Surveillance: after Pegasus and Predator, the EU is (slowly) taking action

The new technological scenarios entail unprecedented challenges, like the Pegasus case with dozens of journalists, activists, and human rights defenders subjected to surveillance and wiretaps. The EU has responded with the Commission of Inquiry of the European Parliament on the amendments and the regulation on the export of civil and military dual-use technologies. The European Data Protection Authority (EDPS) itself was unequivocal in its analysis   published on 15 February 2022: it is not just about the right to privacy and the violation of privacy – fundamental freedoms as well as democracy and the rule of law are also at stake. For this reason, the Authority had recalled, "the entire system of safeguarding our fundamental rights and freedoms must be rethought, because they are endangered by these instruments". The measures suggested by the EDPS include some changes to the export regulation, so as to "condition the export of technologies suitable for digital surveillance on respect for fundamental rights and privacy".

Now that several months have passed since those concerned declarations, now that the regulations and reports have been published, many doubts remain about the actual guarantees and protections, while the intra-European surveillance market appears to thrive, which an investigation by IrpiMedia  defines “a black hole”.

We talk about it with Lorenzo Bagnoli, senior reporter and editor at IrpiMedia.
What is the focus of your research?

The global surveillance industry. One of our objectives is to understand how the relationship between countries producing and importing surveillance technologies works and to analyse money flows, to look for those who finances this world.

IrpiMedia is an independent, non-profit transnational investigative journalism outlet that covers organised crime, corruption, environment, migration, and justice. How did surveillance enter into the picture?

It has always been a topic of interest, for me even as a freelancer before the foundation of IrpiMedia. It is a pivotal theme on which in the past the collaborative approach that distinguishes our work has been lacking. Our #Sorveglianze  series was born from the collaboration with Privacy International, a British organisation that deals with advocacy on the topic, with which we try to identify the most interesting threads.

When looking for a definition of “surveillance system”, what should we think about?

The mass surveillance system is a political and technological infrastructure that a state sets up with the ideal aim of building a safer society through the use of technological tools. In fact, the technological tools used are so invasive that in some cases they damage digital rights, especially among the poorest segments of the population. Those who produce technologies that power surveillance systems have the power to influence the decisions of a nation state.

The alarm was also raised at the European Union level, especially for some countries such as Hungary, Poland, and Cyprus.

We must thank the European Parliament and the Commission of Inquiry established in March 2022. Compared to the past, there are parliamentary groups that are more aware of how mass surveillance can arbitrarily target minorities and oppositions. However, I don't think there is consensus in European fora to consider the spread of these technologies "alarming". The presence of Cyprus among the problem countries according to the monitoring of the PEGA Committee is not too surprising, for historical and geographical reasons.

For this reason, at a certain point IrpiMedia also dealt with Cyprus.

Our interest in Cyprus was only due to the sale of Predator and the role the country played as a broker for Israeli technology in Greece. In general, in terms of public attention, since 2019 the spotlight has certainly been on Cyprus after the founder of Intellexa himself – the company involved in the scandal in Greece – had shown in an interview  one of his own vans sold by a company of the group full of surveillance technologies.

Business deals passing through Cyprus bypassing the bans have since emerged.

Since at least 2015, around the time of the HackingTeam leak, it has been clear that there is a problem in the functioning of the licensing system for surveillance technologies such as spyware. In the case of Cyprus and the Predator case, the problem is the use of specific technology and the manufacturer NSO. NSO must comply with the export authorisation granted by the Defense Exports Control Agency (DECA) of the Israeli Ministry of Defense, but if the technology is exported by a company owned by NSO but registered in a country like Cyprus then it can create a hole in the control network. Cyprus can apply looser control to exports and, since exports between EU countries are less strictly regulated, at that point the intra-European resale system is the problem. Furthermore, Cyprus is a border country, which manages to use its position to act as a bridge between the EU and the Eastern Mediterranean.

Last January, the Commission of Inquiry produced a recommendation in which it condemns any export of these technologies to countries where human rights are violated and, noting that some abuses have been committed by Cyprus, calls on the government to provide a precise list of all export permits, revoking inappropriate ones, and to collaborate with Europol on alleged cases of spyware use against journalists, lawyers, and members of civil society. But Cyprus is not an isolated case, and the Commission reiterates that in other member states too there is "the presence of a thriving spyware industry which takes advantage of the good reputation, the single market and freedom of movement in the EU, allowing states such as Cyprus and Bulgaria to become clearinghouses for spyware to non-democratic regimes around the world”. The reality is therefore known. Are the solutions only legal or can there be other tools?

It is necessary to put in place a strategy to strengthen the cybersecurity of digital devices, providing both economic support to device manufacturing companies and including new obligations, such as extending security updates to older devices that would otherwise remain vulnerable.

Furthermore, a simplification of access to device analysis could be envisaged, in order to collect telemetry information useful for verifying infections. Until now this activity has been carried out almost exclusively by civil society organisations, let's think about tools like the one developed by Amnesty Tech , which are very useful because they also allow those without high IT knowledge to carry out a preliminary analysis of a device and understand if there is any trace of infection.

Regulation, however, remains an important point: even just thinking about creating a public list of companies that sell surveillance technologies could be a step forward. At this moment journalists and associations are trying to put together a puzzle whose dimensions and number of pieces are unknown: we are walking in the dark, waiting to discover the name of yet another new company.

Is there something that public opinion could do at European level?

If we think about the behaviour of some member countries during the PEGA Commission's investigation into the use of spyware such as Pegasus, we realise how some did not want to cooperate and respond to the Commission's requests. In some cases they even almost sabotaged the works, like Spain with the case linked to Catalonia or Greece. Public opinion could put pressure to ensure that, in the next European elections in 2024, MEPs are much more aware of the risks of these technologies and have a much more incisive approach, also starting from the results of the report and recommendations of the PEGA Commission. Furthermore, public opinion could also ask for greater transparency from their governments regarding data on exports of these technologies: the European Commission collects data on exports but only publishes aggregate data without detailing the activities of each individual member state. States, in turn, barricade themselves behind this fiction of transparency to deny access to any data.

This content is part of the Media Freedom Rapid Response  (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States and Candidate Countries. The project is co-funded by the European Commission.