PEGA Committee does not go all the way on spyware regulation

On 8 May 2023, the Committee of Inquiry of the European Parliament investigating the use of Pegasus and equivalent surveillance spyware (PEGA) adopted its final report and recommendation, after 14 months of hearings, studies and fact-finding missions.

By EDRi · May 9, 2023

State hacking techniques have reached an unprecedented level of sophistication. Thanks to the relentless work of civil society and journalists to uncover spyware uses, it is now clear that governments can invade anyone’s phone, anywhere in the world, at any time, without much constraint and with even less accountability. The market of surveillance technologies, still out of control despite the international outcry that followed the Pegasus revelations, is a testament to these unlimited spying capacities.

Spyware and other hacking techniques are critical threats to our privacy, security and democracies. They serve states’ oppressive agendas against journalists, political activists and human rights defenders. This political challenge urgently deserves more than a single-country response. Hence it raises the question of the European Union’s (EU) reaction.

On 8 May 2023, the Committee of Inquiry of the European Parliament investigating the use of Pegasus and equivalent surveillance spyware (PEGA) adopted its final report and recommendation, after 14 months of hearings, studies and fact-finding missions. Even if those conclusions are not binding on the European Commission, let alone EU Member States, EDRi had recommended to the Committee to send a strong political signal and call for an EU-wide ban on spyware.

Unfortunately, the PEGA Committee missed the chance to draw this vitally important red line. Instead, it settled for an intermediary solution: introducing a condition-based moratorium and a European regulatory framework. This blogpost focuses on the contents of the Committee’s adopted recommendation and does not address the report.

A moratorium or not?

The recommendation introduces a call for the “adoption of conditions for legal use, sale, acquisition, and transfer of spyware”. It sets the end of the year as the deadline for Member States to fulfil a list of four conditions in order to be allowed to use spyware:

  • the investigation and resolution of spyware abuse cases,

  • the alignment of their national legal framework with applicable international law standards,

  • the “explicit commitment to involve Europol” in their investigations, and

  • the repeal of export licences that would not be compliant with EU law.

Whereas the original text from the Rapporteur included a clear-cut call for an immediate moratorium, the amended version now raises doubts as to whether the “legal use, sale, acquisition, and transfer of spyware” will effectively continue while the evaluation of the conditions is carried out by the Commission. It is therefore uncertain if abuse will “be stopped immediately”, as otherwise aimed for by the Committee.

In light of the persistent uncovering of hacking campaigns, the risk that some Member States do not fulfil the conditions by the deadline is quite substantial. However, the text does not foresee any enforcement action to address this non-compliance.

It is also a pity that the assessment criteria and conditions are not further defined in the recommendation. The need to consult relevant actors, such as national regulatory authorities, civil society and victim groups, and lawyers’ and journalists’ associations, could have been a helpful addition to ensure the evaluation relies on multiple, reliable and high-quality sources of information. It would also have helped to hold the Commission accountable for its conclusions, considering its usual soft hand on Member States’ surveillance activities.

A future EU regulation? But without prohibition

With regard to long-term actions the EU should take to regulate spyware, the Committee recommends the establishment of “common EU standards”, which it develops in twenty propositions. Sadly, the Committee failed to introduce specifically defined prohibitions on the most intrusive forms of spyware.

Many hacking methods developed and currently available on the market, including the use of spyware as investigated by the PEGA Committee, do not, by their very nature, functionality and impact, meet the necessity and proportionality requirements. Their intrusiveness is such that they affect the essence of the right to privacy – as stated by the European Data Protection Supervisor (EDPS) in its preliminary remarks on modern spyware. However strong the safeguards may be, they cannot mitigate the fundamental rights violations these tools entail.

EDRi and some political groups in the Parliament have attempted to delineate the scope of a ban based on a list of characteristics that, according to our current knowledge of the market, usually make the recipe for disproportionate interferences with rights and freedoms. Unfortunately, these proposals did not make it to the final text, missing a big political opportunity to prevent the further deployment and proliferation of ever-intrusive spying tools.

“There is a need to say the consequences of this spying. It’s scary in fact. And it’s violent (…) because you have the impression that someone broke into your home, broke into your life.”

Lénaïg Bredoux, Journalist at Mediapart, a French investigative newspaper

Another dark spot is the inherent contradiction between the restriction on the use of spyware to “exceptional and specific cases in order to protect national security” (paragraph 29(a)) – an exclusive competence of Member States – and the proposed legal basis of judicial cooperation in criminal matters (Chapter 4 of Title 5 of the Treaty on the Functioning of the European Union) to back up the use of spyware for law enforcement (paragraph 29(b)) and the “validity of evidence by way of spyware in cross-border cases”. Law enforcement and national security protection are two different aims that should not be mixed up – a dangerous amalgam repeated throughout the recommendation.

Attempts to circumscribe these “exceptional cases” to a closed list of clearly and precisely defined serious crimes are not reassuring. Existing lists of categories of crimes in current EU legislation are generally too broadly defined and inadequate. For example, definitions of terrorist acts in EU law have been widely criticised (by civil society and UN Special Rapporteurs) for being too vague and broad, allowing their misuse to criminalise and repress journalistic work, human rights defenders, activists and artistic expression. Furthermore, the interpretation of “serious crimes that represent a genuine threat to national security” would remain very disparate among European States without further clarification in EU law. This is especially apparent when Greece treats migrants as threats to national security, in the same way that France does for drug trafficking and undeclared demonstrations.

The final text has also compromised on the absolute protection of specific professions such as lawyers, doctors and journalists against surveillance through spyware (originally introduced by the Rapporteur) by introducing national security and law enforcement exceptions.

A blow to commercial spyware?

The PEGA recommendation makes positive calls to put an end to the harmful commercial trade of system vulnerabilities and follows EDRi’s recommendations to safeguard security research. Paragraph 59 suggests a ban on the sale of vulnerabilities “for any other purpose than strengthening the security of that system” and “an obligation to disclose the findings of all vulnerability research in a coordinated and responsible manner that promotes public safety and minimises the risk of exploitation of that vulnerability”. The creation of a contact point to report vulnerabilities, financial support for bug bounties and industry incentives are encouraged.

Unfortunately, the recommendation does not go as far as to prohibit the commercial trade of spyware in the EU. It is our view that the search for vulnerabilities, their exploitation and the execution of a hack should not be outsourced to the private sector, domestic or foreign. The purpose here is to ensure public accountability. The EU should stop directly or indirectly supporting an industry that sells information to cybercriminals and to states that use it in an irresponsible way (as NSO did).

Looking away, pointing fingers

Because some committee members come from the same ruling parties as the Member States accused of spyware abuses, the attempt to minimise the actions of EU governments is quite striking. Several amendments that essentially push the blame onto “third countries” have made it into the final text, while wiping out the initial blunt criticisms that the draft recommendation and report addressed to certain Member States and EU institutions.

“This hesitation to unequivocally acknowledge the abuse by European states is a shame for the recognition and reparation that victims of spyware need and seek.”

Chloé Berthélémy, Senior Policy Advisor, EDRi

Despite the many shortcomings highlighted above, the Committee also makes valuable proposals that could lay a solid ground for a future EU legislative proposal. The following elements are worth mentioning:

  • the establishment of an independent European tech lab tasked with providing technical support to individuals by detecting spyware traces on their devices;

  • the EU accession to the Convention 108+ of the Council of Europe;

  • stricter management of EU research and development aid funds to prevent the financing of spyware development and use;

  • the integration of spyware use monitoring in the Commission’s rule of law reports on EU states;

  • the call on national parliaments to set up meaningful oversight bodies of intelligence services and better cooperate among them to increase accountability and control;

  • the call for the adoption of the e-Privacy Regulation in order to reinforce the protection of confidentiality of communications;

  • and the request to the Commission to start infringement procedures against Member States whose laws violate the e-Privacy Directive (which many do with their national data retention legislation).

Hopefully, the Commission will pick up the pass and start to work on a robust and concrete European response to this ‘spyware crisis’.

Chloé Berthélémy

Senior Policy Advisor

Twitter: @ChloBemy