EU governments accused of using spyware ‘to cover up corruption and criminal activity’
European Union governments have used “spyware on their citizens for political purposes and to cover up corruption and criminal activity,” according to a new draft report from a committee of the European Parliament.
Released on Tuesday, the 159-page report was prompted by reporting from the Pegasus Project, an international journalistic collaboration, which alleged a tool of the same name sold by NSO Group had regularly been used politically, rather than for law enforcement purposes, including against officials within the EU.
The committee found there has been an insufficient response to the tool’s misuse, accusing the European Council of practicing “omertà” — a code of silence — over the abuses of spyware inside the bloc. It called for the European Commission to conduct “a comprehensive and in-depth investigation into the abuse of and trade in spyware in the EU” alongside a “full-blown inquiry into all allegations and suspicions of the use of spyware against EU Commission officials.”
The committee, which focused on “the use of Pegasus and equivalent surveillance spyware,” has no special investigatory powers, such as the ability to summon witnesses to testify under oath.
Who's who in the EU
There are three major institutions within the European Union. At the top is the European Commission, a 27-person body which effectively functions as a cabinet government. The cabinet is comprised of one person from each member state, whose portfolio is decided by the president of the European Commission. It is the only EU body which may propose new legislation.
Then there is the European Council, comprised of the heads of each member state’s government. It sets the EU’s strategic direction and political priorities, in particular by choosing the president of the European Commission.
The European Parliament is the only EU institution which has directly elected members, 705 of them currently. Although it has ceremonial precedence over the other two bodies, its members are unable to suggest legislation. However, they may reject laws proposed by the Commission or suggest amendments, and their votes are required to make any such legislation into law.
Sophie in ’t Veld, the Dutch MEP who served as the committee’s rapporteur, published the draft report on her website. She complains that no meaningful action is being taken by EU institutions to tackle the abuses highlighted by the report.
The committee chair said that the draft of the report has not been finalized and members can still amend certain aspects before it should be considered to represent “the position of the European Parliament as a whole.”
The European Commission did propose legislation in September that would protect journalists from being targeted with spyware, but that law has yet to receive the Council’s support. Even if it were enacted, it would not cover other targets of the technology.
Regulating in this area is a challenge under EU law. Article 4 of the Treaty on European Union stresses that “national security remains the sole responsibility of each Member State,” limiting the Commission’s ability to interfere in this realm.
The committee argues there are a number of existing laws that could “serve as regulatory tools with regard to spyware,” including the EU’s privacy and data protection regulations, alongside its laws on export controls for dual-use technologies. However, the report says “without proper and meaningful enforcement, EU laws are mere paper tigers that create ample space for the illegitimate use of spyware.”
In ’t Veld complained: “The spyware industry is pan-European, but the European Commission treats it as a purely national matter - leaving the defense of democracy wide open.”
Her committee’s report accuses five states of abusing or facilitating the abuse of the technology in ways that would be considered illegal under the EU’s Charter on Fundamental Rights, including Poland, Hungary, Greece, Spain and Cyprus.
These governments "represent almost a quarter of the EU population, so they carry considerable weight in the Council," the report says. A spokesperson for the European Council did not respond to The Record’s requests for comment.
Greek Prime Minister Kyriakos Mitsotakis announced on Monday that his government would ban the use of spyware following reports the technology was used on journalists and politicians, among others.
While the Commission has publicly requested clarification about these allegations from the governments of Poland, Hungary, Spain and Greece — stating that the countries cannot simply cite "national security" as "an unlimited carve out from European laws and Treaties" — the report criticized "this timid admonition" and deemed it unlikely that the Commission would engage in any further action. A spokesperson for the Commission also did not respond to a request for comment.
Numerous incidents have emerged across the EU in recent years of opposition figures and journalists being hacked in what appear to be politically charged circumstances. Many of them were uncovered by the University of Toronto’s interdisciplinary Citizen Lab, including cases in Hungary, Spain’s Catalonia region, and Greece.
Reuters reported in April that senior officials at the European Commission itself had also been targeted by spyware provided by Israeli vendor NSO Group, which was sanctioned by the U.S. last November, partly for being used to target journalists and other illegitimate targets. The company has denied that officials could have been targeted by its tools.
Correction: An earlier version of this story stated that Sophie in 't Veld is the chief of the committee. She is the committee's rapporteur.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.