When she was working in Brussels, Meritxell Serret used a Belgian phone and a Belgian number. Between June 2018 and October 2020, while working as a representative of the Catalan government to the European Union, Serret was infected by Pegasus, a spyware exposing her messages and calls, and switching her camera and recorder on without her knowledge or consent. A report by the University of Toronto’s Citizen Lab determined that she had been spied on by the Spanish government.
Spyware abuse is not new. Commercial spyware, including the Israeli-made Pegasus technology, is widely used to target political opponents and journalists in countries from the United Arab Emirates to Azerbaijan. Tensions between Catalonia and Spain are not new, either. But in the wake of the Citizen Lab report, both issues landed side by side on the desk of Sophie in ’t Veld, the Dutch member of the European Parliament who launched the EU’s current efforts to investigate spyware abuse in Hungary, Poland, Greece, Cyprus, and Spain. Her investigation is defined as much by its stonewalling as by its findings.
Pegasus’s invasiveness and use in high-profile cases—Washington Post columnist Jamal Khashoggi’s phone was found to be targeted by Pegasus prior to his murder by Saudi agents in Istanbul—led the United States to blacklist the technology, and other countries to call for its ban. But government use of spyware, and not just Pegasus, is on the rise in Europe, which is becoming a hub for producing and exporting this technology, including by EU-based company Intellexa. While the United States blacklists Pegasus and issues export controls on U.S.-made spying technology, the EU lacks the capacity to issue similar EU-wide blacklists, let alone bans, on any commercial spyware programs.
Madrid’s recent obstruction of the European Parliament’s investigation of government abuses of spyware in the EU showcases Brussels’s limited ability to regulate the technology. The EU’s vulnerability to illicit, abusive spying, including by governments, is growing—a trend that leaves the continent resembling what a European Parliament spokesperson referred to as “a Wild West.” Brussels, a famously stern protector of online data, can only raise public awareness of government spyware abuse. In November 2022, in ’t Veld and her team released a report on their findings; in January 2023, they issued non-binding recommendations for the countries under scrutiny.
Brussels’s difficulties begin with confirming that governments are even using spyware in the first place. Serret discovered that she had been spied on when Citizen Lab, a research group at the University of Toronto focused on technology-driven human rights abuses, told her so. She was apparently one of as many as 65 Catalan politicians involved in the region’s 2017 referendum for independence from Spain, alongside journalists and activists, whose phones had been infected with Pegasus and Candiru by the Spanish government. The Spanish Supreme Court ruled Catalonia’s independence bid unconstitutional in 2017.
NSO Group, the Israeli company that produces the Pegasus software, confirmed it sold the technology to the Spanish government, and the Citizen Lab report was mentioned in the U.S. State Department’s 2022 human rights report for Spain. Those hacked, however, received no confirmation from the Spanish authorities that they had been spied on despite filing repeated requests for the information. The news of her targeting was “shocking” to Serret: “I always thought that they wouldn’t spy on me, being in Brussels,” she said.
On March 20, the same day that the U.S. State Department published its human rights report for Spain, in ’t Veld and her team headed for Madrid. Their fact-finding mission was hindered by the fact that members of the Spanish Congress Defense Committee declined to meet with them. The team did emerge with a clearer understanding of how Spain authorized spyware targeting, but the information only raised further concerns. In ’t Veld’s team learned that as many as 18 of the targets in Spain had been ordered by a judge, which renders the government’s use of spyware technically legal.
“But then the next question is, legal in the sense that the procedural steps have been followed, but was it also proportionate and necessary?” asked in ’t Veld. The spyware was also used on journalists and the family members of politicians.
While Spain has a procedure in place for targets of spyware to raise concerns to a judge about having been snooped upon, citizens receive no confirmation about whether they were in fact inspected by spyware—leaving them to rely on the Citizen Lab report, which judges routinely discredit. “In Spain there’s been very sustained attempts to discredit Citizen Lab as motivated by political interests,” in ’t Veld said. “This I’ve not seen in any other country.”
But other countries don’t necessarily play well, either. Across the continent, “we get no meaningful information from governments,” in ’t Veld said. Unlike the U.S. Congress, the European Parliament does not have the power to subpoena member states to testify or require them to hand over information for its investigations. During the visit to Madrid, in ’t Veld also met with Serret, who left feeling that the European Parliament’s commission “were willing to find all the answers that we are demanding.”
Serret highlighted what she sees as the main danger: “This is a real threat for democracies in Europe.”
In ’t Veld echoed that point, noting that European countries’ use of spyware is “a siege or storming of the EU democratic institutions, but in a digital way,” and it poses a threat to democracy as much as to privacy and individual rights. In January, her committee called on Hungary, Poland, and Greece to “restore … legal safeguards” breached by their use of spyware, but concluded that “the regulatory framework in Spain seems to be in line with the requirements set by the treaties and by judgments by the CJEU [Court of Justice of the European Union] and the ECtHR [European Court of Human Rights].” The recommendations, published before in ’t Veld’s visit to Madrid, cited the need for further fact-finding in Spain.
The Spanish government did not respond to multiple requests for comment.
Spain is not Europe’s problem child when it comes to democracy, issues with Catalan separatists aside. Hungary and Poland have both run roughshod over the judiciary and civil rights, and both have incurred the wrath of Brussels. And both have ridden Pegasus or similar software. In Hungary, laws stipulate that citizens cannot be informed that they have been targeted by spyware by the authority that is spying on them. According to the European Parliament’s November report, in Poland, the “abuse of spyware does not seem to be part of an integral authoritarian strategy, but rather a tool used on an ad hoc basis for political and financial gains.”
“It’s a very invasive technology which would very easily lead to human rights concerns,” said Caitlin Chin, a fellow at the Center for Strategic and International Studies. But while data-protection laws can be passed and enforced at the EU-wide level, national security is up to each member state, and regulating spyware falls under that umbrella. That will make it harder for the European Union to follow in the United States’ footsteps and regulate spyware use by its member states or implement export bans on EU-made technology. The likelihood that Brussels will be able to craft a proper regulatory regime is low, said Winnona DeSombre Bernsen, a nonresident fellow at the Atlantic Council.
The White House hosted another Summit for Democracy in Washington last month. It made headlines for booting Hungary and Turkey from the event. Less noticed was the fact that those in attendance promised to counter the misuse of commercial spyware by governments. Well, almost all. Poland, Greece, and Spain declined to sign.
Source: Foreign Policy