Results of the Independent PEGA Mission from 24 – 27 October 2022 in Madrid and Barcelona
While the Spanish national government is obstructing any clarification on the biggest European spy scandal, numerous NGOs and lawmakers are working on it. We heard shocking testimonies on this matter. The 65 known Pegasus victims are only the tip of the iceberg. Many more people are affected, even abroad. Any control of spying programmes, whether in parliament or through the judiciary, is proving impossible. The scale of this affair is shaking the foundations of democracy in Europe as well.
The phones of at least 63 people were attacked with the Pegasus spy software in Spain and its regions between 2015 and 2021. 51 successful attacks could be proven on their phones. This was the result of forensic investigations by the Canadian institute CitizenLab, which were published in April 2022. Attacks against the other 12 phones via SMS or WhatsApp, however, could not be confirmed beyond doubt forensically.
According to the investigations, 4 other people were infected with a Trojan programme by Candiru, also an Israeli manufacturer, which has similar functions but targets computer systems. At least two people were attacked with both programmes. Since the forensic tools used by CitizenLab predominantly detect infections on iOS devices, the number of people actually affected could be significantly higher.
The revelations came in July 2020, after WhatsApp had notified 1,400 users affected by the vulnerability exploited with Pegasus in Spain about the attacks. Some of them had already experienced anomalies on their devices at that time. After the publication by WhatsApp, CitizenLab offered victims in the Spanish state the opportunity to submit their phones for forensic and technical analysis. Many victims agreed to be named in a report, while others wanted to remain anonymous.
Persecution for political motives
The Pegasus malware comes from the Israeli NSO Group, which claims that it is sold exclusively to state agencies. The CitizenLab report did not clearly attribute the attacks to a specific actor, but noted that numerous indications point to the Spanish government. We were able to substantiate this suspicion during the mission. If the known attacks are plotted on a timeline, it becomes clear that the Spanish state was simultaneously carrying out further repression against the people and organisations concerned with the Catalan independence movement.
The victims were persecuted for political reasons. As far as is known, 15 politicians were attacked, including 4 former or current Catalan state presidents, 4 lawyers, 3 journalists, 3 political parties, 3 Members of the European Parliament as well as members of at least 2 civil society organisations. Also amongst the victims are the co-founders of a company that designed a censorship-resistant, secure digital voting system.
Government also allegedly hacked with Pegasus
A few days after the mass espionage in CatalanGate became known, the Spanish government also declared that it had been attacked with Pegasus. According to this statement, corresponding traces from the previous year were found on the mobile phones of the Prime Minister Pedro Sánchez, the defence minister Margarita Robles and the interior minister Fernando Grande Marlaska. According to reports, the Foreign Minister was also affected, but this has not been confirmed. However, several concerns were raised during the mission about the timing of the government’s announcement about their own attacks. This was described as a ‘smokescreen’, according to which the government wanted to make itself a victim after CatalanGate.
It remains unclear where the attack originated, but it is suspected that Morocco is behind it. The government there is said to have received Pegasus as a gift from the United Arab Emirates. The targeting is currently being investigated by the highest criminal court in Spain, the Audiencia Nacional. However, it is doubtful whether the case will be seriously pursued. The relationship between Spain and Morocco is currently not considered to be troubled, and Morocco is also needed for migration defence. The intelligence cooperation between Spain and Morocco has been good since the attacks in Madrid in 2004.
Fake SMS with personalised information
CitizenLab was able to secure approximately 500 relevant data sets (points of data), including around 300 SMS messages in which the people concerned were asked to click on a link. In some cases, one user received 50 such SMS messages on one device.
The SMS messages that were sent to the victims contained personalised information designed to prompt the person to click. Examples include alleged links to organisations like Human Rights Watch, to newspapers like The Guardian or Politico, or to tax and social security matters on which the person concerned was actually waiting for a message.
Not all suspected devices could actually be examined forensically. For example, the attacked MPs had to return their official devices after the end of their legislative term.
In some cases, family members, partners or close associates were infected with the governmental malware, as part of „off centre targeting“ or „relational targeting“. This happened, for instance, where the primary targets were careful about carrying their own phones for security reasons, or had US phone numbers, which could not be attacked by NSO software due to hard coding.
Analysis also by Amnesty International
In addition to CitizenLab, Amnesty International’s Tech Lab has also developed a tool for the forensic investigation of Pegasus infections. Unlike CitizenLab, Amnesty has made this „Mobile Verification Toolkit“ (MVT) publicly available for download; it is said to have found even more infections. This MVT may have helped in the discovery of the alleged attacks on government officials‘ phones. However, the Pegasus programmers can use the openly available MVT to programme new versions of their malware so that it is no longer detected by it.
CitizenLab’s investigations led to a safeguard against further attacks. For example, a victim handed over his infected computer to the institute, which was able to track a Candiru attack in real time and pass on the exploited vulnerability to Microsoft. The resulting patch protected the devices of 1.5 billion users from further attacks.
Illegal „transnational targeting“
Some of those affected were temporarily or permanently outside Spain at the time the attacks became known, for example in France, Belgium, Switzerland or Germany. For instance, in 2018, when Carles Puigdemont was arrested in Germany, his phone was attacked via relational targeting, probably by the Policía Nacional. A new phone he was using on German territory was also hacked.
In most cases, it is not known whether permission for this „transnational targeting“ was obtained from the responsible security authorities in the countries concerned, or whether they were at least informed about the surveillance measure. If this was not done, it was an illegal measure on the territory of another, sovereign state. As far as Germany is concerned, as far as is publicly known, no such request was made to the competent police authorities, nor were they informed.
No permission for secret service
According to Article 588bis of the Criminal Procedure Act (Ley de Enjuiciamiento Criminal), the use of spyware for remote surveillance is allowed for the police on Spanish territory. This applies to both the Policía Nacional and the Guardia Civil. However, during the mission, victims were critical about the scope of the data collected under 588bis because it was far too extensive and disproportionate. For the Catalans, applications for surveillance were made either to the Supreme Court (Tribunal Supremo) or to the Audiencia Nacional, a special court for the prosecution of serious crimes such as terrorism. Central Court number 6, with Judge Manuel García Castellón, is responsible for orders filed there.
However, there is no corresponding law for the Spanish Secret Services, Centro Nacional de Inteligencia (CNI), which acts as both a domestic and international intelligence agency and justifies its operations with a threat to „national security“. The use of Pegasus even with a court order is therefore illegal. After CatalanGate became known, the head of the Services, Paz Esteban, was removed, but not due to surveillance against Catalans. Instead, it was for failing to prevent the service’s alleged espionage against the three members of the Spanish government.
Privatisation of surveillance
In 2008, the Spanish secret service developed its own spyware, but it was detected by antivirus software from the manufacturer Kaspersky. As is well known, they wanted to purchase Pegasus, but at the time it was considered too expensive. Even today, the Spanish state does not have a well-known spyware industry like Italy, Germany or Israel, and the country is lagging behind in terms of forensic technology. That is why the authorities buy the software and corresponding services from abroad.
The problem with obtaining malware like Pegasus or Candiru is also the privatisation of surveillance. Many victims in CatalanGate voiced this criticism, as it entailed, for example, that the NSO Group was contracted to carry out the spying.
Secret parliamentary commission does not monitor
In the Spanish Parliament, the ‘Official Secrets Commission’ is a special commission tasked with controlling, among other things, surveillance spyware. However, this commission does not meet regularly, as is the case in other EU countries. A meeting that was convened once for CatalanGate took place in secret. Contrary to previous practice, each parliamentary group was allowed to send a representative there. At the meeting, the head of the secret service, who had been fired, was allegedly summoned to provide documents to prove the measures taken against a total of 18 persons who had not been named. These documents were only shown and not distributed.
Results of the meeting were not officially communicated. The Spanish state apparently did not want to take responsibility for all the other surveillance measures against at least 47 other people, as identified by CitizenLab. These measures could involve the police authorities. Members of the Control Commission were also not allowed to report on this, but are said to have been intimidated by the findings presented there.
Judges not aware of spyware products
If a judge is to issue an order for the use of Pegasus or Candiru, he must know the product and its capabilities. This is also necessary for legal certainty, so that once a measure has been completed and made public, those affected can challenge it in court or classify the evidence allegedly obtained about it. However, two classified applications for such a surveillance measure, which could be viewed by the Independent PEGA Mission, showed the opposite. No names of mercenary spyware manufacturers or products were mentioned in them.
Instead, they listed the capabilities desired in the surveillance operation, including remotely scanning the entire file system, taking screenshots, reading communications and activating the microphone. In the two applications at hand, activation of the mobile phone's video camera was not requested. The Policía Nacional wanted to use spyware to pursue alleged terrorism, while the Guardia Civil wanted to investigate rebellion and sedition. The Independent PEGA Mission was unable to determine whether the applications were granted.
Secret law from the Franco era
The secrecy of espionage with Pegasus & Co is based on the secret law (Ley de Secreto), which dates from 1968 and thus from the Franco era. There is no automatic declassification of documents, for example after a certain period of time. Only the Council of Ministers can decide on this.
Therefore, there are still hundreds of thousands of secret documents in the archives. The current government coalition did plan a bill to rewrite the law; a draft came from the Social Democratic Prime Minister’s Office. After two years, however, there was no agreement on automatic declassification, because the proposed period of 50 years would be very long; moreover, it remains unclear which documents would be declassified at all.
Courts do not investigate
Around half of those affected have reported the attacks to a total of six different local courts in Barcelona and one in Madrid as of July 2020. However, the cases are not combined by the judges, although there is an obvious connection. The investigating authorities remain largely inactive and, as in the case of Court 32, have only sent a single letter to the government in Israel. In one case, it became known that a judge was critical of the Catalan independence movement on Facebook; he was subsequently replaced. Only the court in Madrid, in its case involving a lawyer, found that the attorney-client privilege had been violated. However, another, larger number of those affected were meeting with lawyers at the time of the attacks.
Many of those politically persecuted with Pegasus do not trust the Spanish judiciary and therefore do not want to hand over their mobile phones to the courts for investigative purposes as requested. Instead, they prefer to find their own forensic experts or expert witnesses, such as CitizenLab or Amnesty International. It is feared that this could lead to the dismissal of charges.
Judicial „high-speed train“ for alleged government hack
The investigative eagerness is different in the alleged government hack, whose attacks on Sánchez, Robles and Marlaska are being prosecuted by the Audiencia Nacional in Madrid. Ministers are being heard as witnesses; the investigating judge José Luis Calama even wanted to travel to Israel and complained about months of inactivity by the authorities there. This was described to the Mission as a judicial „high-speed train“.
However, the Audiencia Nacional is not investigating the attacks on people affected by CatalanGate, even though the attacks were directed against elected politicians in the exercise of their office. It could even be argued, we heard, that the Catalan referendum was an election campaign that could not be held freely. It would therefore be important to establish exactly when the mercenary spyware was used.
Doubts about the independence of the judiciary
Often, we were able to detect a widespread scepticism about the independence of the Spanish judiciary. Some interlocutors even spoke of a „deep state“, for example because intercepted material is leaked to the media. In general, therefore, a problem with the separation of powers is criticised. Because democracy in Spain is based on territorial unity according to the constitution, any independence movement can be described as terrorism, sedition or rebellion.
The judicial system, an important pillar of a democratic state, has however not undergone a transition everywhere after the end of the Franco regime. Judicial networks with parties or families are criticised, and high-ranking judges form an elite. For this reason, the procedure for appointing judges in the future must be changed. In the case of Pegasus, most measures were approved by only one judge. This judge, who also issued orders against Catalan self-determination efforts, is now to become a constitutional judge.
Research made more difficult
Journalists complained to the Independent PEGA Mission that their research is often difficult. The legislation hinders the investigation of scandals like CatalanGate, because important facts are subject to secrecy. Parliamentary questions are also hardly answered.
Non-governmental organisations working on human or civil rights are also fobbed off accordingly. Some ministries do not even answer such questions. This also applies to the Transparency Authority. Such a lack of interest is also noted in the case of the Ombudsman Ángel Gabilondo, who made a very disappointing report on CatalanGate, in which he even supports the government.
Government refuses to meet with Mission
The government was also tight-lipped about the Independent PEGA Mission. Requests for meetings with the Minister of the Interior, the Minister of Defence, the intelligence service CNI or the General Director of the Guardia Civil were either refused or not even answered. The Ministry of the Interior told the Independent PEGA Mission to check the facts on its website. This is a disregard for parliamentary scrutiny. The same applies to the Spanish Ombudsman, who was unable to meet.
The organisations and individuals heard by the Mission criticise the fact that the Spanish government has still not sent a corresponding report to Brussels after the EU Commission requested it. In Catalonia, attention is also drawn to the fact that the former Minister of the Interior, Juan Ignacio Zoido, who was responsible for numerous surveillance operations with Pegasus, as an MEP is today obstructing a mission of the PEGA Committee to Spain.
Intelligence cooperation with Morocco and Israel
The government in Madrid is also not pushing for a comprehensive investigation in Israel. Spain could take legal action against the NSO Group, for example. The alleged espionage against the Spanish government from Morocco is also only half-heartedly pursued. The government in Paris, like the governments in the USA and Great Britain, had ensured that Pegasus could no longer be used to carry out attacks against French telephones. It was pointed out to the Independent PEGA Mission that neighbouring France has made the matter much bigger at the diplomatic level; this has also led to a crisis between the two governments in Paris and Rabat. Instead, the newly appointed Spanish intelligence chief after CatalanGate has already met with his Moroccan counterpart in Rabat.
Morocco’s police and intelligence cooperation is also said to be good with Israel. The secret service there is arming the government in Rabat in the fight against self-determination. Morocco uses Israeli drones for targeted killings of activists even in Algeria. A drone base with electronic reconnaissance is said to be located near Melilla.
Regional government in Catalonia sets up its own inquiry
CatalanGate is seen in Catalonia as an unprecedented attack on private telecommunications and possibly the biggest cyber-spying scandal in Europe in the 21st century. The exact number of people affected is not known; it could be hundreds or thousands, targeted by both the police and secret services. However, not even the Catalan politicians have been contacted about this by the national government in Madrid, nor has the ombudsman.
On three different occasions, the Unidas Podemos group (Podemos, Izquierda Unida, the green party Equo and other smaller left parties) has suggested setting up a parliamentary committee of inquiry in the national parliament (Congreso de Diputados). This has always been rejected by the Popular Party, the Social Democrats and the Vox party. The explanation given was that there exists a Control Commission for this. This is one of the reasons why the regional government in Catalonia has set up a committee of inquiry into Pegasus.
Victims want acknowledgement
Mercenary spyware is extremely invasive. The loss of their personal data deprives the victims of their right to privacy. The Mission was able to ascertain this during its interviews with all those attacked. The attack on privacy also affects family and friends, whose communications also fall into the hands of the state. This contradicts the principle of proportionality.
These victims showed an extraordinary need to speak out. Their demands are for justice, legal accountability, transparency (including on mercenary spyware expenses) and compensation. But first, in the spirit of democratic oversight and privacy, the authorities should disclose where and how private photos of the victims were obtained and used.
Democracy also affected as a whole in the EU
It is not only a person’s life and privacy that is probed with malware such as Pegasus or Candiru. The victims also see democracy in the European Union as a whole affected. They point out that particularly in Spain, not all state officials are part of a democratic tradition. These anti-democratic forces used mercenary spyware to intimidate political movements.
On the question of whether mercenary spyware should be regulated or banned, the Mission heard different opinions. If, as in the Spanish state, the separation of powers could not be trusted, only a ban would help. Other voices, especially among non-governmental organisations, however, call for more checks and balances on the use of Pegasus & Co. A proposal for this can be found in the Geneva Declaration on Targeted Surveillance and Human Rights, which is also supported by the Catalan regional government.
MEP Cornelia Ernst and staff
Brussels, 28 November 2022
The Independent PEGA Mission met with:
Elies Campo; CitizenLab Fellow (victim)
Antoni Abat (victim), Sergi Duran, Ada Ferrer, Elisenda Paluzie (victim), Joan Torres, Sonia Urri; Assemblea Nacional Catalana
Meritxell Serret, Minister for Foreign Action and European Union (victim)
Albert Batet, President of the JxCAT, member of the oversight committee about the use of Pegasus
Josep Rius, Deputy at the Catalan Parliament, member of the oversight committee about the use of Pegasus
Jordi Orobitg, Deputy at the Catalan Parliament
Montserrat Vinyets, Deputy at the Catalan Parliament, Board member of the oversight committee about the use of Pegasus
David Cid, Deputy at the Catalan Parliament, spokesperson of the parliamentary group of ECP
Mauricio Valiente, Izquierda Unida
Enrique Santiago, Partido Comunista de España, State Secretary
Javier Sánchez Serna, Podemos