Friday, January 27, 2023 | Back issues
Courthouse News Service Courthouse News Service

Europe’s got a big, creepy spyware problem – and it’s going unchecked

Journalists and digital experts are uncovering large-scale domestic spying in European Union countries with hackers targeting the smartphones of journalists, lawyers, politicians and activists. It's been dubbed “Europe's Watergate,” but the EU's response has been to look the other way.

(CN) — It's a chilling thought: The specter of Stasi-like government surveillance is back in Europe and yet the European Union's leaders are ominously silent about a mushrooming of spyware across the bloc.

The accusation of widespread and illegal spyware use is leveled by a European Parliament committee that's spent the past nine months probing how several European governments have spied on a range of individuals – politicians, journalists, lawyers, activists and business people – by hacking their smartphones under the guise of national security.

“The more we inquire, the bigger we see this issue is,” said Saskia Bricmont, a Belgian Green party parliamentarian and member of the PEGA committee, the panel investigating spyware.

“It's related to business, to the political level,” she said in a telephone interview. “It touches on the independence of the judiciary; it touches on access to justice for victims.”

It's a murky world connecting power brokers, spy agencies, police forces, technology experts, mercenary intelligence agents, money and corrupt governments.

The scale of spyware abuse remains far from known, but the committee's 159-page draft report paints a disturbing picture of a largely unregulated market of spyware tools being sold by companies in the EU and deployed by EU governments. Spyware is very expensive, costing millions of dollars to purchase.

The report asserted it can be “safely assumed” that all 27 EU nations “have purchased one or more commercial spyware products” and that Europe has become a hub for spyware exports to countries with dreadful human rights records.
Four countries – Poland, Hungary, Spain and Greece – are accused of engaging in illegal spyware use by hacking the phones of journalists, politicians, lawyers, activists and others. In Poland, Hungary and Greece, the phones of a range of government adversaries were allegedly hacked; in Spain, politicians, activists and others involved in Catalonia's drive for independence were alleged targets.

At least 14 of the 27 EU countries purchased Pegasus spyware, a highly sophisticated program developed by NSO Group, a major Israeli security firm with links to Israel's military intelligence, the report said. NSO has branches in Bulgaria and Cyprus.

Pegasus was designed to easily take over smartphones and extract all their contents without the individual who's targeted even making a single click, a so-called “zero-click attack.”

A massive scandal over Pegasus erupted in July 2021 with the release of a blockbuster report by a consortium of journalists and Amnesty International. The consortium's reports were based on a leak of more than 50,000 phone numbers allegedly spied on by governments around the world that purchased Pegasus.

Amnesty International reported that its forensic researchers had determined that four days after the killing of journalist Jamal Khashoggi, NSO Group's flagship Pegasus spyware was successfully installed on the phone of his fiancee, Hatize Cengiz, pictured here in Istanbul last year. (AP Photo/Emrah Gurel, File)

The investigation found governments were using Pegasus to not only spy on suspected criminals and terrorists but also on journalists, human rights activists, lawyers, politicians, academics, business people, members of royal families and even the heads of state, including French President Emmanuel Macron, the consortium said.

More revelations arrived.

In December 2021, Citizen Lab, a University of Toronto-based research group that investigates digital espionage, and Meta, the parent company of Facebook, reported on their findings about Predator, a cheaper version of Pegasus sold by Intellexa, a company founded by Tal Dilian, a former Israeli intelligence officer who'd set up business in Cyprus before he moved his operations to Greece.

In the parliamentary report, other spyware companies come to light too: In Austria, there's DSIRF, a large spyware provider with close ties to former Chancellor Sebastian Kurz; Tykelab is an Italian spyware company; FinFisher, now defunct, operated from Germany; in Lithuania, Anatoly Hurgin, an Israeli-Russian former Israeli military engineer and co-developer of Pegasus, has set up a suspected spyware company called UAB.

The parliamentary report charges that the spyware market has thrived in the EU's open markets and border-free zone that's allowed opaque companies to take advantage of favorable banking and tax regimes inside the EU while also an exporting spyware to countries, including dictatorships, around the world.

ADVERTISEMENT

For the EU, which likes to boast that it's a beacon of liberal democracy and a standard-bearer for human rights, these revelations about its own governments spying on their citizens are deeply damaging.

The use of spyware by governments on persons who aren't threats to national security – suspected terrorists, violent criminals, foreign spies – is an illegal practice that violates core democratic principles: The right to privacy, the right to freedom of expression, the right to property, the right to a fair trial and other fundamental human rights laws.

“What's at stake here is not just the privacy of individuals but our democracy and our free society as a whole,” said Sophie in ’t Veld, a Dutch parliamentarian with the liberal Renew Europe party and the PEGA committee's rapporteur, during a news conference last November in Athens.

The committee went to Greece and Cyprus as part of its investigation. Lacking powers to summon officials under oath and obtain access to financial documents, the PEGA committee's ability to dig deep into government actions has been severely restrained. Under EU treaties, the European Parliament lacks full investigative powers.

In its visits to Poland and Greece, the PEGA committee's requests for information and interviews with key officials were snubbed. In Poland, the government even refused any cooperation with the committee.

After more than 18 months of revelations since the Pegasus expose, there have been few repercussions for individuals and governments accused of spying on innocent European citizens.

Investigations have been opened in countries accused of illegal spyware use, but as yet no criminal charges have been filed and those probes have lacked seriousness, Bricmont said.

“As far as I know, no conclusive investigation has been made so far and in some countries there are real issues related to the independence of the inquiries,” Bricmont said.

Only two government officials – the head of Greece's intelligence service and a top aide and relative to Greece's prime minister – have lost their jobs over spyware allegations.

The European Commission, the EU's executive branch, has been mostly silent about the scandals, even though its own staff and members of European Parliament, known as MEPs, allegedly have fallen victim to government spying.

“What happens when MEPs are being targeted by national spying agencies? Isn’t the commission’s responsibility to protect them?” said Georgios Samaras, a Greek-born political scientist at King's College London, in an email.

(fancycrave1/PixaBay via Courthouse News)

He said the EU must punish governments that spy on their citizens with sanctions.

“If the use of hacking spyware is normalized, it could result in serious and more widespread distribution of Predator and Pegasus,” he said. “State surveillance is not acceptable in democracies.”

In an email, the European Commission said it was cooperating with the PEGA committee and that it had “provided answers to several questionnaires” from parliament.

It added that national governments, not the EU commission, are in charge of matters concerning national security and that national authorities are empowered to investigate allegations of illegal spyware surveillance.

“They are competent to safeguard their national security and must oversee and control their security services to ensure that they fully respect fundamental rights, including protection of personal data, the safety of journalists and freedom of expression,” the commission said.

The commission's press office also pointed out that the executive branch is pushing new rules to safeguard journalists from spyware and to require smartphone manufacturers to fix vulnerabilities that allow spyware to hack phones.

But Bricmont decried the commission for inaction, saying the extent of its involvement has been to send letters to Poland, Hungary, Greece and Spain asking for more information about their use of spyware.

ADVERTISEMENT

“Basically the answer the commission got was that if it has been done, it has been done under national security reasons, so secrecy prevails,” Bricmont said. “Nothing to see here. And the commission has apparently been satisfied with those answers.”

The commission declined to provide Courthouse News with copies of the correspondence it had with the four countries, citing confidentiality.

Meanwhile, Europol, the EU's police agency, is not investigating the allegations despite calls from the European Parliament to do so, according to Bricmont.

“We fear that evidence might be deleted on purpose by the secret services or the governments,” she said. “We want Europol to secure the evidence, but so far Europol is mainly acting on demand of the member states.”

Europol did not answer a query from Courthouse News.

“There is obvious political unwillingness to intervene,” Bricmont said.

Meanwhile, the governments accused of spying have provided very little information about their purchase and use of spyware. Information about what has been collected from individuals' phones has not been disclosed, Bricmont said.

Lawsuits over spyware have been launched in SpainGreece, Poland and Hungary, but those cases are only at the opening phases and done little to open government files and shed light on individual cases.

In its report, the PEGA committee makes an ominous comparison to the use of spyware today to the pervasive spying conducted by communist East Germany's Stasi with its hundreds of thousands of employees and informants.

“The scandal was quickly labeled 'Europe's Watergate,'” the report said. “However, rather than the political thriller 'All the President's Men' about the burglary into the Watergate building in 1972, today's spyware scandal is reminiscent of the chilling movie 'Das Leben der Anderen' ('The Lives of Others') depicting the surveillance of citizens by the totalitarian communist regime.”

"The Lives of Others" was a 2006 German film about the Stasi's monitoring of East Germans.

The comparison to the terror of the Stasi may seem like an exaggeration, but the report says governments in Poland, Hungary and Greece have made spying on opponents and critics part of their governing strategy.

In the cases of Poland and Hungary, the report says there are suspicions the far-right and ultra-nationalistic governments in power in Warsaw and Budapest even spy on people within their own ruling circles.

“The scope for legal surveillance in Poland has been expanded to the near unlimited,” the report said. “Commercial spyware is not merely a technical instrument used in isolation and in random situations. It is an integral and vital part of a system designed specifically for the unfettered surveillance and control of citizens.”

In Poland, an opposition politician's text messages – likely captured with spyware – were even broadcast on public television in a smear campaign allegedly orchestrated by the ruling government in the run-up to elections in 2019.

Polish Senator Krzysztof Brejza is seen in Warsaw during parliamentary elections in October 2019. (AP Photo)

That hacked politician, Senator Krzysztof Brejza, was in charge of the campaign of Civic Platform, a main challenger to the ruling Law and Justice party.

In Hungary, spyware allegedly has been used on the smartphones of multiple people deemed enemies of Prime Minister Viktor Orban and his ruling Fidesz party.

“The use of Pegasus in Hungary appears to be part of a calculated and strategic destruction of media freedom and freedom of expression by the government,” the report said. “The Fidesz government has utilized this spyware in order to introduce a regime of harassment, blackmail, threats and pressure against independent journalists and media moguls.”

Pegasus has been used against more than 300 Hungarians, including political activists, journalists, lawyers, entrepreneurs and a former government minister, the report said, citing analysis by Amnesty International.

“The political control over the use of surveillance in Hungary is complete and total,” the report said. “The Orban-led Fidesz regime has made it so that they can target lawyers, journalists, political opponents and civil society organizations with ease and without fear of recourse. In addition, their control over almost all Hungarian media outlets allows them to continue pushing their own version of the truth, stopping much of the public scrutiny conducted by the media from reaching Hungarian citizens.”

In Greece, the fallout from the scandal has damaged the reputation of the government of Prime Minister Kyriakos Mitsotakis, a right-wing conservative who heads the New Democracy party. Mitsotakis has denied any knowledge of the spying, but his government is accused of trying to seal off probes into the scandal.

The Greek government allegedly targeted Nikos Androulakis, a European Parliament member and head of Pasok, a center-left rival to New Democracy. Also spied on was Christos Spirtzis, a former infrastructure minister and a lawmaker with the left-wing Syriza party.

Another target was a business journalist, Thanasis Koukakis, whose work concentrated on financial corruption, and another journalist, Stavros Malichoudis, who'd written embarrassing stories about Greece's harsh treatment of refugees.

“There is a threatening and worrying evolution of the democratic situation and the respect of rule of law in Greece,” Bricmont said. “They used a very intrusive spyware violating data privacy rules, violating intimacy, family life.”

In Spain, the government is accused of spying on at least 65 people connected to the Catalan independence drive, including its most prominent political leaders, key activists and lawyers. The Spanish government has acknowledged targeting 18 people, saying it was given legal authority to do so. But Madrid has refused to disclose details about its spying program.

Spanish authorities charged the leaders of the independence drive and an unauthorized referendum in 2017 with sedition and other criminal charges. During court proceedings, the government allegedly infected the smartphones of lawyers and family members of those facing trial.

Bricmont said the wide-scale surveillance of Catalan separatists was “questionable for a democracy” and she faulted Spain for not carrying out thorough inquiries into what happened.

In its final report, due to be released later this year, the PEGA committee is expected to call for EU-wide legislation to curtail the spread of spyware and rules to ensure governments don't abuse the use of spyware.

“We can learn a lot from past government surveillance practices and governments tend to abuse these types of technology,” said Siena Anstis, a legal adviser at Citizen Lab. “They want to engage in surveillance; they take as much as they can until there are guardrails in place. I think to an extent that has been the history of government surveillance.”

Courthouse News reporter Cain Burdeau is based in the European Union.

Read the Top 8

Sign up for the Top 8, a roundup of the day's top stories delivered directly to your inbox Monday through Friday.

Loading
Loading...