The EU Parliament’s probe into European governments’ use of the military-grade spyware, Pegasus, is in its third month.
MEPs have now heard from the journalists that exposed the use of the spyware and big tech firms, and they have agreed to make in-country visits to Hungary, Poland, and Spain: the three European countries accused of using Pegasus to spy on journalists, activists, and their political opposition.
The parliamentary committee is charged with learning in-depth about Pegasus and similar software, investigating its use by EU-member states, and then making recommendations on regulating its use in the EU.
The probe into the spyware stems from the Pegasus Project, the work of an international consortium of journalists—led by the French-based Forbidden Stories, Amnesty International, and the Canadian-based Citizen Lab—that exposed the use of Pegasus in some 50 countries by approximately 10 governments. Targets included not only heads of state but also journalists, human rights activists, and members of the political opposition.
Pegasus is developed and sold by the Israeli-based NSO Group. Israel considers the tool so powerful that each sale must be approved by the Israeli ministry of defence. According to the NSO group, it only sells to democratic governments for use against terrorists and organized crime. But the Pegasus Project alleged, for example, that the phone of slain journalist Jamal Khashoggi’s wife, Hanan Elatr, was infected with Pegasus months before Khashoggi was murdered by Saudi agents in October 2018. Hungary also appeared on the list of governments that had deployed Pegasus against its intended use (to stop crime), citing forensic evidence that journalists and others opposed to Prime Minister Viktor Orbán had been targets of the spyware.
The Hungarian government has acknowledged owning the spyware but has denied all wrongdoing.
In December of 2021, similar accusations emerged against the Polish government, allegations that it had targeted its political opposition during the tight 2019 elections and used messages, hacked from the phone of the opposition leader, in a smear campaign.
Then in April, just as the EU Parliament investigation was getting underway, the Citizen Lab published CatalanGate, a report that alleged the Spanish government had spied on Catalan separatists, including politicians, activists, and their families.
Both the Polish and Spanish government’s have admitted to having the software but deny any wrongdoing. Probes into the allegations are underway in both countries.
At the beginning of June, the Dutch government also revealed that it had used Pegasus to track down the country’s most wanted criminal: a drug lord. It said it had targeted drug kingpin Ridouan Taghi, “among others,” with the spyware. In response, some politicians called for the government to reveal who else had been targeted and in what context.
MEP Sophie in ‘t Veld, who is part of an EU Parliament probe into Pegasus, warned the spyware was “massively invasive, and we’ve seen other countries use it for political aims.”
Though initially considered a tool used by autocratic or rogue governments, journalists have been finding evidence that its use in Europe is growing. The New Yorker quoted a former senior Israeli intelligence official in April as stating, “NSO has a monopoly in Europe.”
“Cyber security wants legitimacy and market growth so that’s why they are going for the European market,” Scott Railton with the Citizen Lab told MEPs at a hearing in May.
Though use of third-party spyware such as Pegasus is unregulated in Europe, individual countries each have their own laws and oversight processes for surveillance by law enforcement and intelligence services (that apply to spyware as well). On these grounds, governments defend themselves against allegations of misuse, but often without providing details, claiming the matter as a security secret.
With this as the background, lines in the parliamentary committee are drawn between more conservative MEPs, ready to defend proper use of spyware, and more progressive MEPs prepared to ban the use of Pegasus, as the European Data Protection Supervisor called for in February.
Within the committee itself, members are not only on opposite sides of the political aisle, but on opposite sides of the spyware.
One of the committee members is Spaniard Carles Puigdemont of Lliures per Europa, a fugitive in Brussels who led the 2017 referendum on Catalan independence—illegal under Spanish law—and was allegedly spied on with Pegasus by the Spanish government. Also representing Spain on the committee is Juan Ignacio Zoido of the PPE and minister of the interior of the centre-right government, in power at the time of the referendum staged by Puigdemont.
“We’re talking about the incorrect use of Pegasus that does not belong in an EU democracy and that belongs to tyrannic states,” Zoida said at the committee’s first meeting. “The EU fights organized crime and terrorism. Have they found any use of Pegasus against these kinds of threats? We need to ensure that those who are charged with this have the tools they need, so I am quite surprised by some of the accusations that we have heard.”
Zoida is a former member of a government accused of using Pegasus against Catalan separatists.
But German MEP for the Left, Cornelia Ernst, said the surveillance alleged by journalists reminded her of George Orwell’s novel 1984.
“This software should be banned. From our group there will be consequences for governments that are spying on people,” she asserted.
In May, journalists provided testimony on the extreme invasiveness of the software—capable of searching the contents of a mobile phone and turning on its microphone and camera undetected.
“What does it mean to be a victim of Pegasus? All your secrets are laid bare, your intimate secrets are laid bare to your worst enemy,” French journalist Sandrine Rigaud from Forbidden Stories told MEPs. “For a journalist, for example, Pegasus allows a state to know your sources, how you’re preparing your next story …. and the state can geolocate you.”
She also lamented the lack of transparency around its use.
“We are facing a tragic situation because there is no counterbalance,” she added. “We raised questions and when we turned to those states there were no answers. States say they don’t want to respond, and when they do, they say everything is under state secrets.”
“Once in place, the temptation to abuse it is great and oversight little,” Railton also said.
At a hearing in mid-June, MEPs heard from big tech. Pegasus and similar spywares exploit the inherent undetected flaws in smart phones and other devices to stealthily infect targets, to the growing frustration of tech companies. In December 2021, Apple filed a lawsuit against the NSO Group for targeting its iphone customers. At the EU Parliament, Representatives from Google, Microsoft, and other tech giants told MEPs that spyware providers offered little transparency and also accused governments of fuelling the growing spyware market through their purchases.
David Agranovich, security policy director at Meta, the parent company for Facebook, Instagram, and WhatsApp, said that surveillance technology has traditionally been developed and controlled by governments themselves with democratic controls in place, but “the challenge of the surveillance or hire industry is that it makes this type of democratic oversight difficult to impossible.”
“Ironically, groups selling malicious tools are very particular about the confidentiality around their products, services, contracting and pricing associated with their offensive tools,” said Kaja Ciglic, director of digital peace for Microsoft.
Agranovich encouraged member states to enforce the same “requirements of due diligence you would expect from other industries,” such as “know your client” obligations.
The parliamentary committee’s investigation is expected to last through April 2023.
