Written by Hendrik Mildebrath.
As Pegasus revelations gain momentum and the first EU Member States become implicated, one of the most high-profile spying scandals of recent years is coming to light in Europe. The Canadian interdisciplinary laboratory Citizen Lab first discovered traces of Pegasus spyware in 2015, but it was only in 2021 that the scandal broke on a global level through a joint effort by Citizen Lab, Amnesty International, Forbidden Stories and 17 media organisations. Reports revealed that authoritarian and democratic governments around the world were using Pegasus to spy on journalists, lawyers, activists, politicians, and high-ranking state officials. Investigators link the spyware to human rights harms including intimidation, harassment, detention, and murder. Pegasus was developed by the NSO Group and is designed to breach mobile phones and extract vast amounts of data stored or processed by the target system, including text messages, call interceptions, passwords, locations, microphone and camera recordings, and information from apps.
In the European Union, the Hungarian and Polish governments were the first to be caught in the eye of the storm, after media organisations uncovered extensive use of Pegasus spyware by public authorities against opposition figures and government critics. Meanwhile, Spain finds itself in the throes of the Pegasus ‘cyclone’ after Citizen Lab revealed extensive Pegasus spyware operations against Catalans (‘CatalanGate’). Reportedly, Germany, Belgium and the Netherlands also have Pegasus at their disposal, while Cyprus and Bulgaria may have served as countries of export, raising questions about export destinations and authorisations. These revelations raise concerns on various levels of the European legal order with respect to data protection and privacy, freedom of expression, freedom of the press, freedom of association, redress mechanisms, and democratic processes and institutions. In response to abusive surveillance practices, individuals and authorities are sounding out redress and enforcement options, such as individual litigation, formal complaints, infringement procedures and sanctions mechanisms for qualified rule of law deficiencies. The European Parliament has set up a committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware.
As the Pegasus revelations shed light on the adverse effects of trade in and abuse of cyber-surveillance technologies, policymakers are seeking adequate responses. While the EU has made substantial progress in the area of cybersecurity, civil liability, and privacy, reinforcing their effectiveness may help rein in the abuse of spyware. To curb internal spyware abuse, the EU could promote public and private enforcement of data and privacy rights and further clarify the preconditions and parameters for cyber-surveillance and public-private surveillance cooperation. In a more determined approach, the EU may introduce human rights controls in procurement directives, ensure that unlawfully obtained evidence is inadmissible (misconduct defeats its purpose), and stimulate discussions on the legal limits of intelligence outsourcing as well as on enhanced accountability mechanisms. Additionally, the EU or its Member States could promote responsible behaviour of cyber-espionage professionals, if necessary, by reasonably regulating the spyware industry without driving it away or underground (path of legality). To curb external (third-country) abuse, the EU may consider further promoting the adequate and uniform application of export controls and pursuing coherent foreign policies that limit the proliferation and abuse of spyware. To achieve greater impact, the EU may simultaneously pursue a multilateral approach, partnering with like-minded countries to steer the global spyware market and ostracise malicious actors. In all domains, civil society and regulators call for adequate, coherent and uniform implementation of existing and future policies, as well as practical guidance. To ensure a future-proof iteration of the next policy cycle, it appears beneficial to broaden research to include the design, trade and use of cyber-weapons in general.
Read the complete study on ‘Europe’s PegasusGate: Countering spyware abuse‘ in the Think Tank pages of the European Parliament.