EU privacy watchdog wants Pegasus spyware banned

The European Union Data Protection Supervisor (EDPS) has urged EU officials to ban the use and deployment of the Pegasus commercial spyware across Europe, citing unprecedented risks and damages to personal freedoms and the rule of law across Europe.

Developed by Israeli software company NSO Group, Pegasus is a powerful spyware strain capable of infecting both Android and iOS devices.

The tool is sold as part of a surveillance-as-a-service package that can infect users, retrieve data from their devices, and monitor their movements and online activity in real-time.

Since its launch as a commercial product in the early 2010s, NSO Group has claimed that it has only sold the tool to official law enforcement agencies.

However, despite the agency's claims, all recent investigations have found the Pegasus spyware on the phones of countless journalists, political figures, dissidents, and activists in tens of countries, ranging from oppressive regimes but also western democracies.

Recent cases of Pegasus infections found outside the scope of regular crime-fighting investigations have found the spyware deployed on the phones of politicians and activists in Hungary, Poland, El Salvador, Finland, and Israel.

In the light of recent cases of irregular use of the Pegasus spyware, the EDPS, which is an independent authority that advises EU lawmakers on data protection and privacy topics, has called on them to ban the use of the software inside EU countries.

The EDPS cited the spyware's advanced features, its ability to obtain unrestricted access to phones, and its zero-click infection capabilities as the main reasons for its decision, 

The EU data protection watchdog said that a tool as advanced as Pegasus should not be allowed to be used inside Europe without any restrictions or supervision, which encourages abuse from NSO's customers.

The EDPS left a door open for the tool's deployment but asked the EU to better oversight of its criminal and national security procedures, which are the legal mechanisms through which Pegasus has been deployed in the past.

" 'National security' cannot be used as an excuse to an extensive use of such technologies nor as an argument against the involvement of the European Union," the EDPS said in a set of preliminary remarks today.

The EDPS' call for the ban of the Pegasus spyware comes after the US sanctioned the NSO Group last year after it found the company had allowed its tool to be used by oppressive regimes to commit human rights violations.

Weeks later, Apple also filed a civil lawsuit against NSO Group, asking a judge for an injunction to prevent the Israeli company from developing new exploits for its devices.

Historically, the NSO Group has constantly claimed it only sold its tool to foreign governments and law enforcement agencies and that it did not know or was responsible of how its customers used the tool, a claim that was countered by security experts who studied the company's Pegasus surveillance platform.