ARGUMENT: REGULATING SPYWARE

PEGA Committee Votes on Spyware Recommendations

Published 17 May 2023

In July 2021, the Pegasus Project—a consortium of 80 journalists from 17 media organizations in 10 countries—broke the story that several governments were using the Israel-made Pegasus spyware against journalists, activists, politicians, academics, and even heads of state. Responding to the public backlash, the European Parliament set up a committee of inquiry (PEGA committee) to investigate the allegations concerning misuse of spyware on the continent.

In July 2021, the Pegasus Project—a consortium of 80 journalists from 17 media organizations in 10 countries—broke the story that several governments were using the Pegasus spyware against journalists, activists, politicians, academics, and even heads of state. Eugenia Lostri writes in Lawfare that the Pegasus Project rested on a massive data leak, which revealed more than 50,000 potential surveillance victims. The investigation identified several of NSO Group’s clients who went after unseemly targets, including both authoritarian regimes and democracies.

She adds:

Following the public backlash over these revelations, the European Parliament set up a committee of inquiry (PEGA committee) to investigate the allegations concerning misuse of spyware in the region. Established in March 2022, and launched in April of that year, the committee was tasked to look into “contraventions, or maladministration in the implementation, of Union law, resulting from the use of the Pegasus and equivalent surveillance spyware.” Its mandate included the collection of evidence on how its member states, and in particular Poland and Hungary, may have been violating human rights and freedoms via spyware. On May 8, the committee adopted its final report and recommendations after a year of work.

….

In addition, the PEGA committee conducted investigatory missions to Hungary, Spain, Greece, Cyprus, and Poland in order to discuss how spyware was being used by public authorities and what oversight and redress mechanisms were in place. During these missions, committee members met with public officials, members of the judiciary, victims of spyware, and representatives of civil society. They also conducted a mission to Israel, to “gather information and facts, both as regards private companies that produce and sell the main spywares (notably ‘Pegasus’) and from public authorities that deliver licenses and exercise control over their use, in order to better understand the nature and the functioning of the matter.”

Now, slightly over a year later, the committee has approved its final report and issued recommendations.

In Poland and Hungary, the two nations explicitly included in the committee’s mandate, the committee found systemic issues and accused the governments of having “dismantled independent oversight mechanisms”: in Hungary, with the objective of repressing freedom of expression, and in Poland, as a way to repress the opposition and government critics. Both countries are called upon to “comply with European Court of Human Rights judgements and restore judicial independence and oversight bodies.”

In Greece, concerns lie with “weakened safeguards” that have allowed both the use of spyware “against journalists, politicians and businesspersons” and its export “to countries with poor human rights records.” However, the committee did not find the use of spyware “to be part of an integral authoritarian strategy, but rather a tool used on an ad hoc basis for political and financial gains[.]” The committee calls on the Greek government to strengthen its framework and align its export licenses with the EU legislation. Cyprus was mentioned as a conduit for unchecked export of surveillance tools to authoritarian regimes. In Spain, by contrast, concerns are limited to ensuring that the investigations over the misuse of spyware are conducted independently. Particularly, the committee asks that victims be provided “real legal remedies.”

Among the committee’s recommendations:

·  Stronger regulation and the creation of an EU Tech Lab.

·  Export controls

·  A joint EU-U.S. spyware strategy.

·  Developing “common rules on marketing and exportation” with countries such as Israel

·  The EU ensures that its development aid is not used to acquire and use spyware

Lostri concludes:

Progress is iterative, and it is certainly a testament to the tireless work of a strong civil society that this issue has broken through the noise and become a central focus for protecting human rights. Although the PEGA committee report may not go as far as calling for a ban on spyware, it is reassuring to see the report join the repository of thorough investigations on the impact of spyware on fundamental rights.