Am 29. November hielt der Staatstrojaner-Untersuchungsausschuss des Europäischen Parlaments eine Anhörung zu Spanien ab. Zunächst sprachen Expert:innen zum Einsatz von Staatstrojanern in Spanien. Im zweiten Teil der Anhörung äußerte sich die CNI-Chefin Esperanza Casteleiro Llamazares. Die Fragen der Abgeordneten wollte sie mit Verweis auf ihre Geheimhaltungspflicht jedoch nicht beantworten.
- Date: 2022-11-29
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Links: Hearing, Highlights, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editors: Tim Wurster, Emilia Ferrarese
Panel 1: Ignacio Cembrero (Investigative journalist at El Confidential), Andreu van den Eynde (Criminal lawyer and victim), Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia)
Panel 2: Esperanza Casteleiro Llamazares (Director CNI), Juan Jesús Torres Carbonell (Secretario General de Administración Digital)
Country hearing – Spain
Jeroen Lenaers (Chair): It’s 9:06, so I would like to start our meeting. Welcome to all members and substitute members of the Pegasus Committee. We also welcome to the guests that are with us today. I would like to remind our guests that you are very welcome here to listen to the debates, but you are not invited to participate in any verbal or nonverbal in the debate. We have interpretation for the following languages German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.
And then I would like to move to the first point, which is the adoption of the agenda. Unless there are any comments on the agenda, I consider it adopted. And we move to part two of our agenda, which is the country hearing on Spain. The first panel will have three experts speaking to us. We will have Ignacio Cembrero, who is an investigative journalist at El Confidencial. We have a live on an anchor who is with us in the room who is a criminal lawyer and victim of Pegasus. And we’ll have Gregorio Martin, who is emeritus professor of computer science at the University of Valencia.
So, all three of the guests will have 10 minutes to make their presentation. And then we will move to Q&A with our members here today. And I would like to ask those members that would like to take the floor in the Q&A session to already indicate during the contributions of the speakers so we can make the speakers list and make sure we have a proper time management. So, without further ado, I would like to give the floor for 10 minutes to Mr. Ignacio Cembrero, who is connected with us online. So, you have the floor for 10 minutes, please.
Ignacio Cembrero (Investigative journalist at El Confidential): I. I think I will be speaking in Spanish. I hope I will be translated and that the line and the sound is good. I’d like to thank you for having invited me here. Unfortunately, I got late. I got in late on Saturday and I could not come to join you today in Brussels at the committee session.
Now I’m going to talk about Pegasus spying in Spain where there are two points. One is the so-called Catalan gate, which is spying on independent supporters of Catalonia. And it is done by the Spanish security, say, security services. And the other one is by the Moroccan secret services. There’s a slight link between the two cases, and I will explain them. Now, I don’t consider myself very qualified to talk about Catalan gate, even though I had spoken at length on these subjects. But I am more qualified to speaking about the Moroccan situation in Spain.
Now, first of all, there’s a dual situation because first of all, I was I was a victim. And secondly, as an investigative journalist, as I have spent many years following the situation in Morocco and in reports on Morocco, Morocco used the Pegasus malware to spy on Spanish mobile phones. And first of all, it was used in 2019 against journalists, activists, Moroccan exiles in Spain, a Moroccan opposes who live in Spain. Now, first of all, we know through the Forbidden Stories investigation, it was published on the 18th of July last year. Now, during that first investigation, you can already see three names of owners of mobile phones. One is me. However, the most important or the most important is Amina Trinidad, who is an activist. And she was molested by the authorities. And she has a Spanish number on her phone number. The moment they are investigating another 200 Spanish mobile phones and this investigation is ongoing. The 3rd of May, the Guardian revealed this, and it was confirmed by forbidden stories. I don’t know when these numbers would be made public, but these 200 odd phone numbers that will appear are old cell phone numbers, Spanish numbers that were targeted by Morocco, according to The Guardian and Forbidden Stories.
Now, a month before this Forbidden Stories report appeared last year, and it was published by Le Monde, the Guardian, the Washington Post, the Süddeutsche Zeitung, Le Soir, and other national newspapers, a month before this report appeared the 20th of June last year, I knew I was in I was being spied upon by the Moroccan authorities. Now, how did I find out? Well, an article that the director of Moroccan Diplomatic published, Morocco Diplomatic, is a small Moroccan publication very close to the authorities. In an article published by newspaper, there were two WhatsApp messages that I’d exchanged with members of the Spanish government were referred to.
So, the month of May was probably the worst month of the bilateral crisis between Morocco and Spain. And that’s when there was the actual the peaceful with an inverted commas invasion of Ceuta over the 10,000 Moroccan illegal immigrants. Within 48 hours, 20% of them, about 20, 22% of them were minors. Now, how did the director of a Moroccan newspaper, how did he know the contents of at least two WhatsApp messages I’d sent to members of the Spanish government where I’d say, and he put it in his article. Well, obviously he found out during the briefings that the Moroccan secret services give to journalists who are close to them.
Now, if we move on to the second phase of the Moroccan, Morocco, Spain, Pegasus scandal, the second step that was last year, if you remember this year, on the 2nd of May, the Spanish government denounced the highest court, criminal court in Spain because three of their phones had been hacked with Pegasus, and they did with Pegasus, that of the president of the government, the Prime Minister, the Minister of the Defence and the third was that of the Minister for Interior Affairs. Now they said that we had discovered this hacking in April this year. The explanation given by the Government is not believable from any point of view. It cannot be believed.
Now why? Well, because the Minister for Foreign Affairs in Spain, Arancha González Laya, had already said that her mobile had been hacked either in May or June of the previous year when the mobiles of the members of the government were examined and they’d seen that a couple of them were infected. So, it was not in April. And that’s why the Spanish government’s explanation is not credible. And probably they said that in order to soften the impact of the so-called Catalan gate; to show that they were victims of this spying on both sides: the Catalan independence, but also within the government, was reality, there were people spied upon in. And the dates to now May June of the previous year, there’s only one power who would be interested in that, and that is Morocco., because May and June of the previous year are the most intense period of this bilateral crisis between Morocco and Spain.
Now, there’s a couple of incredible things in what the government is saying, they are asking at the judges who are well to investigate but doesn’t denounce or accuse NSO at any moment in time. And they could have, because we know that NSO is produced by an Israeli company and the services showed that it’s Pegasus that is being built by NSO. And furthermore, in order to export it, NSO requires a specific authorisation by the Ministry for Defence of Israel. You cannot understand why Spain did not take NSO to court in Spain, and you can’t understand why it didn’t carry out any type of complaint against Morocco.
Furthermore, the judge is the magistrate Calama who is investigating this if the National Court has promised requests for vacations against Israel, the first in May and the second, if I’m not mistaken, in September and received no response from the Israeli authorities. So, it’s really surprising that a country that has a good relationship with the EU does not cooperate with the Spanish justice system of a member state.
Now, Spain’s attitude is completely different from that of France. France demanded explanations from Israel. It was published in the press, the Ministry for Defence of France, published at the end of July, a clear press statement saying that they’ve been spied back and so are they, demanding explanations from Israel. And the Minister for Defence of Israel went to Paris. And according to the Israeli press and specifically the journalist Barak Arabe, who is one of the best Israeli journalists in terms of cybersecurity, he said that France and Israel reach certain agreements. I would say that the main one is that today malware, Israeli malware can no longer be attached to French phone numbers, numbers that start with +33. This is something that the UK, the United States had obtained, and I think it’s the first idea of launching here. I think that the EU has to reach an agreement with Israel that their spyware cannot enter in any phone of any member states. Just as the UK, the United States and France have managed to do now, it also seems very important to demand from NSO to withdraw the licences of all the secret services, the abuse, their products. They’ve done for some, but not all of them. And it’s important that these secret services that use these products that were exported by NSO must never not be allowed to continue to use them again, as it’s a violation of human rights. And it’s happening in many developing countries that have used the have abused these products by spying on journalists and activists now for having denounced the actions of Morocco with a Pegasus.
The Kingdom of Morocco has sued me in Spain. They sued me not for libel because they can’t. But there was for action, it’s an old mediaeval law that was never deleted from the Spanish law, and there will be a ruling on the 13th of January. It’s the fourth time that Morocco has suing me. And through the Spanish courts, they’ve done it twice in criminal courts for supporting terrorism and then, fortunately, the Spanish courts archived these questions. And then this is the second time it’s taking me through the civil court. Now, I think there’s a directive which is being produced to go against this type of bullying that activists and journalists can undergo through big corporations and countries.
And now this directive has to be set up because we’re being taken four times to court by the Kingdom of Morocco since 2014. And this is really bad for a journalist, even I’ve always won the cases, but I have to hire lawyers, I’ve got to prepare the defence, I’ve got to go to court and I would really like institutions like the European Parliament should get on with it with directives to stop this bullying of journalists and refugees, especially journalists like me, who say that the Kingdom of Morocco has used Pegasus in Spain, in France, and against people who are also in in Brussels, and of course, especially against its main enemy, that is Kenya. So, again, thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Cembrero. We immediately move to our guests here in the room with us today, Mr. Andreu van den Eynde, you also have 10 minutes.
Andreu van den Eynde (Criminal lawyer and victim): Thank you, Mr. President. Thanks for inviting me to this committee. I’m a criminal lawyer, Barcelona based criminal lawyer practising for over 25 years. I’m a member of the Barcelona Bar Association and the European Criminal Bar Association. I teach criminal law and cybercrime in the. University of Barcelona and the Academy of European Law.
In 2016, I was in charge of adopting the ethics and compliance programme of this political party called Garibaldi, kind of like Catalonia. And then I started defending some prominent Catalan political leaders from Esquerra Republicana de Catalunya. This included the criminal defence of former MEPs Oriol Junqueras and Raül Romeva, convicted for their roles in the independence referendum of 2017. I have no political activity whatsoever. I’m not affiliated to any political party.
In July 2020, WhatsApp Inc sent a message to the Parliament of the President of Catalonia, Mr. Roger Torrent, informing him that his phone had been targeted with Pegasus. Then I stepped in as the legal adviser of Mr. Torrent, and then we learnt from this first communication that WhatsApp had filed a criminal well, a complaint in the United States against NSO Group for hacking into their servers as a way to infect more than 1000 mobile phones. This is still going on in the United States courts.
And then this American case gave us really precious information because NSO Group assumed their potential involvement in those espionage activities. And their main allegation, which is very interesting for us, is that they should benefit from derivative state immunity, meaning that they only provide Pegasus to official bodies of sovereign states. That is what we call in cyber criminology, state affiliated agents. So, there is strong evidence that NSO group sells its product to intelligence and law enforcement agencies of sovereign states.
In 2020, we had two victims, Mr. Torrent, president of the Catalan parliament, and Mr. Madí, former MEP, are running at that time the time of the hacking to Barcelona mayor’s elections. We filed a criminal complaint in Barcelona and a criminal case was opened in October 2020 on behalf of Mr. Torrent and Mr. Madí. We ask several investigative measures focussing on NSO. Of course, we sued NSO. You know, I think in the preliminary report of the rapporteur, there’s something interesting about this dual use legislation and the way a company can really sell spyware and they are liable of this kind of tools, or they should be liable. So, we sued.
And so, and of course, CNI, the Spanish Secret Services, the prosecutor’s office challenge our pleading to investigate the Spanish secret services. That same month, court number 32 of Barcelona sent a Rotary letter to Israel asking for two specific information if NSO was selling Pegasus. So that was the match, the judge question. And then if NSO kept any computer logs related to the infections two years later, there’s still no answer from Israel. And the judge is not insisting on that. And he has closed the file with no investigation whatsoever, not a single investigative measure. The case is closed. Israel has not even complied with its obligations, according to the Budapest Commission, because of course you know that Israel is part of the Budapest Commission.
Well, then, already this year there was a report on the news about a massive espionage scheme in Spain targeting Catalan politicians, journalists and human rights activists, including the espionage of all Catalan presidents since 2014, including the relatives, staff members and MEPs with parliamentary immunity like Ms. Diana Riba or lawyers that should benefit from the client attorney privilege. I was hacked with Pegasus in the morning of May 14th, 2020, during the COVID lockdown, where all professional activities were online, and I was representing former MEPs, Junqueras and Romeva, that were jailed at the time in prison for being convicted to up to 13 years of prison for the 2017 independence referendum.
My infected device contained information regarding ongoing communications, phone, instant messaging, email, video calls, past communications, even the secure ones with telegram and signal and even conversations carried out in other devices that that could be seen from my phone, social media. Any data personal health and pictures of my family, all my relational data, all the access to all my professional files that are in the cloud, all my passwords, geolocation data. So of course, several communications where a client attorney or attorney to attorney, I can track that. And the same day that there was hacked or around a date, I had a meeting a video call meeting with I think like maybe ten lawyers that were discussing our legal strategy. In the case of the four Catalan politicians jailed at the time, I received the same SMS allegedly coming from the Social Security of Spain that other victims received.
So, all those victims up to 65 by now, we have received those malicious SMSes. We’ve filed several criminal complaints in Barcelona, including my own case. There are around eight criminal courts in Barcelona dealing with dozens of cases related to the Catalan Gates operation. These complaints have started several criminal proceedings after half a year, not a single court in Spain has conducted an investigation, whatsoever. Not a single one.
At the same time, the investigation of the espionage of the Spanish government is going at full speed. They have examined witnesses, expert witnesses. There’s a visit to trial. They have even, I think, secret documentation. They have everything. I’ve sought help from Spanish ombudsman in Pueblo, but he has not replied my message yet. No government body and neither NSO group representative’s have contact me for help or support. In sum, I’ve been notified of the and I haven’t been notified of the surveillance that someone conducted. And I don’t know what data is somewhere regarding my phone. I’m not aware of any NSO legal compliance department investigations that could apply to this illegal and or abusive use of Pegasus about involving of the fancy. Because it seems, you know, everyone is saying that its CNI spying on us. And CNI has not denied that. So, I think it’s not like a random hypothesis. I think we have some kind of evidence about that.
What is the evidence that we have about the involvement of the Secret Service of Spain? First of all, NSO products are sold as per their terms and terms and conditions to intelligence and law enforcement agencies. NSO Representative confirmed this assumption before this same committee last month. NSO main allegation to challenge the American case is related to the privilege as immune state agents. The Catalan gate triggered immediate reaction from the CNI directorship. There was a meeting of the Spanish parliament’s official secrets committee, and the former director was CEST. The Spanish Ombudsman made an investigation on CNI alone and confirmed their involvement in a report saying that it seems that 18 people was spied upon. He’s saying legally, of course, I would challenge that.
On the other hand, Spanish Justice and Defence Ministries have officially stated in the Spanish Parliament a week ago that law enforcement agencies do not own Pegasus. So maybe we should try to focus on some kind of answer from CNI. I’m concluding there is no law in Spain that allows the use of Pegasus except for remote computer searches under strict judicial authorisation and a narrow scope that should meet the necessity test of human rights compliance. There is no law in Spain, not a single one, that allows the use of Pegasus affecting lawyers. There are no rules or guidelines that regulate how intelligence service uses spyware technologies amongst citizens or stating exceptions for legal practitioners, journalists, doctors, etc.
I’m not receiving any kind of help of any authority in Spain to achieve the main two goals regarding cases of violations of human rights. Full investigation of who hacked into my phone and actions to protect my privacy. Informing me about who and why. Hacked into my phone and where is my data? Why do we have by now? We have digital evidence of infections in our devices. Remote access from specific domain names. Evidence of data extraction of our phones. Identical or similar patterns in the attacks of different Catalan victims. And evidence of the recording of conversation that by mistake of some spyware operators have been played out loud. When, you know, when we finished a conversation, then we could hear again our whole meeting that was replayed in our phones remotely. We haven’t had any support from any Spanish authority. And this committee, by letting me explain my case, has gone further than any domestic investigation. But it is a pity, nevertheless, that all the other big voices of the 65 known victims of the Spanish espionage could not be heard today. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. van den Eynde. We move to Mr. Gregorio Martin, who is also connected remotely. I’ll give you the floor.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Thank you very much indeed. Let’s start. I am 72 years old, as you can see here. And I’m Catalan. And these are slides to illustrate the fact that in the annexes which I have sent out, there is a list of issues which will allow you to look at the technical side of what we are going to be dealing with.
So, the next slide. So, what’s the reason that I, a retired person, decided to study Catalan Gate? Well, it’s a question of down to a logical concern that I felt regarding the use that could be made of Computer science, the NSO, misuse of data, etc. And all these issues that we’ve been hearing about. On the other hand, the arguments which are being brought forward on the technical side, I feel are enough for us to be able to analyse the various options. It’s not an easy topic. It’s not crystal clear, but what I want to do is focus on the tool used in Catalan Gate, the verification tool and trying to do something really difficult. And that is to find out that something is uncertain, foregoing proof of concept, it’s difficult to translate as it’s proving that an idea is false.
Next slide, please. And just to run over the data which have been around for some time, but certainly Catalan Gate was entirely correct. When running through the dates of different entities and persons who had been subject to surveillance. But we have a lot of data without dates and of course, this is something, which takes up a considerable amount of time. And I can’t run through all the individual data. It’s going to take too long.
So next slide, I think it’s important to know that what Catalan Gates stipulates is that there are 65 people involved in the report. But what I’ve done is I’ve taken four examples because these are the only four examples for which Amnesty has published data from validated devices. So, I can only focus on those that because the information which we have from the others is really not very specific. So, here’s one of them, Professor Paluzie. And what you can see under the name is the additional information provided by Amnesty International. Amnesty International. Has been responsible for the MVT tool.
So, in the first column, you’ll see a series of events, iMessage, which is Apple’s own message line, which is encrypted. And while you are sending out an SMS, it may be encrypted, so you’ve gotta use that to another user. And what we’ve seen here is a series of processes and archives, and this is the version which is provided by Citizen Lab using Amnesty’s technology. And they believe that these are important enough to state that somebody has been surveyed and spied upon.
So, here’s the methodology. Methodology, which is the most technical part of this. But. I can’t go on without it just saying that MVT comprises a list of words, indicators, a list of domains which reflect messages and a list of suspected archives which it is believed Pegasus can use when spying. And what will be remaining from all this? So what do you do? First of all, you make an encrypted backup of the mobile phone. And then what you do is retrieve some of this data, you decrypt them, and then once you have decrypted the encrypted data, then you come up with the 200 words which I have just referred to.
So, what is Catalan gate? What’s it’s doing? As you know, we’ve got the 65 cases. Which are covered by the report and presented on the basis of the vectors of the alleged attacks. The previous speaker referred to these and talked about the first vector A, which is WhatsApp, and the second vector is to do with an MVT, and vector C is everything which has been forensically confirmed under Catalan Gate. So, everything to do with Candiru, which is in the fourth section here, is just so anecdotal that I haven’t gone into this any further.
So, we’ve got Vector A, which has nothing to do with MVT. So, it’s only the second two columns which are to do with MVT. Citizen Lab and amnesty recognise that they are not able to carry out forensic analysis on Android phones. So, they can only do this on Apple phones with iOS systems. Just let me remind you that we’re talking just about Android phones here.
So, Vector A, what happened? On the 13th of May 2019, WhatsApp announced a critical vulnerability relating to message authentication and integrity. And it included vulnerabilities. And everything to do with vulnerabilities you’ll see in my first annex. So, This number came up CVE 2019 3568. And WhatsApp very quickly started working on this and came up with a download patch which everyone one was able to install by the 14th of May. And then WhatsApp filed a lawsuit in the American courts. I’m not going to start discussing things with the previous speaker, but they referred not to CVA 2019 three five, six eight, but to CVA 2016 46578 which specifies that thanks to this vulnerability 1400 mobile phones were hacked, some of which belonged to journalists, to lawyers, etc. And I think it’s important to note that not even several days after this had occurred, the accusations were levelled.
Well, they’re saying that the WhatsApp network could have been used to introduce malware. And the same day this came out: Citizen Lab offered to collaborate with WhatsApp on 3568. And then the news came out that the president of the parliament could have been hacked and of course the publication stipulated that WhatsApp had confirmed this hacking. WhatsApp, however, did not confirm that there had been an infection. Despite what the media had said. And I think it’s important to note that Catalan Gate, they said that’s been an infection. But they don’t have any particular information coming into them from WhatsApp. Because this doesn’t really say anything. I don’t think the info that we’ve got here is really particularly valuable. I think that we have to assume that somewhere in the world, there is a list of the 1400 infections. We don’t know where it is, but it should exist. And how would WhatsApp know of the 1400 phones which had been infected, and how is it possible to move from that list of 1400 to Citizen Lab? And then how this has been included and the people infected have been included in Catalan Gate. And here we’ve got a series of questions which are important. I don’t have enough time, sorry, to go through them in detail.
Jeroen Lenaers (Chair): You had 10 minutes to make the contribution. I was lenient with the previous two speakers, but they stuck to more or less 12 minutes. You’re at 13 now, so I would like to ask you to conclude and maybe use the additional information you still have also in reply to the questions that you will most, most surely get.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Thank you very much. Next slide, please. Next slide, please. The Vector B is the domains that were used by Catalan Gate. The seven domains don’t exist when Catalan Gate was closed. Next slide, please. The “Forensically Confirmed”, that is a series of the ties which are linked to the findings. Which you’ll see on the table of MVT. And of course, all these situations could have arisen because of something entirely different.
So, this is the idea, apart from what I said about the domains, the different processes, here you’ve got them, you’ve also got them in annexes to, could be due to totally normal reasons relating to the operation of the APS in these major systems. And this is the last slide if. Yeah. Here we are.
So, we have completed this forgery concept, and the possibility of creating false negatives goes without saying it’s a fact. So, we’ve looked at in some cases, and Pegasus and some files of Catalan Gate collected and forensically confirmed it is not correct. And I think therefore we can say that Catalan Gate does contain so many errors that we could possibly describe it as a false document.
Jeroen Lenaers (Chair): Thank you, Professor Martin. Then I move to the Q&A with the colleagues here in the room. I have on my speaker list in ‚t Veld, Zoido, López Aguilar, Róża Thun, Bricmont, Ernst, Puigdemont, Riba, Cañas, and Solé. If there are no other ones, I close the speakers list and I’ll give the floor to our rapporteur, Sophie in ’t Veld first. Given the fact that we have about an hour and 10 minutes left, I would like to ask you to stick to two, two and a half minutes with your questions. Thank you.
Sophie in ’t Veld (Renew): Yes. Thank you, Chair, and thanks to all three speakers. I would like to address my first questions to Mr. Martin. I’m a bit surprised by your intervention because, quite frankly, you’ve basically dumped a heap of seemingly unrelated facts on us. And it is unclear to me what your what your I mean, what is it that you’re saying?
You’re basically saying that people are lying. That is not true. And I wonder why? Because we know Pegasus exists. We know it’s being used. We know the Spanish government has it. We know this stuff leaves traces. We know that Citizen Lab and Amnesty International have different system, different methods for analysing the devices and possible and retracing possible infections. So, and although we do not have all the final proof on the table, simply because the authorities flatly refused to cooperate. But I always call this in very simple, normal academic terms, that we have a jigsaw puzzle where we have, you know, thousand pieces. We have 900 pieces, 100 are missing, but we can bloody well see what it is. So, I’m really surprised by your by your intervention.
And I would like to explain what it is that you are saying. Are you saying that Citizens Lab is lying? And are you saying that the 65 targets are lying? And if so, I would like to understand why. And by the way, I am not a tech whiz kid, but I got a little explanation on this MVT system that you refer to. But that is not the method that has been used ultimately to detect the infections.
Then I would like to ask Mr. van den Eynde about the court cases. So, how does that work? You file a legal complaint and then the courts do nothing or nothing visible. So, what’s next then? I mean, is there a is there a time limit or can they just pretend the case doesn’t exist and leave it there forever? What are what are the next steps? Have you had you yourself filed legal complaints against you, against the Spanish state, against and also against whom and where? Where does that stand?
I would like to ask the last question also to Mr. Cembrero. Have you filed a legal complaint, and have you asked the Spanish government for assistance, maybe in your contacts with the Moroccan authorities, have you filed a legal complaint against the Moroccan authorities? And if so, what is the state of play of the case?
And the last yes, last question maybe, uh, to Mr. van den Eynde and maybe the other two also want to say something. How do you explain the three Canadian cases? Uh, and how do they compare to all the other cases? What’s the explanation for three people being targeted with Candiru? Or do we know of more cases by now?
And maybe finally not the question, but the statement to all, but in particular to Mr. Martin. Uh, the former NSO employee has testified that Spanish government has been an NSO customers since 2015. Maybe not necessarily buying Pegasus, but they were a customer of NSO. Okay, so it’s like, you know, they’ve been using it probably for a long time and others have said that it may well have been one of the first. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you, Sophie in ´t Veld. And we take the answers in the same order. So first pass the floor to Mr. Martin.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Sometimes it’s complicated to have simultaneous interpretation. I didn’t say that anybody was lying. So, I withdraw that from the discussion. Now fallacious? Yes. I said that there were errors which could have led to this. I said that there were errors, how it’s possible to reproduce the reasons which are being given to say that the mobile phones of Catalan Gates could have been infected or subject to surveillance. Now at no juncture, do we deduce that the Spanish government is spying on these people. We’ve been looking for seven months that something which may have happened, that there may have been abuse, IT abuse.
Now, what I said is something quite different. What we have seen is the media, which had to come up with significant reports. And I have been working on that. They talked about. 50,000 supposed infections. And this is what I’ve been looking at. It’s important to know that from an IT technical point of view, analysing the 65 cases of Catalan Gate with very little information which I had, referring to the four persons that I showed you without using the Catalan Gate hypothesis. And I think it’s important to know that the Toronto University. has one of the best computer science departments in the world. They’ve had the Turing prize, which is the Nobel prise in IT concepts. So, I am not calling the ideas head by this department into question. Of course not. I wouldn’t. But Catalan Gate is using some arguments which are not the arguments used normally by scientists. And that is something which can sow the seeds of doubt. Nothing else.
Jeroen Lenaers (Chair): Thank you Mr. Martin. And Mr. van den Eynde.
Andreu van den Eynde (Criminal lawyer and victim): About the judicial proceedings? Well, of course, they and they must do something. They can investigate something, or they can close the file. What I was stating is that it’s been half a year since we filed a complaint. And it’s really odd that having like 8 to 10 different courts, independent judges, no one is going is trying to step in. And I don’t know, like maybe just asking the NSO or CNI if they have Pegasus.
So, and I just wanted to denounce the different speed that we have if victims are on one side and we are like 65 or in the other side. But eventually we will reach a final judgement from this Barcelona court. And if they don’t want to investigate, then we will appeal. And we know already that if we have to reach international forums, we will have to demonstrate that we have activated all the resources that we have in a domestic and in our domestic area. That’s why we have filed criminal complaints and some colleagues have filed these data protection complaints that have been dismissed. We have asked the Ombudsman and we don’t have any response and we have sent emails to NSO. They haven’t answered. When we gather all this evidence of, you know, the air of Spain departing from the positive obligations to protect human rights, and we will have to go to the Strasbourg or whatever. I don’t know. And maybe we have we will, you know, and really have the day that most parents are going to feel like hope that we have the hope that maybe a single judge will start investigating the cases and about Candiru.
About Candiru. I cannot really give you a proper answer because I don’t have any clients that were infected as far as I know. Candiru has two main particularities. One is that they can hack into devices that are maybe more protected. I don’t know, maybe laptop or computers or personal computers. So, if the operator or the operator tries to spy on a device that it’s not reachable with, like the functionalities of Pegasus, maybe he has to use Candiru. Or maybe Candiru is used for one thing, which is to plant evidence, because we know that Candiru can plant evidence on a device more easily than Pegasus. And when someone plants evidence on a device, that’s what we call forced. That was the word that the professor used because he uses forced evidence, which in Spanish we call falsification, which is a criminal offence. So, I don’t know if lying is the word, but forced evidence is something very serious and Candiru can do that. And of course, maybe 50% of the Catalan victims are at the same time defendants in criminal cases against them. And we are trying to get some help from the courts in this case being defendants and saying, okay, maybe the analysed phones that you are using as incriminating evidence against us are have been hacked and there’s no court buying out that has endorsed this view and help us out in dealing with this case.
Jeroen Lenaers (Chair): Thank you, Mr. Cembrero.
Ignacio Cembrero (Investigative journalist at El Confidential): Now last July I play filed a complaint in the state court because after my name and my telephone number published in various European newspapers from the Forbidden Stories group as an object, as a victim of bullying. The court accepted the finding I’d made, but they archived it. The police analysed my telephoning, and they said that the report was ambiguous and that it wasn’t very clear if the I the malware of the Pegasus had actually been on my phone or not.
Now, according to my information, the police laboratories are not capable of establishing whether a mobile phone has been hacked with Pegasus not even if it’s a mobile phone like mine, which was Android. The only body that is capable of doing that, that it has the means to do that is the crypto law and the National Cryptologic Centre, which depends on the CNI, so from the Spanish Secret Service. Now I never asked the Centre to carry out my analysis of my phone, but I didn’t manage to get them to look at it. Meanwhile, I contacted the director of the National Intelligence Service whether they could send her my request so that her services can check my phone and I’d really be happy because they have the means. It’s the only body in Spain that is capable of analysing in depth whether a mobile phone has been hacked or not or whether it’s got malware on it.
You also asked whether I’d done anything with the Spanish government. Well, the government, this government and the previous one, the socialists as well, were totally ignored. This situation, this bullying I’m having to undergo this bullying by Morocco in private. Members of the government that I know personally and I know quite a few of them, they didn’t show any empathy with what is happening to me. I’m so and I’m so sorry about this. One situation, 2014, 2015, I think that the bullying was not only legal, but it was in the streets. I was being stalked, photographed photos that were then published in Morocco with also things that have been changed with people I was allegedly meeting. And at that time, they’d been somewhat active, not from the Ministry for Foreign Affairs, but the Ministry of the Interior Affairs, to look at this extra judiciary bullying by the Moroccan authorities.
I’d like to remind you, it is very difficult for journalists to work when since 2014, they taken to court four times by the Kingdom of Morocco. The first three I won the case. There’s a further one that is ongoing. They not because we for libel but for some medieval law which is really it’s harassment basically this this appeal that that the kingdom of Morocco has taken to the courts for the 13th of January.
Jeroen Lenaers (Chair): Mr. Zoido.
Juan Ignacio Zoido Álvarez (European People’s Party): Thank you, Mr. Cembrero, for your personal testimony. I want to say something. Did they analyse your phone physically or was it only remote?
And then as far as the Moroccan question that you said that recently, the number of spying has increased. How could you inform the diplomacy that is being followed by Spain in Madrid about this increase of spying cases?
And then I wanted to ask Mr. Martin I have some questions for him, too. Undoubtedly. Without wanting to judge, I would like him to answer very specific questions. What is the scientific basis of the amnesty stating that the proceedings correspond to actual Pegasus actions. Secondly, how do you explain that the report for Catalan Gate was that we did not announce the number of analysis carried out when it was carried out and there was no custody chain of the document then. Do you have any hypothesis or any explanation for this alleged victim? Why did they refuse the request to examine your phone in order to specify this if all these phones were infected? Why did all the victims refuse to have the phones analysed? And then how do you see that the neutrality of the of the link was actually by Mr. Alias, who was allegedly someone who had been infected by Pegasus sombrero.
Jeroen Lenaers (Chair): Thank you. Please, Mr. Cembrero.
Ignacio Cembrero (Investigative journalist at El Confidential): Thank you. Yes. Thank you for your questions. I took my phone physically to attorneys. I gave it to their lawyer who handed it over to the police so it could be analysed.
The second point, relations between Spain and Morocco. Whether they’re good or bad, well, that had nothing to do with the bullying that I underwent. I mean, I’m repeating four demands since the court cases between 2014 to date, one was a small problem. Then it became bigger. And then, apart from the constant insults in the Moroccan press, I repeat that it itself it doesn’t matter as stalking in Madrid, hacking my Facebook page. I was hit by the wheel of a car, was pushed into the road. And then these photos that that had been retouched. Now why and it is quite impressive that Morocco does is interested. I am not anti-Moroccan. It’s a country I like. I would go often when I could go with my family on holiday to Morocco. I have a lot of Moroccan friends there and many of them. Unfortunately for them, they’re exiled in Spain and in Belgium and in France of a United States. Nothing more.
Jeroen Lenaers (Chair): Mr. Martin.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Well, we’ve worked with the best of intentions right from the start. However, they were working, looking, using a hypothesis. Well, they had a lot of phones where they did. There was the suspicion that they’d been spied upon or hacked. Now, this. Well, look what you what the problem is that you have to be certain and you have to have a reasonable number of suspicious phones in order to be able to follow that route. And if you don’t manage to do that, sometimes things don’t work. On the other hand. We had to see various domains, processes, archives that were in common and this whole list of these allegedly infected links. And then it happens that if you process too much, there might be a certain agglomeration.
Now I have the there is the possibility, a hypothesis that may be and you have very important machines such as the Apple phones with many apps. And these apps use a lot of processes, and they all are very important to archives. Now imagine what happens when you do it with a phone system on your phone. You’ve got a set of websites. You have to change the processes. The processes have to be maintained when you do your backup. Now, you couldn’t run. That could be the risk that you would find some things in common. And your phone number. And they were quite honest when they thought that they’d been an enormous quantity. We’re talking 50,000 infected phones between 2016 and 2021. At the end of the day, when we’re looking at the Pegasus report that we’re dealing with now, they recognise that they reach 67 phones, and they identified traces at 37. I remember the decision of the Indian government to do a recall, to call all the people who were involved. There were hundreds to take their phones. About 20 odd people took their phones. And of the team that decided reach about this, reach the conclusion that there could have been malware on five phones without being able to state that it was Pegasus. Now, there was something someone said earlier, and I want to go back to this a real reality. We are not scientifically possible to say that a phone has been infected with these new spyware. Unfortunately.
Amnesty says they could do it now imagine even Apple has taken its new operating system this summit is the first one involved now the new OS they keep the lock down mode which deals with the messages that are checked. So, so your web browsing is limited, functions with your computer don’t work that if you can’t maintain the configuration. In other words, the problem is so severe, the security problem is so big. And I accept what this commission, this committee is doing, but we’ve got no solutions at the time being. This leads me to say that. Well. Maybe a bit a bit optimistic when you identified infected phones.
Then another question that was made and not you sure about this is what happened in Toronto. Well. I would like to remind you that we’ve gone through a rather difficult period. In maintaining scientific connexions. You’ll all remember that the FDA and the United States worked under pressure of a certain reality so harsh that the drug wanted a vaccination before they were any solution, and he wanted to maintain the scientific lines of what was going on. Now, the Toronto team possibly didn’t do this because there was big pressure brought to bear, a lot of pressure. That’s the 17 communication media. I think it’s fantastic media. I read their report. There were 17 and when they produced Catalan Gate, we looked at these results without going through all the ways in which we scientists communicate. I had to revise it. And then amnesty can’t revised citizen. Amnesty can’t say that Citizen is watching them, and citizen can’t say that Amnesty is watching them. And that’s where you get Catalan Gate. Now, here, what happens is that they’re not proving what they are wanting to prove. Not exactly. And that’s the situation.
Jeroen Lenaers (Chair): We unfortunately have an issue with the timing. And there are many other members that still want to ask questions. So, we also ask the panellists to be as brief as possible in their in their responses to the questions, because otherwise we unfortunately will not have time to also do the second panel, which is very interesting. Now, Mr. López Aguilar, on behalf of the S&D.
Juan Fernando López Aguilar (Socialists and Democrats): This is a hearing here in Spain. I’m going to speak Spanish, given the three speakers are Spanish. Now, I’d like to ask the question first to Mr. Cembrero and then to Mr. van den Eynde. And finally, Mr. Martin, a couple of comments.
Now, in a hearing, the objective is not that, we are not putting in doubt your credibility. We want to show gratitude and respect for this. Now, bearing in mind that the objective of an investigative committee is that you start from the standards for the protection of personal data. This covers everybody in privacy in European law. After having listened up to here, we reach a conclusion that if the spyware and whether the spyware and Pegasus is compatible with what has been with the Declaration of Human Rights as itself, and that’s the objective. We want to see whether it’s acceptable.
But I want you to ask Mr. Cembrero, I’ve known him for a long time, and I’ve known him for many years. And I’d like to ask you first of all, you considered impossible this idea that the mobile phones of the members of the government was spied upon. And yet at the same time, you indirectly said that Morocco is behind all this spying. So, on the one hand, the report is unbelievable. And secondly, you are mentioning Morocco. Now, I know that you know Morocco. But my question is, many investigations do they show that Morocco is the author or is it just a conclusion? You have reached that it can only be Morocco? I don’t talk about the legal basis. The question of Morocco, does it have a legal basis compatible with European law or is it in violation of the law in Morocco itself?
And then I go to question for Mr. van den Eynde. If you give us the story of the secret legal situation to try to get the responsibility for other spying. Now, I understand the law, and I know that the law of 2015 and the criminal law as well, the concept of the law states quite clearly where you can legally follow communications. Now, this is in order to have an investigation to proceed, not only must it be denounced, but they’ve got to have a minimum basis of criminal clues that to give a basis so that they can investigate and allow this on specific people.
Then I have a last question with Mr. Martin. Is it technically possible that this expansion of the bugging that CNI did could take place by infection?
Jeroen Lenaers (Chair): Do you, Mr. Lopez? I guess I’m sorry, but we cannot all take 4 minutes of questions. Here we are, ten members of the European Parliament that want to ask a question. So, you take 4 minutes, which means that other people will not be able to ask questions or the members that we have invited will not be able to answer. I ask for a little bit of respect to the rest of the colleagues and to the procedures of this committee. So first, Mr. Cembrero, please.
Ignacio Cembrero (Investigative journalist at El Confidential): Thank you very much Mr. Lopez.I didn’t say that. It is unbelievable. It is not accepted. I maybe I didn’t express myself well, but I’ll try and explain better. What I said is that you cannot believe that the hacking of the phones of three members of the party, of the Minister of the Defence, the Mesopotamian Affairs, took place in April when, as it was stated in May. No, it is not. You can’t believe it. It was the previous year when it was discovered.
The problem is that the Minister for External Affairs, who was a minister up to July, said in an interview with a Spanish newspaper published on the 7th of June that her boat had been hacked by Morocco and it had been hacked at the spring of the previous year and when she was hacked, she pretended when they hacked the mobile phones of all the members of the government and why they discovered was it was not made public at the time, probably because it was there was probably a question of political opportunism. It was made possible it was made public of the 2nd of May this year to make it coincide probably with the Catalan Gate. I would send you the interview that the Minister gave where it is clear that the cryptologic call centre discovered the hacking of the June of the previous years. Now do you think if it had been discovered the previous year that they did not see the other mobile phones? Of course they did, but they only mentioned it nearly a year later in announcing this decision for pure questions of political opportunity that.
Andreu van den Eynde (Criminal lawyer and victim): I could be brief. Of course, a criminal investigation has to look at the fact that that is the criminal case now. And they started this by saying that they were that it was clear that there were criminal cases. It was not a lack of clues. Now you start the investigation. You look at the law, 2019, it states that that it has the three objectives. Look at the scope, the facts, protect the victims and find the author of the of the crime. Now, the causes are neither protecting the victims, neither looking at the facts, nor are they seeking the author. That’s it.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Very briefly, I agree with something that President Puigdemont said a few weeks ago here. 18 people were recognised as hacked. There’s no reason to think that it was done in piecemeal, because I would say that none of the administration said this and there’s no proof. What we had is that the that the timing that the 18 were part of the 65. Now, this is the point that we want you to make clear. We’re done for from a legal point of view. So, I don’t really understand that. Mr. López Aguilar’s questions. There probably are possibly different things that talking about.
Jeroen Lenaers (Chair): Róża Thun.
Róża Thun und Hohenstein (Renew): So first to Mr. van den Eynde, can Candiru possibly place forged materials on the device as we know, because was probably also. And the question is, have you ever seen anything of that kind? Any evidence that pops up on your devices or not, for example, in any of the court cases, have you? Do you have any evidence of this?
And to Mr. Martin. Now, you said that they use arguments which are not used by scientists. Well, you didn’t use the word lies, but you used errors. But they also said that there were 50,000 of supposed inventions anyhow. The question is, do you not recognise at all the expertise of the Citizens Lab because I have the impression you question only the Catalan Gate and the it’s not only the Catalan Gate. Do you also question all other cases we have here, many in this room. Do you do you not recognise any of them? Thank you very much.
Jeroen Lenaers (Chair):Thank you. And we’ll start with Mr. van den Eynde.
Andreu van den Eynde (Criminal lawyer and victim): Thank you. Well, I’m. I cannot know. Amongst all the people that are being charged for the Catalan referendum of 2017, they are still charged and facing trial. I don’t know if they are allegedly saying they have planted evidence on their devices because everyone is a case. So I don’t know and maybe it’s not even secret to know that.
What I know is that some of them have asked their courts to allow them to double check their devices that were seized when they were arrested. And just like I think it’s like maybe one or two weeks ago, Mr. Jové, who is facing a serious trial in the High Court of Catalonia, was denied access to his own phone to make a counter expert witness report saying that well and well and I will have to add, this phone that was seized in this investigation had this previous strange history because it was sent to Germany to celebrate at premises, you know, celebrate this another company from Israel. And it was one year there with no chain of custody whatsoever. And we are still asking who kept the phone of Mr. Jové one year in a lab in a private contractor of the Spanish police. And we don’t know it yet.
Jeroen Lenaers (Chair): Thank you, Mr. Martin.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Is it my turn? Mr. Chairman. Yes. It’s a very difficult question that’s being put to me. I have only analysed Catalan Gate. If you’re asking me if this covers the entire world, then I need time to prepare my information and to look into it. But it is clear that, in accordance with the methodology and the concept which has been designed, I suspect that the Spanish government has not used Pegasus for what it is accused of using Pegasus for. But we need to look into the methodology used by Citizens Lab and Amnesty. When they criticise certain democratic processes.
Jeroen Lenaers (Chair): Thank you, for the greens, Saskia Bricmont
Saskia Bricmont (Greens): Thank you very much for your interventions. Mr. Cembrero. I would like to ask you a question because you said it’s surprising that NSO has not been brought to courts and not been investigated, even though Mr. Sanchez was allegedly spied on. And could you develop a little bit further on what you think the explanation is? Is it possibly because Spain is a client of NSO? Is it for diplomatic reasons? As a victim yourself, can you also develop the effect it had on you, on your relations, on your work? We’ve already met with and discussed with several victims testifying of the chilling effects. I would like also to hear you on this.
And how would you also explain this? Two different speeds on the case of President Sanchez on the one hand and the Catalan Gate on the other hand to Mr. van den Eynde. Thank you also for joining this hearing. I think it’s really important to give the victims a voice as well a bit in the Catalan Gates case. But in other cases, I would like to ask you to develop a little bit further on the current legal framework in place or not in place in Spain, on the oversight mechanism that is in place because CNI need judicial authorisation for its surveillance activities. It would be interesting to have those judicial mandates in the case of at least the recognised cases by the Government. There’s also supposed to be a parliamentary control by the Official Secrets Committee of the Spanish Congress. So, it means that members of the Spanish Congress are supposed to be aware and are not following up properly on this. And also from your side, could you, as a victim share with us effects it had on your work, on your own work, and your relations with your clients?
And finally, to Mr. Martin. When we received as committee members the letter of several stakeholders warning us about the invitation we sent to two people, including you and Mr. Olivers, I wanted to investigate a little further myself before to react on this. And I have to say that I found links with people your own work is based on. And those people have been highly contested and also dismissed from their own duties, I refer to Jonathan Scott. At this stage of our own work as an enquiry committee, we’re not enquiring on the existence of Pegaus or discussing if it exists or not. And NSO and governments recognise its use and NSO also confirmed in front of our committee that Pegasus leaves traces. I know chair the time is running, but I think it’s important that I hear some members wanting to rely on what has been said by Mr. Martin, but all the arguments advanced by him can be contested.
Jeroen Lenaers (Chair): Thank you. And we start with Mr. Cembrero.
[01:29:21] Ignacio Cembrero (Investigative journalist at El Confidential): Thank you very much again, Ms. Bricmont, for your questions. I think that we don’t understand why the Spanish government hasn’t filed a lawsuit relating to the hacking of mobile phones of three government members, nor why they haven’t filed a case against NSO, because it is the Secret Services who did determine that the three mobile phones have been infected by Pegasus, manufactured by NSO, exported outside Israel, for which an authorisation of the Ministry of Defence is required.
And I think that what it should do is to actually protest about this to the government of Israel, as the French President, Emmanuel Macron did. So why wasn’t that done? Your initial reaction is the announcement of the hacking of these mobile phones of the three government members, which is a certain. It’s related to an internal Spanish political operation. So, in May, June last year, when this discovery was made, it was in May. That we saw the Catalan gate erupt. And I think it is unfortunate that unlike France, the Spanish government didn’t negotiate with the Israeli government to ensure that malware wasn’t introduced by Israeli companies into Spain. France, since summer last year, has ensured that French mobile phones cannot be infected by Israeli manufactured malware.
But the Spanish government, despite the fact that three mobiles of important members of the Spanish government were infected, has not done the same thing. It’s very complicated. When you have an infected phone, you need to tell a lot of people. We as journalists, of course, do that immediately because we want to make sure that everybody knows about it, because there’s a lot of information in there, a lot of exchange of mails, etc., and it complicates the work of a journalist considerably. And I think it’s very unfortunate since I tend to private companies. And they did a lot to help me. But unfortunately, those who more or less are in charge of the central encryption centre didn’t lend me a hand at all. When they are able to detect the malware and thus provide subsequent protection. So, as I’ve said before. You’re going to hear from the director of the Spanish national intelligence agencies shortly and please ask her if she is going to use her ability to help defend us as journalists. Thank you very much.
Jeroen Lenaers (Chair): Thank you, Mr. van den Eynde.
Andreu van den Eynde (Criminal lawyer and victim): Well, I’m not fully comfortable in giving an opinion about legislative actions that could really make an advance in this secret, official secret regulation that we have in Spain.
So, the only thing I know is that we have a law from Franco era regarding official secrecy and that there’s no legal way today to make Secret Service accountable. Apart from a criminal proceeding. So that’s why we are so obsessed in asking for help from criminal proceedings, from criminal courts. Because, of course, in Spain and everywhere, you cannot give the excuse of the official secret to commit a crime. So, if this is a crime, if hacking into a lawyer’s phone, which is, of course, a crime, because you cannot do that. And then I. I will I have to ask for help of the judicial system. That’s the only way we can do.
And then, of course, there are legislative measures that maybe the MEPs could say what they have to do to amend the law and about the effects. Well, I have to say that when you know that you have been hacked with Pegasus, which means that they have extracted all your data from your phone, which is all our life, because there is no other place in the earth where that much private information is stored than a smartphone. They have restricted everything from me, my family, my clients. And of course, that affects me, affects my client, attorney privilege, whether my clients are politicians or not. And the only thing that I made was to perform a professional activity as a criminal defender. So, of course, this is shocking. And of course, it’s shocking when you know that it’s so why it’s so widespread.
Jeroen Lenaers (Chair): Thank you, Mr. Martin.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Yes. Please. Could you put on the first slide of my presentation if it’s possible? And while you’re doing that, I just want to say a couple of things. I’m saying this because what has been levelled at me is something which is really calling into question my approach. I’m 72 years old. I’m not going to get angry, of course. But quite honestly, if people are levelling things against me, which are not correct, I don’t like this. Just a couple of things.
What I’m saying is that the technologists can’t necessarily respond to the technology which has been developed by NSO through Pegasus, this is of great concern. And what is even more of concern is that we don’t know how to do this in Europe. And therefore, we depend on what Facebook and Apple do. And finally, the major concern is that I still don’t know what my government has based itself on to say that there has been Pegasus spyware used. And perhaps we are going to hear more about this by the boss. The boss representing me in a democratic state.
Jeroen Lenaers (Chair): Cornelia Ernst.
Cornelia Ernst (Left): Thank you. I am delighted to have this discussion. And firstly, to Mr. Cembrero, it’s quite impressive what you’ve just been saying. You as a journalist have suffered quite a lot of disadvantages. And I’m interested in this very interesting question and that you note, you know, Morocco and the relations between Spain and Morocco not doing too badly at the moment. Possibly this has to do with the fact that the EU in Spain is actually utilising Morocco for their own ends in terms of migration policy. But are we talking about cooperation here in terms of fighting against smuggling? Can you see how this might be affected and impacted in any way?
And secondly, I think it’s also good to see Mr. van den Eynde are here with us. And I know very often, you know, it’s really, really impressive to see when people get to journalists and so on. And we’re talking about legal cases not being joined in certain cases where there is an obvious connexion. Why do you believe as a lawyer that this was done? The investigative authorities are doing nothing, as you said. Why is this the case? And can we also say that de facto there is in Spain no judicial control over this type of spying? To Mr. Martin, I’m a bit unclear. You talked about forgery in terms of what Citizen Lab and Amnesty International presenting that we have falsification of proof. But then you said, no, they weren’t lying. What’s wrong? Was a mistake made or several mistakes were made? I don’t know. What is the situation? And has there been an independent forensic investigation conducted? And if we don’t have a government behind spying on journalists with Pegasus, then who is behind all of this? How can this all be explained? If it’s not the Spanish government, then who is it that is carrying out this spying? Thank you.
Jeroen Lenaers (Chair): Let’s start with Mr. Cembrero. You have the floor.
Ignacio Cembrero (Investigative journalist at El Confidential): Thank you. Thank you again. Today, the relationship between Morocco and Spain is excellent for the time being. It’s a. Excellent. Since last March, the Spanish government then changed their approach to what’s happening in the Western Sahara and followed the position of Morocco, which is suggesting limited autonomy but still under Moroccan sovereignty. So at the moment the relationship has improved considerably and the Spanish government is not going to allow anybody for the time being to disturb this situation because we have a serious crisis going on with Algeria. The Algerian authorities were informed about Spain’s change of position on the Saharan conflict. And then we find that Spain had changed its approach. It had adopted a neutral approach. And of course, we do have this issue of illegal migrants, particularly on the Canary Islands. And this is something which is very difficult to regulate. And Morocco’s, since April, has actually made an effort to control the illegal immigration to Spain. Well as a journalist, as far as I’m concerned, and relating to the harassment which I have been through from the authorities, this is something which has happened to many journalists. When talking about Spain’s foreign policy, and this is reflected by the fact that the Moroccan government has challenged me in terms of having been hacked, supposedly. So this, as I said, is the fourth time that a lawsuit has been filed against me. And it’s becoming quite normal in my life. We have. A situation which I don’t find at all normal, and that is that a neighbouring country can harass a journalist of the country next door, which is what they’re trying to do is to harass me so that I don’t pursue what I am doing. And what it reflects in fact is harassment of many journalists who are doing what they don’t want them to do, above all investigative journalists.
Andreu van den Eynde (Criminal lawyer and victim): The judicial proceedings are not like going fast or in a proper way. I will try to stick to the facts because everyone is talking about the facts and hypotheses. Okay, let’s go to the scientific methodology. The fact is, no court has done anything. That’s a fact. The prosecutor’s office is not endorsing any investigation, and that’s a fact. So, I don’t know why. Maybe, it’s really tough to investigate Secret Services. Espionage. Maybe that’s the reason, but I will stick to the facts.
So the facts are that it means the Diana Riba had a phone call with her assistant, and then when she hang the phone, received a call and the previous conversation was recorded and she could hear it again. And that’s a fact. So someone recorded their communications and that’s a fact. So the problem is, do we want to know what happened or not?
And then about judicial control of secret services. Well, we have a law. So in theory, there’s a judge in the Supreme Court of Spain that’s authorising their activities. But if we go to the scientific methodology, because Mr. Martin says that this espionage was authorised, then my question is, how can you say that if no one has seen the judicial warrant? And that’s a fact. So no one has seen any authorisation from a judge to hack onto phones or so why is that? Someone is saying that this is legal. Maybe we should see the judicial warrant before. So the only thing we are asking for is information.
Jeroen Lenaers (Chair): Thank you very much. And then, Mr. Martin, you also have the floor to reply to the questions.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Thank you. Thank you very much for your comments. I’m going to try and be as brief as possible. We’ve been talking about spyware, Pegasus and Citizen Lab. Well, I haven’t been spotted by Pegasus, thank goodness, because they’d know a lot more. But the Catalan gate issue, if necessary, can be explained by using the hypothesis of Pegasus nothing else. So I’m not denying that it comes from Pegasus. But doesn’t seem to be the most likely to me.
Secondly, that Citizen Lab has lied. No, no. I didn’t say anybody’s lied. Not at all. I said that catalan gate, Citizen Labs, sorry. Uh, when they described Catalan gate, didn’t actually follow the necessary rigorous approach. This wouldn’t actually go through any academic filter. When looking at how the phones had been hacked? No. As I saw in the intervention that we’ve just heard. Well, it is agreed that somebody has been spying. And one of the what we find is that telephones are not infiltrated per say. In the. The digital era. This is not how spying is carried out. So how am I going to be able to discuss with a lawyer whether this has happened or not? We need the necessary information which stipulates that there has to be a legal authorisation for the phone to be hacked, for spyware to be used.
Carles Puigdemont i Casamajó (Non-attached): Thank you, Chair.
First of all, the first question I’m putting to Mr. Cembrero. You’ve given us a broad outline, but could you tell me a little more detail? A little more detail how you see the way in which Spain has dealt with this vis a vis Morocco? Is it internal policy or what? We’ve talked about the ban on the use of Pegasus. We talked about France, which has managed to succeed in this. So if you’re looking at this technology, do you think that this is a technology which is used from one country against another? Or do you think it’s also a technology which is used within the country to spy on citizens?
Now, on Morocco, a lot of colleagues that are going to put this question, I think, to the intelligence agency, which is coming next. But. So did you give your telephone to this centre so that they could verify that this particular report that you had given was true? No. You have legal authorisations which have been given for the use of. And this is something which may be used to confound the idea that Pegasus spyware had been used. And how do you explain that? All the experts, the security experts, actually deny the results of citizen lab and Catalan gate. They say that Citizen Lab came up with this reports under pressure from the media.
Finally, well, a standard from the Spanish judiciary system and also from the ombudsman’s office. Could you explain more concrete the reasons there is a political reasons that explain this behaviour. And finally, why a Catalan victim is treated differently than other victims. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Puigdemont. And we’ll first go to Mr. Cembrero.
Ignacio Cembrero (Investigative journalist at El Confidential): Yes. Your questions. Yes. First of all, the idea that we have seen different postures from different Spanish governments and now we’re looking at the current one relating to judicial harassment by the Moroccan government, I do think is related to the idea that they want to keep good relations with the Moroccan authorities. Let me remind you that lawyers linked to Morocco said to the foreign minister and his cabinet and they made their case in front of a Saragossa judge. And the Spanish government didn’t show any solidarity at all with those who had been harassed. And in fact, these were people who were linked to the secret services of Morocco. And this is something which was published in El Pais newspaper in summer. So I don’t have any problems with Morocco, as I said. And the Minister of Foreign Affairs was certainly not going to be giving a helping hand in this respect. And neither have they in my case. No.
Did I give my mobile to the Moroccan authorities? No, because I don’t think that Morocco is a state based on the rule of law. So therefore, I would not hand it over. And furthermore, I feel also that the police forces don’t have the ways and means to carry out a proper forensic analysis of an Android to determine which phone which has been affected by Pegasus. The encryption centre in Spain is the only centre which has that possibility today, and at least from my view as a Spanish journalist, that’s the only place that can do this.
Well, the idea that Israel shouldn’t be able to sell its spyware, I think should be something that applies to every single country of the European Union, because now we’ve seen success with France and also with the United States in the EU. They cannot, in fact, mobiles, which start with the number plus 33. Israel or NSO, with the authorisation of the Israeli Defence Ministry, has sold its products and its malware to countries which don’t have the rule of law and which use this malware to spy on activists, politicians, investigative journalists, etc..
Jeroen Lenaers (Chair): Thank you, Mr. Cembrero and then we move to Mr. Martin, you have the floor.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): I’ll try and be brief. President Putin. You must have misunderstood because I think you said clearly that Pegasus was not used for this type of espionage. Juliette, now you’re saying that it isn’t like that. I’m not going to discuss you. Argue with you. You said it, but it appeared that the excuse set out was used when Pegasus was used. Now. It doesn’t really matter, Betty. If we go into the second point, it’s the second time that a blackout alone in front of danger. One said that there was an argument at first. So and now you’re saying something a bit more that all the experts and cybersecurity that are in favour of citizen lab and that I I’m a and someone a black sheep who comes and is saying that that it’s not 100% certain. Now, I don’t think that there’s any expert in cybersecurity who will state that that cities that what cities love is engraved in stone as far as Catalan gate is concerned. Catalan gate, we have four cases and those four cases can be explained through other mechanisms. When you want, we can talk about this and we discuss this and you will understand that will make it’s very difficult for me to discuss this with you and as an argument authority. So in this case. I’m sorry.
Andreu van den Eynde (Criminal lawyer and victim): Well, it’s tough to talk about this double standard. So. Well, I have to revise the last five years, you know, Spanish courts have changed all the laws that laws that we know regarding substantive criminal law, procedural law to fight this political movement. So. Well, I think that’s the the double standard, I guess. I think a representative of the Spanish government said in the parliament, what should we do if not spying on them to fight secessionism? So I think that’s the that’s the case. The only problem is that this sacrifices human rights. So while we cannot assume that this is justified.
Jeroen Lenaers (Chair): Thank you, Mr. van den Eynde. That concludes the first round of speakers on behalf of the groups who are already 15 minutes behind schedule. So we have three more members who would ask for the floor in a second round, will collect the questions and then let the guests answer to all of them at once. And we start with the energy bar or vice chair.
Diana Riba i Giner (Greens):
Okay. Thank you very much. First of all, thank you for being here. Other people have been invited to the first panel to talk about Catalan Gate. Now I have some very specific questions.
First of all, yes, you said that CNI is the only one that has the technology to see whether a phone has been bugged or infected, either by Pegasus or other spyware. Now, you have studied this case. Do you know what technology CNI is using that will hopefully direct it the next battle? But do you know what type of technology that they use to identify spyware?
And my second question for Gregorio Martin, you based all your investigation on the cases that appeared from Citizen Lab. Now, you said that technically or scientifically, you can’t prove anything. I would like to ask you, did you see the reports, the electronic report that appeared all criminal cases or for those who were victims of Catalan day, because that was scientific proof that they were spied upon. Now, did you see the reports personally for your study, for the study acted? And secondly, you also said that there were 18 legal cases of people spied, but the Spanish state in Catalan. Now, did you see this because of this committee? We didn’t see the papers of. I haven’t met anyone who’s actually seen these reports.
Then, could you explain a little more? The question of these independent spy was that are carried out at the in the criminal security case.
Jordi Cañas (Renew): Thank you. Now, first of all, I want you to ask Mr. Gregorio a question. The difference between a thesis and hypothesis is that a thesis has to have been proven, whereas the hypothesis still has to be proven. Now, the scientific method states that a hypothesis can be demonstrated, it can be proven, then they become the thesis. So you have to have the if you have the hypothesis, that can become a thesis. Now, if you follow me, what you are saying is that the analysis submitted by Citizen Lab can’t be verified nor analysed by the peers. Basically a key element in order to go from a hypothesis to a thesis no one can prove. But it is of the same thing that the thesis states does something have to be validated scientifically and reproduced and verified by its peers? If yes, that’s what I want to know.
Secondly, about positives…for instance, there were there were 24 false positives that had been identified, for instance. So could there have been some false positives? And that’s it. Nothing more. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Solé.
Jordi Solé (Greens): Thank you. I’m going to start with Mr. Martin. On the one hand. You state that you have that you suspect that there were technical errors in citizen lapse reports and Amnesty International’s reports because they did not follow a follow a rigorous rules of the same type, though you say that there’s not much information available and acquiring the information is very complicated. Now, I’m not a scientist like you are, but I told me something about the scientific method. And one of the things the scientific method is based on is that to reach a conclusion such as yours, you need proof, you need a solid proof, a test. And from that proof you can get clear results. Now, I think here that you spoke about four cases and you said that the information of these four cases is very little. So could you explain this to me? How can you reach conclusions that are so firm in the sense with such a weak test, weak proof?
Now, the second question, a question to Mr. Martin, a comment that I found surprising. You said, I think twice that the Spanish government had itself accused itself unless I missed something. But that’s I don’t think I. Well, as far as I’m aware, the Spanish government has never through any spokesperson admitted that it was behind all these cases, the 65 cases of spying in the Catalan gate. So I want to know, what you base yourself and say that the Spanish government self accused itself and why is that this need. You said it in an article to pursue the Spanish government to reach these conclusions. Whether the data and the proof from citizen lab are very weak. I don’t understand why the Spanish government feels this need to come and support you then for Madrid, but denied you said. That Judiciary enquiry is that the Ombudsman didn’t do that. The data protection that we do is not helping. So you as a victim and a lawyer, what do you think would be the right judicial investigation in this specific case? And then which mechanisms of human rights compliance are left to the victims? If you are abandoned through the proceedings that you have the court render going.
Jeroen Lenaers (Chair): And we will take them in the reverse order for the answers we did in beginning. So we start with Mr. Martin, please. You have the floor.
Gregorio Martin (Emeritus Professor of Computer Science, University of Valencia): Thank you. I hope I’ve written down everything and I’ll be brief now. Question from Madam Riba. Yes. If I read the documents that accompany the criminal case, criminal proceedings, and whether I read the judge’s ruling, it’s right for you to say this. But you know the response. How can I read the judge’s order if it states that only some delegates can know the response? The answer is no. This is an element that we’re going to analyse. Of course, I haven’t read this. So don’t blame me too much for not having read them. But that’s the point.
Now, as to the question of how this is a thesis, it’s quite obvious that in order to confirm a hypothesis in a thesis, they need experimentation. This experimentation has to follow a rigorous and reproducible methodology.
Now, as to false positives. Careful. What I’m saying is that each. Well, you can go from a phone, say my phone when compared to another phone like we are assuming that it is working with a third one. I have infected this phone and then I gave it to the tests and I did tell they told me that it was infected and it was not Pegasus nor the phone. That was expected. It was a thought that I could study. That is false. It states that it is positive. It gives you a positive response because it says that, yes, that it is finding the words that show that there is an infection, that it is bugs, but it’s false because the infection didn’t take place. This happens.
Especially. First of all, with domains. But the new thing that now is with archives and processes that we assume. Are associated with this.
Now for Mr. Solé. I don’t think I’ve explained myself well. I didn’t say only four cases. This focus is amnesty. Because if they take in the 65 cases with the details the others used, we could say something else. But the details of the Catalan Gate and I assume, you know, this is a simple lie. So who’s the president of this or that who was attacked and so forth. And that’s all. Fortunately, Amnesty extended all this and that’s why they are saying they gave you an X to where you have the whole. So what? They put out one eye lipstick, what amnesty has taken and the conclusion that they could reach. So. I’ll take the conclusions. And I repeat, I’m only exclusively talking of Catalan gate. And all we know about this.
And ultimate being self accused. No, I didn’t say that the government self accused itself of the 65. No, I’m saying the government of the 12 of the two of May, self accuses it by saying that it was spied upon by we don’t know who and that is there. And that really concerns me because in principle, the only one who could say this, according to the press, it would be Morocco. Now, bear this in mind that if anyone is spying, the Spanish state using Pegasus is because they own a Pegasus. They have the Pegasus. You assume that only certain people have Pegasus. Now, we’ve spoken a lot about Morocco, but what also happens is that I don’t believe that CNI reaches this conclusion because it knows that Morocco and some other customer has spied upon the Spanish government. What I think is that the Spanish government could have reached this conclusion by using the MUVT methodology that was used for Catalan gate. So excuse me, I can’t believe that my state has used the same method that Catalan, that citizen lab has used for Catalan gate. However, I don’t know, I would be interested to see what happens in the second panel. It has to be clear what I have said.
Andreu van den Eynde (Criminal lawyer and victim): Well, I will address this in Spanish. Now, the information we have is that the MUVT method was used by the national authorities. So as far as I know, they applied the same method as Amnesty International, not Spanish amnesty.
Now, here, I think there’s a basic confusion here. We don’t know much about technology here. It’s as if the judicial cases were based on the citizen lab reports. Now, Citizen Lab has the most advanced methodology I’ve most developed to identify Pegasus. So they are the only ones who could detect something that was undetectable. But there are other tools, and in all of the court cases, we carried out a test that Mr. Martin can’t see because of that part of the legal proceedings.
Now, this is carried out using a certain methodology, using all the international rules, chain of custody, etc., and it’s verified with a hash algorithm within a compartment which is digitalised. It’s checked by a notary, it’s submitted. It can be reproduced ad infinitum. I’ve been explaining this for 20 years. How to damage proof. Now they follow all of the international standards, and that’s what we’ve done. It appears that no one in use that we saw have problems of independence. And now, of course, it’s the first proof we have. We’ve got Citizen Lab amnesty and that of our expert. You’ll have the same curriculum, you know, that we have this proof.
So it’s a say it’s a presumption to think that we’re talking about magic here, because in cybercrime, it’s very easy to say this is all complicated and it can always happen, that it’s a false proof, but that you can’t say this in the cyber world, we’re talking one zero. It’s a binary system. We’re looking at a system that communicates using a certain infection vector with the dominion. There’s data extracted, there’s a domain, this domain that can be extrapolated with various servers that are operated on but are used by NSO, and that’s what we’re doing.
Then I go to the second part. It’s not clear if the proof is so complicated. Why don’t we investigate like we did in our lives? But I’m not asking. I trust the investigations we carry out. But there are other traditional ways, which is what discovered all the spy rings and CNI and Pegasus of the last few years that are the testimonials, documents of the whole lifespan span.
Now I continue with the questions, what has this to do with the investigation? You’ve got to ask who knows who has Pegasus now? It’s very difficult as the Court of Auditors, the joint committee, the Congress, parliament, you asked them, do you have Pegasus where they answer, you say, where have you use Pegasus? Why can’t we ask them directly? If it’s a crime, until they prove that it’s legal, we presume that they’ve hacked a mobile phone in any criminal case. You say that you have a mobile, you have a right to investigate these facts, a conclusion.
There’s a last step. If we can’t do that, we can’t carry out the tests and human rights. So we’re going to say to Strasbourg that the Human Rights and Convention doesn’t it doesn’t apply when they’re bugging your phone because we can’t investigate. So we don’t know whether there’s a law that looks at it. If there’s an A and an essential social, there’s a social element. Those are the three crimes. So the court in Strasbourg can’t protect us against government spying. So that’s all there is.
Ignacio Cembrero (Investigative journalist at El Confidential): I’ll be brief here, there’s not much time. I respond to Madam Riba, I’m not an expert in cyber security, and I don’t know what technology the crypto national cryptologic system use. It depends from the CNI. What I do know, though, I know because when my phone was supposedly infected, when my WhatsApp appeared in the press, the Moroccan press, I consulted with various Spanish experts, experts in cybersecurity who live in Spain and even in other countries. They all said to me that the police, the National Police Laboratory was well equipped, but it could not establish whether my phone had been bugged or not by Pegasus. Mine was an Android phone. The only one who had the necessary technology to do this was the National Cryptologic Call Centre. So I repeat this. I did not have access to them.
And I’ll say this for the third time, I would like you to ask the director to open it to the journalists, or at least should we who having to submit the harassment of a foreign power and. There’s a thing I would add that you didn’t ask the judiciary authorization: are there warrants to spy introduce Pegasus and that mobile’s of 18 Catalan independent politicians. Those were proven in the Committee of Official Secrets of the Congress. By the previous director to the MPs who were part of this committee where there were various nationalist Catalans. So I don’t know. It was not proven at the committee here because they don’t have the requirements. But it was showed within that committee of the Congress in Spain. Nothing more.
Jeroen Lenaers (Chair): Thank you to all the speakers. That concludes our morning panel. Just one. One general remark from my side, because one of the panellists asserted that the only way we can ever be certain of the use of spyware is by getting that confirmation from the perpetrator. And now we’ve been working in this committee very hard for six months.
But the ones who do not want to engage with us are the ones perpetrating. So in the absence of cooperation by member states, governments, etc., we have to rely on the technical expertise of the technical experience of renowned institutes like citizen amnesty, the experts of Google of matter that we have spoken to. And in the absence of any kind of cooperation, we will have to rely in the future as well. So thank you very much.
We’ll have a short break now before we start the second panel at 11:30. Thank you very much.
Jeroen Lenaers (Chair): If it everyone could take their places again. We will start with the second panel of this session. Thank you very much. Yeah, let’s see. Okay. Thank you, everybody. Also, our guests. If you are wanting to stay for the second panel, please do so. If not, please vacate the room. Thank you all very much. Our second panel, we will hear from the director of the Spanish National Intelligence Agency, Miss Esperanza Castaneda Llamazares, and we will hear from Funchess, who’s Torres Carbonell, who’s the secretary general administration digital. And we will start with Esperanza Casteleiro Llamazares, director of the Spanish National Intelligence. You have 10 minutes connected remotely. Thank you very much for joining us on short notice and we very much look forward to hear your contribution. You have the floor for 10 minutes.
Esperanza Casteleiro Llamazares (Director CNI): Right. Good morning, everybody. And thank you very much, Chair. I welcome the possibility to share my ideas with you today, as well as the secretaries with the secretary general of digital administration.
On my agency in Spain, we have a democratic state based on the rule of law, and this is in accordance with Article One of our Constitution. We ensure that all the rights and freedoms of our citizens are maintained. Now I don’t have very much time and I’m going to just stick to a ten minute contribution. And my aim is to explain to you what the CNI is, what it does, and who does this, what its origin was, is, and what control it is subject to its. This is in line with certain basic principles which I’m going to with you.
Above all, I should like to underscore that we are a body which is part of Spain’s national security. All the actions of the CNI are based on the principle of the rule of law. What our mission is, what says sanctions are, and what our objectives and what our objectives are. And who authorises the activities of the centre. And of course, this, of course, assumes that we comply with the fundamental rights as outlined in the Constitution.
Now, before going into detail, I should like to say at the very beginning that the see and I works and the strictest possible surveillance of the legal authorities and the Constitution constantly.
Secondly, I should like to explain to you what the law is in Spain of the 11th and the 16th of May, which outlines the objectives and activities which are carried out in accordance with the document code.
The Intelligence Directive, which is a confidential document, a secret document in accordance with Article three of the regulatory law, which I just mentioned in Draughting the proposal for this directive, we had representatives of all the authorities which make up the committee formed by the government in power at the time, and this reflects specific requirements relating to risks and threats to our security. At the same time as a basic premise, it’s important to point out that CNI is an organisation which is subject to a very strict system of control, which is set out in the law.
And to continue, I should like to outline a few points. The regulatory law, which explains the mission and outlines the objectives. Entire activities, of course, also includes functions, one of which is to prevent, detect and if possible, neutralise activities which foreign services groups of persons at risk are threatening the constitutional order with, as well as the rights and freedoms of the Spanish people and Spanish security and Spanish sovereignty, the stability of its institutions and national economic interests.
So the Intelligence Directive is the document which comprises what the CNI’s functions are. It outlines its activities, and it outlines also the priorities which we should have that the law allows us. Or ensures that all the plans and the work which is developed by the sea and AI is properly monitored. So draughting the law. 11, 2002. We referred to emerging risks and also, of course, that we took account of the security of our organisation in line with the current technology available. And of course these areas are linked to the CNI relating to their functions, their operations, as well as conferring the responsibility together with the National Encryption and Encryption Service to ensure that we can exercise our functions properly. And these are in line with what is required by our society.
And this is what we ensure that we comply with in the intelligence service that we’re working in national interest. And we also ensure that we comply with the needs of freedoms and liberties of our citizens. And we are, of course, subject to the Constitution and the law of the country since that was set up. The idea of a service to the state and legality are the primordial principles which we adhere to when carrying out all our different activities. These characterise all the actions taken by the organisation and its components.
As I said, the CNI is a subject to control and I would like to look into this in more detail. These are specific controls which exist. Are. Related to all our actions in the course of which we comply fully with the law. The Control Committee known as the Control of Official Secrets. That is the commission through which the legal services can get access to the necessary information and control the activities of the CNI according to the law. They are aware of the objectives approved by government and they present an annual report on the compliance with those objectives. The Commission was set up in 1995 in accordance with the 10th of May law. Relating to credit. So which were for reserve expenditure? They’re called a reserve fund. And the to a to law which regulates the CNI. And I allows access to classified materials linked to the centre. To the accounts and to all relations with international organisations.
This committee, during the current legislature has been able to investigate what’s necessary and control the absolute majority of what is going on. The holders of ministerial titles are informed on the implementation and the use of budgeted funds. And over time the CNI has appeared from time to time in front of the Commission in order to explain certain activities which the Commission is interested in getting more detail on. The CNI is the only organisation which has a specific parliamentary committee which controls its activities and it can only do this to that committee because of its confidential and secret character, which is enshrined in law. And it is this character, the character of secrecy which determines the mission of our organisation as far as government control goes.
We have a government committee which I’ve already mentioned, which monitors intelligence activities and again this is confidential and what they do is propose the annual activities of the CNI I and periodically carried out surveillance and monitoring of the development of the work of the centre. So we see coordination between CNI and the emphasis on the investigation services of the country as well as the military. As far as economic control goes. There’s nothing particular. Which differentiates the CNI from other left, from control of other bodies and the administration.
So we’ve got parliamentary control over the approval of the budget and the Court of Auditors audits our accounts on an annual basis, and we have the general intervention of the state which permanently monitors the expenditure of our organisation. We also have a prior legal control. And this is on the basis of an organic law to 2002, the 6th of May. The activities of the C and I, which are regulated by this law, are those which relate to fundamental rights as required by Article 18 of our Constitution. In other words. Secretive communication and the right to privacy. So any activity which affects these rights. We’ll need a prior legal authorisation. In the case of the CNI organic law to 2002 responds to this constitutional requirement and.
When we are looking at this prior judicial authorisation, Article eight of the European Convention on Human Rights and Fundamental Rights, it reflects what is provided for in our law. And this, of course, is what is required in a democratic society for urgent regions defence of order, the protection against crime, protection and protection of health, and the protection of the rights and freedoms of individuals. Our law provides for this legal control, this prejudicial control and guarantees and protects the rights and freedoms of our citizens, thereby in accordance with this law. The CNI Secretariat, as Secretary of State, has to ask for authorisation from the competent legal authorities to authorise measures which will affect these fundamental rights. If necessary, for the compliance with our agreement. The judge has to take account of the following for authorisation specification of the measures which are requested. The reasons for the motive of suspicion and the identification of the person or persons affected by the measures and the designation of where this is to be carried out. 24 hours. If a house is to be entered and three months, if it has to do with interception of communications, whether they be by telephone post or other means, and these can be extended for a subsequent amount of time if necessary. The deadline for this is normally 72 years. This can be reduced for urgent reasons to 24 hours. In other words, we do have the 24 hour possibility and finally, using the measures which we are allowed to do by legal control and by the law is ruled by the principles and needs of proportionality.
To have this mechanism of prior authorisation of our activities gives us the security and legitimacy we need in carrying out the activities of our organisation for the public good. So the C and I actually publishes its objectives and prior legal control means that even the most sensitive of activities linked to our objectives are legal because it is only the judge that has the decision that can take the decision. So we have a limitations. And with these limitations the CNI contributes to the maintenance of national security. I should also like to just go a little into.
Jeroen Lenaers (Chair): Almost 15 minutes now. And if not, we I’m afraid we’ll not have any time to direct any questions to you afterwards.
Esperanza Casteleiro Llamazares (Director CNI): Okay. I just wanted to briefly explain the National Encryption Centre. But let’s go into questions instead.
Jeroen Lenaers (Chair): I’m sure there will be many questions and feel free to also elaborate when answering the questions about things that you might still want to add. And I’m really sorry about this, but it’s just a question of time, because we only have 45 minutes left. And we also still need to hear from Mr. Torres Carbonell, who now has the floor for also 10 minutes. You have the floor.
Juan Jesús Torres Carbonell (Secretario General de Administración Digital): Yes. Good morning and thank you very much for inviting me to take part in this. I’m the secretary general of a digital administration, and I’m going to just summarise what our job is. The Secretary General of the digital administration is part of the Ministry of Economic Activities relating to the fiscal activities. And what we do is direct, coordinate and implement the digital aspects of the administration.
A Secretary general was established in 2013 as a result of the work on the reform of public administration reform which tried to rationalise infrastructure procedure and the resources available to the public administration. Most of the measures implemented under this were monitored by a governing body and relate particularly to IT and communication. And in 2016, the digital administration was given its current name, the decret 403 of 2020 the 5th of February. I talked about the development of the basic infrastructure of the Ministry of Economic Affairs and the digitalisation of such affairs. And this was a job entrusted to the Secretary General and included, amongst other things, the draughting of the digital strategy and the digitalisation of the public services, the state’s public bodies, etc., and supervision, and the support of ministerial committees and the implementation of departmental digital plans that were part and parcel of this digitalisation.
The preparation of the business, which was to go to the communications as a department and carrying out the functions of the monitoring body and the presentation of reports on the accessibility of websites and the mobile apps in the public sector, the technical design, implementation and management of the necessary digital media and services to carry out the current public services. Universal public services, high quality for companies and citizens, and the definition of strategic policies to coordinate the different bodies to ensure that they can provide to public digital services. The definition of technical standards and quality standards for the implementation of public services. Cooperation with the Ministry of Finance in the management of electronic files held by the State. And part and parcel of the administration. An analysis of the design and use of compatible systems in the general state administration and its public bodies.
Also, competence as the technical design is to look at the management of electronic invoices. And make sure that. We have general electronic access available to the workers in the public administration of state. Wants to have the transparency portal of the general state administration and the Ministry of Finance, as well as responsible for managing and implementing general projects. Also on the procedures which affect the public sector or the public sector. And also we’ve been involved in the development of tech platforms for common services.
And at the same time, we are responsible for the design, review and use of data processing and the provision of applications and IT services. Communications to delegations, particularly government delegations. Make sure that they have what they need available in all aspects. And we’re also responsible for the support, contracting and management of I.T. budgeting.
In addition, we have drafted the digitalisation plan for the public services up to 2025, which includes the strategies and the 17 measures for which we are responsible. First of all, the digital transformation of administration focussed on the Central State Administration.
The second acts as in the ministerial business and relating to the citizens at large. Health, education, immigration, social policies, etc.. And coordination and support to the digitalisation of autonomous digitalisation. This digitalisation plan in the public administration was part of the general review of the Public Administration programme. In this context, the Secretary General of Digital Administration is currently contracted to be involved in the digitalisation of the different reforms which are provided for within the current recovery process, and this is amongst the different objectives which have agreed upon within the European Commission. Now just to conclude, we have also to encourage the general administration of the state to coordinate with the other different departments. Thank you very much.
Jeroen Lenaers (Chair): Thank you very much, Mr. Torres Carbonell. Then we move to the Q&A session of this panel. Before I do that, like I said at the beginning. Visitors and guests are most welcome in our meetings, but then also show respect to the speakers. Please. And if you just come here to chat amongst yourselves while people are speaking, it’s disrespectful. And please don’t do this someplace else. Thank you very much.
We have a speakers list which consists of Sophie in ’t Veld, Mr. Zoido, Lopez Aguilar. Rosa Thun, Saskia Bricmont, Cornelia Ernst and Mr. Puigdemont. Mr. Canas and Mr. Solé. Unless anybody else wants to be added, I closed the speakers list, giving the time we will do, collecting the questions, and then give the guests the opportunity to answer them all at once. So we start with Sophia, in effect, our rapporteur.
Sophie in ’t Veld (Renew): Yes. Thank you, Chair. I’ll be very quick. Most of my questions are for Mrs. Casteleiro.
First question, in what circumstances would you or is the use of spyware legal in Spain? And two aspects in particular. First of all, would you consider that hacking a lawyer’s phone would constitute a breach of lawyer client confidentiality, or would it be allowed under Spanish law in your views?
And secondly, you referred to judicial authorisation, but only for a period of three months, which can be extended. But how does that sit with the retroactive capability of spyware? Because if you use spyware, it’s not just wiretapping real time for three months. Spyware allows you to go back as far in time as somebody has been using your phone.
Secondly, can you confirm that in, let’s say, the Catalan gate cases that there have been 18 warrants for wiretapping? Can you confirm that? And can you confirm any other cases?
Thirdly, what technical message do your services use for the forensic examination of a phone? Is it the same as the one used by Citizens Lab or Amnesty International? And secondly, can you explain why the Spanish police would send the cell phone of one of the persons who had been charged to celebrate in Germany in order to be examined? And why did that take a year? And do you see and I also make use of that kind of services.
Two last questions. One, can you explain why the previous head of CNI has resigned? And last question. Can you confirm that the Spanish authorities have Pegasus and since when? Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Zoido. No, there’s no time for ping pong, unfortunately. So we’ll collect the questions, as I indicated already.
Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. I should like to really thank Mrs. Casteleiro for taking part in this meeting and the transparency which she is demonstrating of her institution, telling us what her work is all about, and telling us that, of course, in view of the strict confidentiality laws, it’s just wonderful that she’s come along here.
Mr. Sánchez has been the only head of state and government in Europe and I think throughout the world who has recognised that they have been spied on by Pegasus. So this is, I think, quite exceptional. I don’t think it’s called into question the communications system, but I think what we’re seeing is an attempt to avoid interference. Now, how do you look at the confession of Mr. Sánchez in relation to the vulnerability which this might pose for other secret services in the world? Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. López Aguilar.
Juan Fernando López Aguilar (Socialists and Democrats): Thank you, Chair. I should like, of course, to thank the speakers. And also just to say this is not the first hearing which I having on a national experience like this, but this is one in which I have representatives of government at the highest possible level and the CNI the secret services in particular.
Now, a question to Mrs. Casteleiro. First of all, the use of 18 legal authorisations to interfere in communications, has it been authorised? According to the Congress of Deputies and the CNN, how can you explain the rest of the 65 interferences which have been reported by citizens? What’s happening? What’s particular about these 18? And secondly, you referred to the legal system, which is a regulated by an organic law, a special control of the central intelligence services that you refer to, or so on the article, which covers all issues relating to interference and which doesn’t necessarily have any connexion with the rest of the integration investigation. So what about the rest of the material linked to the authorisation by the legal services on this? How does the CNI deal with this? Now, I haven’t got much time, but we heard from Mr. Cembrero constantly on the need for his Android phone to be examined by the national encryption services. Now, how is it possible that the encryption services that could examine an Android phone presented by an individual who had been victim of illegal interference in his communication.
Róża Thun und Hohenstein (Renew): Thank you, Chair, and thank you for your presence here. Um, uh, I have a few short questions. You spoke a lot, Mrs. Casteleiro, at all about the permissions of the court for the surveillance. I would like to know a few more details. Does the court know what system will be used and how the system functions? What data do they get to the judges about the person who is going to be surveilled? In some countries, it may be just the telephone number. How is it in the in Spain? What happens then with the data? How do you follow this? What are those status afterwards and such a deep surveillance as, for example, Pegasus allows or does or practises? Is this within the framework of the Spanish law? Thank you very much.
Jeroen Lenaers (Chair): Thank you, Saskia Bricmont.
Saskia Bricmont (Greens): Yes, thank you. Also from my side, I have a couple of questions to the CNI. What is the information that you have to provide to the judge in order to get an authorisation to intercepting communications? You have to bring in evidence, provide names and further details to have the judge assess whether the spying is legal or not. If there are legal grounds at all, and specifically on the kettle and it’s what’s where the grounds for judicial authorisation on the 18 recognised cases and what do you know or can you tell us about the 47 other cases and are the grounds of the regional integrity of Spain or the stability of the rule of law sufficient justifications to introduce such a request. Thank you.
Jeroen Lenaers (Chair): Thank you. Cornelia Ernst.
Cornelia Ernst (Left): Oh, yeah. Thank you. You know, I am just to insist what is the basis legally to actually use Pegasus? I mean, could you just explain that clearly from a legal point of view? And then in terms of judges, have they ever been given information? Do they know what this software is capable of, how invasive it is? Do we have information, you know, scientific information about this? Furthermore, can I ask you, is it legal for the secret services or the intelligence services of Spain to spy on people outside of Spain? Can you confirm that your secret services, your intelligence services have been active in Spain and Germany in spying on people? And is it possible for people to be spied on by Pegasus, people outside of Spain? Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Puigdemont.
Carles Puigdemont i Casamajó (Non-attached): Well, many of the questions I want to ask the CNI director have already been made. However, I’ll add something more. Initially you mentioned a rules that establish the proportionality, the limitation of any type of violation of human rights in the Constitution. But all experts, without any exception precedent here when they think Pegasus are controllers, said that these are tools that are disproportionate and with any type of limitation.
So first question how can the use of tools that are disproportionate, which allow disproportionate use and limited use, be compatible with a regulation or a that obliges them to be proportional and have certain limitations? You have to answer clearly a question that other colleagues have asked.
Do you have Pegasus? Does CNI have Pegasus? Are you aware that other agencies in Spain have Pegasus? If yes, when was it used? Because the levels of infection identified by citizens allowed the Catalan case, including the 18 cases that you admit that you have a warrant to argue a legal authority greater in time than what the authorisation was. So can you explain why?
Can you also explain whether the reports of the spy people were taken to the Ministry of the Interior, the president of the government? Could you detail better the chain of custody of the data at the archives which were intercepted? Can you understand where the servers are which contain this information? Can you explain why over a year and a half you could guarantee right to defence where you’ve been spied upon, spied upon my lawyer for over a year. Can you guarantee that today we are no longer being spied upon? My lawyer is not being spied upon. I know the Catalan politicians, their families, their contacts, their ideas are not being spied upon for the possible future use. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Cañas.
Jordi Cañas (Renew): Thank you. I’d like to ask you if you have Pegasus a you need to say it clearly. Do you have Pegasus yes or no, whether you need this type of spyware? I’m going to ask whether you use it following the law, because this is a stage of law, just like the other 26 member states. I won’t ask this but another question. If a member of a regional government were to meet with the Russian intelligent people, do you ask them to support further independence? Could this be the object of the request for a warrant if intelligence officers from Russia were to come to Spain to organise a violent action to subvert the Constitution? Would you have a warrant to avoid this kind of thing? Another question if the president of a region, let’s say Capello, would go to meet with a. Russian of the day before the Independence Programme. Would you have to follow the various elements that consider this as the attack of the democracy against the rights of the citizens of Catalonia and the rest of Spain?
Jeroen Lenaers (Chair): Thank you. Thank you, Mr. Solé.
Jordi Solé (Greens): Thank you, Madam President. I said I’ve been spied upon with Pegasus. I’m one of the 18 cases that apparently there was a warrant to do this. Why were these 18 people spied upon? Amongst them, the president of Catalonia Pere Aragonès. Who spied on the others victims, the other 47 cases, if it wasn’t you all, if it wasn’t CNI?
Organise a democratic exercise such as a referendum on the basis of a legitimate political request, which was contested every day at the ballot box. Does this justify massive espionage? We’re not voting to protect to decide a democratically. Is this a threat to national security in Spain? And if it were this kind of justification, do you think it’s compatible with fundamental rights? Can you state that in terms of espionage, CNI controls everything that happens in Spain? Are you aware that or not that private companies are using spyware.
That other since Pegasus or similar tools.
And for Mr. Torres Carbonell. One question. You’re here representing the Spanish government today. As far as I’m aware, the Spanish government has not responded to the letter from the commissioner Reynders. Why not? Why didn’t they give the information? And when we received the information. Thank you.
Diana Riba i Giner (Greens): Thank you, President. Well, I had similar questions, for instance. Can you confirm whether I was spied upon as an MP? And in my cases they were to bug things to infections and others run with the full immunity of this house. I would like to ask, as a committee of the European Parliament investigating Pegasus, they want to know whether we are being spied upon as we act as employees.
And second question what method is the cryptological the you naturally to detect Pegasus infections? What technology to usage are you using MUVT and the international court that is investigating espionage of the Spanish government? We are interested the type of scientific tools are being used.
And then what procedures exist so that a citizen myself as they have by any one of the 18 people who say have been investigated legally, can know what kind of actions CNI is carrying out on their personal data. For instance, these 18 people, according to the Ombudsman, have been investigated by CNI feel through legal proceedings what do the objectives they have and what you have so that you can extract all this information from their devices. So what’s the technology used? Thank you.
Jeroen Lenaers (Chair): Thank you very much. Now we have 20 minutes left. So I think most of the questions were directed to Mr. Torres. So I will…sorry. Most of the questions were directed to Ms Casteleiro. So we’ll pass the floor first to Mr. Torres to reply to the questions that were directly asked to him. And of course, you’re also free to elaborate on any other issues that were raised. And then we give the floor to Ms Casteleiro. And first, Mr. Torres.
Juan Jesús Torres Carbonell (Secretario General de Administración Digital): Thank you. Mr. Solé asked about the response, the government’s response to a letter received from the Commissioner. Well, first of all, I want to say that we will respond. We always do, and in each case, the right time to the response to the questions received. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Then I pass the floor to Ms. Casteleiro Llamazares. I have counted about 28 questions. It’s amazing the numbers we can reach you. Some of them were linked to each other. So you have the floor to answer all those questions. And of course, should there be a lack of time, you’re always invited to address additional questions in in writing. But I pass you the floor and we have some time, so please make use of it. Thank you.
Esperanza Casteleiro Llamazares (Director CNI): Thank you. I’ve taken note of the 28 questions. Yes, for legal reasons and for time. I would like to point out that, as I said earlier, CNI is the only institution that has a specific parliamentary committee to take into account its actions, and it’s the only one that can do it due to the secrecy of the ones that are established by the law in Article five. In such a way, in order to be consistence of the legal obligation. I can only answer insisting that the law 11, 2002, which regulates CNI, covers literally the activities of the CNI and of its organisation, entitled Structure Means and Procedures, Personnel, Installations, Bases and Data Centres, Sources of information of information or data that can lead to any of these previous points are classified as secret data. Agreement with work stated in the regulation and international agreements are in this case as the highest level of classification in this legislation. But that’s the legal obligation, which doesn’t allow me to speak of the questions which have to deal see it not only here in the European Parliament, because I can only do it at the official secret committee at the Spanish Parliament as per our law. And the because the question is security in the protection of national security, which is exclusive for the Spanish government, this committee state. Now, as I have the possibility of looking at all these questions and try to see what the law doesn’t allow, the secret and I can respond in writing will do that. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. And indeed, it would be helpful if then the questions that were answered could be answered in writing. We will make sure that we gather the questions that were asked by the parliamentary groups because I didn’t know them in great detail. But if you could send your questions, we will make sure they reach Ms. Casteleiro, and then she can provide us with the answers. That means we are done a little bit earlier. Of course, it is not the diary satisfactory that none of these questions will be able to answer, but we do hope that in writing we get a more elaborate information also from the director of the Spanish National Intelligence Agency. Thank you, colleagues. And we will meet again at 3:00 this afternoon for the first exchange of views on the draught report by our rapporteur, Sophie in ’t Veld. See you this afternoon and thank you very much.