DigitalEU.net

Independent views on digitalisation in Europe

Here is Europe’s Watergate and no one speaks about it

By Hartmut Seibel, Brussels – 10/11/2022

Government use of surveillance spyware:  MEP Sophie in ‘t Veld’s first report for the European Parliament’s inquiry committee is truly alarming for every European citizen but the European spyware scandal hardly gets any coverage!

The EU Parliament’s Committee that was appointed in 2021 to investigate the use of surveillance spyware has issued its draft report on 08/11/2022. The EP Committee’s ‘rapporteur’ Sophie in ‘t Veld is reportedly angry and probably there is ample reason to be angry.

It appears that there have been a few frictions, even within the EP’s Committee, that have led its rapporteur Sophie in’t Veld to unilaterally publish her draft report – without further ado.

She denounces the uncooperative attitudes of numerous national governments concerned, and the overall sleepwalking mode by the European institutions given that the use of surveillance spyware risks to undermine the democracy in Europe overall. The problem is far too serious and cannot be considered simply a matter of national security.

The issue goes far beyond the local abuses by governments and secret services e.g. in Spain, Greece, Hungary or Poland. There are yet no suitable instruments in place to forbid or govern the use of spyware, no effective control nor prohibition to prevent the use of any spyware.

Below is a selection of some of the most relevant extracts of Sophie in t’Veld’s draft report from 8 November 2022 (to be found here) which speak for themselves (emphasis was added):

Europe’s Watergate

In summer 2021, the Pegasus Project, a collective of investigative journalists, NGOs and researchers, revealed a list of 50,000 persons who had been targeted with mercenary spyware. Among them, journalists, lawyers, prosecutors, activists politicians, and even heads of state. The most dramatic case may well be that of Jamal Khashoggi, the Saudi journalist, who was savagely murdered in 2018 for his criticism of the Saudi regime. However, there were also many European targets on the list.

Some had been targeted by actors outside the EU, but others were targeted by their own national governments. The revelations met with outrage around the world. The scandal was quickly labelled “Europe’s Watergate”. However, rather than the political thriller “All the President’s Men” about the burglary into the Watergate building in 1972, today’s spyware scandal is reminiscent of the chilling movie “Das Leben der Anderen” (The Life of Others) depicting the surveillance of citizens by the totalitarian communist regime. Today’s digital burglary with spyware is far more sophisticated and invasive, and hardly leaves any trace.

The use of spyware goes far beyond the conventional surveillance of a person. It gives total access and control to the spying actors. Contrary to classic wiretapping, spyware does not only allow for real-time surveillance, but full, retroactive access to files and messages created in the past, as well as metadata about past communications. The surveillance can even be done at a distance, in countries anywhere in the world. Spyware can be used to essentially take over a smart-phone and extract all its contents, including documents, images and messages. Material thus obtained can be used not only to observe actions, but also to blackmail, discredit, manipulate and intimidate the victims. Access to the victim’s system can be manipulated and fabricated content can be planted.

The microphone and camera can be activated remotely and turn the device into a spy in the room. All the while, the victim is not aware of anything. Spyware leaves few traces on the victim’s device, and even if it is detected it is nearly impossible to prove who was responsible for the attack. The abuse of spyware does not just violate the right to privacy of individuals.

It undermines democracy and democratic institutions by stealth. It silences opposition and critics, eliminates scrutiny and has a chilling effect on free press and civil society. It further serves to manipulate elections. The term “mercenary spyware” reflects very well the nature of the product and of the industry. Even failed attempts to infect a smart phone with spyware have political ramifications, and can harm the individual as well as democracy. Participation in public life becomes impossible without the certainty of being free and unobserved.

The spyware scandal is not a series of isolated national cases of abuse, but a full-blown European affair. EU Member State governments have been using spyware on their citizens for political purposes and to cover up corruption and criminal activity. Some went even further and embedded spyware in a system deliberately designed for authoritarian rule. Other Member State governments may not have engaged in abuse of spyware, but they have facilitated the obscure trade in spyware.

 Europe has become an attractive place for mercenary spyware. Europe has been the hub for exports to dictatorships and oppressive regimes, such as Libya, Egypt and Bangladesh, where the spyware has been used against human rights activists, journalists and government critics.

The abuse of spyware is a severe violation of all the values of the European Union, and it is testing the resilience of the democratic rule of law in Europe. In the past years, the EU has very rapidly built up its capacity to respond to external threats to our democracy, be it war, disinformation campaigns or political interference.

By contrast, the capacity to respond to internal threats to democracy remain woefully underdeveloped. Anti-democratic tendencies can freely spread like gangrene throughout 4 the EU as there is impunity for transgressions by national governments.

The EU is ill equipped to deal with such an attack on democracy from within. On the one hand the EU is very much a political entity, governed by supranational laws and supranational institutions, with a single market, open borders, passportless travel, EU citizenship and a single Area of Security, Freedom and Justice.

However, despite solemn pledges to European values, in practice those values are still considered very much a national matter. The spyware scandal mercilessly exposes the immaturity and weakness of the EU as a democratic entity. With regard to democratic values, the EU is built on the “presumption of compliance” by national governments, but in practice, it has turned into “pretence of compliance”. The scenario of national governments deliberately ignoring and violating the EU laws, is simply not foreseen in the EU governance structures.

The EU has not been equipped with instruments for such cases. The EU bodies have few powers, and even less appetite, to confront national authorities in case of transgressions, and certainly not in the delicate area of “national security”.

By intergovernmental logic, the EU institutions are subordinate to the national governments. However, without effective, meaningful supranational enforcement mechanisms, new legislation will be futile. Fixing the problem will require both regulatory measures and governance reforms.

The US is not spared from attacks on democracy from the inside, for example Watergate, and the siege of Congress on January 6th 2021, but it is equipped to respond forcefully. It has the powers to confront even the highest political leaders when they do not respect the law and the Constitution.

Indeed, following the 2021 revelations on spyware, the United States responded rapidly and with determination to the revelations of the Pegasus Project. The US Trade Department swiftly blacklisted NSO Group, the Department of Justice launched an inquiry, and strict regulation for the trade in spyware is in the pipeline. The FBI even came to Europe to investigate a spyware attack against a dual US-European citizen.

Tech giants like Apple and Microsoft have launched legal challenges against spyware companies. Victims have filed legal complaints, prosecutors are investigating and parliamentary inquiries have been launched.

In contrast, with the exception of the European Parliament, the other EU institutions have remained largely silent and passive, claiming it is an exclusively national matter.

The European Council and the national governments are practising “omertà”. There has not been any official response to the scandal by the European Council. Member State governments have largely declined the invitation to cooperate with the PEGA committee. Some governments downright refused to cooperate, others were friendly and polite but did not really share meaningful information. Even a simple questionnaire sent to all Member States about the details of their national legal framework for the use of spyware, has hardly received any substantial answers. Literally on the eve of the publication of this draft report, the PEGA committee received a joint reply from the Member States via the Council, also without any substance.

The European Commission has expressed concern and asked a few Member State governments for clarifications, but only those cases where a scandal had already erupted at national level. The Commission has shared – reluctantly and piecemeal – information concerning the spyware attacks on its own Commission officials. Europol has so far declined to make use of its new powers to initiate an investigation. Only after being pressed by the European Parliament, it addressed a letter to five Member States, asking if a police inquiry had started, and if they could be of assistance.

The European Council and the national governments are practising omertà. There has not been any official response to the scandal by the European Council. Member State governments have largely declined the invitation to cooperate with the PEGA committee. Some governments downright refused to cooperate, others were friendly and polite but did not really share meaningful information. Even a simple questionnaire sent to all Member States about the details of their national legal framework for the use of spyware, has hardly received any substantial answers. Literally on the eve of the publication of this draft report, the PEGA committee received a joint reply from the Member States via the Council, also without any substance….”

Re: Use of surveillance spyware in all EU Member States?!

301. It can be safely assumed that authorities in all Member States use spyware in one way or another. Spyware may be acquired directly, or through a proxy, broker company or middleman. There may also be arrangements for specific services, instead of actually purchasing the software. Additional services may be offered, such as training of staff or the provision of servers. It is important to realise that the purchase and use of spyware is very costly, running into millions of euros. But in many Member States this expenditure is not included in the regular budget, and it may thus escape scrutiny.

MEP Sophie in ‘t Veld, remarked in an interview when presenting her draft report: “We are very worried about American democracy, we are very worried about democracy in Brazil … Why is it that we are worried about lots of things except for democracy inside the European Union itself?

She is calling for a moratorium on the use of spyware until the European Union eventually figures out joint rules on the use of malicious software.

A subject matter to be monitored …

Useful links:

https://www.politico.eu/article/eu-spyware-probe-slams-government-leaders-as-perpetrators-of-abuse/

https://netzpolitik.org/2022/spionage-skandal-pegasus-abrechnung-mit-europa/

Author

Hartmut Seibel

Article categories