Council of Europe report calls use of Pegasus spyware by several countries potentially illegal

Several European states known to have acquired or deployed powerful foreign commercial surveillance tools have potentially used them illegally, according to a report released Friday by the Parliamentary Assembly of the Council of Europe (PACE).

The PACE's Committee on Legal Affairs and Human Rights, which produced the report, asked at least 14 European Union countries which have bought or used the tools, including the Netherlands, Germany, Belgium and Luxembourg, to “clarify the framework of its use and applicable oversight mechanisms” within three months.

Additionally, the report singles out Poland, Hungary, Spain, Greece and Azerbaijan, which have already weathered public scandals related to their use of the NSO Group’s Pegasus spyware and similar tools, to undertake “effective, independent and prompt investigations” on all confirmed and alleged cases of spyware abuse.

All Council of Europe member states must regulate the acquisition and use of spyware by law enforcement and intelligence agencies, the report said, “limiting the use of Pegasus-type spyware to exceptional situations as a matter of last resort.”

The Council of Europe was established in the wake of World War II to promote human rights and democracy. While it cannot enact laws, it describes itself as being able to “push for the enforcement of select international agreements reached by member states on various topics.” The Parliamentary Assembly is the Council’s deliberative body and its members are appointed by the national parliaments of the Assembly's 47 member states.

The PACE report asserts that member states must establish oversight structures, including by national parliaments, to monitor the acquisition and use of the spyware.

Ron Deibert, the director of the research and development institute Citizen Lab, which focuses on digital surveillance, called the report “promising” on Twitter and highlighted the fact that it “calls out Poland, Hungary, Greece, Spain and Azerbaijan on spyware abuses” and mandates that they investigate domestic spyware abuse.

On Thursday, Poland’s Senate released the findings of an 18-month-long investigation by a special commission which said the Pegasus hack of an opposition politician in 2019 featured "gross violations of constitutional standards.”

The commission said it had alerted prosecutors there of the potential for criminal charges against the Polish politicians believed to potentially have been a part of the scandal.

In a summary report of the findings, Pegasus Surveillance Committee Chairman Marcin Bosacki asserted that Pegasus was used in Poland to an “extremely aggressive degree.”