PEGA hearing: state hacking and spyware in Germany

On 14 November, EDRi observer Andre Meister from German digital rights newspaper netzpolitik.org spoke at the PEGA committee's hearing in his capacity as an investigative journalist who has covered state hacking for over a decade. Check out what he had to say to the PEGA committee responsible for investigating the use of the Pegasus spyware in Europe.

By netzpolitik.org (guest author) · November 30, 2022


Find the text version of the speech here. You can also read it in German here.

It was interesting that Meister was the only expert in the room. But it was even more shocking that the German government and police turned down the committee’s invitation. 

With its refusal to show up and testify, Germany joins the long list of countries unwilling to cooperate with this important inquiry into the use of Pegasus in Europe.

In his speech to the committee, Meister showed that this behaviour is symptomatic and that Germany shares many of the problems found in the other countries the committee is investigating.

Meister outlined the history of state hacking in Germany and the cases it’s used for. Then, he explained the legal framework and a special new fundamental right in Germany. He talked about the products that Germany has bought and developed. And following that he illustrated the secrecy and lack of accountability of state hacking in Germany. Finally, he presented a laudable initiative of the German government to regulate an important aspect of this problem.

Example of state hacking

In 2015, the president of the German domestic intelligence agency personally filed a criminal complaint against Meister and his colleagues, accusing them of nothing less than treason for doing their job: reporting truthful information in the public interest on the internet surveillance capabilities of the German domestic intelligence agency. These criminal investigations were later dropped, but the extreme allegations allowed police to use the entire arsenal of surveillance capabilities against the journalists. Only two years later, this would include state hacking.

In order to gain some level of public security – even if that is just a dozen drug crimes – state hacking creates immense insecurity in our digital environment. To hack the iPhones of a few dozen alleged criminals, states and companies keep all two billion iPhones on this planet insecure and vulnerable to hacking by anyone. 

Security vulnerabilities are a danger to national security. This argument was theoretical for a long time, but now we have an example in the EU: The Spanish state hacked Catalans, and with the exact same vulnerability Morocco hacked the Spanish prime minister and defence minister. 

IT security is binary. No-one is safe until everyone is safe. 

The tech industry understands this. ENISA understands this. And the German government understands this. In their coalition agreement last year they wrote: "Exploiting vulnerabilities in IT systems is highly problematic in terms of IT security and civil rights. The state will therefore not buy or keep open any vulnerabilities, but will always strive to close them as quickly as possible."

This is a much-needed first step. Unfortunately, the German government has still not implemented its promise. But this committee should not fall behind the German government. PEGA's final report should mandate both state and private actors to fix all vulnerabilities as quickly as possible, without exception.

State hacking has fundamental problems

The German police claim that state hacking is necessary, proportionate, accountable, and used only against terror and the most serious crimes. All of these claims are false and mislead the public on the necessity and legitimacy of state hacking for security reasons.

In his speech, Meister referred to the EDPS, which said that state hacking “poses unprecedented risks … not only to the fundamental rights and freedoms of the individual but also to democracy and the rule of law.”

Beyond that, state hacking is also a danger to IT security, a danger to critical infrastructure, a danger to public security, a danger to national security, and – as the hacking of EU institutions has shown – a danger to European security.

Read the speech in German here.

Contribution by: EDRi observer, Andre Meister, Journalist, netzpolitik.org