or train their communities.”

This course has already yielded major real-world wins. In 2025, digital forensics company Cellebrite suspended product licenses for Serbian customers after Amnesty International revealed that authorities had misused the company’s forensic tools to unlawfully target activists and journalists critical of the government.

DFF fellow stories: from training to transformation

The true measure of the DFF’s success is found in the work fellows are doing around the world. Here are three powerful stories that illustrate how the program is turning the tables in the fight against surveillance.

Marla and InterSecLab: building a safety network through collaboration

Marla, who participated in the DFF while at InterSecLab, praises the program for creating a safety network for small organizations that may become vulnerable when exposing surveillance. She specifically points to the DFF as a catalyst for new research, claiming it “ends up being a hub for new research, new perspectives, and new skills to bloom.”

One example is the Geedge Networks project. 

After training from Amnesty International in mobile device forensics and surveillance detection, InterSecLab investigated and exposed Geedge Networks, a Chinese company exporting surveillance and censorship technology to authoritarian regimes. The investigation analyzed over 100,000 leaked internal documents to reveal how the company’s tech enables deep packet inspection, real-time monitoring of citizens, and selective control over internet traffic. 

Conducted in collaboration with several international partners, the research demonstrates how DFF training can lead to major, actionable, and scalable investigations. 

Ragheb and SMEX: forging institutional capacity in Asia and Africa 

Ragheb works with SMEX, a digital rights organization operating in West Asia and North Africa. While he had prior experience reading surveillance research, he finds the DFF offered much more. According to Ragheb, the program gave “a structured path that goes deep into specific topics while keeping the work grounded in hands-on practice.”  

The DFF also strengthened Ragheb’s understanding of which system architectures are most vulnerable to surveillance and helped him refine both his technical practices and his ability to teach these skills to fellow technologists. In his words, digital surveillance “in a human rights context is, by nature, a search for extremely faint signals, and DFF helped me understand where to look, and why.”

In the case of SMEX, the DFF helped establish their first Digital Forensics Lab, a unit now conducting mobile device analysis and threat investigations for activists across their region. Ragheb created a sustainable system for his organization to investigate spyware, phishing schemes, and malware attacks, turning individual skill-building into organizational capability. 

Tim and Russian civil society: fighting censorship with forensic skills

Tim works with various organizations, primarily those that support Russian civil society facing increasing oppression both at home and abroad. In his eyes, one of the DFF’s top benefits is personal, as the program taught him “how to analyze applications, traffic, certificates, and domain infrastructure.”

He also singled out the sense of community the DFF has fostered as a plus. “Access to outstanding experts — both from Amnesty and among the fellows — is also enormously valuable. It creates great opportunities for exchanging experience, seeking advice, and professional growth,” Tim adds.

Through his work with RKS Global, an organization dedicated to supporting internet freedom, Tim applied his DFF training to expose how Russian digital service providers are secretly inspecting devices to detect VPN (Virtual Private Network) usage and enforce authoritarian censorship. The research revealed coordinated government-private sector surveillance that threatens internet freedom in Russia. 

Looking ahead: a sprawling digital forensics movement

The DFF represents more than a training program — it’s a thriving movement of technologists who refuse to let surveillance win. As Molly notes, “We are dedicated to this program, and we see it as a way to give power to people to confront and protect themselves against the world’s most intimidating surveillance tools.”

The fellows’ stories illustrate what’s possible when knowledge, community, and courage converge. From crafting sustainable helpdesks to publishing groundbreaking research, the DFF is creating a network of defenders who are more capable, more connected, and more empowered than ever before.

Continued training is vital, Molly indicates, “as it makes our research actionable and accessible for our peers.”

Why protecting activists protects everyone

And the DFF’s work extends beyond human rights alone. “Making sure that the most at-risk users have the tools and support they need to work securely benefits everyone,” Molly concludes.

Across the tech world, higher security standards for the most vulnerable parties ultimately protect all users. And when human rights organizations like Amnesty International share findings about sophisticated threats targeting activists and journalists, increased awareness can lead to accountability and changes on a broad scale.   

In other words, defending the defenders makes the entire internet safer.

*The Security Lab regularly updates its Digital Security Resource Hub with relevant digital and information security resources in multiple languages.