The EU needs to regulate the growing use of and trade in spyware within the bloc, the EU Parliament’s special PEGA (Pegasus surveillance software) committee concluded.
The draft recommendations and report presented on January 24th follow almost a year and a half of work by the special inquiry committee in response to revelations in 2021 by journalists and think tanks about the use of spyware—such as the Israeli-developed Pegasus program—by several member states on political opponents, journalists, and other citizens.
After hearings with journalists, experts, and representatives from the NSO Group, as well as visits to Israel, Hungary, Poland, and Greece, the committee’s draft report concluded that though not all member states have admitted it publicly, it can be assumed that all EU countries possess some form of spyware. In most countries, it is used as intended—to fight organised crime and terrorism—but in some, namely Poland and Hungary, as well as to a lesser extent in Greece, it is being used systematically by governments against their political opponents.
The recommendations call for an immediate moratorium on the use, acquisition, and exportation of spyware, with the possibility of lifting the ban on a country-by-country basis, should the governments meet certain requirements. They call for stricter enforcement of existing regulations around such technologies, and seek to implement international cooperation to develop joint spyware strategies, including reformed export and licensing frameworks with other countries such as the U.S. The committee further recommended prohibiting the export of spyware from the EU to governments with poor human rights records.
The draft also includes country-specific recommendations for those governments accused of extensive use and misuse of spyware.
For Poland and Hungary, the committee recommended restoring institutional safeguards and oversight mechanisms, and ensuring their independence. Additionally, it wanted Europol to be invited to investigate alleged violations.
In Poland, judges should also be randomly allocated to cases to avoid the selection of those ‘friendly’ to the intelligence services overseeing the use of spyware.
Both Poland and Hungary have acknowledged possessing and using the software but denied violating citizens’ rights. The Polish government denied using it against political opponents, while the Hungarian National Authority for Data Protection and Freedom of Information stated that it had investigated hundreds of cases of spyware use and found that all of them met the legal criteria of risk for national security and legal authorisation.
For Greece, where the spyware scandal nearly toppled the current government, the committee recommended that authorities be permitted to investigate alleged incidents of surveillance unhindered and that the decision to bring the country’s intelligence service under the direct control of the prime minister be reversed.
The committee was more lenient with Spain, where Pegasus and a similar program, Candiru, were used against Catalan separatists in the lead-up to the 2017 illegal independence referendum. It found the use of spyware compliant with EU treaties but recommended greater transparency and response to possible victims.
The report also targeted Bulgaria and Cyprus as hubs for the use and export of the spyware, though the industry’s presence in Europe goes beyond those two countries.
The NSO Group has offices in Bulgaria and Cyprus, and media reports allege that Pegasus attacks have been launched from servers in Bulgaria, though both Cyprus and Bulgaria have denied permitting the export of Pegasus. The NSO Group also has a ‘corporate presence’ in the Netherlands and Luxembourg, according to the committee report.
Although the Israeli NSO Group, the company responsible for Pegasus, is best known for its spyware, it is far from the only player in the industry. The report cites seven other companies with offices in Ireland, Switzerland, Austria, France, Italy, Germany, Greece, and Cyprus.
At the same time, the report also reprimands the EU Council and Commission for inaction.
“No member state, nor the Council, nor the Commission has any desire to shed light on the spyware scandal, thus knowingly protecting Union governments which violate human rights within and outside of the Union,” the report reads.
At a press conference in November of last year, liberal Dutch MEP Sophie in ’t Veld, the rapporteur for the committee, acknowledged that the draft report of findings is largely based on information already publicly available, even while governments have been tight-lipped and uncooperative.
In April 2022, the EU Commission made it clear that it would not investigate possible illegal spyware use by member states, considering it a national security issue and therefore outside of its competence. Poland, for example, bluntly refused to engage with the committee during its visit to the country.
Still, the report recommended that the Commission take the lead on tightening regulations by proposing legislation for spyware. It seems unlikely the Commission considers it a priority.