Am 19. April tagte der Staatstrojaner-Untersuchungsausschuss im Europaparlament zum ersten Mal. Die Abgeordneten wählten einen Vorsitzenden und drei stellvertretende Vorsitzende. Danach hörten sie Expert:innen, die über ihre Forschungen zu Staatstrojanern berichteten.
Der neu gewählte Ausschussvorsitzende Jeroen Lenaers sagte:
Wir haben viele Fälle gesehen, in denen unschuldige Menschen wie Journalisten und Anwälte ins Visier von Spionageprogrammen geraten sind, und das ist ein großes Problem für die Demokratie und die Rechtsstaatlichkeit. Wir werden nun Informationen über den Einsatz von Pegasus und anderer vergleichbarer Software sammeln und diese Erkenntnisse in nützliche Empfehlungen umsetzen.
- Date: 2022-04-19
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Links: Press release, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editors: Emilia Ferrarese
Sophie in’t Veld: Okay, friends. Shall we start? Yep. Okay. I would like to invite everybody to take a seat. And I would like to welcome everybody to the constituent session of Pega, the Pegasus Enquiry Committee. And why am I chairing? Because I am the longest serving member of the committee. That’s a polite way of saying, you know your head, you’ve been around for too long. Okay. So I would like to welcome everybody. I have to inform you that interpretation is present in the following languages. German. English. French. Italian. Dutch. Greek. Spanish, Finnish, Swedish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. So and I am chairing this in accordance with Rule 14 as the longest serving member, as I said. And I would like to remind you that the purpose of this meeting is to constitute the committee bureau by electing the chair and up to four vice presidents in accordance with Rule two one. Three of the rules of procedure and the order of business today is that we will first elect a chair and then we will proceed to the election of the four vice chairs. In case we have to go to vote, that is when there is no consensus candidate. But we have to vote. Members and substitutes taking parts in the vote must use EPP vote. So as a provisional chair, I will preside over the election of the permanent chair, to whom I will then hand over the rest of the meeting, including the election of the four vice chairs. So now we proceed to the election of the chair. But first we have to establish the quorum. So is there a quorum? Yes, the quorum has been established. Very good. And then I would invite either political groups or at least two MEPs to nominate any candidates for the presidency of this Enquiry Committee. Is there any group that would like to nominate a candidate? EPP, Mr. Halicki.
Andrzej Halicki (Group of the European People’s Party (Christian Democrats)): I would like to nominate to recommend Jeroen Lenaers for the chairmanship of the committee. In fact of all, Jeroen started two months ago. As you remember, the first hearing concerning Pegasus, which was opened for everybody with a huge number of participants. More than thousands was organised by him and I think that Jeroen will be perfect chairman of this committee, very professional, very open. Not only good representative of EPP.
Sophie in’t Veld: Thank you very much. And what’s more, he’s a compatriot of mine. Okay. Are there any other nominations? No. Then I will have to go through the formality of asking the candidates, in this case, Jeroen Lenaers, if you will, consent to the nomination and whether you have duly completed the declaration of financial interests and the Declaration relating to the code of appropriate behaviour. You will?
Jeroen Lenaers (Chair): Yes, I gladly consent and I fulfil the requirements. So thank you.
Sophie in’t Veld: Very good. Then is there anybody who calls for a vote or can we proceed to elect our chair by acclamation? That looks like acclimation. To turn.
Jeroen Lenaers (Chair): Dear colleagues. Thank you. Thank you all very much. I mean, it’s a great honour to be elected as chair of this committee of enquiry. And I’m looking forward to work together with all of you in the relatively limited time that will have available these 12 months. We have to make sure that we leave no stone, no stone unturned when it comes to investigate the use of Pegasus and similar spyware in Europe and beyond. And thank you also to Sophie in ‚t Veld for kicking off this first part of our constructive meeting. Thank you so much. And I share your surprise that you are already the longest serving member in this room. Now, I will not take too much of your time now, but I would like to make a couple of brief points.
First, that, in my opinion, I really believe we cannot overemphasise the severity of this situation, the use of spyware, surveillance, spyware like Pegasus against journalists, politicians, lawyers, civil society and many others is extremely alarming. And I think it’s important for all of us when we do our work in this committee, to also place ourselves in the position of the victims, to try and imagine for a moment that every message you share with a loved ones, every video you take or watch on your phone, is being watched with you that at all times. People that do not have your best interests at heart are aware of your exact whereabouts. And they should scare us all, I think. And it should already scare us. But imagine what it means if you are a journalist scrutinising a not so democratic government to opposition, politicians, activists, NGOs who are considered an inconvenience by the powers that be in their countries, and the effects of such actions go beyond the direct victims of the spyware attacks. It has a chilling effect on anybody that wants to speak out, that wants to scrutinise governments and that wants to defend democracy and rule of law. And this is why it is so important that this European Parliament will always stand behind and fight alongside the victims of such attacks, and that we do so with strength and vigour. And many colleagues in this House and many of them are here today, have been raising this issue since the revelations of last summer. And I’m glad to see that so many committed colleagues, independent of political colour or national background, will work together in this committee of enquiry because we will need to close and we need to work very closely together if we want to make this committee a success. And it’s very important because we certainly haven’t heard the last about Pegasus and equivalent spyware since a plenary vote on the composition and the mandate of our committee, many new developments have become out in the open. Only in the last week we saw the reporting from Reuters on senior officials being targeted with Pegasus. Over the weekend we all read Citizen’s Lab reporting on the 65 politicians, including MEPs and other sectors targeted by Pegasus. And come the rule and we saw reporting on the use of predator targeting journalists in the European Union as well. So there is much to investigate and this committee has a clear and a strong mandate to do so. And even though we only have 12 months, I’m convinced that with hard work, constructive cooperation and a healthy dose of self-discipline, we will able to make it work. And I count on all of you to contribute in your own way. So thank you very much. And let’s get to work.
That means that we move to the next point of the agenda, which is the election of the vice chairs. I note that we continue to have the quorum that was already established by Sophia in itself. So we proceed to the election of the Vice Chair, starting with the nominations. And I would invite you to first make the nominations for the four seats as vice chairs. Now, we will continue this by asking already the nominations for each of the four positions, just so that we would know if we need to make arrangements for a vote or not, because otherwise that will take more time. And we would like to keep as many time available also for the exchange of views that will follow directly after the election of the Bureau. So I would like to draw your attention that the diversity of Parliament is to be reflected in the composition of the Bureau. That means that the Bureau cannot be purely male or female and that all vice chairs cannot come from the same member state. With that in mind, I would invite the political group or at least two members of the committee to nominate candidates for the election of the first vice chair. Who could I give the floor? Yes, Mr. Heide.
Hannes Heide (Progressive Alliance of Socialists and Democrats): So let me first say it’s a privilege…
Jeroen Lenaers (Chair): There is a camera.
Hannes Heide (Progressive Alliance of Socialists and Democrats): …to be the first who can congratulate you for being our chair. And I want to nominate my colleague, Sándor Rónai from Hungary, who is very much committed to the fight for rule of law and will be an excellent vice chair. And his work already shows that he worked on the case and that he is a very good, would be a very good vice chair.
Jeroen Lenaers (Chair): Thank you very much. Is there any other political group or two members that would like to nominate a candidate for the position of First Vice Chair? That is not the case. I give the floor to you.
Sándor Rónai (Progressive Alliance of Socialists and Democrats): Thank you very much. I would like to…
Jeroen Lenaers (Chair): So, so formally, we need to ask you whether you consent to be nominated and whether you duly completed the declaration of financial interests and relating to the code of appropriate behaviour.
Sándor Rónai (Progressive Alliance of Socialists and Democrats): Yeah, thank you very much. I would like to accept the nomination and I have fulfilled all the requirements. Thank you very much.
Jeroen Lenaers (Chair): Thank you very much. Is there anybody who would like to have a secret ballot to vote on this or can we continue to appoint elect of the candidate by acclamation? I think it’s over there. Thank you. Then I would invite political groups or at least two members of the committee to nominate a candidate for the election of the second vice chair. Yes, Madam Bricmont.
Saskia Bricmont (Group of the Greens/European Free Alliance): Thank you, Chair, and thank you. Congratulations, first of all, and thank you for your introductory remarks. On behalf of the Green/EFA Group, I would like to nominate our colleague Diana Riba i Giner for the position of Second Vice Chair of the committee.
Jeroen Lenaers (Chair): Thank you for the nomination. Is there any other political group who would like to make a nomination for the second vice chair? That is not the case. And I would like to ask the candidate whether she consents to being nominated and whether she has duly completed the declaration of financial interest and relating to the code of appropriate behaviour.
Diana Riba i Giner (Group of the Greens/European Free Alliance):
Yes, I agree. And I have all the requisite theory that. Thanks.
Jeroen Lenaers (Chair): Excellent. Thank you very much. And also here the question whether it’s anybody who would request a vote on the nomination or we can continue by electing the second vice chair by acclamation. Yeah. Congratulations. Then I invite the political group, or at least two members to nominate candidates for the election of the third vice chair. Who could I give the floor? Sophie.
Sophie in’t Veld: Yes, there was a little emergency. It is my pleasure to nominate on behalf of the Renew Group, Moritz Körner.
Jeroen Lenaers (Chair): Thank you. Is there any other political group that would like to nominate a candidate for the position of Third Vice Chair? That is not the case. And I invite Mr. Körner to consent to being nominated and that he has fulfilled all the requirements.
Moritz Körner (Renew Europe): Yes, I accept the nomination and I fulfilled the formal requirements.
Jeroen Lenaers (Chair): Thank you. Thank you very much. And then the formal question whether anybody would like to have a secret ballot vote on the nomination of the third vice chair. And if not, we proceed by acclamation. Okay. Congratulations, Mr. Körner. And then I move to the position of the fourth vice chair, and I would like to ask one of groups to make a nomination for the fourth vice chair. Who could I give the floor? Hmm. Is anybody asking for the floor? Remotely, maybe. Cornelia Ernst is here. Could we pass the floor to Cornelia Ernst who is online?
Cornelia Ernst (The Left): Yeah. Thank you. Thank you. For our group, I’d like to propose for the post of the fourth vice chair for Giorgos Georgiou. And I hope there will be support.
Jeroen Lenaers (Chair): Thank you very much. Cornelia Ernst. Then I would like to ask the other political groups whether there is an alternative candidate for the position of fourth Vice Chair. There is not. Then I would like to ask the candidate whether he consents and whether he fulfils all the requirements. I’m not sure if Mr. Georgiou is with us or connected online.
Jeroen Lenaers (Chair): We hear he is online, but we have some problems with the connexion, apparently. If we can’t establish a connexion with Mr. Georgiou, I propose that we, for the moment constitute the committee with three vice chairs. And at the next possible meeting we will also nominate the fourth vice chair in order to not delay the workings of our committee. At the moment. We don’t seem to be able to get a connexion. So also, if Ms Ernst doesn’t disagree too much, we will come back to the nomination of the fourth vice chair at the next official meeting of our Committee of Enquiry. Yes.
So please, for the first, second and third vice chairs, please take your seat here at the roster. And congratulations on your election. I look forward to cooperate with all of you. Making sure all the name tags are in order now. And now we have constituted the committee and the Bureau. We can start the real work. Now, of course, it was very hard to already organise a hearing for a committee that didn’t exist yet with a chair and vice chair that weren’t elected yet and nothing officially organised. So that left us administratively only with the option to organise an exchange of views with guests. So this is slightly different from a hearing, meaning that we would first pass the floor to the colleagues of the different political groups. We will then give the floor to our guests.
And we have invited three organisations with their representatives. First, forbidden stories, the journalistic cooperation that brought to light many of the Pegasus scandal in the beginning Citizen Lab, which we all know, who have done a lot of the research, also bringing to light and also the forensic research on the phones that were targeted. And we will also have invited Amnesty International with two representatives who have also done a lot of research on the Pegasus and equivalent spyware scandal. And we thought it was important to already use the time that we have at our disposal today to set the scene, to get into some of the questions that members might have in order to not lose too much time. So having that in mind, we will start with our colleagues from the different political parties. And I first passed the floor to the EPP Juan Ignacio Zoido, who has 2 minutes and he’s connected online. Please, Mr. Zoido.
Juan Ignacio Zoido Álvarez (Group of the European People’s Party (Christian Democrats)):Thank you very much. I’d like to start by congratulating Mr. Lenaers on being nominated as president. I’ve worked for him for a number of years now, and I think he’s an excellent choice as chair of our committee. I would also like to thank the representatives of civil society for being with us here today. We are looking now at the improper use of the Pegasus programme. This enquiry is necessary in light of some concerning information that’s come out in the press in recent years. What we can’t forget, however, is that we’re talking about the incorrect use of Pegasus that does not belong in a European democracy, and it belongs to tyrannical states. Now the European Union fights organised crime and terrorism. But I would like the members of Citizens Lab to tell us whether they’ve been able to find proof of any use of Pegasus against these types of threats. Because we have to ensure that those who are charged with protecting our security and our safety can have the tools that they need. However, with all of the necessary guarantees. So I’m quite surprised by some of the accusations that we have heard. You know, some experts have said that there is no conclusive evidence that would indict the Spanish government. Spain very much focuses on the rule of law. And in any type of intervention, it’s done in full respect of the law and with proper judicial guarantees. So all members of this committee, as well as ex-members of the judiciary, will respect the correct rule of law. Thank you very much for your work.
Jeroen Lenaers (Chair): Thank you, Mr. Zoido. And then I pass the floor to the SnD, Mr. Hannes Heide.
Hannes Heide (Progressive Alliance of Socialists and Democrats): Thank you. And congratulations to the chairman, Jeroen Lenaers. I’ve already had a chance to talk to him about the work this committee will do. And I’d also like to congratulate the vice chair says while spyware and illegal monitoring has already reached the heart of the EU. If you open the papers basically every day, you can read about the abuse of this software. It can be used to monitor the opposition, to monitor journalists, to monitor lawyers, human rights activists, people working for the rule of law. And then finally, politicians are being monitored as well. People in the European Commission to any of us could fall victim to this kind of monitoring. This investigate committee is going to be focussing on democracy, European values and the rule of law. And I can’t say I’m looking forward to this work because it’s going to be a tough job. We’re going to have to look at how EU member states have used this software, how they’ve used it to monitor people and the extent to which this software is already being used. And so I’m very pleased to be able to talk to the NGOs as well. And I’m looking forward to hearing from people who have fallen victim to this kind of surveillance. I’m looking forward to hearing about how the systems work. Hi. People are actually selected for this kind of surveillance. And then there’s one thing I’d like to say very clearly here. We’re talking about European values, the rule of law and democracy. And I’m sure that my colleagues and I will use the next 12 months to shine some light on this very dark situation. There is a lot of public interest in this and there are expectations because it’s about the rights and interests of our citizens. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. And then we move to Renew, Róża Thun, who is connected online, I believe. You have the floor.
Róża Thun und Hohenstein (Renew Europe): Yes. Thank you very much. Yes. Congratulations. Also from my side and also to all vice chair of this extremely important committee that, as we have just heard, that awakes a huge interest. And why does it take such an interest of media and of our citizens of the European Union? It’s because everybody wants to feel secure. And we must clarify this really not only the security which is essential of the particular persons of members of the European Union, our citizens, but also the security of our democracy, security of our elections, security of free media. All this was heard in the as we hear in the last two years through this bugging system. So I’m especially grateful to the experts who are invited today and who will help us finding out how the whole thing works. Where does it work against the law? Because remember that the instrument is come were conceived to protect us and not to attack us, to protect our democracy and protect us against severe crimes and against terrorism and not to destroy democracy. And that’s what we want to secure for the future. So thank you very much to our guests who reacted to our invitation. And I hope that we will work together to bring fruits to secure our members for the future. And I would like to ask them. Right. I hope that we will get the answer from you. If you were on our place, if you were members of the European Parliament of this very committee, how would you start? Whom would your first invite? We have our plans, of course, but I am very interested. What would you propose if you were to invite people here? People who use probably Pegasus? With whom would you start? That is one question that I have and another maybe last remark that I would like to make. The in fact, I am very grateful to the whole European Parliament that our proposal that came from our political group renewal was so seriously taken on board that almost the whole European Parliament voted for this extremely important committee, that we have a broad support in the European Parliament, that we take the issue of security of our European citizens so seriously that we prove with this committee. So today we start the work. Thank you very much.
Jeroen Lenaers (Chair): Thank you very much. And then I move to the Greens and I pass the floor to Saskia Bricmont. We have 2 minutes, please.
Saskia Bricmont (Group of the Greens/European Free Alliance): Thank you, Chair. Congratulations again. And also congratulations to our vice chairs, their colleagues, their speakers. I, first of all want to thank you, thank the speakers for their work and the work done by their organisations. Without your investigations, these scandals would not have been uncovered and my group is really happy, so to say, to start this enquiry committee work. After many months of first hearings that showed that this enquiry committee is highly needed, the revelations show national and EU law have been violated and there is a total lack of regulation and oversight structures. As lawmakers, we now have the duty to fix this and to put an end to this threatening spying scandal, including democracies spying on their own citizens. All those revelations are attacks against democracy, attacks against the EU, against the fundamental rights enshrined in its law. Yesterday’s revelations are attacks against parliamentary democracy as employees and MEPs targeted, including our colleagues Diana Riba, Jordi Solé and Antoni Comín. Cases are piling up and there is evidence because this has been used in 45 countries by all types of governments. Last week we learnt commission officials, including Commissioner for Justice Didier Reynders was also tapped. Political opponents and activists. Human rights defenders. Lawyers, journalists. MEPs. Commissioner. Where will it end? The situation is getting out of control. And we should not look only at Pegasus. We cannot ignore that similar softwares are as dangerous, like the case of Thanasis Koukakis. Greek investigative journalists spied by the so-called Predator spyware suddenly demonstrated. This enquiry committee needs to ensure full transparency of the use of Pegasus and similar software. We owe that to the victims, but we also owe it to our democracies and or fundamental rights in addition to Member States. It is also crucial that this committee does not overlook the external affairs component of the use of spying software. Justice and Home Affairs. Cooperation. Due diligence of EU companies, respect for dual use regulation, etc.. We owe this to those who fight all over the world to defend freedom and fundamental rights. I would like to conclude with the words of Edward Snowden. We are losing our we as a society. If we don’t stand up, if we don’t say what we think those rights should be, and if we don’t protect them, we will very soon find out that we do not have them. There is no alternative. Those technologies need to be banned. Thank you very much.
Jeroen Lenaers (Chair): Thank you. And then I moved to ID and I pass the floor to Gilles Lebreton for 2 minutes as well.
Gilles Lebreton (Identity and Democracy Group): Thank you, Chairman. I’d like to start by congratulating you on your election and the vice chairs as well. Pegasus and this spyware is a very serious problem because it means that many European citizens have been spied on through their mobile phones. Now, of course, as others have said, this does highlight the violation of human rights, the right to private life, and it also highlights other national security and defence problems as well. Because the high responsible, high representatives in national countries, for example, in France, have also been subject to spying as well. And so we hope that we’ll be able to shed light on everything that has happened. And we’d like to identify those responsible who have been using this kind of spyware. And the idea is to try to prevent this from happening again in the future. So I do look forward to working with this committee, and I’m sure it will come up with some good results with the help of the experts helping us. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Lebreton. And now we move to ECR. Mr. Dominik Tarczyński. You have the floor for 2 minutes. I think you are connected online. He’s not connected. Is there anybody else from ECR who would like to speak on Mr Tarczyński’s behalf. That is not the case. Then I continue on behalf of the left, Cornelia Ernst. You were connected, so I’m sure we can. We can. Yes. Cornelia.
Cornelia Ernst (The Left): Thank you. I’m pleased that we have this committee. It’s very important. And I’d like to congratulate everyone who is involved. The sound quality is not particularly good for interpretation. I think that without the work by journalists and many researchers. We wouldn’t have had this information and we probably wouldn’t have had this committee. The extent of this surveillance reminded me of a book by George Orwell, 1984, a book about many years ago. And it talked about total surveillance and it said that it was a sign of totalitarian states. And here we’re talking about democracy. Our democracy. And it’s about defending it. And we’ve seen something similar with the NSA scandal. Pegasus raises questions here about whether or not we can protect privacy. Fundamental rights are being threatened here. And this is something someone has already said. The sound quality is not very clear. And I think. But there should not be trade in this kind of software. It should be banned. I can say on behalf of our group that we’re going to do everything we can to make sure that there is a consequence for countries that are illegally surveilling people. This technology should not only be regulated, but rather, as I said. It should be banned. And this is something we will make clear in the committee. Illegal surveillance of citizens. It’s what’s happening. And we’ve just heard what was happening in Spain recently. I’m very concerned about that. We need to take this very seriously. Because it’s not only Europe looking at us, but the entire world.
Jeroen Lenaers (Chair): Thank you, Mrs. Ernst. And then we move to the non-inscrits. And, Mr Puigdemont, you have the floor for 2 minutes.
Carles Puigdemont i Casamajó (non-attached Members): Thank you, Chairman. I’d like to take the chance to congratulate you as well on your appointment as the chair. You’re going to be working on a topic that more than ever before is one that. Reuters. Concerns here in Europe. Democracy in Europe is at risk when the rights are violated and especially when that’s being done by the member states. Now. We’ve seen a massive attack recently. It was the biggest attack until now. And it also affects his parliament. There were colleagues. Mr. Jordi Solé, myself. Diana Riba as well. We’ve been targeted and this parliament therefore has been affected itself. They have spied on our lives. They did that through our devices and the devices of our families. Our family life was violated. And it was with the use of software that could only be accessed by member states. We’ve also seen cases in Poland and Hungary and now we’ve seen cases in Spain. We cannot defend the rule of law when we violate the rule of law. We are faced with totalitarian regimes. Protecting minorities and dissidents is more important than ever before. And this committee will need to work hard to make sure that European society can have confidence in the states governing them again. This is something they need to be protecting fundamental rights, not violating them.
Jeroen Lenaers (Chair): Thank you all very much. And most of you have already welcomed our guests who will be with us online. And I would just like to echo our gratitude for them to be able to be with us at such short notice and in such an informal setting. And our exchange of views with them today, of course, is not the only time we could work together with them. I think many of you have mentioned that already, that it’s important also because of the knowledge and the experience both in the technology and in the other aspects of this situation are going to be very helpful for our work that we are going to be doing here. So I think in the words of all that one, I hope we work together. And the question that she asked, what would you do if you were us, I think is a very valid starting point for today’s session. So without further ado, I would like to pass the floor to the journalists from Forbidden Stories, Laurent Richard and Sandrine Rigaud and some individual who are connected with us online to maybe respond to some of the questions you’ve heard, but also certainly provide your own input in maybe around 6 minutes if you could. So please, you have the floor. Thank you. And it’s good to see you again.
Laurent Richard (journalist from Forbidden stories): Thank you very much for the floor, I’m Laurent Richard. Thank you for having invited to this committee. It’s good news that European members of Parliament are dealing with these issues, with essential challenges for our democracies, for our rights and our fundamental rights. It is a decision that is very important with regards to the access of information, which highlights the weakness of the reaction of many Member States with regards to the revelations on Pegasus, in just a few words, Pegasus, this is something that was revealed by forbidden stories and what could 17 press organisations and the technical support of Amnesty International, Amnesty International’s security lab that’s here with us today. We worked with more than 80 journalists, and this is how we work in forbidden stories. We carry out investigations around the world. And we look at those journalists and reporters that have been threatened or killed so that we can expose what people are seeking to hide. We started to work on cyber surveillance when we saw what happened for a mexican rapporteur who was assassinated. And of course, in Mexico, there’s an area where cyber surveillance companies really do a lot of business. They’ve sold to many people in and Mexico have bought these types of cyber surveillance tools. We worked on that and we continue with amnesty labs. And then we had a historical leak of data. It was 50,000 telephone numbers of clients of this company at the scoop. And all the states have bought Pegasus software in order to hack or in fact, as we say, thousands of cell phones. So we started to work with amnesty on this. And amnesty gave us incredible technical support, and it also gave us a lot of proof. And that was the strength of this project. We were able to reveal the identity of a large number of victims and also be able to look at the backgrounds and see how, how and why people were under surveillance. So what does it mean to be a victim of Pegasus today? A victim of Pegasus is really all your secrets are laid bare. All your intimate intimacy is in the hands of your worst enemy. Whoever is putting you under surveillance, it’s like someone looking over your shoulder, reading what you’re writing. We’ll see what you want. Even so, encrypted messages on WhatsApp or Signal. So for a journalist, for example, because this allows a state to know that your sources as well, if you’re a human rights defenders, Pegasus can allow US states to look at how you’re preparing your next demonstrations that in the. Dictatorship, you will end up in prison because the Pegasus allows the dictatorship to know exactly what you are preparing, what your ideas are, and it will make it possible for the state to geo-locate you, to do what a dictator does with opponents and generally sends them to prisons. And that sort of thing. So we carried out investigations on these for 50,000 numbers. And in general we saw that there were many common patterns. And under the list of most of the victims, most of these people represented a danger for the powers that be and often had to escape, like the Moroccan journalist who had escaped to France and was tracked down by the Kingdom of Morocco. And this happened in Azerbaijan and in other countries, because Pegasus allows them to geo locate you. But to know exactly all that you are doing on your phone. 50,000 states, 11 states, 2000 numbers, 11 states. So it’s not a comprehensive. Hungary and Poland are the ones in Europe who are able to reveal the names of many journalists in the world, and also human rights activists and governmental opponents who were put had the numbers put into the Pegasus system. And in some cases which have the proof, find the proof. When we were able to carry out a forensic or technical analysis of the phone, we were able to prove that the phone had actually been infected. This is a project that had a great deal of impact, very different from what we’ve seen up to date up to now. Most states said that they were simply doing what the Snowden affair had revealed, which was a huge revelation, huge, huge scandal of cyber surveillance affecting mainly the NSA, the U.S., which targeted all sorts of people through using metadata. We’re not talking about metadata here. We’re talking about a direct infection, an organic attack within your device that something that totally takes over control of your phone and reveals your secrets to whoever has you under surveillance. We were able to show the face of these victims and we were able to demonstrate that the globalisation of the system as well. Since in 2022 we really are facing a tragic situation because there’s no counter power here. As journalists we raised questions and we had very few answers for states, so we turned to states, including those within the European Union. We had very few answers and very little transparency, and there’s very little counter-balance counter powers. And this is the problem of cyber power. Cyber security. States say they don’t want to respond. And if they do, everything is under the defence secrets. And these are private companies that whose actions are validated by well it’s a the government of Israel that it mainly supports Pegasus and we’re talking about something that falls within the powers of a state. So there’s no counter power counterpoint to this. As a journalist, from a purely journalistic point of view, when we look at a committee such as yours, there are many questions that come to mind. The Pegasus affair is also something that goes beyond the European Union. So when you look at the CEO of NSO, most of the clients of Pegasus within the European Union, but we have no answers and no transparency on this. So we need to know who’s in Europe has bought Pegasus. We need to have transparency with regards to this. From a citizens point of view, this is extremely crucial. So we would like to know if the Committee of Enquiry will be looking at the financial means that allow this type of market. Pegasus also is linked to Europe because the funds are domiciled in Luxembourg or in the UK, the European capitals, which have made it possible for the system, global spy system to work. It’s perfectly legal and this company sells to states and as you all know, the software only track down terrorists or criminals and as there is no mechanism to stop the software. When there is abuse? Well, we see how things end up with journalists and human rights activists around the world who find themselves under these lists. There’s also an important question, and of course, it is up to you and those in the committee to see this through when you work should we are not ban this software in so far as the fact that states already have their own software. Is the European Union capable of banning what certain states, the states are already manufacturing or should we have a mechanism so we can control states and protect our citizens? We are victims of Pegasus to date, which can lead to hell for some people. What can be done? Nothing can be done, really. It’s very difficult to take anyone to court on this, to take these companies to court or the financial capital that was invested to make it possible for these companies to carry out this work. And of course, it is no longer just about cyber surveillance. There are many other companies around the world in this market less visible, visible than the one we’ve looked at. And we thank you for giving me the floor. And, of course, we are here if you have any further question.
Jeroen Lenaers (Chair): Yes, thank you, Mr. Richard. And of course, you also have the opportunity to come back in in a second round and add further to the information. I think that the questions you raise are very relevant and the fact that you already noticed in your research that it’s very difficult to get answers because there’s little also so little transparency. And this little counter power is one of the main reasons, I think that we have this committee in the first place. So we look forward to cooperate and to find those answers together. Then I happily move to Toronto for CitizensLab and I pass the floor to John Scott-Railton. Please, you have the floor.
Technical assistant: Mr. Scott-Railton, can you please press this button? Thank you.
John Scott-Railton (CitizensLab) Yes. Hello. I hope everyone can hear me. If someone in the audience could just give a thumbs up that you can hear me. Okay. So thank you so much for having me, dear chair. And do you remember us? Thank you, of course, for the opportunity to speak on this important issue. Just yesterday, as I know you know, we published a report indicating that at least 65 individuals in the EU have been targeted with Pegasus or a kangaroo mercenary spyware. Multiple MEPs were targeted as part of that, as well as many other political figures, journalists and other members of civil society. We also saw relational targeting. Friends and family members were certainly amongst those who were targeted. Meanwhile, just last week we learnt that an EU commissioner and his staff were targeted with mercenary spyware and I’m confident that these cases are only the beginning. I’d like to share with you a trend that we’ve observed. It can be tempting to think that this issue is about companies selling to autocrats. And it’s true. Mercenary spyware is a major driver of abuses and domestic repression in autocracies, and it’s certainly helping to keep some of them in power. But as we’ve seen in Hungary, Poland and now perhaps Spain, this spyware is a problem for democracies within the EU. Once the technology is acquired, the temptation to abuse it is great and oversight is regrettably poor. As a result, abuse can be practically a foregone conclusion. Do all EU member states have effective oversight in place to prevent such overreach and abuse? The recent cases we’ve seen certainly suggest otherwise. The CEO of NSO Group was recently reported as saying that NSO has a monopoly on the European market. We also learnt that NSO heavily discounts sales to European countries, charging them tens of millions while charging Middle Eastern autocrats hundreds of millions. Why is this NSO and other mercenary spyware? Companies desperately want legitimacy and business growth, and it’s coming at the expense of our democracies as they attempt to pump in powerful spyware. In a democracy, politics must be fair. That cannot happen if a government in power has a total view of its opponents. Innermost negotiations. Oversight is also impossible if security services routinely spy on lawmakers. The same is true for elections and for lawsuits in which the government is a party or the press or human rights defenders. At this point, I think the situation paints a clear picture. There’s an unregulated industry selling a dangerous constellation of intrusive products and services to governments that lack effective oversight. What’s to be done? First, there must be consequences. The European Union should examine sanctioning NSO group and kendrew, as well as their executives and other spyware companies. Second, the European Union should regulate the import and export of spyware. Imports should be regulated so that European Union governments are not rewarding ethically bankrupt firms that are also supplying spyware to dictators. What signal does it send that amidst the torrent of abuse revelations around Pegasus, Germany announced that it was using this spyware? Moreover, the European Union should not be in the business of exporting spyware that is used to undermine democracy. Before the world learnt about NSO, there was FinFisher and hacking team. Both were exporting from the EU, as our research showed. Both caused well-documented global harm. Today we know that some EU countries like Cyprus are playing an active role in the export of mercenary espionage tools. This is a well-known embarrassment and it must end. Regulating technologies is hard. It’s easy to create a law that’s outdated by the time it takes effect or accidentally stifles and punishes legitimate research or innovation. Fortunately, the mercenary spyware industry has many features that go beyond their dual use tech, such as the services that they provide to customers alongside the spyware. These uniquely harmful activities are great targets for calibrating regulation. I hope we have an opportunity to speak on this further. Third, there must be robust transparency around which EU member states have acquired spyware and from whom, as well as which companies in the EU are exporting these intrusive technologies without a basic understanding of how widely the use extends. We cannot possibly hope to effectively address the problem of abuses at scale. Fourth, I think the EU must set norms around how Member States oversee the acquisition and use of spyware. This activity should not simply be protected under a broad narrative of national security. Finally, the EU Parliament as an institution must protect itself and its members from spying. It cannot be the case that the EU and its negotiations are available to any state, EU or not, that can pay for a Pegasus licence. There’s much to learn and I believe that this committee can accomplish much. We stand ready to share what we know. I will close on one observation, which is the public narrative around amnesty and other mercenary. Our companies is built on a false dichotomy. The claim that this is a balance between protection and between regrettable abuses. In fact, what we see from our research and I know this to be true for the Forbidden Stories team as well as Amnesty, is that the use of these tools extends much more broadly into various forms of intelligence gathering. In some cases, that is the purpose of the acquisition. I bring this up only to highlight the extent to which we need to be careful about the rhetoric from these companies and about how they narrate and their client states narrate the intended and designed use of their products. Thank you very much.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Mr. Scott-Railton. That was very interesting. And we will hear in a second round also from your colleague Bill Marczak, too, to add to any questions that there may be. And I think you’ve given us already some very concrete recommendations that could be food for thought and discussion within our committee. And we will also look forward. And that was also your open invitation to keep you closely involved in the work that we do here and to maybe focus on some of the details that you already discussed today. So thank you very much. Then I move to our third guests on behalf of Amnesty International. I give the floor to and I really hope I pronounce your name correctly. Donncha O’Cearbhaill.
Donncha O’Cearbhaill (Amnesty International): Thank you very much for the invitation to speak with you today. My name is Donncha O’Cearbhaill and I’m the head of security lab at International. Our team of technical experts has been investigating abuses in the cyber defence industry for many years now. Today I’d like to opportunity to make some of these abuses more concrete and introduce you to some of our research approach and some of the cases of abuse we have found. But inside the EU and outside our research and NSO group that began back in 2018, we funded Pegasus Spyware. It was used to target one of our own Amnesty International colleagues. At the time, our colleague worked on issues related to human rights abuses in Saudi Arabia. Following this initial discovery and further forensic investigations, we’ve been able to build up a detailed technical understanding of how to Pegasus spyware operates and where it is being used in the world. For analysis of hundreds of mobile phones, we have identified a pattern of recognisable forensic traces that it has reliably confirmed that phone has been targeted and infected with Pegasus. We publish a peer reviewed forensic methodology report which describes in detail how these forensic evidence have been collected and analysed as partners. Forbidden stories of outlined the full global scale of human rights abuses. The Pegasus spyware. Spyware scandal became ignorable following the publication of the Pegasus Project last summer, and interesting was the title of the predatory investigation and provided the crucial forensic evidence proving that the spyware was abused to target civil society around the world. In Hungary, Russia identified the three investigative journalists that were hacked using Pegasus, including two journalists from the project partner organisation directory. Six activists and opposition figures in the country were also spied on, including a Belgian university student engine, Adrian Ridwan, who was found to have his phone hacked just days after being detained at a protest in Budapest. Our investigations have also identified two additional Polish opposition figures who are targeted Pegasus, Magdalena Łośko now member Polish parliament was targeted in April 2019 when she led her colleagues election campaign for European Parliament. That colleague Krzysztof Brejza was himself identified by Citizen Lab as a target as a victim of excessive surveillance in 2019. At the time, Krzysztof Brejza was coordinating the Opposition’s election campaign for parliament in Poland. Amnesty International also later confirmed that Krzysztof’s father Ryszard Brejza was also repeatedly targeted over Pegasus attack messages in the same period leading up to the 2019 elections. As John Scott-Railton has raised, this link between surveillance and elections is obviously a big threat for democracies and something which needs to be investigated here. And the International has also identified many more cases where members of civil society in France, Spain and Belgium have been persistently targeted by Pegasus customers, likely based outside of the European Union. In Belgium, activist Carine Kanimba and journalist Peter Verlinden were both hacked with Pegasus. At the time, Carine Kanimba was campaigning for the release of her father, Paul Rusesabagina, who was detained by Rwanda parties. The journalist Peter Verlinden has also written extensively about Rwanda in his work. The human rights defender Ruben. Emilia from Western Sahara was also repeatedly hacked with Pegasus while he was living in Belgium. Amnesty International’s also found extensive evidence that journalists, lawyers, activists and political figures in France were targeted and compromised using Pegasus spyware. Confirmed cases include the hacking of Moroccan investigative journalist Hisham Mansouri, who is living in exile in France. Investigation also found that two journalists from investigative outlet Mediapart were also compromised by the same Pegasus customer in 2019. Later, French judicial authorities confirmed the forensic evidence first identified by Amnesty International, showing the Pegasus was used to target these devices. This brief outlines not include the extensive evidence of spyware misuse, which has been identified outside the European Union and which also is important to look at in the context of the scandal. While civil society organisations have expended significant efforts to uncover abuses linked to spyware. These cases, unfortunately, represent only a tip of the iceberg in terms of the scale of abuse and harms caused by this. Industry is urgently trying to put a stop to these abuses, which are currently driving a global human rights crisis. I look forward to working with the committee to continue to investigate this important topic. Thank you.
Jeroen Lenaers (Chair): Thank you very much. What you call it the tip of the iceberg. Mr. Scott-Railton mentioned that these cases are just the beginning, so I think that also says something about the magnitude of the work ahead of us. But thank you very much for your brief introduction. Also, we were able to hear from you after a second round of speakers from the Parliament. I have a list of speakers on behalf of the political groups for the second round. If there’s anybody else who would like to take the floor as part of the round, please also indicated because I think we have some time to also include more speakers here. So thank you. I first move to the EPP for the second vote. Mr. Bartosz Arłukowicz, we have the floor, please.
Bartosz Adam Arłukowicz (Group of the European People’s Party (Christian Democrats)): Well, thank you very much, Mr. Chairman. The topic under discussion today, which we are going to continue discussing over the next months to come, is of key importance to the security, democracy, freedom of elections and the future of secure Europe. Now allow me to begin by saying the following We must not make the following mistake. No, Pegasus is not just a method of eavesdropping, if you like. It is not only a method of espionage. This is a weapon used by spies, used against someone. Now, the whole business started in Poland, in my country. One day we simply learnt that Pegasus is used against the head of the political campaign in the parliamentary and European elections. Fake news were produced against that person. The government television promoted such information. His family members were also victimised. Another person who was spied against by Pegasus was one of the better well-known barristers in Poland and a former deputy prime minister as well, and a barrister of Donald Tusk. As it happened. So against that person, Pegasus was applied. Now prosecutor Madame Wrzosek, she is one of the very few prosecutors who is not humble because of this government, and she was also spied against by means of Pegasus. Now today we have learnt that Pegasus was used against the head of the biggest organisation of employées in Poland, the organisation which groups together thousands of businesspeople in Poland. He called me today and said I was targeted too. And we are talking only about Poland now. Pegasus reaches out across Europe with its tentacles, if you like. It is used against the civil servants. We’ve just been told about Germany, France and Belgium. That is a key task for us. Ladies and gentlemen, we need to look at the problem of European security, the rule of law, the security of our children and our families. If we allow the situation whereby in civilised Europe, on the one hand bombs are dropped on human beings and on the other side someone is following our private lives of friends, private activities, our private views. We are doomed to failure unless we react to protest and say no more of that. Thank you.
Jeroen Lenaers (Chair): And I move to SnD. Andrea Cozzolino.
Andrea Cozzolino (Progressive Alliance of Socialists and Democrats): Thank you very much. I’d like to start by offering my congratulations to you and to all of the vice chair of the committee. We’ve got a lot of very important work to do in the upcoming 12 months. There are a couple of challenges. First of all, work on our countries, Europe, the use of this technology in Europe. We’ve heard from some colleagues now and we have to look at some very sensitive issues. It’s almost as if we’re privatising a very important part of democratic countries by relying on this type of technology to ensure security for our communities is here. And yet we know the types of uses that we’ve seen of it. But there’s a second challenge that goes beyond Europe, particularly when it comes to countries that we have trade relationships with political agreements, and particularly particularly countries, for example, on the south of the Mediterranean, countries with huge economic potential. Emirates, Saudi Arabia, who have used this type of spyware and that have been dreadful events that we’ve had to see. And so I would like to hear from our experts and our speakers to the people that are going to be helping us in the. Coming weeks and months in our work. If our conception of this is correct, keep an eye on Europe and our states. But at the same time, we also have to ensure that we’re aware of what’s going on outside of Europe and the type of uses that are being made of these technologies outside of Europe, as well as the influence that this has on certain European countries in particular.
Jeroen Lenaers (Chair): Thank you. I close the speakers list. Now we have a lot of people interested in taking the floor, so please stick to the 2 minutes. And then we managed to let everybody speak while speak. I passed the floor to Sophie in ‚t Veld.
Sophie in’t Veld: Yes, thank you, Chair. And let me congratulate again from this bench with your election. I’m very, very pleased that we have come to this moment because last summer, when the revelations were first reported, then my group already then called for an enquiry. But then it took a while that there were revelations about what happened in Poland, and then the mood became, let’s say, ripe for a full blown enquiry. And now it’s finally there. And ever since we have decided to set it up, new revelations have reached us even until yesterday involving more and more countries. And I have to say that the response by national governments in the European Commission and the European Council has been one of deafening silence. So we’ll get back to that because I think in particular the news that EU commissioners and their staff have been targeted I think is one of the most serious elements in this whole story, because if it is true that they have been targeted by Member State governments, then we are actually going right to the heart of the European project, which is built on trust or mutual trust. And I think what we are talking about here is not just using spyware, but using spyware against citizens, not for security purposes, but for political purposes. And that means that it will compromise our democracy. It will compromise the rule of law, and it will affect fundamental rights. So it goes its completely say everything covered in Article two of the of the treaties. I have a few questions to our speakers and I know that we will have many more opportunities for more detailed questions, but just a few random questions. We’ve been talking a lot, we’ve heard a lot about NSO, but by now we know that there are several more companies, more products. Can you say a little bit about are you investigating them as well? How much do you have already? How many more revelations can we expect? Do we see that there is maybe a shift, a kind of waterbed effect away from NSO into other into other companies? Then I’m interested to know how much NSO and equivalent companies do you think how much do they know about the targets? Because I think that’s also going to be one of the key questions when we’re talking about sanctions against those companies, putting them on blacklists and what have you, then the countries is my last question. The countries that we know of so far, we know Poland, Hungary, Spain seems to be pretty clear that the governments have used spyware against their citizens. Then in different contexts we hear about Bulgaria, Romania, the Netherlands, Belgium, Germany, Cyprus and France. What other countries do you have on the radar screen that we and the U.K., but that’s now outside the European Union. What other countries can we expect to get revelations about soon? Those would be my questions for now. Oh, one last question, Chair. This is more a request to you given the revelations we had about the European Commission. Don’t you think that this committee should already be calling for a kind of scan of equipment inside the European Parliament? Because we know that there are also rumours about what not just the MEPs that we’ve heard of in recent days, but also in various groups. Staffers may have been targeted. Don’t you think we should have a kind of help desk where people can go and have their have their phones scanned for the presence of spyware?
Jeroen Lenaers (Chair): Yes. Thank you. And I think that last proposal is very good. We are looking with DGI Tech also how and in what format we could organise that maybe not only for staff, not only for members, but also for staff, because that’s also something we saw, of course in the reporting by Reuters on the European Commission. That is not only at the political level but also at the administrator level that targets were identified. So that’s something we’ll work with it and I hope we can present something there very soon. So thank you. And then I move to the Greens. Diana Riba, my vice president, please.
Diana Riba i Giner (Group of the Greens/European Free Alliance): Thank you. I just wanted to repeat that we are here with the Pegasus committee were all together and this is already a success. Many of us have been working for a while now to ensure that this committee could form and could work. I would also like to share some reflections. I think that this committee has to focus on a couple of very important points. Some of them have already been set out. One is to bring to light and focus on all of these people who have been spied on to understand how and why they were spied on and what type of information that governments have on them. We all have a right to know who’s been fired and why and what information has been taken for their investigations. On top of the countries that we already know, these three countries or others where there are suspicions. Poland and Hungary. And Spain. Hopefully these cases will act as an impotence in order to create a framework of laws or tools, in order to ensure that in the future the European space won’t see this type of violation of our freedoms and liberties and rights. We live in a space that is becoming smaller and smaller, and we need to ensure that we have the right tools to prevent activities such as that of Pegasus, whereby activists or political opposition aren’t under this type of threat. We have to create the spaces that they need in order to protect democracy, in order to see those type of democratic spaces reducing. Another important topic. And this is something that we’ve heard recently. I think the parliament is all looking into who’s been spied on, which states have carried it out. And I know that, for example, I have as a member of the European Parliament. And so if I’m being spied on, that means that spying on all of the house, all of our conversations between us, then all of our mails and agendas, we very much suspect who has done this, but we don’t know why I’m being looked at or what kind of information has been taken from my mobile phone when that act took place. So we need to know whether it’s also the case for you. I mean, this is the first case was in the House. We hope it will be the last. We know that Mr. Comey and Mr. Foley and Rahman, but could also be at risk. We hope that there won’t be other cases. We’re supposed to have immunity to be unprotected. And so some member states, however, aren’t respecting this. I see this as a crime against the 450 million Europeans because it’s attack on their democracy. I think we have to work in order to ensure work on behalf of all of our 450 million citizens. I’d like to thank our guests for being with us today. Many of them refer to more transparency. We have to have transparency on who’s money, where this money is coming from that they’re using to carry out this spying. This is the money of our taxpayers, of all of our citizens. And so I would very much like to ask our guests what we can do to shed more light on all of this and to properly understand where this is all coming from. A few more specific questions. What can we do to share this information between us? What type of tools would be appropriate to share this information? A lot of people are looking for the information, are investigating it. What’s the safest way to share that information to ensure proper transparency? Thank you.
Jeroen Lenaers (Chair): Thank you very much. I move back to for ID, Gilles Lebreton.
Gilles Lebreton (Identity and Democracy Group): Yes. Well, those were very interesting presentations, and I think I’ve got the same questions as the rest of the members here. We can see that some member states are already being called into question. Some of them are big countries France, Germany, Spain. So that’s all very worrying. And we do need to shed light on who is responsible here. Are those countries just victims or are they also guilty? We really do need to know what we’re dealing with here. And I’m also very interested in getting an overview of the way in which the parliament has been spied on itself, because we’re talking here at the moment. Maybe we’re being spied on. So I’m very interested in this idea of a helpdesk as well, somewhere that the staff and the members can go to get their devices checked. Then we might know the scale of the problem. So I think this has been a very, very interesting first session and that we’ve got off to a good start.
Jeroen Lenaers (Chair): Thank you. Mr.Lebreton. And for ECR online. Beta Kempa, please.
Technical assistant: Ms. Kempa, can you please present speak button. Thank you.
Beata Kempa (European Conservatives and Reformists Group): A very warm welcome to all of you. I would like to thank you for the opportunity to take the floor. I would like to present our position on Pegasus. Indeed. This is a serious issue. New information keep coming, and it indicates that Europe and its key institutions are not safe. Reuters informed yesterday that in 2020 why one high ranking EU officials were spied against by means of Pegasus. It was also meant to be applied at Boris Johnson’s Downing Street office and the traces linked to United Arab Emirates. So we think this should be the focus of our attention. Espionage carried out by the services of states or other external organisations which may pose a threat to our security. At the same time, we learn that Pegasus is almost universally used across Europe by and by the services, by the Secret Services. Citizens Lab published their report yesterday, which says that at least 65 Catalonian oppositionists were victimised by Pegasus two, whereas the remit of the committee, as decided by European Parliament, clearly points to Poland and Hungary, which is not only in the light of our discussion today, we need to factor in the universal application of this spyware and real threats to the European Union. This is also a kind of pressure on the Polish government and it is also an intervention, if you like, intervening in the political processes in Poland. On top of that, an image is promoted whereby it is the government which allegedly applies Pegasus on the opposition. If we look at the standards used as of 2012, when Donald Tusk and William Cooper were in office, we should also conclude that the title given to this committee is inadequate. We are dealing with the intervention imposed by foreign services of 30 states, and of course the application of the state of the art technology like that is warranted within the bounds of law because states cannot apply lower technologies than those used by the criminals. Of course, it is important to make sure, if it is the courts of law who decide on that and they independent in their decisions. If such devices are to be applied so the abuse of the Pegasus system, we are very much interested in looking into this matter and presenting to the European public what the situation really is in terms of the operation of Pegasus and the scale of its application by the secret services of the EU Member States. The threats which are already identified. To conclude. To conclude, we would like the work of our committee to radically improve digital security in the EU, to better protect privacy and better protect private and confidential information, and not as a weapon against Poland, Hungary. Thank you.
Jeroen Lenaers (Chair): Very much. I mean, very lenient with regard to the speaking time also because ECR didn’t have any participant in the first round. But I would really like to urge everybody to stick to the speaking time so as many colleagues as possible could take the floor. And with regards to the title and the mandate of the committee, it’s been adopted by a plenary big majority in plenary, and it’s very clear on what we can and cannot investigate. And it certainly is wider than only third country interventions in Europe. So thank you very much. And I passed the floor to the left, Cornelia Ernst, for 2 minutes, please.
Cornelia Ernst (The Left): Yes. Thank you. I’d like to ask a question. Firstly. It’s been said that members of the European Parliament have been affected as well. How do you find that out, though? It would be good to have a helpdesk. Yes. Both for the members and the staff. And if we could expand on that, that would be very good. And then when I hear that member states or countries are using this software, it’s not going to be as easy to investigate. So I would have to ask. What do you think is important? How should this be investigated? What is your advice? And then thirdly. You’ve been saying that the analysis so far shows that Apple has been affected in particular. Now, there is a dark zone here as well because. We don’t know exactly what’s happening. What do we need to do to close these gaps? What is missing? What do we need? Money or what else? Then the point about the member states. So it’s not just about Poland and Hungary. I’ve been reading that Germany as well was also involved. They’ve used a more limited version of the software. So which member states are concerned and what is meant by a more limited version of the software? And can you tell us what investigations are currently underway and what other research can we expect? Thank you.
Jeroen Lenaers (Chair): Thank you. And for the second round of the non-inscrits, Monsieur Puigdemont.
Carles Puigdemont i Casamajó (non-attached Members): Thank you, Chairman. Well. I won’t repeat points that have been mentioned. But I do want to say that we will be looking for clarity on various points of clarity on the funding of the Pegasus programme. It’s not something someone like us can access. No, that’s not possible. A group of people can’t just get together to buy a Pegasus licence. No, that’s not possible at all. The report about the infection in Mexico. 18 people were spied on and the general. Prosecutor. Identified a cost of €250,000 for that licence. So just think about who has that money. Where does that money come from? Think about whether or not that money could also be analysed. Can it be analysed in a transparent way by the national parliaments? Or is it something that is beyond all parliamentary scrutiny? So this is something that is outside any concept of the rule of law. This is something that the committee needs to look at. In particular, we need to follow the money. If you follow the money, then maybe you’ll be surprised. And yes. We need to ask for explanations and this committee. Must. Stress these points, and it’s going to have to be the countries that provide the answers. And it’s also going to be independent judicial authorities as well. They’re going to have to help. Clarify the way in which the money was used. So we need to look at the financial network here that has allowed someone to. Destroy our confidence in the European system of law. And to do that through these devices that we’re carrying at all times, you don’t know if you’re being spied on or not. We’re powerless. We have no power to protect this parliament from that sort of spy. Spang So I think that’s an important aspect of our work. This is something that we need to shed light on. And I’d like to thank the experts for the work that they are doing and the information that they’ll be able to provide us with.
Jeroen Lenaers (Chair): Thank you. That concludes the second round of speakers on behalf of the political groups and will continue with the colleagues who have asked the floor. We have six in total and we also would like to really have some time for as we are you on the list. We also we like to have some time for the guests to respond. So if you could limit yourself to about one minute would be really helpful. Thank you. And I start with Vladimír Bilčík.
Vladimír Bilčík (Group of the European People’s Party (Christian Democrats)): Thank you very much, Chair. Congratulations. Congratulations to the whole bureau. And I very much look forward to working in this investigative enquiry committee. Let me just go straight to the questions and maybe raise a few points of our perhaps our guest could be helpful in terms of guiding our efforts. We have a limited time, and I think there are so many questions we need to be asking to have a useful report at the end. So I would like to use the opportunity to maybe raise some of these questions. One is and we’ve already said this, it concerns a number of countries, but perhaps which countries would be most useful globally for the problems we are facing in Europe, in the European Union with Pegasus? I mean, I notice the report by the citizens lab, which also talked about the UK officials being targeted the highest political level. So which countries should be, in your view? Look at when we try to dissect the problem inside the European Union, which one, which cases would be most useful? Now, I have a couple of questions on the technical aspects, and this relates to issues which colleagues have raised already. How can we basically safeguard ourselves against this this spying? Because the question is, you know, how do we how do we defend ourselves against the cross-border attacks? Several countries seem to have it seem to you as inside the European Union, but that means that anybody inside the EU can be targeted. How does it work technically? And who would be the useful people talk to? But also this idea of a scan, you know, how safe is a scan of a spyware which costs such huge amounts of money and couldn’t this can be misused as well. That is that is also a useful question in terms of how this operates. So who would who would be helpful here in terms of getting us a better understanding on technical aspects and to more to more quick points? One is on the safeguards which are weak. Other examples of perhaps parliaments across the member states, other countries which have these strong committees, which can have access to restrictive information and perhaps could be could be good safeguards when it comes to not overseeing such high and expensive purchases by governments. And the last point is, we basically are really in a position where we have to listen to people who are a part of public sources. Who would you advise us to invite when it comes to interesting whistleblowers or even people who might be willing to talk? Something that I was saying, you know, the governments are silent. Well, of course, this is an extremely sensitive matter, but at the same time, it’s an extremely important matter. So who would you advise us to talk to when it comes to getting some insights from the governments? Because this is going to be the real challenge in our work. Thank you and apologies.
Jeroen Lenaers (Chair): No, thank you. Please. We do have it on. I’m always in these committees where after each speaker the chair takes half a minute to explain that we shouldn’t take more time or we didn’t want to do that. So please, a little bit of self-discipline would be really helpful. Hannah Neumann, please.
Hannah Neumann (Group of the Greens/European Free Alliance): Thank you so much. And I want to be very clear on one thing. The revelations that we saw yesterday also showed that six of our colleagues, members of this European Parliament, have been infected by spyware. And for at least one of them, Diana Riba, we know that she has been spied upon while she worked in committee inside this parliament. So we know they would have or they can have information, confidential information of these stocks. They can have confidential information from the exchanges she had. They can have confidential information on parliamentary documents. And this clearly shows that an attack on one of us is an attack on all of us, because it undermines the notion of parliamentary immunity, which is core of making democracies and our work here work. I mean, imagine we want to control the executive and security agents. And at the same time, everything we do when we consult and we discuss, when we strategize. They can listen into it. That’s what we are facing. And I think we really need to send a very strong signal at the beginning of this committee with a parliamentary debate in the next plenary, that we do not accept such political interferences into the work of us here inside this European Parliament, irrelevant of political group, national context or whatsoever, because that is what makes us strong as a European Parliament. Second point, and that’s going to be a question. We know that the systematic kind of abuse, we see it also in many third countries, especially in dictatorial regimes, autocratic regimes. We spoke about Saudi Arabia here today. So for me, the question is also for the scope of these of this enquiry committee, what kind of knowledge do we have on European Union complicity in this kind of espionage, be it through financial flows, the sending of exploits? Or do you expect us to look into that because we do not have enough knowledge on that yet. Thank you very much.
Jeroen Lenaers (Chair): Thank you. Dragoș TudoracheI, please.
Dragoș TudoracheI (Renew Europe Group): Thank you very much, Chair, and congratulations to you and your colleagues at our bureau for being elected. Also, we would like to thank our speakers for the courage in the work they’ve done. I think the fact that they brought this to the fore helped us also in awakening to this reality and dealing with it properly as we do right now. I actually have a question based on your forensic work, the forensic work that was done by my colleagues, both in Amnesty and in citizens lab. And that goes to the heart of the business model, because that’s one thing that I’ve tried to understand and no one seems to have a clear answer. Maybe you do. Once a contract is signed between an assault and a government, as far as I understand, who then controls the software? Does NSO remain in control of the software once it is deployed? Or is the government that acquired it then becomes the controller of the software and then decides on which targets to choose? And second question linked to that is then who holds the data? These are the data being held by an assault on NSO servers to be used or reused of you reviewed afterwards? Or does the data remain in the devices and is only being remotely accessed each time the one in command decides that they want to access the data. Thank you.
Jeroen Lenaers (Chair): Thank you. Then we move to Eva Kaili connected remotely. You have the floor.
Eva Kaili (Progressive Alliance of Socialists and Democrats): Thank you, Chair. Congratulations for managing for the first meeting to have such an interesting debate and everybody that participated in and for the work of our excellent speakers. Let me just clarify a couple of things. I wrote them on the chat. We launched this new bureau. We launched now the possibility for all members of the European Parliament to check their devices at the ICP helpdesk so that you can leave your device, especially when you have been on a mission in a third country, or you have concerns to ensure that you will have a simple or a more in-depth check, depending on your possibility to leave your device for a longer time. We tried to extend that beyond politicians. I have tabled a pilot project. I think more colleagues now are ready to do the same, to have a European citizens lab to ensure journalists, activists they will be able to check their devices inside Europe. I would just mention that we have discussions for more companies is not just in the so it’s cube these companies usually they have and they could have the tax bases in Luxembourg we can see them in UK. But also they can operate through third countries because they can we can send I mean a government can send a number and they can get everything from our device. They can even listen constantly from our mics, everything that’s been discussed around the device from a third country back to the government. So if I would ask the expert something, it could be we can understand if we are having a malicious spyware on our devices, can we can we find where this information leads to? Is it another government? Is it the member? Is it the third country? If we are able to follow the path and get more information on who is tracking our devices, then there has been on the news an investigative journalism identified, also FBI using Pegasus. So I think it’s very important to discuss about this case in depth and see what kind of data we have and decide also if it’s allowed to be used by governments. Because at the European level, whenever I ask a question, the responses, the these kind of activities should be authorised by the member states. I think we need to have a European if European approach. And we also have been discussing with the I city if we should call for a secure communication messaging application for politicians or people that they should have secure lines made in the EU so that we know and we can understand where our data win. But also, I would like here to ask you, do you think that even if they can not have access to our content, if it is not stored on the cloud, because the moment it is stored on the cloud, it’s not encrypted anymore. So for example, WhatsApp, if you have a text and you have to backup in the cloud, then it’s not encrypted. But if you use signal that doesn’t save on the cloud, anything that is just through your device that something could be detected, but it’s not being stored somewhere. So do you think that our metadata also could lead to cases like I showed you, because this is the case that actually revealed how this kind of spyware has been developed. And do you have more companies than the one mentioned data that we should decide how we should approach them? Thank you. Thank you so much and congratulations for your work.
Jeroen Lenaers (Chair): Thank you. And then we move to Assita Kanko who’s also remotely connected.
Assita Kanko (European Conservatives and Reformists Group): Thank you. Thank you very much. I hope you can hear me. I would like to congratulate you for your election as chair and also express my great appreciation for the fact that we are starting this committee work. That is very important not only to protect individual freedom, but also to protect our democracies and press freedom, which is very much threatened today. I have read the concerning and appalling information shared yesterday showing that colleagues, including Putin, for example, who is in this room at least longer, have been targeted. And what shocked me the most is that some people have even been targeted to family members like a spouse. So we are not only exposed as politicians, our families are also experiencing some form of risk. So I look very much forward to the way in which we are going to work together. I really hope that we will focus on the facts and focus on what we need to find and make proper recommendations to protect our democracies and against this kind of espionage, but also find recommendations that can last, that are sustainable and enforceable. One question that I have for our experts is the following. Did you notice that in the countries, depending on the level of education or digital education, there have been other kind of behaviour in the way in which people can be exposed to such forms of espionage or, you know, whatever you do, you cannot find a way to escape this. I am worry about the fact that even as members we are not very well informed about how we can be protected. I saw a mail from IT asking everyone to use Signal in a certain way. But I must confess that even for me, it was not that easy to follow the steps. So is that part linked to education or something that we can actually take into account? And how what kind of advice would you give on that. For the rest, we will have a couple of months to really focus on all the technical matters. Thank you very much.
Jeroen Lenaers (Chair): Thank you. And then last but not least, Andrzej Halicki. You have the floor.
Andrzej Halicki (Group of the European People’s party (Christian Democrats)): Thank you, Mr. Chairman. First of all, I would like to emphasise that I would like to agree with my colleague ECR, from Polish delegation about the campaign. Yes, this is not the Polish and the Hungarian example case, because we are talking about European security, about security of our citizens, our security. And it is very important to have, well, pan-European view on that European standards implemented by government, and nobody can be above the law. So if we have so shocking information, this is also the same feeling as about the camp I had. I was very shocking with the information that illegal spying on Commissioner Didier Reynders, the Commissioner on justice was. So the question is who did it when? Why we have to confirm the dates, the activity of Mr. Commissioner and we have to have the clear answer. So my question to our expertise. Is it possible to have such answer the area able to, to, to give us any information on that? Because it’s crucial. And I would like also ask about the other systems, because we are very focussed on Pegasus, NSO Group as a company and Israel as a state. But as we know, there are other similar systems as Predator. So what are the Oslo system? Are you recognise one, two, three, more or more than ten? How many? And if it is possible to have the information about the states, the companies, because it’s also very important to have the knowledge, wider knowledge on that. And in the end, this is the question to to to you, Mr. Chairman, to the presidency. But of course, we are talking about European directives, European law, European security in the end. But the crucial thing is to have also cooperation with the national level, the governments, too, but also the national parliaments. I mean, because this is also concerning the national law and the supervision of the security services and the law as a whole. So to protect our citizens, we have to cooperate with some national parliament. And in post parliament we have enquiry committee on Pegasus too. So this is the question to our Kalinda, but I would like to, to recommend close cooperation to the National Parliament representatives to think through much.
Jeroen Lenaers (Chair): Yes. Thank you very much for that last recommendation. I’m sure there are there are other parliaments as well, also outside of Europe who have been doing investigation. I think it would be very important to closely cooperate with them as well. But, of course, the agenda for the next 12 months still needs to be decided. But in cooperation with all of you, I think we should manage to do so. Thank you all very much. We have about 15 minutes left, so I would ask our panellists to give them at least the impossible task to answer all the questions within more or less 5 minutes. Many questions on the technical issues, on the financial follow, the money, the financial trails, please. I would do the same sequence as we did before. So I will start with forbidden stories. Laurent Richard et Sandrine Rigaud. I guess it’s Sandrine Rigaud who will speak to us in the second round. Please you have the floor.
Sandrine Rigaud (journalist from Forbidden Stories): Thank you. I’m going to go. I am the chief editor of Forbidden Stories and the coordinator of the Pegasus stories, I’ll just answer some questions with the gods and I’ll leave the more technical to Amnesty International and Citizens Lab. You asked us which guests should we hear, people we would invite if we were there. I have a few suggestions. I would have liked to have heard the authorities from the NSO group. We, on many occasions since the publication of this project have asked to talk to them, but they prefer to choose the journalists they speak to. NSO Group is an interesting company because it says it respects human rights and has a very rigorous human rights charter. We’d like to know what controls they’ve put in place. They say they have excluded seven countries over recent years. What are those countries? Who are those countries? What has NSO group done since? We believe that all these revelations from the Pegasus affairs on the basis of the Amnesty International Security Lab, we were able to show that the Moroccan journalist was targeted by Pegasus. Since then, Omar Hadi, the journalist has been locked up. And what has the NSO group done since this? These revelations can and is there confirm that Morocco is a user of Pegasus software? So these are a few questions that we would like to have answers to. You could perhaps also turn to Silicon Valley platforms and companies that are often the portals or the or the doors to the software. And as a group, we know that Israel has exploited the they saw the possibilities it could get from WhatsApp, from Google, in order to get to surveil or put its victims under surveillance. So these come and there are companies that have technical information and know who the main targets were and when they had to plug the gaps that the NSO exploited, they would certainly know a lot more. We know certain member states use because there’s others. France that was targeted is also carrying out its own enquiries. In July we were able to show that Emmanuel Macron, virtually the entire government, the entire cabinet were well, their numbers were victims of the NSO system. So what is France doing? France has been very silent on this issue. So these are certain suggestions. We are very closely following your work with regards to protection where we Amnesty and Citizen Lab have already said this NSA exploits the zero cake failings, if you like, on your telephone. It can attack your phone. No one can actually protect themselves from the attacks. And we would advise you very strongly to have your phones analysed and that’s to go through security lab of a citizen lab to do. This because they are really at the cutting edge of analysing these Pegasus softwares and other that are being sold. There are companies, security lab and or Citizen Lab could give you those names. And we are closely watching these companies. As journalists, we’ve only had access to very restricted non comprehensive source since we revealed the use of this software by a dozen other countries. And there have been other revelations since then and I think you’re in a better position today to urgently demand from the European member states to see who amongst them are using these software and for what, etc.. Thank you.
Jeroen Lenaers (Chair): Thank you. And then we give the floor back to Citizen Lab, and now it will be Bill Marczak who takes the floor. Please.
Bill Marczak (CitizensLab): Dear Chair Members, thank you for having us today. So I’ll just briefly jump in to some of the questions that I heard and then give a little bit of more, more general remark. So, so one question that I heard a lot from the members is a question about what companies know about how their products are being used. For example, what does an ISO group know about how Pegasus is being used and how its customers are using the spyware, who they’re targeting, what information is collected? Well, this is somewhat of a murky answer to this question, but we got a little bit more information yesterday in the report by The New Yorker magazine. A source quoted in that report says that maybe NSO group is able to access all of the information collected by all of its customers from all of its targets. And maybe that information is also available in the NSO group database as well. It’s unclear if this is completely true, but as I said, this is this is sort of murky. But if this was true, this would make sense. We’ve seen a number of interesting coincidences. For example, recently NSO Group took the extreme step of notifying a longtime Pegasus target, but only right after I myself notified the very same target. Also, based on our research, what we’ve concluded is that there is some centralised entity with respect to Pegasus, likely NSO group itself that is setting up all of the servers and all of the infrastructure for the clients. And information taken from the hacked phones is flowing back to the government or to NSO through these servers that are set up by the centralised entity. So in conclusion, we are not 100% sure obviously, but NSO might collect this information and with respect to other companies operating in the space, that that is also a possibility. And of course, this brings me to the next question about other companies operating in this space. Of course, Pegasus is on everyone’s minds here today. But remember our recent report yesterday about targeting of Catalan activists mentioned, of course, another company, Kangaroo, whose spyware was operating in the EU. And just last week, another company site tracks their predator spyware was documented, used against an EU citizen. I’m speaking, of course, of the case of Thanasis Koukakis, a financial journalist in Greece whose phone was confirmed hacked by Citizen Lab with site trucks as predator spyware. And the confirmation was with respect to hacking in 2021, investigative journalists in Greece who were investigating this surveillance uncovered documents pointing back to the Greek government as the likely culprit in that case. So there’s a whole industry of companies here. There’s even more companies we’ve heard about that have not had any documented links to the EU yet, but could potentially come into the fold if NSO Group or other companies leaked for some reason were to leave the market. The way I like to think about this technology generally is sort of like handling radioactive material when this technology is sold without proper customer vetting. Like we see companies like NSO Group not conducting proper customer vetting or it’s used by the agency without very strict independent oversight, it can be mishandled accidentally or even deliberately, and it can have this slow, deeply corrosive effect on democratic institutions over time. And let’s also not forget the spectre of foreign espionage. Companies like NSO Group explicitly authorise or licence their customers to spy in certain jurisdictions. And we’ve seen of course, that NSO group has authorised a number of non European Union customers that has customers outside the European Union to spy on EU citizens. For example, as we saw in the Pegasus project, the case of Rwanda spying in Belgium. And this is presumably the case of, you know, for non EU customers of other spyware vendors too. So given the dangers to both democratic institutions and national security, I’m happy to see this is moving forward. And of course, I would also like to add that that. Citizen Lab stands ready to assist or work with whomever is doing a scanning of EU Parliament members in order to help do this scanning in their privacy preserving manner. So thank you for having us today and I’ll let my colleagues from Amnesty field the rest of the questions.
Jeroen Lenaers (Chair): But let me thank you for your contributions today and also for that offer, which we will certainly take you up on. Thank you very much. And indeed, we conclude the meeting by giving the floor back to Amnesty International. And this time it will be Nikita Banerjee who will take the floor. Please. You have the floor.
Likhita Banerji (Amnesty International): Thank you to the Chair for the opportunity to address the floor. We acknowledge some of the questions we have received and we hope to answer some of them as the committee takes forward the proceedings in the coming weeks. In more detail. On the question of what NSO does or doesn’t do as our colleague some citizen lab pointed out, contrary statements have come up on what it does know. NSO previously has said that it does not have visibility, but recent reports are beginning to suggest otherwise. We’d like to take this opportunity to say that this drives home the problem of the lack of regulation, which allows and saw the opportunity to take forward this obfuscation, and which is why companies such as an assault cannot be allowed to regulate itself based on the mounting evidence of abuse that has been uncovered by civil society. Just now abundantly clear that we are looking at a global human rights crisis posed by the cyber surveillance industry and states who misuse their tools. In particular, the scale and breadth of the abuse facilitated by NSO Group and its state clients is utterly out of control, destabilising and threatening to individuals, human rights and the digital ecosystem as a whole. The work done by civil society to expose these human rights violations is crucial and poses a serious challenge to an industry that is stubbornly resistant to transparency. However, we wish to stress that civil society disclosures cannot represent the only form of check on industry participants and its state clients. And governments have not done nearly enough to rein in this out of control problem. The fact that parliamentarians and government official have been targeted, including in the EU institutions, is really worrying. But we would also like to take this opportunity to re-emphasise that surveillance is a serious threat to civil society and listed on the world and including on the human rights stood out on there, including privacy, freedom of expression and assembly. Experts have documented an evolving vector of attacks that are becoming harder to protect against and harder still to seek accountability for. Even when the presence of surveillance cannot be proven, the mere suspicion that it exists causes civil society to self-censor, imposing a chilling effect on human rights work. Surveillance poses enormous risk to the physical safety and mental well-being of human rights defenders. It also places sources, colleagues and loved ones in harm’s way. Many rights defenders, known to be targeted and or infected, have also faced history of repression at the hands of governments. We want to also emphasise that for women human rights defenders, the threat of surveillance is grave. Still, information obtained through unlawful surveillance can be weaponised against them through leaks and smear campaigns. Even when human rights defenders choose to leave the countries of origin, we have seen that surveillance for laws making it a tool for transnational repression and giving rise to the feeling that nowhere is safe. As we have observed and also questions have come up, the problem is not Dr. one bad actor. An example of targeting with other forms of spyware clearly demonstrate this. In addition to the examples shared by our colleagues, which is in lab, Veeam also documented malware campaigns in India, Vietnam and some other jurisdictions. This is an unaccountable industry, an unaccountable state practise that must not be allowed to continue in its current forms. Therefore, Amnesty International is calling on states to impose an immediate moratorium on the sale, export use and transfer of surveillance technology until proper human rights safeguards are in place. We now watch the Committee of Enquiry to take into account the root causes that cause these violations to continue, which is a pervasive lack of regulation and persistent impunity. On the question of who should be shielded from, we would also like to request the committee to centre. The lived experiences of civil society have been put under surveillance. The answer is robust regulation, independent oversight and accountability for abuses and meaningful transparency. Further, this regulatory action must be multifaceted, including strengthening domestic laws, safeguarding against surveillance, export control mechanisms and corporate human rights due diligence mechanisms for companies, amongst others. We look forward to engaging with the committee on this. Fast forward in greater detail. Thank you.
Jeroen Lenaers (Chair): Thank you. And that concludes our session for today. Let me thank the interpreters for making this meeting possible, regardless of or language requirements. Let me thank everybody who participated. I think if we can keep up this sort of active participation by all members, from all groups, we can really do a lot of work even though we only have 12 months. And let me also thank the Secretariat for having been able to organise this meeting, even though the committee, of course, before today officially did not exist yet, and using all the flexibilities within our rules and administration to make this very useful exchange of views possible. Thank you. And most of all, thanks to our guests from the three different organisations for their knowledge, for the experience that they shared with us. There were many questions that we still need to answer, and all of you have indicated that you will be very open and willing to help us in that process in the next 12 months. And I think I can only say on behalf of all of us that we gladly take you up on that offer, and we will certainly be in touch on how to do that in the next 12 months. So thank you all. And I would like to ask the coordinators and deputy coordinators.