In Panel 1, we are interested in the legal situation in European countries when other nations use mercenary spying programs like Pegasus there. For example, what changes in the legal situation when such surveillance is carried out in the EU by a third country? Panel 2 analysed the promises of European governments to use spy software from Pegasus & Co only in a legally compliant way. Is it even possible to verify the possibly illegal use of spyware with the available means?
The introductory lecture is given by Román Ramírez, founder of the Spanish IT security conference Rooted Con. Ramírez does not fundamentally question surveillance with Trojan programs. Criminals are increasingly using encrypted communication. Access to the devices would therefore be necessary for law enforcement, but this would require a court order in any case. This order should not be issued in a blanket manner and "by design," but only upon request. Even an emergency should not be an exception. Ramírez emphasizes Spain, where there are judges who are specialized in exactly this kind of surveillance order.
Controlling the use of Trojan programs is the most important issue, according to Ramírez. Every citizen must be protected, he says. Therefore, there need to be consequences for abuse when fundamental rights are not respected in the process. Here, compensation or apologies must also be discussed.
For comparison, the speaker mentions the carrying of a weapon by a civil servant, for which there are a number of regulations. Transferred to software, it could therefore be made possible for the decrypted content to be checked. The use of surveillance software would have to be done in teams so that needs and competencies are not centralized. Each process should be stored for democratic control.
It could also be established in principle to exclude certain operations or topics from monitoring. However, Ramírez suspects that users would not like this, because they would like to make individual decisions about each deployment.
Michel Arditti of the Swiss group SCSWorld, which has been advising governments on security issues since 2003, does not consider the use of government Trojan programs to be fundamentally problematic. In the fight against terrorism, he says, investigators don’t have time to obtain permits. The tools have already been used to prevent attacks. However, SCSWorld has also developed defenses against such interceptions, he said.
Pegasus is a surgical tool, according to Arditti. The witness classifies the software as targeted and thus tactical surveillance by police, as opposed to strategic surveillance as mass interception by intelligence agencies. He cites France, which intercepts one million communications per second, as an example. But even the use of tactical mercenary spyware generates an incredible amount of information in the terabyte range (such as data from SMS and messengers, photos, videos), which must be filtered and analyzed in complex procedures.
In recent years, he added, the use of eavesdropping tools has become increasingly complex, as (for example, after the switch to encrypted GSM or with 5G) more and more data transmissions and services are encrypted. Industry and users were therefore looking for other solutions, for example to intercept a cell phone directly. The operator must be as close to the target as possible, because it is not always clear whether the attack will work. In the process, traces would sometimes be left behind. Criminals also use such tools, but it is even more difficult to trace them. No Trojans can be bought on the darknet, but intercepted data can.
Many countries are currently trying to develop mercenary spyware, he said. Arditti speaks of about 30 companies worldwide that sell NSO-like tools. Pegasus is specifically sold only to governments, he said, and export licenses are required to sell it abroad. Each buying country would have to set up a server platform to attack phones individually. Subsequent extraction, he said, requires immense capacity. The contracts define the number of accesses for a certain period of time. Infections cannot be guaranteed; a lot of work would have to be done up front to achieve this. There are now many companies that act as intermediaries between the customer and the manufacturer of mercenary spyware. NSO software is expensive, so such advice on scenarios and the most appropriate software to use is important.
NSO definitely does not have access to the wiretapping data. Whoever sells the system does not operate it. The supplier is also not responsible for server maintenance.
Companies like NSO would have to be regulated, according to Arditti. But the witness thinks Big Data corporations are an even bigger threat than anti-terrorist agencies using mercenary spyware. A lot of data lies with companies in the cloud, this can sometimes not be prevented at all, he explained. In the case of Samsung phones with Google’s operating system, two companies are even collecting data.
Sessa Duro of the International Association of Judges points to the problem that interception measures cannot be questioned by those affected because they usually do not learn about them. Many freedoms could be affected, such as the exercise of religion or freedom of assembly. All freedom-restricting measures would have to have a legal basis; people who are intercepted would have to be defined, as would the nature of the violation, the circumstances under which data are collected and destroyed. The process and the data collected would have to be accessible to those affected. There should be no interpretation in judicial authorization.
In some countries, authorities often pick judges who are more likely to approve a measure than others. That’s why governments need strict rules. Judges are not there to approve, but to check whether human rights are being violated. In the area of mercenary spyware, these are primarily Article 8 of the ECHR (protection of private and family life) and Article 13 (appeal against government measures). If these were nevertheless breached, there would have to be an actual necessity. This also means unconditional compensation if the wiretapping measure was not appropriate and thus illegal. The ECJ has not yet dealt with this, but perhaps now is the right time. In particular, rules are needed for cross-border cases of wiretapping.
It is important that judges are independent, and the European Parliament must ensure this. This is not the case everywhere, but the witness does not give any examples. It is important that the evidence obtained is also legally binding. After it has been collected, it must be examined whether it can be admitted. The judges needed for this must be well trained.
The EDPS Wojciech Wiewiórowski says that it is not his task to determine when an intervention with mercenary spyware like Pegasus is allowed. Often it is used by secret services, which cannot be checked with the mandate of the EDPS. Currently, he said, his office is dealing with operations in Hungary, Poland and Spain.
Back in 2015, during the Hacking Team scandal, after leaked user data, program code, internal documents and emails of the surveillance company were published, the EDPS (Wiewiórowski's predecessor) had suggested regulation. There is a need for legal control of the authorities' actions, ex ante and ex post. At present, he said, this is more of a formality, and the measures are not seriously examined for their legal effectiveness. Many countries had also not enacted rules for picking the forbidden fruit; that is, when evidence obtained unlawfully was used for prosecution. The witness cited Europol as an example.
To remedy the situation, he says, civil society must be strengthened. Wiewiórowski warns against the trade in exploits and the increasing use of mercenary spyware in cyber wars and military missions. These uses must also be questioned.
Cindy Cohn, a U.S. civil rights attorney with EFF who specializes in Internet law, points out that human rights defenders need more support in this area.
Cohn recommends several conditions for more accountability. For one, she calls for more device security. Governments, she says, are often ambiguous when they call for more security and encryption but undermine it at the same time. That’s why it’s imperative that exploits be made public immediately. The EFF, for example, has developed a certification to make Internet surfing more secure, she said, which should actually be a government task.
The witness also calls for the creation and use of complaint mechanisms. Users need more accountability on the part of governments. Companies that produce such software should be held accountable and should not benefit from impunity. It is particularly perfidious to disguise malware as WhatsApp messages. This represents a misuse of the brand name, and companies must be able to take action against it. Apple has also tried to track down affected users. One could look at the obstacles that emerge in the process, so that victims can better claim justice.
Governments should also create stronger incentives for companies not to sell malware. A conversation should be had with Israel’s government, she said, since many mercenary spyware manufacturers are based there and the often-abused technology was co-developed by the government.
Until there is more jurisdiction, oversight and due diligence in this area, EFF is calling for a moratorium on mercenary spyware. Instead, NSO is currently showing its products at the ISS World conference for spy technology in Europe, where the company is even a gold sponsor.
When it comes to human rights, there should be no national exception with regard to exports. According to Cohn, export bans are not very effective under American law. After taking a closer look, some courts were surprised at what they had approved and what actually took place. The secrecy of export licenses must therefore be broken, she said. The NSA leak also showed that interception technology can be used criminally.
See here the stream of today's hearing.