EU failure to rein in spyware reflects lack of political will, parliamentarian says

A leading member of the European Parliament on Wednesday condemned Europe’s governing bodies for not doing more to address rampant spyware abuses across the continent.

Parliamentarian Sophie in’t Veld, who led the European Parliament’s investigation into the use of spyware in Spain, Greece and Poland, said European governments haven’t curtailed it because they lack the political will to act.

“They know what they have to do,” in’t Veld said. “The problem is they don't want to do it.”

“They kind of like their little toy and they're very reluctant to give it up,” she added, speaking at a panel hosted by the Center for Democracy and Technology, a digital rights advocacy group.

in’t Veld also condemned Europe for exporting spyware to other countries.

A general moratorium or ban on spyware in Europe is not under discussion, said Anna Buchta, a senior official with the European Data Protection Supervisor, because many governments want to keep using the tools for law enforcement and national security purposes. That’s despite a checkered history of abuse in countries across the continent, she said.

“There is a temptation to just see this as yet another lawful intercept technology,” Buchta said. “We have tried to make the point that it's not just another tool — this is a paradigm shift.”

Commercial spyware such as the NSO Group’s Pegasus, which has been deployed against opposition politicians, journalists and other targets across Europe, “brings the intensity and the seriousness of interference with the private life to such a level that it really cannot be compared to a traditional interception of communication,” she added.

She said many European states have hidden behind language in the Treaty on the European Union (TEU), the EU's mutual defense clause, to argue that they have the right to deploy Pegasus to protect their national security interests.

But in’t Veld and Buchta questioned those assertions, with Buchta saying there is a body of case law in Europe’s Court of Justice that suggests mutual defense and national security concerns “cannot be treated as a blank check.” 

A national security threat

European spyware abuses have consistently made headlines in recent months. 

Traces of spyware were found on two phones belonging to members of the European Parliament’s Subcommittee on Security and Defense in February during a random check of devices — a practice the body instituted as a safeguard against abuse of the surveillance technology in the run-up to national elections.

Much attention is now fixated on Poland, whose national prosecutor said last month that an estimated 578 citizens were targeted with Pegasus between 2017 and 2022. 

The top official in Poland’s former ruling Law and Justice (PiS) party, which is said to have deployed the spyware on opposition politicians and others, has announced that his party members will not testify before a parliamentary commission investigating the use of Pegasus, according to local Polish news reports published Tuesday.

A leading spyware researcher whose work helped uncover the Polish scandal said the lack of action by European authorities in the face of such a widespread problem is bewildering.

“The world has been watching with puzzled wonderment as the EU continues to fall flat on spyware accountability,” John Scott-Railton, a senior researcher at Canada-based Citizen Lab, told Recorded Future News. “Can the political quagmire really be this bad?”

Scott-Railton said much of the political pressure not to ban spyware in Europe comes from those emphasizing national security concerns.

“One by one EU states are discovering that if they try to minimize the spyware issue because of inconvenient abuses it comes back to bite them as a national security threat,” he said.

However, spyware itself is a national security threat, according to David Kaye, former United Nations Special Rapporteur on freedom of opinion and expression.

Kaye said the U.S.’s framing of commercial surveillance in that light has made it the global leader in trying to contain the problem. 

In recent months, the U.S. has sanctioned the leader of the company producing Predator spyware along with entities tied to it and has implemented visa restrictions for individuals and family members of those believed to be trading in commercial spyware.

The company behind Pegasus, the NSO Group, was placed on the Commerce Department’s entities list in 2021 and two more spyware developers were blacklisted last July. Companies placed on the entities list are forced to adhere to strict licensing requirements and other rules.

Powerful commercial surveillance tools should be framed as a national security threat in order for meaningful reform to take hold, Kaye said.

“It resonates with governments in a different way when you say, look, the proliferation of these tools, without constraint, isn't merely a problem for people outside of your country or for journalists, who aren't necessarily the most popular constituency, or for politicians in some places, but it's actually also a national security threat,” Kaye said.