Pressure grows for EU to take action on Pegasus spyware

25 Feb 2022

Image: © flipppi/Stock.adobe.com

Experts, investigators and victims of Pegasus recently shared their insights on the controversial spyware, while members of the EU Parliament are calling for an inquiry.

The EU’s data protection watchdog recently called for a ban on the development and use of Pegasus spyware following revelations of its potential impact on privacy rights.

The European Data Protection Supervisor (EDPS) said the use of military-grade spyware such as Pegasus could cause “unprecedented risks and damages” to the rights and freedoms of individuals, as well as to democracy and the rule of law.

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy,” the EDPS said in a report published on 15 February. “This fact makes its use incompatible with our democratic values.”

Following a European Parliament discussion on the matter that same day, the European People’s Party (EPP) said a majority of MEPs are in favour of launching an inquiry committee to look into the illegal use of the Pegasus spyware.

Pegasus was developed by Israel’s NSO Group, which creates surveillance technology that can be used to track targeted iOS and Android users. NSO claims its products are used by government intelligence and law enforcement agencies to prevent and investigate serious crime and terror incidents.

But the group made headlines last year when an investigation claimed the Pegasus spyware was abused and used to target journalists, activists and government officials.

The Pegasus spyware can infect the phones of targets through a variety of mechanisms, such as a message that provides a link to a website and, if clicked, delivers malware to the device.

‘Canary in the coal mine’

A public hearing arranged by the EPP took place on 10 February where experts, investigators and victims of Pegasus shared their insights on the controversial spyware.

At the hearing, Roman Giertych, the lawyer of Polish politician Donald Tusk, described his experience of being targeted through the spyware. Citizen Lab, the Canadian research group that has helped uncover Pegasus abuses, said last year that Giertych’s phone was first hacked in September 2019.

Giertych believes he was not the main target and was being hacked as a means to get to Tusk. At the time, people were waiting to see if Tusk was going to run as a presidential candidate in Poland, and Giertych claimed that Poland’s ruling PiS party wanted to find out more information.

Last month, the leader of PiS confirmed that the Polish government has access to Pegasus spyware, Politico reported, but denied that it was used against political opponents in the 2019 election campaign.

Giertych referenced John Scott-Railton from Citizen Lab by saying the spyware is the “canary in the coal mine, pointing to a far greater danger”.

Who is using Pegasus in the EU?

Last year, more than 80 journalists from 17 media organisations in 10 countries were involved in an investigation called the The Pegasus Project. The group was led by Paris-based media non-profit Forbidden Stories with technical support provided by Amnesty International.

Speaking at the EPP hearing, Forbidden Stories director Laurent Richard and editor-in-chief Sandrine Rigaud said they came up against an “unprecedented espionage operation in a number of countries” using Pegasus software from the NSO Group.

According to Forbidden Stories, NSO Group has said many of its clients are within the EU but no member states confirmed using Pegasus during its investigation. Since then, leaders in Poland and Hungary have admitted to purchasing the spyware.

Richard said the team saw “thousands” of victims who had their data stolen by security services. “All of these people are considered dangerous to certain powers, be they human rights activists, be they because they’re seen as threats to a regime,” he said.

He added that Forbidden Stories will continue its investigation to see what sort of control checks are in place by security groups using Pegasus spyware.

NSO previously said the Pegasus Project report is full of false accusations, wrong assumptions and uncorroborated theories.

“Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims,” said the issued response last year.

Rigaud also said that the most recent iPhone updates have not prevented victims from being hacked. Last September, Apple issued an urgent update to address a security flaw that could be exploited to infect iOS devices with the Pegasus spyware.

In November, Apple then filed a lawsuit against NSO Group in a bid to “hold it accountable for the surveillance and targeting of Apple users”. The tech giant was seeking to permanently ban the group from using any Apple software, services or devices.

How is NSO Group involved?

Citizen Lab senior researcher Bill Marczak said at the hearing that the big question regarding Pegasus is “who exactly gets to see the information extracted from the phones”.

Marczak said any future investigations or regulatory effort should look into the “ongoing role” of the NSO Group, rather than focusing on just the technology.

“A tool like Pegasus is mostly useless without constant updates, maintenance and help from NSO. And of course there is a whole ecosystem of other entities that support NSO including companies that sell software and hardware to NSO, including exploits to break into phones, and let’s not forget the investors that sustain the company.

“Lets also keep in mind that NSO Group is not alone in this industry,” Marczak said.

Last December, it was reported that NSO Group was considering options to sell the company or shut down its controversial Pegasus unit amid international backlash. A month before, the group was blacklisted by the US Chamber of Commerce for enabling “transnational repression” with its spyware tools.

What will the EU do next?

At the European Parliament plenary session earlier this month, MEPs discussed the findings that suggest certain EU governments have used Pegasus spyware on journalists, politicians and others. Dutch MEP Jeroen Lenaers said the issue is not about countries being allowed to use technology to fight organised crime and terrorism, but about the rule of law.

“This is about the abuse of technology for political gain and about the complete absence of checks and balances,” Lenaers said.

The Greens/European Free Alliance group president and Belgian MEP Philippe Lamberts, added that the Pegasus scandal reveals “nothing less than the illegal and abusive use of cyber surveillance weapons against our fellow citizens”.

“The EU has stood by on the issue of surveillance for too long,” Lamberts said in a statement. “Silence and inaction are no longer possible in the light of the allegations that EU member states such as Hungary are utilising surveillance tools against citizens.

“This is why we are calling for an inquiry committee to expose the extent of these illegal hacking practices,” he added.

The EPP said it is planning its own “fact-finding mission” to Poland to map out the full scope and consequences of the use of Pegasus, planned for next month.

“The terms and the mandate of the parliamentary committee looking into the Pegasus scandal are still being negotiated by the main political groups in the European Parliament,” the EPP said in a statement earlier this month.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com