In recent years, and even before, it has been mainly activists, human rights activists and opposition members who have been attacked with mercenary spyware, reports Claudio Guarnieri. This did not happen before. This industry is flourishing. Companies like NSO are in the headlines, but even before that there was corresponding abuse with technology from other manufacturers, for example with products from German companies. Ten years ago there were already signs that journalists were being spied on, for example during the Arab Spring, and the spyware came from Europe. So the manufacturers profited from it. In 2014, the colleagues from Citizen Lab reported on Italian Trojans from Hacking Lab. They found out that Lombardy was involved and that the company received public money. Thus, the Wassenaar Agreement was also violated.
In the Finfisher example, there were exports from Germany to Turkey, but no permits or even requests for them. Al Jazeera did a good documentary on how export controls and sanctions are circumvented. This continues to happen, the surveillance industry and its networks continue to grow [see the sponsors of the ISS World sales fair in Prague, 2022]. There is a thriving market, as you can see, in Italy. There is also an industry for the discovery and trade of exploits, but we know little about that.
There needs to be more transparency for exports, licences need to be published with details of the manufacturer, country of destination and purpose of use. We need to contain an industry that was created in an old regulatory framework. There needs to be more accountability and compensation for victims. The European Union must take action here.
In the Q&A session, Guarnieri stressed the need to regulate when a manufacturer is not made aware of vulnerabilities but exploits them for spyware. Transparency rules for member states must be strengthened. Incentives for companies are probably not enough. In addition to transparency, there is also a lack of obligations. Member States and companies must be encouraged to offer victims some kind of complaints mechanism, EU legislation is needed for this. Mercenary spyware cannot be compared to other technologies, they are sophisticated tools and powers for their users, so special rules are needed. Some countries seem more active than others in manufacturing and selling, Italy seems to be a pioneer. The nine European manufacturers presented by Guarnieri in his presentation are also far from complete, they are only those companies exhibiting at ISS World this time.
Miriam Saage-Maaß reports on how lawsuits against exports of mercenary spyware either succeeded or came to nothing. The Finfisher case in Germany, however, was successful. Together with the public prosecutor in Munich, they pursued a violation of the EU Dual Use Regulation, and the prosecutors then searched flats and the company headquarters. Since the regulation came into force, the German government has not granted a licence for mercenary spyware. However, Finfisher’s software has been found in countries such as Turkey during this time. Finfisher says its spyware was not exported from the EU but from a third country, so the rules were followed. So how is the place of manufacture and export defined in the regulations?
So an attempt was made to circumvent the EU regulation. The prosecution of such incidents must become a priority. There needs to be a moratorium on exports of this software. There needs to be more transparency for exported and imported spyware. Human rights impact assessments for export licences must be introduced or improved. EU legislation must be extended to all surveillance tools. There need to be ways to compensate victims, such as human rights defenders, when their freedom of expression has been violated. We see this every day, worldwide.
Saage-Maaß concretised in the Q&A session that human impact assessments could also become a binding part of the Wassenaar Arrangement. Companies also have due diligence obligations, and they may not be aware of them. Beyond the four ECCHR cases, there are other important investigations in other countries, such as Italy and France. There, too, the activities have already led to convictions. To better prosecute the phenomenon, the definition of cyber-surveillance needs to be broadened and become as broad as possible. The EU Dual Use Regulation must also be adapted accordingly.
Jean-Philippe Lecouffe gives an overview of Europol’s work. The agency does not intercept itself, nor does it take action against criminals itself due to a lack of executive powers, so national authorities are always in charge. Europol supports cross-border investigations and provides expertise. Europol is accountable to the LIBE Committee and has its own data protection control and soon a fundamental rights commissioner. Europol has been successful in the fight against crime and terrorism, having recently presented the 2021 anti-terrorism report to the LIBE.
However, Europol is lagging behind, Lecouffe asserts: the threat is increasing, and criminals and terrorists are very clever and use new techniques to hide income. Innocent citizens are becoming victims. Law enforcement officers therefore need the latest methods and tools to combat this. As with weapons, this requires rules and regulations that must be adhered to, and abuses must be dealt with.
Lecouffe did not respond to requests to be more specific about the topic of the hearing, namely mercenary spyware. Nor does he want to say anything in response to questions about his work with the French Gendarmerie. In France, however, there have always been judicial orders for the use of spyware. These are invasive tools that must be controlled and contained within a clear legal framework. Criminals also use similar technology to infiltrate hospitals, for example, and steal data or render it unusable in order to blackmail victims.
According to Lecouffe, Europol has a certain expertise with which member states are assisted; for example, as in the case of Daphne Caruana Galizia in Malta, data from read-out telephones is used. In addition, they help with the exchange of good practices. The Innovation Lab also does research on technologies, but not on mercenary spyware. When asked, Lecouffe explains that Europol has no mandate to check in every member state which cyber tools are being used.
Lecouffe had the feeling that he was sitting in the dock here in the committee. When it was put to him that he had not answered the committee’s questions specifically, Lecouffe repeated that he had the impression that he had answered all the questions asked. However, Europol was not shirking responsibility and knew that there were problems, but that no one at EU level could deal with them.
Europol would, however, examine whether the powers of the new regulation, valid from June, to initiate investigations in member states, could also be applied to the illegal use of mercenary spyware.
Rosamunde van Brakel speaks on the use of surveillance tools by governments in the EU. More and more citizens are affected, adults and children are becoming victims of a surveillance society. It makes people lose confidence in good governance. It also causes social harm, as research has shown. Spyware like Pegasus is used to infiltrate criminal organisations. But it is also a weapon. Some authorities and agencies use Pegasus; but how and to what extent remains unclear.
Van Brakel can say something about Belgium. The Minister of Justice stated in a newspaper that the use of Pegasus by secret services would be legal, but whether it is remains open. Later, we read in the New Yorker that the police use the software. This was not confirmed to us. The federal police, however, said that the interception takes place within a clear framework, under the control of an investigating judge. In addition, it says that spyware is nothing new in Belgium, because the government has bought 30-50 Finfisher licences, according to Wikileaks. But there is no transparency and accountability, so there might not be any assessments on data protection and fundamental rights in the case of spyware. This is also what became known about facial recognition, for example. This kind of thing could lead to a loss of trust in the government.
Spyware and phone tapping are not the same, differences are quantitative and qualitative. The use of spyware is more invasive because the camera and microphone can be switched on. This also affects relatives or children of the victims. It also remains unclear to what extent the manufacturers of the spyware have access to the data, for example when they install updates. Human rights are often not taken into account when awarding contracts; instead, the cheapest provider is chosen. There are also risks such as function creep, in that the purpose is expanded. In Belgium we see this in the example of number plate recognition, which was introduced against serious crimes but is now used to prosecute tax offences. Traditional safeguards are no longer sufficient to prevent such abuse. Innovative mechanisms are therefore needed to comply with the law, and citizens must be involved. The governance framework needs to be extended to new technologies. And in a broader context, Pegasus is just one example. We also need more research and better funding. Evidence-based identifiers and studies on the use of spyware like Pegasus are needed.
When asked, van Brakel adds that this is not a new field of research; it already exists. But the regulations in the governance framework have not evolved. Research showed that harms of surveillance technologies in society were included in discussions of this framework. The EU directive on data protection in law enforcement could also be violated. Other research concludes that ethical evaluations are carried out before data protection impact assessments. Changing this is a European task.
Clara Portela wants to show options for regulation. Software like Pegasus is part of a broader surveillance toolbox that EU member states also use. What mechanisms does the EU have in place to prevent exports to countries that violate human rights and intercept citizens? It would also be possible to stop the supply of the equipment. Those who violate this could be subject to a visa ban and assets could be frozen. However, this only happens in exceptional cases, such as Myanmar or Venezuela. A new package must contain more possibilities for this. This also includes a blacklist of companies that participate in the violation of human rights. As a result, a company loses access to markets, as in the case of the US blacklist. Its reputation is also damaged.
However, the EU’s horizontal regulations do not include any such lists. They exist for the prosecution of human rights violations, cyber attacks and promotion of terrorism, and CBRN threats. But why are there not similar elements as for arms exports?
When asked, Portela stresses that the spyware in and from third countries could also be used against citizens of EU member states. These companies should be blacklisted immediately. Human rights impact assessments are also needed before export licences can be issued.
There is a lot of research on the problem. More than funding this, which the EU is doing, we need to implement the findings. It is a question of balance between law enforcement and civil rights, where do we draw the line? Where is the positive use of spyware? And how do we protect the population from abuse, how do we ensure that spyware is only used for the real purpose? Spying on journalists and activists must be prevented.
See here the stream of today’s hearing.