At the public hearing organised by the PEGA Committee in cooperation with the Committee on Foreign Affairs, parliamentarians and guest experts discussed the use of state trojans outside the EU on 15 December 2022. These state trojans are allegedly, and at least indirectly, also financed with EU funds. The session therefore focused on the consequences of these deployments for human rights. A further focus was the impact that state trojan deployments have on the EU’s diplomatic relations.
The rapporteur, Sophie in ’t Veld, was once again incredulous and angry at the reported conduct of the Commission. As she herself admitted, she let herself be carried away into a “pre-Christmas outburst of rage”:
I must say that this makes me deeply depressed or angry, or both, because it once again confirms the attitude of the European Commission, which on the one hand is very technocratic and pretends that governments are its only interlocutor, that it has no responsibility for upholding EU values, for actually enforcing the laws and treaties. […]
[The Commission] simply pretends that this is all a technocratic exercise. And if this House were not itself in such a mess right now, I would actually want it to send the Commission packing. But fine, that is my pre-Christmas tirade. We really don’t miss an opportunity to mess up, do we?
There is a video of the hearing, but no official transcript. We are therefore publishing an unofficial transcript.
- Date: 2022-12-15
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers & Diana Riba i Giner
- Links: Hearing, Highlights, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editor: Tim Wurster, Emilia Ferrarese
Spyware used in third countries and implications for EU foreign relations
Jeroen Lenaers (Chair): Okay. Dear colleagues. Good morning. I propose that we start. There is a lot of simultaneous meetings ongoing this morning. During the last morning of the last day before the Christmas recess. So, we’ll have some colleagues who will be walking in and out of the room during the meeting, but many will also follow online. So, we have interpretation today in German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.
And we will have our hearing today on spyware used in third countries and implications for EU foreign relations. Now, third countries and EU foreign relations have covered quite a lot of our agenda this week for many reasons. So, in that sense, it’s quite apt to have this meeting here today. The use of spyware is not limited, as we know, to the use by member states, amongst others.
The mandate of our committee requests us to collect information on the extent to which member states or third countries use intrusive surveillance in a way that violates the rights and freedoms enshrined in the Charter, as well as assess the level of risk this poses to the values enshrined in Article two of our treaty democracy, rule of law, respect for human rights.
So, our committee is also tasked with investigating whether the use of Pegasus or equivalent spyware by Member States’ authorities has resulted in the transfer of personal data to third countries, in particular, but not limited to, the NSO group as well as to third countries’ governments.
So together with this first hearing, we will organise a second hearing on the geopolitical aspects and will also be informed through a study commissioned by the Policy Department on Pegasus and equivalent surveillance spyware and its impact on aspects related to the EU’s external relations for which we have a presentation foreseen in January.
Now, without further ado, I would like to move to the hearing. I am just quickly checking with our IT desk whether Mr. Benjakob is connected online. He is not yet. Then I propose we move immediately to Ms. Ilia Siatitsa who is a programme director and Senior Legal Officer of Privacy International who is also connected with us remotely. You have the floor for about 10 minutes.
Ilia Siatitsa (Privacy International): Thank you. Thank you very much. Good morning. Thank you very much for offering me the opportunity to give evidence before this committee for another time on behalf of Privacy International or PI, a London based non-profit that advocates and researches globally against government and corporate abuses of data and technology. My slide, please.
My opening statement will first briefly touch on the EU foreign policy priorities. I will then focus on the EU roles in transferring surveillance capabilities to third countries. I will there outline our concerns and observations regarding those transfers and conclude with key recommendations by PI that seek to assist this committee in strengthening the rule of law, in upholding the rights of millions of individuals living in the EU and beyond. Slide, please.
Respect for human rights and dignity, as it was already mentioned, together with the principles of freedom, democracy, equality and the rule of law are values common to all European Union countries. They also guide the EU’s actions both inside and outside its borders. The European Union’s Global Strategy for Foreign and Security Policy has set out five broad priorities, amongst which there is a commitment to rules-based global governance. In particular, the EU committed to a global order based on international law which ensures human rights. The common policy commits to systematically mainstreaming human rights and gender issues across policy sectors, institutions, and to champion their indivisibility and universality. Slide, please.
This commitment underpins every activity, including the security and defence priorities where the UK has committed to develop human rights compliant anti-terrorism cooperation with, amongst others, North Africa, the Middle East, the Western Balkans and Turkey. The EU foreign policy plays a key role in supporting the rule of law, democratisation and human rights protection around the world. Yet we are concerned that certainly your practises seem to undermine the same core rules and values they have committed to promote and champion slightly. Specifically, we are gravely concerned about the activities carried out by the European Commission as well as most notably the European Border and Coast Guard agency Frontex, the European Union Agency for Law Enforcement, their training, CEPOL and the European External Action Service, which relate to the transfer of surveillance capabilities to authorities of non-EU countries. This surveillance support from several EU borders institutions includes direct transfer of surveillance equipment to third countries, training of third countries intelligence and security forces, financing of their operations and procurement, facilitating of exports of surveillance equipment by industry and promoting light installation which enables surveillance. These transfers include transfers of spyware and hacking capabilities, which can be used not only against human rights defenders, journalists and others, but across borders against people in EU countries as well as EU diplomats. We know this as a result of a long and extensive access to documents process that Privacy International has undertaken since 2019. These documents reveal a far more worrying picture of what the EU’s situation and its member states contribute to slightly. Slide, please.
For example. Recommendation of a training session provided by the National Police of Spain with EU support to the police, security and intelligence authorities in Bosnia and Herzegovina on financial investigations revealed the promotion of the use of malware and computer trojans. That is, software used to have individual devices to extract data, to take control of functions such as the camera and the microphone. And that is sold on the open market by companies such as NSO Group. European Union is the world’s largest donor of development aid and instrumental support and supporter of democracies in peace around the world and a powerful global force for reining in big tech and other exploitative interests. However, in the past years they have been using those powers to expand the surveillance capabilities of neighbouring countries and beyond. Just to bring two examples slightly. Amongst others, the EU Trust Fund for Africa, a funding programme which uses EU aid money for migration control, has provided the Government of Niger with surveillance equipment that includes a cell phone tower simulator used to intercept communication. This is often referred to as a name that got their gotcha. They are highly intrusive devices. They are designed to imitate mobile phone towers and capable of carrying out indiscriminate monitoring of my files present in a given area. This allows otherwise anonymous people to be identified and their locations tracked. Yet the country has no law that regulate the use of this kind of intrusive equipment. There seem to be no robust restraints that can prevent authorities from using the equipment for other purposes beyond just for border control purposes. The 11.5 million funds to Niger further included the provision of surveillance drones, surveillance cameras, surveillance software and a wiretapping centre. Slide, please.
Similarly in Serbia, security authorities have sought using EU funds to purchase tools used to gather personal data from Facebook axes, user passwords, browsing history, content, contacts, locations, history, email and quote. Bypass. Two factor authentication. A key security measure which activists and journalists and others rely upon around the world. Slide, please.
Last week, the European Ombudsman agreed with our concerns. She should the decision following a complaint submitted by Privacy International, together with five other human rights groups, finding that the European Commission failed to take necessary measures to ensure the protection of human rights in the transfers of technology with potential surveillance. Gabon City. That is supported by its multibillion emergency trust fund for Africa. The Ombudsman’s enquiry investigated the support of projects across Africa that aimed at bolstering surveillance and tracking powers and involved extensive evidence gathering from the commission and the complainants. It found that the Commission was not able to demonstrate that the measures in place ensured a coherent and structured approach for assessing the human rights impacts. The decision recommends that the Commission now require that an assessment of the potential human rights impacts of projects be presented together with corresponding mitigating measures. The lack of such protections, which the Ombudsman called a serious shortcoming, poses a clear risk that these two balance transfers might cause serious violations of human rights. Behind the coalition of human rights groups have also filed two more complaints to the European Ombudsman on Frontex and the European External Action Service. The complaints are currently being similarly investigated. Examples like the one above underpin the threads. These abuses pose for the rights of EU citizens too, as they can be exploited by third country authorities that lack the stringent safeguards present in the EU legal order. The EU foreign policy plays a key role in supporting the rule of law, democratisation and human rights protection around the world. It should take measures to ensure that its current activities do not undermine the same principles they seek to promote.
This enquiry will by now be aware that the surveillance market is global and that countries such as China, Israel and the US are all significant exporters and similarly provide financial and technical support to national authorities around the world for surveillance. There is no shortage of surveillance, which means that the work of activists and journalists in countries around the EU’s neighbourhood will continue to be endangered, undermining democratisation efforts and entrenching authoritarianism. The very things the EU stands against, and which threaten its own economic and security interests. We strongly believe that this committee’s work can be central in ensuring that EU foreign relations are not undermined by Swype, spyware and other surveillance used in third countries. Slide, please.
With regard to what the U.S. should do, there are the following recommendations that we urge you to adopt. First, the expert and transfer. Transfer of certain surveillance technologies should be prohibited due to their highly intrusive nature and the unique threats they pose to privacy and security, amongst others. Hacking capabilities sold by spyware companies such as the NSO group have the potential to be far more intrusive than any other surveillance technique by permitting the government to remotely and in secret access personal devices and all the intimate information they store. As such, it is difficult to foresee a circumstance where their use would meet the standards and requirements set under international human rights law. Second, transfer of surveillance should be made conditional to an appropriate legal framework and effective safeguards, including independent authorisation and oversight procedures as well as appropriate remedial mechanisms. Furthermore, support of surveillance technologies should only be provided to countries with the adequate level of data protection frameworks. Third, any transfer of surveillance capabilities should be provided only after adequate human rights impact and risk assessments are carried out. For finally, it is key to provide the European Parliament greater capabilities of scrutiny and ensuring accountability over EU funds. Slightly. In sum, B, I believe that this committee is presented with a unique opportunity to uphold the fundamental rights of millions of people, while in doing so also promote the EU’s own interests. We are confident that it will live up to its challenging task and promote democracies where people are free to be human, both offline and online. Thank you very much for your attention and I look forward to your questions.
Jeroen Lenaers (Chair): Thank you very much, Mr. Siatitsa. I’ll check again whether Mr. Benjakob is connected. No, not yet. Then we move to our third guest, Mr. Guilhem, who is an expert in surveillance technologies and a former agent of the French intelligence services. And you recently published a book where you discussed the use of spyware such as Pegasus, so we’re very interested to listen to your contribution. You also have about 10 minutes.
Guilhem Giraud (Expert on Surveillance Technologies): Thank you, Chairman. Good morning, everybody. I’m an engineer by training and I’ve been a designer for 25 years of strategic surveillance and counter surveillance systems. First of all, I was employed by an intelligence service from the French Home Affairs Ministry, and I moved then to the private sector and French companies in that sector and then independent consultant advising various governments in Africa and the Middle East. To give you a complete idea of the various positions I have adopted.
When I got back to French in 2021, I founded a company specialised in the provision of special investigative techniques to the French administration, and probably I will be a candidate for the supply of spyware, which the French call data capture software. It’s in 706/102 in the criminal law and also in the internal security law. And I’d also like to make it clear. And that if the French administration uses spyware, it’s because legislators have recognised the need in certain situations to have it, particularly when the seriousness of crimes makes that necessary and when the targets of surveillance themselves use encrypted means of communication. The applications that we know – Telegram, Signal, WhatsApp. So, these conversations need to be intercepted in the target terminal, not online because then they will be undertaken. You can’t decode them.
Between 2015 and 2021, I was in charge of maintaining the security of the electronic communications of a royal family in a state in the Persian Gulf. So, I had a technical centre which had encryption capabilities, and I was regularly consulted on sensitive matters dealing with these issues. Let me just make it clear that it’s not Qatar. As I wrote in a book published this September, I was indirectly approached by NSO, which produces the Pegasus software. Although the interception of communications, which was a prerogative then of the Ministry of the Interior in that state, was explicitly ruled out of my mandate by the local authorities. I did receive a visit at my workplace in 2016, in the summer of an advisor who was near the head of state, who asked me to get in touch with the director of NSO to allow his employer to get hold of Pegasus software. The person I spoke to was absolutely ecstatic about that idea. And he said, and I quote: This software will allow us to listen to everybody, enemies as well as our friends. All the leaders in the Gulf want this. So, I was quite clearly asked to enter into a direct relationship with NSO without involving the country’s institutions, and to make myself a primary contractor for activating an untrammelled surveillance device through Pegasus, which will be used exclusively by the royal family outside any kind of oversight by the state. Having looked at the situation a few hours later, I categorically refused this mission, and I said no and warned my employer about it. But if I’d been keen on making money, I would have accepted it without hesitation, because I would have been placed providentially as a supplier and intermediary in a market where the value is definitely higher than €10 million.
When I look back at my decision and its implications, I realise that my decision gave me something much more valuable because I realised you could do the job that I had chosen dishonestly, and I had quite consciously decided to do it properly. Since then, I’ve carried on flagging up the dangers of unregulated surveillance, and I’m proud to be able to testify before you today.
My conscience is clear, and I can make my skills and experience available for the concept of a rational idea of surveillance. In November this year, I read your entire interim report. And the close correlation between what you’d found in various EU countries and my own experience was a bit of a shock. I really wasn’t expecting that. I found this description of the temptation that powerful people feel to try to get around the rules of their states, to remove safeguards, protecting their fellow citizens so as to concentrate more power in their own hands.
If one takes a step back and looks at what’s happening throughout the world on this matter, you have to see that spyware is proliferating and that it’s completely free to use it. There’s complete freedom as far as using it is concerned. There’s an almost free app which allows you to find out – illegally, let me mention – where your partner happens to be at any time. And we’ve also got the Zero-day zero click exploits. And there are a large variety of products. There’s something really for everybody. And there is no kind of hindrance, no rule, which allows one even to monitor what they do, let alone hinder it.
If we think about the implementation of ways of circumscribing the application of this software, we need to put an end to the belief which is very widespread amongst decision makers at all levels, that they’re completely free to use the software. Having looked into it, I came up with a list of measures, a provisional list, which I would like to mention for the sake of a discussion today and subsequently.
First of all, I reckon we need clearly to define the parameters for the way in which spyware can be used by member state administration in the legitimate task of protecting the population. We need to remember that spyware is used by Member States and as I said at the beginning, it can be extremely useful when it comes to tracking terrorists and criminal organisations and I am not against that at all. Let me make that clear.
But the European institutions need to take a position as a leader in regulation when it comes to spyware. Those who don’t obey the rules should be excluded from the European market and from a certain extent would knowingly be excluded from the market completely. One idea could be, for example, to limit the number of files gathered by spyware to ones that were created after the warrant for the surveillance was issued by a judge. This is a point that various members of the Pega committee have already mentioned, and I think it’s a good idea.
Secondly, a flanking measure for one, really, we need to have an assessment procedure for spyware, conformity, which is brought in the European Union in various member states. A local conformity procedure exists to be a question of harmonising these rules to make sure we can keep a central registry.
Thirdly, we need to, I think, force all intelligence services to place a software label on each of the infections by spyware that is carried out. This would have, for example, approval of the software, the enquiry and see the target. So, you know that where it comes from, which enquiry is concerned and what software is being used, that we know whether it was legal or not. Along with these three ideas which would be part, I think, of a kind of centre of excellence at European level. It would be a good idea, I think, to ask Member States or propose member states assistance in the creation of these provisions. It will be a counterpart to the binding measures that will also be placed upon them.
And finally – this isn’t connected directly to the previous for a non-expert in this area – but I did see the vulnerabilities when it comes to telecommunications operator networks, a very significant gap which are exploited but which is exploited by spyware manufacturers. So, we should make electronic communications operators in member states obliged to upgrade the safety of their networks so as not to make infections and hacking by these companies which make software too easy because they don’t follow the rules of the European Union. And I’ll leave it at that. Chairman, thank you.
Jeroen Lenaers (Chair): Thank you very much. I think that’s very interesting. Also, thanks for keeping such a close eye on the work of our committee. Yes. Reflecting on some of the comments that have been made already, I think it’s very, very helpful that we appreciate that Mr. Benjakob is connected by now. So, I immediately pass the floor also for 10 minutes to Omer Benjakob, who is a cyber and disinformation reporter from Haaretz newspaper and amongst others. He recently published an article about the export of surveillance software from Cyprus and Greece to Sudan. So, you have the floor for 10 minutes. And could I also ask the colleagues who would like to take part in the Q&A session after the speaker to indicate their wish to do so? Thank you.
Omer Benjakob (Haaretz): So thank you so much for having me here today. It’s a real honour to address this committee. I want to kind of offer a bit of context based on my experience reporting about this field for the past year and then kind of end into talking about the investigation that was published a few weeks ago together with journalists from Greece and the lighthouse in the Netherlands.
So, I think in the year and a half that has passed since the Project Pegasus investigation kind of exploded, and we all became acutely aware of this industry and the way it’s used. I think we’ve learnt a lot, or I’ve also learnt a lot and I want to kind of share some of that context because I think it’s actually very, very important as you move forward trying to put forward a European policy on this issue.
So, I think one important thing that we learnt is that a lot of this stuff was legal and then a lot of the use of NSO in itself was not only regulated but actually quite strictly regulated at least by the state of Israel. So, look at the selling side. I think what we’ve learnt is that the use on the receiving side is also legal in many cases.
And I think the third thing we’ve learnt is that this ecosystem or that this functions within a much broader ecosystem of, we can say, diplomacy and also technology and communication because I think though we might all feel personally, or I think we might all have different opinions about how the use of spyware is done in Europe and whether we want that to be legal or not. I think there is a wider question, which is how does this market look when it’s completely unregulated and how it looks when it is regulated?
And maybe we don’t feel comfortable with the use of this, for example, in Spain for what we perceive as political purposes. But it is a legal use that I think from my perspective, from looking at this past year and a half, I do not think that banning spyware is a realistic option. I think the only option is regulation. And the point I’m going to try to convey to you is that I think that unlike what we kind of assume, that this is a completely new issue. Cyber is a mystery. It’s not a mystery. It’s an arms sale. The Western world has almost 100 years of experience, more regulating arms sales. We’re quite good at it. And I think this is the kind of thinking we should be bringing to this. And I think that the discussion about sales to other countries vis a vis the EU is a great way to understand that.
Jeroen Lenaers (Chair): We’re trying to… Its connexion is unstable. Okay, we’ll try once to refresh. And if not, we…
Omer Benjakob (Haaretz): I’m back. Sorry.
Jeroen Lenaers (Chair): Yes, great. Thank you. Thank you, Mr. Benjakob. He was just back long enough to say, I’m back. We’ll try to refresh once more.
Omer Benjakob (Haaretz): I’m back, can you hear me?
Jeroen Lenaers (Chair): Yes, we can hear you.
Omer Benjakob (Haaretz): I’ll try to be short. The story here, or my big takeaway in the broad perspective is that this is a story of privatisation. We’re seeing skills, technologies, abilities that used to belong only to states entering the private markets.
On the other hand, we’re also seeing that as they enter the private market, states and entities who did not have the ability to develop these technologies independently, are the biggest clients. And I think that is a very, very, very important point to understand as we move forward in terms of our discussion about policy and regulation, because we know that there are countries who know how to do this. I mean, other countries who don’t want to do know how to do this. We know there are countries who want to buy this technology. And I don’t think that dynamic is solvable.
I think what is solvable is regulating the dynamics between these countries and also creating some legal framework or some even diplomatic framework in which countries that don’t have internal legal frameworks to deal with this stuff can because it’s not just about this or that specific spyware. These technologies are sold in bundles.
And as I like to say, NSO only has the bedrock of leading forensics, there are many other software, many other programmes, many other services that we may or may not be conscious of them. And I think therefore, we need to be very careful in terms of focussing too much on one specific tech, too much on one specific, you know, like what cyber people call attack vectors. So, for example, it’s very popular now to think about banning zero days or zero clicks within this space. But I think that it’s an idea that has merit.
But I think the broader issue is that we need to make sure that these kind of arms, when they reach countries, either they don’t reach countries that don’t have any legal framework to deal with them or when they do, then at the sellers end there is some due diligence and some accountability, I think the Israeli model of the way these companies are governed or oversight is not necessarily a good one, but it does involve some. From what we’re seeing in the past six months, it seems that Israeli oversight is, in many senses, much more strict and much more mature than certain aspects of the EU policy just because it’s lagging behind. And a lot of the work that a lot of journalists have been doing on the company, generically known as Intellexa, has to do exactly with the fact that though they, from our perspective, seem exactly like NSO, the moment they function from countries like Greece or Cyprus, then the regulation governing them seems to be very different.
Generally, though, Israel has been kind of portrayed as like the mothership bad guy of the story. I think this is actually one of the ironic points that Israel is actually proving itself to be quite good at regulating this technology. A lot of what we’re seeing in Greece and Cyprus has to do with companies that want to avoid Israeli oversight and seem to believe that European oversight is much simpler, too, to circumnavigate or at least easier to play with. The history of Israeli spyware and exports does pass through Cyprus. So, a lot of these companies were set up, therefore, for, let’s call it regulation like circumnavigation.
That being said, I do think it’s clear that the Israeli model that requires these companies to provide an end user certificate with very specific rules, this annual certificate may not be legal. I think what’s sad about Israel is that this past year and a half has told us that they just didn’t want to regulate the field that much. So now they want to because now we’re all in like it’s bad PR, but until this moment, no one wanted to overly regulate the field. But now it is quite strictly regulated to what I’m understanding. And I think what we’re seeing is the rise of these kind of unregulated or quasi regulated companies.
One more comment that I think is very important. Intellexa and firms like Intellexa, what makes them unique when they move out of regulation is they can do something that Israeli firms cannot, which is provide a bundle of services. So according to Israeli export law and so in companies like in install who sell offensive cyber, you’re not sell a service. They can’t teach you how to hack. They can sell you a technology that can hack, but they can’t teach you how to do it. What we’re seeing now is service companies, the service thing, this technology plus service is a different scale of an issue. And I think that in a sense is much harder to regulate.
But just to circle back to kind of the broader point, I think that regulation and regulation that is that borrows its logic from the world of international arms sales is the only solution, I think, sticking with. Possession of these tools within a diplomatic framework is also key. But I think the past year and a half has taught us that you can regulate it. The moment Israel understood that it’s bad publicity or bad diplomacy for them to sell this to Africa, it’s not being sold in Africa anymore. And I think the question becomes how the EU becomes kind of the leader in terms of creating the framework for this regulation, which is very important because I think if we ban it, if this is banned, it will only become more illegal. We’re already seeing alongside firms like Intellexa, a lot of smaller suppliers who are selling exploits or just selling with the exploits behind the technology.
And I think it’s very important that we don’t push the field so hard that it goes completely underground because we don’t even, we can’t even imagine how and how bad this looks underground, like a year and a half ago, NSO, we thought, was like the most evil thing you could imagine is quite the opposite. They’re completely legal to regulate this company, and we should strive that all these companies be as regulated as ever. So maybe we’d prefer that they have officials that will take different business decisions. But at the core of everything they did, it was legal, and they had paperwork for it, even with Spain, even with what happened in Africa. Yeah. And that’s the thinking about regulation needs to, it needs to be, I think much more focussed on the end users, the countries getting it and the process in which it happens. So that’s my kind of broad big picture. Certainly, based on this past year and a half, I really, really am honoured to have had the chance to talk to you. I’ve met some of you when you were here in Israel, and I’m here if you have any questions.
Jeroen Lenaers (Chair): Thank you very much. And I can assure you that there will be questions. I will take the questions one by one from our members, and then you get the opportunity to reply, all three of you, to the questions. So first we go to our rapporteur, Sophie in ’t Veld.
Sophie in ’t Veld (Renew Europe): Yes. Thank you, Chair. And I apologise to the first two speakers for being late, but I had to be in a trialogue. And I have still not mastered the art of omnipresence. I’m practising, but I know I’m very limited.
My questions to Mr. Giraud are a little bit random – I’m interested in the issue of exports because we’ve been looking a lot at Cyprus, Bulgaria, Israel as a hub for exports. But I’d like to hear a little bit more about France. You have seen the recent publication, I imagine, in Politico, about Mr. Leandri with his new business alternative. And he seems to be operating as a kind of broker. Is that your impression as well? Because apparently, he is also offering Predator. This is what I hear. What is your impression of how the export rules are being applied in France today? We know that in the past there have been issues, there are court cases against Amesys, etc., but how does that work? Because if Leandri thinks that he can sell Predator and other products and services, then apparently, he thinks that he can do that under the current export regime. And I would like to hear a little bit more about that.
Then you said something about marking. I was trying to understand exactly what you meant. Does that mean that you think Secret Services should have a kind of, let’s say, a kind of signature kind of label so that when there’s an infection, we know that it’s from a particular Secret Service? Okay. I see you’re nodding so that.
Okay, I’d like to hear your views on the regulation of trade in vulnerabilities.
And then to Mr. Benjakob, maybe also to Mr. Giraud, if he cares to answer, because Mr. Benjakob, you say that by now the Israeli export licence regime is more strict or applied more strictly in any case than in the European Union. That is probably right. Do you expect that to change under the new government? How does this relate to the story that Cellebrite is still being used in Russia? Apparently, this is…okay. I’m asking the right question. Okay. You can leave you to answer that.
And two final questions. Of course, neither Israel nor NSO will confirm which two countries have been struck off the list of 14 EU member states, but everybody assumes it was Poland and Hungary. Do we have any more tangible indications for that?
And finally, what are your expectations of the new cooperation between or the new initiative of Mr. Hulio and Mr. Kurz? What do you expect? Thank you.
Jeroen Lenaers (Chair): Thank you, Sophie. I was trying to lip read what Mr. Benjakob was trying to tell us, but you’ll get the floor in a minute. First, to take the answers in the order of the question, Mister Giraud?
Guilhem Giraud (Expert on Surveillance Technologies): Well, thank you for those questions. On the question of alternatives, this is quite a specific issue. Mr. Leandri is very controversial. And I don’t think he’s representative of the industrial fabric in France. Mr. Leandri is to some extent a symptom of the abusive relationship that you can have between industry and politics in France. That’s what I would say.
On regulation, I know that there have been changes and the Commission has a double usage approach to looking at exports of this software. And I think that now the Prime Minister’s services have to give final approval before an export is made. That wasn’t the case previously. And I would like to say that the administration is more engaged in the process. You talked about Amesys and Libya. So, I’m very familiar with that case. I was present at a hearing as a witness on crimes against humanity. So, I’m very aware of that.
Then thinking as an engineer. I think I would say that every service has to have a clear signature, separate signature. So, you’d have to have three different signatures all together, which would be stamped on the software. You would have to have a key to access that. Information serve as citizen was aware of an operational service, they would be able to say who was tracking them. And that’s what I’m suggesting. That was my conclusion as to a healthy solution.
And then finally, what I would say when we’re talking about spyware is that when people are thinking about vulnerabilities, that people are thinking about where those loopholes are, they’re thinking about selling solutions on the black market. Maybe they have direct contracts with suppliers and there is a whole chain of suppliers. So those who find the vulnerabilities of the first link in that chain. So, they are hidden. I’m not familiar with who they might be. I don’t know how you would regulate that sector where they’re identifying vulnerabilities, but I think that is the key question. Thank you.
Jeroen Lenaers (Chair): Thank you very much. And then we move to Mr. Benjakob.
Omer Benjakob (Haaretz): So just the first question had to do with why I think the Israeli oversight is better at this point than if it were changed. And the second question was about Cellebrite, right? Sophie?
Sophie in ’t Veld (Renew Europe): Yes.
Omer Benjakob (Haaretz): So I think the Israeli oversight, the reason it’s working so well right now is because there was such a big backlash, specifically vis a vis the United States. I think what’s interesting about this backlash is that it really shows how a market could function. It shows the good and the bad of this dynamic and this change that is now going to happen. And I believe that now will change. I don’t know if it’s going to be back to what was in the past, but I think it’s safe to assume that a different government will mean a different policy in this context. I think what’s interesting is to look at certain companies and this kind of strictly in relation to the very bad companies that are built only from selling to, let’s say kind of nondemocratic regimes. And then we’re used to this kind of bonanza that Israel was facilitating or having a very hard time to hold on. But a lot of companies are not. It really changed the market and I think there are a lot of new companies, mostly the market leaders.
That’s also something that we should say, like it’s mostly like the two or three big companies that are managing to kind of, you know, craft a way forward in this dynamic. So I don’t know from the Israeli defence establishment if this was a success. I think they don’t think it was because I think some companies did shut down more companies than they want to do. But in theory, I can mention, you know, a company like Paragon, which has never been directly accused of any wrongdoing. And Paragon is a company that doesn’t seem to have had a bad year. The NSO had a bad year because they had a bad year. And other firms also. But also, you know, I think Paragon had a good year because they never like their built up being very close to the defence establishment and they’re generally focussed only on Five Eyes and Western sense, and it works. I think it’s not enough to support an entire ecosystem like Israel used to have, but it’s also very important to understand what we’re actually regulating. This is a great way to get into Cellebrite because firms like Cellebrite are not even, or at least very recently weren’t even considered. Cyber firms like Cellebrite sells a hardware device that allows police forces to use latest to empty a device. Or, as someone told me once.
Jeroen Lenaers (Chair): A Cliff-Hanger from Mr. Benjakob. Maybe we will give the floor to… Mr. Benjakob is back.
Omer Benjakob (Haaretz): Sorry. I’m sorry. I’ll finish up. I was cut off. I think the point is, and this is a very, very kind of nuanced and important point, is that regulation works. You need to incentivise the companies and you do incentivise the countries, and it has to work in this full ecosystem. So, countries need to be incentivised to regulate it. Sales countries need incentives to regulate. When they receive it, the end user agreements. But we should not be thinking of something else.
Last question about Kurz and Hulio’s company, Dream. I don’t know that much about this. I think they’re actually a defensive company, but I really, really, really don’t know the answer. It makes sense to be the defensive company because there’s more money in defensive cyber than offensive cyber. Unlike what people think like as a market, generally the defensive field is bigger and less wholly A-plus courts. Sounds to me mostly like a defensive company that is targeting state contracts. They want to do defence of big like water infrastructures. It makes sense that they could both use their branding to do this, and I can clearly see how this could support some like evil spyware operation just because we know they don’t need that to do that. So, besides the fact that it’s two like scary, sexy names, I don’t think this is actually something that dangerous. It’s a defensive cyber company that wants to bank on the names of its two founders, two big, really big contracts from states that are really scared when they hear the word cyber and don’t really know what that means.
Jeroen Lenaers (Chair): That is a very good summary. Thank you so much. And then Ms. Siatitsa, you have the floor.
Ilia Siatitsa (Privacy International): Thank you. Thank you very much. I’ll just follow up on a couple of points that were raised. And in particular, I would be on the side of agreeing that hacking capabilities and hacking powers are quite extensive, and they go beyond this. The surveillance industry that sells them. There are certain countries that are capable of conducting hacking without the need of any of buying any equipment by whatever. And so, regulating hacking powers is key answer to the whole issue, going beyond regulating a specific industry that is selling those powers.
Having said that, I would like, though to caution the committee to distinguishing which regulation works. First of all, with regards to export regulation, unless there is full transparency of who is selling to whom and specific enforcement agencies that they are receiving this capability, we cannot really be talking about appropriate regulation. And also, legality should not only be assessed with regard to whether the export paperwork has been filed, but also with regard to the legal framework that regulates the use of those powers. And this is scarce at the moment, not only the EU but across the world. It’s about regulation and about the capability also to conduct oversight with regard to how has access to those powers when these against whom those powers have been used. Being capable of having an appropriate remedial mechanism and being able to notify people with regards when they’ve been targeted. I mean, these are only I’m only scratching the surface at the moment. But in that regards, Privacy International as well has been proposing a set of safeguards, hacking, necessary hacking safeguards that should be in place whenever a government decides that they should be using hacking powers.
And the one last thing I want to just to put in the mind is part of a state’s obligations, includes as well the obligation to ensure security of digital security, of communications. And the question back is to what extent exploiting vulnerabilities of devices instead of trying to patch them and correct them doesn’t undermine this obligation to ensure the digital security of communications. Thank you very much.
Jeroen Lenaers (Chair): Thank you very much, Miss Novak.
Ljudmila Novak (European People’s Party): I’d like to thank all of the speakers for presenting these very interesting reports.
However, listening to all of this, it seems that our democracy is under a great threat. Some things can be changed and improved. But others can’t. For example, in the first presentation we heard that the EU was selling spyware to certain countries that don’t even have any sort of regulation for this area. And I believe that we really should condition the sales. And training in this area and the fact that these countries have to respect our regulation. On the other hand, even in the EU, this regulation isn’t in the best shape.
So I would like to ask you if you could maybe mention some countries that are more advanced in this regard. Are there certain member states of the European Union that don’t even know such regulation? And do you believe that we should have a more solid EU-wide regulation in this area? I am not sure that all Member States are actually interested in implementing a better regulation on their territory, especially those that don’t have the best intentions. In this regard, I think that in the European Union we have a lot of issues that are less important and are better regulated. So, I think that we really should regulate better when it comes to this very dangerous area. Thank you.
Jeroen Lenaers (Chair): Thank you, Ms. Novak. All three of the panelists to answer that, maybe we’ll do the reverse order and start with Ms. Siatitsa.
Ilia Siatitsa (Privacy International): Thank you, thank you very much for your question because. Exactly to the point and what we have been advocating since early on, that a regulation of hacking powers. It’s not a solution that comes. It requires a broader and multipronged approach to regulation. It requires to regulate exports later and stricter and imports in that regard. It requires also introducing a robust surveillance powers regulation framework specific to hacking powers. If these powers are used and most of the countries at the moment do not have a framework that regulates equipment interference specifically, they usually would just cover under existing surveillance frameworks, and that as such is not sufficient to regulate the spa’s because of their unique and intrusive nature as well. And then it would also require clear procurement procedures.
And finally, it would require a judicial system and system that is equipped with being capable of assessing those the usage of such powers, and also to be able to correct them and remedy the victims. And when there are such. And then also, as I mentioned in my intervention, a regulation needs to come also from the most unlikely places. And some of these hacking capabilities are right now facilitated by, for instance, EU aid money. And so having stronger regulation in the way EU aid assistance is provided, especially when it includes enhancing surveillance capabilities, would be absolutely necessary. Whether that can come as an EU across regulation, I think with the list of the different regulatory frameworks that needs to be updated. I think you can guess my answers. It wouldn’t be something that it’s at the moment necessarily feasible and will have to come in the form of recommendation and directive at the beginning, at least from different angles. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Benjakob.
Omer Benjakob (Haaretz): I think what happened with Spain really shows that when countries find themselves on both sides of a certain story, then this issue that I think was just raised with it is very smart. This issue of this also being an important issue, which I fully, fully agree that someone is already selling it, but someone is buying it, I think really raises interesting questions about how we expect and how we want these things to be regulated. Because I think what’s so intriguing for me is from a civilian perspective about Spain, is that like they were simultaneously like this is completely legal when you’re doing this internally for political whatever purposes, but when you do it to us for military purposes or diplomacy us, it’s not legitimate. And I think that’s very telling. I think it’s very interesting because that same problem plays out within countries. Right. So, imagine the difference between using these technologies to collect intelligence for, quote unquote, a ticking time bomb as opposed to collecting evidence that you want to present in court. And I think that’s a lot of my thinking about countries that have regulatory frameworks have already addressed these questions. I think that’s a very important point to take into account, which is to understand the different kind of uses that this could have.
And I think that when you think about, for example, that all this data is for democratic processes, my assumption is the next year is going to be focussed less and less on offensive cyber and more and more on firms that provide what you could generally call open source intelligence. Social media analysis and this kind of stuff, which seem to us very kind of like banal and benign right now. But I have a feeling that we will soon discover that they could be also used for mass surveillance. And this idea of surveillance using social media is to me, as big of an issue as the spyware. And I think that until we perceive that they are also together, for example, within Intellexa, they are all sold as wide bundles. Yet the tactical interception of hacking someone’s phone is sold together with open source kind of mass media and mass. It’s not mass surveillance, but it’s like social media driven surveillance through avatars and this kind of stuff are happening together in the recent rhythms up together. And for example, we never thought about this doing it. So, is that how do I find someone’s number? How do I know in a certain protest movement who do I want to target? Was Pegasus right? We have this assumption that everyone knows everyone, but it’s not. And so, for example, you want to map a protest movement, you need technology that is not even really regulated.
And this leads back to Sophie’s question to me about Cellebrite. Was it under regulation until very recently? Because what they were doing was not perceived to be offensive cyber for military clients, it was perceived to be civilian technology, dual use technology for police clients. But we’ll discover that a police client could also be an investigative force in Russia. That. I’m sure he’s doing everything legally within the Russian framework. Yes. And I’m sure everything they do, even in retrospect, they can get paperwork to prove that it’s legal. But I think the point is different. So, it’s that this was sold, quote unquote, legally to a civilian factor. Then regulation changed in 2020. And Israel now considers this company to be part of its it. But the technology is still there and this kill switch, remote kill switch, it’s unclear if it works or if you maybe you can just hack the technology. So, this kind of trickling down of technology is also something that we’re seeing. And we have to take that into account. Right. We’re seeing that, you know, firms like BellTroX in India will offer services that are like a hacked version of Pegasus. Right. So, I think in that sense, like the broader ecosystem is really, really, really important and breaking down what do they actually want to regulate and how? Like sales of exploits, who are the clients at Intel versus evidence collection? These are all really, really important questions that we have to kind of like break down and be able to actually address this. That’s my take on it.
Jeroen Lenaers (Chair): Thank you, Mr Giraud.
Guilhem Giraud (Expert on Surveillance Technologies): I’ve noted a few things down, a few interesting things you said, first of all, on potentially regulating research on vulnerabilities by hackers, those that are the source of zero-day vulnerabilities. Well, this shows our schizophrenic approach because as a specialist in security, I think that spyware is necessary. And therefore, the hackers that provide us with zero-day files are also necessary in certain cases. Citizens may be hacked, but. If a cybersecurity expert not so far from my profession, he that person may think that we need to protect all citizens from these kinds of attacks, even though we are to some extent, colleagues. So, it’s very difficult to decide on this. If we decide this, this could perhaps give our investigative powers to the big tech companies. The companies such as Apple and Google that are able to exploit telephones. It’s those companies that would be able to use exploit the programmers without using hacking. And this is a threat for European sovereignty. I’d like to invite you to follow the activities of TAG, the Threat Assessment Group at Google, which publishes vulnerability files from software manufacturers. And for a year and a half, TAG has focussed all of its attention on European countries. Companies before they focussed on non-European companies. So, we need to be very watchful of potential interference from overseas. So that’s on regulation.
Now, in a broader sense, on regulation at European level, I think that there are countries which are able to ensure that the European Union is the cutting edge on this subject. There are some countries that don’t want to apply these measures. But the European Union would need to be there to harmonise the rules. To make it available for everybody and to put in place potential restrictions. A couple of remarks on the fact that the EU is participating in exporting surveillance tools. I am an accredited expert for the European External Action Service. The work that I have done for them is part of a framework of assistance for European partner services. And the mood of European civil servants that I have seen is against guiding partners within a strict framework. They want to open up to international exchanges. So, I’m not sure what exactly has been described there, but I just wanted to add what I’ve seen there. Thank you.
Jeroen Lenaers (Chair): So we pass the floor to Saskia Bricmont and apologies, but I have to leave myself and I will leave you in the good hands of our vice chair Diana Riba. Please, Saskia.
Saskia Bricmont (Greens): Thank you very much. I’m going to speak to you in French, Mr. Giraud. Thank you very much to all three speakers for your extremely interesting presentations. Very useful for our work.
Mr. Giraud, as, you could say, you’re an insider in this area, I’d really like to hear what you have to say on the normalization of the use of this type of spyware in third countries. Do you think that this really is widespread, that there is mass usage of this spyware, or could we perhaps map out the main uses of this technology? You have a specific proposal relating to traceability so that we could regulate by ensuring traceability of spying. This is a proposal we haven’t heard so far. Is this feasible on a practical level? I think you mentioned a European centre of excellence, which would allow us to implement legislation. Would this centre be able to run transparency registers, traceability registers? I think it would be interesting to hear from you as you’re an expert on this subject. Perhaps not today here, but you could give us more proposals in relation to this. Now I’m switching to English.
Mr. Benjakob, you said that we shouldn’t legally regulate all the different aspects. And you mentioned, for instance Zero-Day vulnerabilities. That we do not need to go into details, I would say. No, that’s not what you said. I misunderstood you then. Okay. You’ll come back to it.
Omer Benjakob (Haaretz): The opposite!
Saskia Bricmont (Greens): Okay, the opposite. Okay, my bad.
Omer Benjakob (Haaretz): I didn’t want you to outlaw it. I don’t want you to ban it in a broad, blanket sense. I think that would be the most irresponsible thing. I want us to regulate every facet. And I think regulation is the solution. And that was my position. I’m sorry if it wasn’t clear.
Saskia Bricmont (Greens): Okay. No, perfect. So, my question to you is mainly related to your work on Sudan. You are a validated expert to Sudan. I would like to know a bit more about it. Did you get any reaction after reporting on this case? Do you know about the reactions of the Greek and Cyprus authorities? Because in my knowledge, this is completely illegal to export such kind of spyware to Sudan. So really interested in more exchanges about this with you today. And what we should do from the EU level.
And then finally to Ms. Siatitsa, I would like to hear from you about the use of spyware technologies in occupied territories in Israel. Do you have any knowledge on that? Any reflections to share with us on testing of those technologies in the occupied territories? And also, if you have any other measures that you would suggest to us to better fight spyware attacks by third countries. That’s a general question, but it would be interesting to hear you on that as well.
And finally, for the three of you, I also think it would be interesting to have un état de l’art of the best practises, of the good legislations that are in place that ensure oversight. And there too if you can contribute already based on the knowledge you have on good examples of legislations, that could be the starting point of the harmonisation inside the EU. That would be also interesting for us. Thank you very much.
Diana Riba i Giner (Vice Chair): I pass the floor to…
Guilhem Giraud (Expert on Surveillance Technologies): I.. Oh, I’m sorry.
Diana Riba i Giner (Vice Chair): Yeah, yeah no. In the same order. Perfect.
Guilhem Giraud (Expert on Surveillance Technologies): Thank you. Well, on mapping the use of spyware. Well, this really requires a partial and quite subjective response. I think there is a convergence between the maximalist aspect of the software and this cynical aspect of diplomacy across the world. These things are both covert, so there are some people who don’t take into consideration human needs. I think there is a clear fit between the tool that is provided and the nature of this diplomacy. But this is just a personal judgement.
When it comes to traceability. Why am I proposing this ammo? The old-fashioned wiretapping of the past had a huge advantage. We needed the assistance of the telecom operator to facilitate it. The telecom company has clear legal obligations. It’s very much part of the state structure. It provides services to end users, but it also has loyalty to the state. And these operators were an excellent basis for applying these rules and intercepting communications. The judges gave authority to the telecoms operator. Then the phone number is wiped, tapped, and then it’s much obliged to a database. But with spyware, we don’t have this.
You buy a server, and you hack a telephone. Who’s going to see that taking place? Nobody. So, we need to rely on other things to be able to trace what is happening. I suggest that we focus on the targeted telephone, which shows the traces of the hacking operation. And if you have a citizen who comes to you and says and who is searched, for instance, you in your hands will have that tool which shows the traces of the hacking. For this reason, I suggest that’s what we focus on. So, it is the link between the software and our reality.
So, I suggest we put in some code in the hacking software, which is also put on the targeted telephone. This is the only way to allow us to have traces. And these traces would have been very useful to have when the Pegasus scandal broke out to know exactly what was happening, because it’s still very unclear to this day.
And then there was a question relating to the state of the art. I can talk about French legislation. The legislators have recognised that investigators need to know in some situations what the bad guys are seeing on their screens and what they’re actually typing on their screens. It’s a kind of electronic search in real time, and this is based on French law and the articles that I mentioned before. I think that this is a good approach and it could be improved. Perhaps French legislators could help you in discussions on those kinds of laws. It’s a start at least, but I can only talk about French legislation. Thank you.
Diana Riba i Giner (Vice Chair): I give the floor to Omer Benjakob.
Omer Benjakob (Haaretz): Yeah. So, about the investigation that touched on Sudan. It was a collective effort. So, it was done together with amazing journalists in Greece from a very important organization called Inside Stories and also partners with the Lighthouse, which I’m sure you as Europeans are familiar with the reporters for the Lighthouse would be much better suited to address questions directly relating to Sudan. Just because I’m less knowledgeable about that and less connected there. Ironically, I think we did get at some point some response from the Sudanese forces that they said something along the lines of, you know, as being fake news and so on. So just in terms of that and about Sudan.
So, in that sense, I don’t know the answer to that, but my thinking about is just listening also now to the previous experts is that I think there are a few good practises that should be used. And I think this also touches on the question about the way these technologies are used as part of the Israeli occupation of the West Bank and Gaza, that when these technologies are exported, they can only be exported as a technology, not as a service. And I think that’s a huge thing. And this decision between technology and service is actually very important. I think that’s a very good practise thing to think about.
So, for example, with NSO sales staff to Israel, it can sell it without regulation. In a sense, Israel is the only country that you can export cyber to with no regulations. That’s the only country that it’s like. It’s actually already excluded from all exports because it’s only an export. It’s local for us. And I think this distinction is actually very promising and very lucrative for you as legislators to think about this distinction between tech and service. Because there’s a big question if you give someone a gun, which you might not like, but there’s no limits to giving that gun and training them how to use it.
We talk about non-kinetic weapons like cyber. This is actually very, very, very, very, very important. And it also touches to some of the things, I think that were raised earlier about different types of hacks that also don’t do forensics. I think it’s very important to understand NSO and firms like NSO are the high end of a very big market. Phones are not the only thing people are hacking. If I wanted to destroy all of your careers, your phones would be one way to do that. One out of many, for example, your computer would probably be more lucrative to me, for example. And I think we need to, I’ll be really honest, stop obsessing about it. And so, like it just even Intellexa in and of itself is interesting because it showcases that there are 14 or 13 different services. And I think that’s a very important thing to remember because when we move forward in regulation, you’ll quickly discover that any of these services are relevant to your regulation.
So, for example, zero day or zero clicks’ rights completely irrelevant when you talk about SS7 hackings, which are still a thing, still a thing that governments do to locate dissidents or citizens. And I’m not sure that the solution of like fingerprinting, you know, a letter. No, like a state packet of the seven could work. But I think we need to think about this just slightly more broadly. And I think the tech versus service distinction is actually very lucrative because then you can say, hey, you can’t sell hacking as a service. I don’t care if you do it with a chainsaw or with a Pegasus. We can’t sell that as a service. It’s just not a service you could provide. So that to me seems to be like a very kind of lucrative kind of thing. And I think I also touched on the Palestinian issue very briefly, though that wasn’t necessarily for me.
Diana Riba i Giner (Vice Chair): And this is Ilia Siatitsa, floor is yours.
Ilia Siatitsa (Privacy International): Thank you. Thank you very much. As reported by civil society groups like Hamlet and by former Israeli soldiers, the Israeli authorities have control over the technical infrastructure in Palestine, giving them wide scale access to posting and communications. The technical details of which, as you can imagine, aren’t widely reported. By controlling the technical infrastructure however, and what the former soldiers report, they routinely can access phones. And I would recommend reading the testimonies of these soldiers and consulting afterwards for the committee’s attention, specifically when it comes to the use of the NSO spyware. Al Jazeera reported last year about at least six Palestinian activists being affected with this fire that I would be happy to share.
And finally, there’s been wide reports with regards and in addition to spyware, there have been tension. There has been wide reporting around the intensive and growing surveillance of public space spaces such as checkpoints. And most notably, the National has published a report that I’m happy also to share with regard to a company called Anyvision that sells facial recognition technologies, and which has recently, and which has been installed in checkpoints across and which has recently rebranded itself discover capabilities around the world. With regard to your question of regulation. I would be grateful if you could repeat just this. I missed the entire question. Thank you.
Saskia Bricmont (Greens): It was mainly about your specific recommendations for the regulation at EU level in terms of exports of such technologies and their use. It’s a broad question I realize.
Ilia Siatitsa (Privacy International): No. I mean, again, I mean, depends on what side the experts are coming. I in my presentation spoke specifically on how through aid and development assistance, exports have been facilitated from the EU country sides. And in that regard, I think it would be key for the EU to become the leader in ensuring that there is transparency with regard to the exports, what type of surveillance to whom, to which agencies and under which brand they could be.
A few of the key solutions that could be put in place with regard to regulation and further as, as I mentioned before, ensuring that there are appropriate human rights impacts and risk assessments before permitting authorising any of these exports could be necessary to ensure that the EU does not find itself facilitating abuses, of course, of such technologies. And I’m, it’s a very broad question as you’ve mentioned. So, it’s very difficult to just include everything. But again, also, I’m happy to further share specific, more detailed recommendations with regard to regulations that we have published.
Diana Riba i Giner (Vice Chair): Thank you. Mr. Puigdemont.
Carles Puigdemont i Casamajó (Non-attached): Thank you, Chair. Thank you to all of you for your explanations here. I have a concrete question to Ms. Siatitsa.
In your presentation, you explained that occasion and the Spanish police are teaching Bosnia Herzegovina police on the use of malware. Could you be more concrete, could you enlarge your explanation on this case? But because that could be very interesting to us to know if there is a member state who is teaching another member of the European Union on the use of malware.
Then I have a question for Mr. Giraud. You spoke about your recommendations. I agree by and large on that. But another issue I couldn’t really fathom this labelling this little bit of code you said one could put in these devices. Who’s going to do that? The company that actually makes us buy, where do we have to trust them to do things? They know all of these secrets that should they be able to find some way of hiding within the software? So the people will know that any kind of software exposure have been carried out or who is going to check that this happens? The state that’s actually using this stuff and misusing it as well. Can we trust states whose job is to guarantee our rights, that they won’t avail themselves of this almost unlimited power of surveilling us?
Diana Riba i Giner (Vice Chair): Okay, Guilhem Giraud, you can have the floor.
Guilhem Giraud (Expert on Surveillance Technologies): Thanks for the question. First of all, the recommendations that I made. I didn’t have them peer reviewed, if I can put it like that. They’re just off the cuff things and I’ve never shared them before. But I’ll be very happy to for people to look at them with the critical eye and we can have a discussion. But the preliminary thing would be. As far as I’m concerned, the first stage would be to draw a clear distinction between those companies, which are accredited by the European Union and all the others. That’s got to be the first stage as far as I’m concerned.
I’ve been working for these in this sector for 25 years. I know an awful lot of people, and there’s two kinds of people that are people like me who are legal minded, who’ve worked for a state service or still work for a state service and are imbued with the spirit of public service. And there are other people who want to make money. That might seem like a cartoon type distinction I’m drawing, but it’s genuinely what I’ve seen in my experience in the sector.
So, we need to draw a distinction between those companies accredited by the European Union and the others. And to do that, we can use already existing processes in the member states in France as an accreditation process for companies who want to make this spyware. And it’s highly intrusive, of course, and is a procedure that has to be gone through that’s quite tough.
And so Europe would add another story to that building, if you like, making sure that there is a standard file of issues that need to be dealt with. And there will be a unique number for each software maker in the European Union that we could genuinely have a system of trust where you recognise the people you can trust and the others and the people you can trust. You can actually question them on the way they’ve used the software, but you know that already they’re operating in a standardised within a standardised framework. I think you.
Diana Riba i Giner (Vice Chair): The floor is yours. Ilia Siatitsa.
Ilia Siatitsa (Privacy International): Thank you. Thank you for the question. Let me start by explaining how we came across this information. In 2019, we started submitting Freedom of Information requests, access to documents, requests to various EU institutions, including CEPOL, which is the European Union’s law enforcement training agency. And through it, through answers to the requests, the requests was asking about any assistance, whether equipment, training or other. That is, that third countries, non-EU member countries, have received from EU institutions and other. And through it we have received a series of documents from CEPOL, including training material, and one of which was quite, quite a lot of information within this material was redacted.
But then there was a presentation that I have mentioned and provided given by the Spanish police to Bosnia Herzegovina authorities. And within it there was a slide that spoke about malware and Trojans. I in my presentation, before I leave on the slide, there was actually a screenshot of exactly what we have received. One of the pictures, one of the slides of what we have received, and we can also share the entire we have published the documents and I would be happy to share a link with the full training and information we have seen. Thank you.
Diana Riba i Giner (Vice Chair): Now, the last question, Mr. Lebreton, the floor is yours.
Gilles Lebreton (Identity and Democracy): I have a question for Mr. Giraud, Madam Chairman, thank you.
Now, like you, I think the use of spyware by states can be necessary for obvious national security reasons. But we need to take precautions. And you said something I thought was very valuable, but I didn’t completely grasp all the aspects of it. You said we can improve traceability of the infection of mobile phones by spyware. And on the basis of that, you said you could have the coding system. You talked about accredited companies, colleges, companies accredited by the European Union, talks about how you can put that system in place. I’m sorry. This is all a bit vague to me. Who would be implementing the coding part? Is it the manufacturers? Is it the people who use the spyware? I think it’s a very valuable avenue. And I’d like to be sure I’ve got your position on this very clear.
Guilhem Giraud (Expert on Surveillance Technologies): Thanks for that. I forgot to answer the previous question. I just realised that so I could do that as well. So yeah. Getting down to the details.
In my job, there’s two ways of getting hold of information you need for an investigation. Special enquiry techniques, they’re called. You’ve got capture, which we’ve been talking about, which is where you put some code onto a target device to capture information at source. And you’ve got the good old tapping interception, which is done by the operator where you duplicate, if you like, the communication flow as it moves through the operator’s network. That’s good technical quality, and that technique is standardised in a very precise way by a European institute. There’s a working party that’s called LI, Lawful Intercept. And they’ve been working for a very long time on this. I’m familiar with them. They draw up rules. Which you need to obey. The rules have communications protocol. That’s just a kind of syntax to define what kinds of data exchanges can exist between the company which will deliver the malware and the one which will... the spyware, sorry, the one which will run it. And it’s mandatory for these companies to put up a server which will store administrative data and the administrator will hold all that data.
That’s an excellent model. That’s the model we should be following because that sector works very well. It’s a community, it exists in Europe and it comes up with software which works very well on the basis of that model. My proposal would be that we have a similar type model.
For the second way of accessing data, which is capture, which I talked about, we’re talking about today at the moment is nothing is literally nothing throughout the world. And what we need to do is to have an executive bureau with operational capacity in storage, with a European institution which should have the power to come up with standards physically, to set up central servers, which would receive the information from the various member states, which said member states would meet with companies on their territory, come up with identifiers for their products, make the companies, provide those and send them to the in the investigations they’re part of. So, you have a kind of pyramid of servers where the software company. But it pushes the button to infect a phone would automatically have a label attached to, say, spyware that would communicate with a member state server and the server would gather all those labels and they’d be available at EU level so that they could be regulated and supervised. Obviously.
I’m just basically talking off the top of my head. It’s just an idea. The Lawful Intercept Group has been working on this for 30 years. And I’m just certainly not able to come up with something that will work as well in 5 minutes. I’m just throwing the idea out there for you. Thank you.
Diana Riba i Giner (Vice Chair): I think we have a last quick question because we have a second panel this morning. Saskia Bricmont.
Saskia Bricmont (Greens): So this is a follow up question for Mr. Giraud. Now I realise that this is a subjective issue. But you were talking about French law and the rule of law. And it might be worth exploring that in some way.
So, I’m just wondering. You’re saying that there is already a framework. I mean, saying that there are constraints on how France can use this kind of software. But at the same time, we know that there are French people, French citizens, including President Macron, has been monitored and that has given rise to some political reaction. So, we feel... Well, it hasn’t. I beg your pardon. So, we’re a bit surprised by the lack of response from the president’s office and from the parliament. So, I’m wondering if that is part of cynical diplomatic diplomacy. Are that people just aware that this is very widespread? Are we just being naive within the authorities in Europe, our governments being naive? So, what’s going on here? How can you explain the lack of reaction? Thank you.
Guilhem Giraud (Expert on Surveillance Technologies): Okay. Well, thank you. Well, I have to say, I feel rather uneasy commenting on this specific scandal. There were a whole number of ministers who were infected, including the president. So, they were all affected by spyware. I have to say that I’m not in the confidence of those bodies. But I know that there have been a number of internal investigations. I don’t think they’re naive. I think there has been a very strong response to diplomatic level. I think this has an impact, certainly for those involved. But under the current government structure, there is a tendency towards secrecy. So, we don’t have very much information.
However, when spyware attacks a target, a legitimate target within the French administration, in judicial terms, there has to be an authorisation from a judge. It’s very clear what has to happen. And the information also has to be codified. So, we’ve got a fairly recent piece of legislation. I really like it as a piece of legislation because it clearly sets out the framework in which the intelligence services can operate. So, this is Book eight. If you look at the preamble of that book, then you find all of the competent authorities. So, there is a clear list of the cases in which these technologies can be used.
Diana Riba i Giner (Vice Chair): Thank you very much to be here with us this morning. Thank you. We will take a short break before restarting our second panel of the day. Thank you very much.
Diana Riba i Giner (Vice Chair): In the second panel, we have invited the speakers to present a more institutional view at what is happening in relation to third countries to participate in this panel. We will have the following speakers. Senor Pedro Vaca Villarreal, a special rapporteur for freedom of expression of the Inter-American Commission on Human Rights here remotely connected and Ms. Marta Hirsch-Ziembinska, principal adviser on the Charter of Fundamental Rights, European Ombudsman.
I will ask the members who wish to take the floor for this panel to indicate to me and the Secretariat during the statement of the Speaker. Without further delay, I will start with our first speakers, Senor Pedro Vaca Villarreal. I thank you for participation in such an early hour from Washington DC. I understand you will be speaking in Spanish. You have the floor for 10 minutes.
Pedro Vaca Villarreal (IACHR): Well, good morning to everyone. Well, first of all, thank you for inviting me. Thank you to the chair, vice chairs of the Pegasus Committee, and indeed thank you to all of the members.
So, my name is Pedro Vaca Villarreal. I’m currently the special rapporteur for Freedom of Expression of the American Commission on Human Rights. So, we’ve been in place since 1959. So, we’re supposed to try and defend freedom of expression. In 2017, five years ago, we became aware of early reports of Pegasus being used in the Americas. And based on information that we received between January 2015 and 2016, there were all sorts of journalists and human rights activists and lawyers and political opposition parties and people in public offices in Mexico whose devices were infected. That includes one reporter who was assassinated in 2017.
Up to 2022, we have received information about the use of Pegasus against journalists and human rights activists on four other occasions. We also have heard about 1400 people who were infected around the world. And Mexico is once again a major target of this spyware. In 2019 in 2021, we were also told about over 780 journalists who had used devices were infected and around a third of the 5000 telephones were infected, two thirds of which were in Mexico. So, Mexico, really does have an interest in this issue.
In this year, we’ve heard about more spyware operations in El Salvador. At least 35 civil society operators and press operators were involved. So, there’s been a public hearing. In March this year in which we heard from public officials who were also alerted about potential infections of their devices. And then there’s the El Faro case, 22 members of El Faro in El Salvador. We’re told that they had been infected, 17 of which were the subject of precautionary measures in 2021. So, a lot of the hits had to happen between April and May 2021.
Three months after, there was an intervention. So, well, in Mexico, we’ve found other cases of spyware. The security services have found a remote system. And there have been sales of Pegasus in the country, according to the reports that have come into our office, mostly from civil society. The victims of infection by Pegasus are not involved in criminal activities, which is what the company would claim is the purpose of their software. In fact, the individuals who have been targeted are actually protected under international human rights law at the time of the attacks. Most of the people were investigating and reporting on public interest issues and were raising awareness about corruption and human rights violations. So, this is particularly concerning because spyware isn’t only a violation of privacy of the victims, but it also has a potential impact whereby journalists and others could suffer.
Now, up to now, we wondered whether there were more victims, but there are three cases which we consider of particular relevance. First of all, the institutions don’t have the political will, all the resources to engage in combating Pegasus. And then secondly, there have been public announcements that there has been an abuse of this so far, but there hasn’t been any clarification of what has happened. In fact, we’ve seen an increase in the number of cases. And then thirdly, which is very relevant, there have been violations of human rights and that does require sanctions that will set an example up to date.
We are not aware of any significant judicial proceedings in any of the cases that I’ve described since 2017. Civil society organisations have expressed their concerns about what is going on in El Salvador and Mexico. There have been announcements that there are investigations and there has been some modest progress in the legal proceedings in investigating the use of Pegasus in Mexico. So, it’s important that we can protect the integrity of both the victims and their legal representatives. And in El Salvador, from the start of the year, the state announced that there were investigations that they called an exhaustive. We don’t know what the outcome has been. Although these investigations are supposed to be the authorities working out who is responsible for what. And they’ve also been investigating the activities of state officials.
Now, paradoxically, we have a tool that is supposed to be for security, but it doesn’t enjoy the same cooperation level when their investigations. So, there is public authority cooperation in security operations, but there is not equal cooperation when there should be an investigation of abuses of these software services. So, we need to have proper accountability, especially in terms of supervision.
So, we have private companies which need to render an account of what they are doing internationally. We need to mitigate and provide reparation for the harm that has already been done. So, there are obstacles. We need to have information because you’ve got two challenges.
First of all, we need to deal with the abuses that have already been committed. And secondly, we need to ensure that there is no further repeat of these abuses. So, we haven’t had sufficient responses from public authorities in some of these cases where those public authorities may have been involved. Now for reasons of. Time what I would say. There were people who engaged in legitimate democratic roles and functions. And so, we need to have clarity. We need reparations. We need accountability. We do want to have a free press. We don’t want to have intimidation of the press. And what I would say is that we do want to work with you and. Office for Human Rights. You want to ensure transparency and we want to use surveillance technologies within a legitimate legal framework that would ensure that we can maintain human rights. So, we do think it is useful to have an exchange of information between the Inter-American Commission on Human Rights and the EU. So, I’m very grateful to you for having invited me to speak today, and obviously I’d be delighted to take any questions you have.
Diana Riba i Giner (Vice Chair): Thank you very much. Mr. Vaca Villarreal, and this is Marta Hirsch-Ziembinska, the principal adviser on the Charter of Fundamental Rights at the Office of the European Ombudsman here in Strasbourg. And you will present to the members of our Ombudsman recent position on how the European Commission assesses the human rights impact before providing support to African countries to develop surveillance capabilities. The decision was circulated to the members ahead of these hearings. You have the floor for 10 minutes.
Marta Hirsch-Ziembinska (European Ombudsman): Thank you very much. And thank you for having invited the European Ombudsman today. And I would just add to we just heard that the title was officially given to the cases. It was that the European Commission, how the European Commission assesses the human rights impacts and in fact the Commission did not. We just to explain our findings, I think I need first to say a few words about the background of the case, namely, speak a few words about the European Union Emergency Trust Fund for stability and addressing root causes of irregular migration and displaced persons in Africa.
This trust fund was created in 2015, so in the middle of the huge migration, as we said, crisis and the European Commission, 25 European Union Member States, Norway, Switzerland signed the constitutive agreement of the trust funds for Africa. The majority of funding for this trust is coming from the European Development Fund, about 70%, and 20% from other programmes, and 7% of funding comes from the Member States and other donors.
The European Commission acts as a representative of the European Union and it is called a manager of this trust fund and we have even a special member of the Commission who is really manager of the fund. The initiatives funded by the European Union Trust Fund for Africa and are implemented either by the direct management by the Commission or indirect management with partners such as the International Organisation for Migration, High Commissioner for Human Rights of United Nations or International Labour Organisation.
We received the complaint by the end of last year. The complaint was submitted to the Ombudsman by six civil society organisations, amongst them Privacy International and International Federation for Human Rights, just to name two. And these organisations have very, very strong concerns about the projects covered by the European Trust Fund for Africa, projects involving the transfer of surveillance capabilities to the African countries with poor human rights records, poor governance.
And the complainants to the Ombudsman actually refer to two kinds of projects: projects to create biometric databases by the administrations of the African countries, including providing them by the Union with technical equipment for information, data analysis and second kind of projects to which they refer to projects to provide African countries with surveillance equipment, such as phone interception systems, along with knowledge and surveillance techniques and other equipment, all to strengthen their border management.
Obviously, there is a risk in such countries with a recent history of human rights violations, poor governance, that they could use biometric data for unlawful tracking and monitoring of individuals. And the complainants told the Ombudsman that in this situation it is obvious that before deciding to fund such initiatives, the Commission should have carried out a prior risk and impact assessment to ensure that any transfer of technology with potential surveillance capacity will not result in violations of human rights, such as the right to privacy and other rights.
And they gave us examples of what is happening in Niger, for instance, or in Libya, obviously, when, for instance, Niger was provided with surveillance drones, cameras, surveillance software, wiretapping centre, etc., and the transfer of this surveillance equipment came in the context of a crackdown on activists in Niger.
The Ombudsman opened an enquiry, and she asked the commission actually two things whether it carries out any kind of human rights risk or impact assessment prior to approving initiatives under the European Union Trust Fund for Africa. And secondly, to explain what other measures the Commission puts in place to protect human rights in the context of projects implemented in these African countries and the trust fund.
And the Commission replied actually with two or three arguments. First, the Commission said that, yeah, that European trust fund, that what they are doing is covered by European financial regulation. That is also European Union trust funds guidelines, which applies to the projects in question. But there is no legal obligation for the Commission to carry out the Human Rights Impact Assessment before these activities take place. Secondly, the Commission said that the main responsibility for assuring respect of human rights lies with the national African governments. And thirdly, the Commission said that the measures it put in place and here they refer to three measures: multilayer approval process of projects, use of specific documentations of project, which the Commission calls action documents and thirdly, possible suspension of funds. So, all these three measures are enough to assure to mitigate the risks for human rights. And in this way, the Commission guarantees the human rights approach, as they said, to these activities.
And what the ombudsman found after the investigation, first, I want to underline that the question before the Ombudsman was not a question as to whether surveillance capabilities should or should not have been transferred. This was not the issue for us. The question was whether the Commission informs itself and assesses fully and properly risks to human rights in that context, because principles of good administration, the Ombudsman says again, it again required that the Commission carries out its tasks with due diligence.
And the Ombudsman also referred to other enquiries we had concerning free trade agreements in which the Ombudsman said already that human rights impact assessments can identify the sources of the risk at each stage, and such assessment has a preventive role. If something negative impacts is identified and then the provisions could be seen modified or mitigating measures could be decided before the agreements entered into force. And this applies also to the situations of the Ombudsman and the Ombudsman.
Finally, underline that prior human rights impact assessment concerning this project could also help the Commission to act transparently and better reply to the public concerns concerning the European Union involvement in this kind of projects in these specific countries and what we could verify. Of course, on the website of the Commission we could read quite a lot of details about different projects, but there was no word about… yes? How?
Sophie in ’t Veld (Renew Europe): I have the impression that the interpreters are trying to tell you you’re too fast.
Marta Hirsch-Ziembinska (European Ombudsman): Ah okay. Okay. I send them the text, so I hoped that they would be able to follow. I’m sorry. Okay. This is a point: one year of investigation, and I have to summarise this in 10 minutes. Quite difficult, but I try to do my best. Well, I will slow a bit.
So, the first issue also was the transparency for the ombudsman, because if prior to this projects there is a human rights impact assessment which was of course published, the public concerns about the European involvement in all this activities in this African countries about sort of vast capabilities could be somehow I mean, I would say clarified what we can see on the website of the commission, for instance, about the Trust Fund for Africa. There are many details of the projects, and this project has so many as regards the migration spending, the border management, they are altogether about 80 projects, for instance. But there are no details about how these projects were adopted, how were they implemented?
And the commission also published something which they call a European Union Trust Fund for Africa Risk Register. But this register doesn’t include human rights risks like it would not have been a human rights risk, which is very strange. And the Ombudsman also underline it and following what the complainants told us, of course, which is evident that in these countries, when these projects are implemented, there are major governance issues, poor human rights records, and if the serious capabilities, technologies capacity is transferred and use it by the partner countries, African countries for different proposals that the proposal foreseen under the project, there is a risk for human rights of individuals in these countries as well as for the ability for the Union to fulfil its human rights obligations. And the Commission didn’t challenge this view of the Ombudsman, but the Commission said, as I told you, that there are other measures, and these measures are enough and could replace somehow human rights impact assessment.
The Ombudsman didn’t agree with the Commission first. She said that suspension of funding, if the Commission finds human rights violations in the implementation of the trust fund project is a reactive measure. So, the goal is to prevent the human rights violations. And if we do this prior human rights impact assessment suspension of funding, so it’s not a sufficient measure.
The Commission relied on so-called action documents. For each project. There is a special action document, some documentation, quite the toilet. But we look at into 20 project, we choose to project justice simple. We look at into projects which concern Niger, Algeria, Egypt, Libya, Morocco, Tunisia, Djibouti, Somalia, Sudan, Ivory Coast and Senegal. Already these countries tell percent what could happen there. And in this action documents, we didn’t find any proper human rights impact assessments. The action document was drafted in a way very unstructured. The methodologies applied were very confusing. It was very confusing. There were some chapters like Risk Assess assumptions and cross-cutting issues with which human rights issues were somehow mentioned. But what is essential for the Commission in this document was to show the risk for the project itself and not the risk for human rights of individuals.
And finally, the multilayered approval procedure to which the Commission referred it, and it was a procedure very much simplified, very quick, and there was no possibility in few days which were foreseen for this procedure to have diligent assessment of human rights impacts. And the question that it is the emergency fund doesn’t exclude that the approval procedure could be much better. The Ombudsman concluded the commission was not able to demonstrate that the measure in place ensures at current a structured approach to assessing the human rights impacts of European Union trust fund projects and to the Ombudsman also.
So, about the future, because this trust fund for Africa is one of the trust funds, there would be others and maybe development financing will go on the basis of such solutions. And this is why the Ombudsman made suggestions for improvement for the future. And see, this suggestion was quite disruptive in kind but very important. I think that sometimes the ombudsman tells the Commission this is the way you have to, to, to assess our suggestion and maybe this could help. And we told them that they should have a separate document, a standalone document, as distinct from, as they call it, action document, in which you, the Commission, should assess all potential human rights impacts of projects and present also mitigation measures together.
So, we suggested that the Commission could review the current template it half of the action document to reflect these suggestions, and we would expect the Commission’s reply to the Ombudsman’s suggestion in the early spring next year. And yeah, we will see what they will tell us. Anyway, the investigation was very interesting. We’re very grateful to the complainants to come to us and we hope that something useful will come afterwards. Thank you.
Diana Riba i Giner (Vice Chair): Thank you very much, Ms. Hirsch-Ziembinska, and I would like to thank each of you for these contributions. Now is the time to open the question and answers for all of the members. The first is for Sophie in ’t Veld, our rapporteur of this committee.
Sophie in ’t Veld (Renew Europe): Yes. I would like to thank our two speakers.
I have to say that it leaves me deeply depressed or angry or both, I have to say, because it again confirms the attitude of the European Commission, which is very technocratic on one hand, and pretending that governments are its only interlocutor, that it has no responsibility for upholding EU values, for actually enforcing the laws and the treaties. But it just pretends that it’s all a technocratic exercise. And if this house weren’t in such a mess itself at this moment, I would actually want it to send the commission packing. But okay, this is my pre-Christmas rant. We really don’t miss an opportunity to mess up, do we?
Okay, my question. Do you think after your intervention, do you have any indications that the Commission actually got it, that they’re going to do it differently? And do you have any indication that the Commission would you know, if it gets it, it means that it’s going to apply the same logic to other, let’s say, policy areas, because I think they’re doing exactly the same with the dual use regulation, you know, verifying whether the export rules are being applied.
And when it comes to dual use, it’s also about human rights. They make it the same tick box exercise. They just ask the governments, you know, are you correctly applying the rules? And then the government says, Yeah, yeah, of course we’re applying the rules. And then the commission, oh, thank you very much, we’ll be back in two years. This is what the commission does. And after two years, they do the same. And then the issue report saying everything’s fine, wonderful, hunky dory. And we know it’s not.
And I’m very, very grateful for the Ombudsman that you are actually doing what the Commission should be doing. But is it your impression that they now understand and that they’re going to try to do what you’ve recommended and that they actually understood the logic of applying the same or let’s say, approaching these matters in the same way, also in other policy areas. You can be brutally honest. This is, you know, the last Thursday in Strasbourg before Christmas. So please.
Marta Hirsch-Ziembinska (European Ombudsman): Well, I think, unfortunately, we cannot be too positive about what could happen. You know, we will see what the commission reply replies something. The reply would be very kind. But whether there would be some content, I’m not sure in any way. What is the Ombudsman’s approach and I mean really sort of very keen to be very practical. We told them almost with a finger to this, you know, is it somehow ombudsman educates the commission and it’s very hard to reply to concrete suggestions by saying we just ignored them. So at least I hope that they will explain in administrative terms what they could do better in the future about the past.
I mean, we had so many investigations and human rights impact assessments and the commissioner’s reply, as I said, is similar in this case is also in other cases their first defence is there is no legal obligation to do something, so we don’t do it. But this is not good administration. The diligence was explained on many occasions by the court and the Commission knows that they should do not only what is in the law, but on many occasions, they should see holistically many other provisions of law, not only ones which apply directly to the specific case and take this into account.
And the Commission knows how to do human rights impact assessment because DG Trade, for instance, issued a very good guidance on this. We had that investigation in 2014 when the Ombudsman looked into European Structural Funds and to Emiratis told the Commission, you have to take into account the Charter and help Member States with some guidance, how they should check the compliance of the use of the funds with the Charter. And the Commission did so.
So, I mean, it is possible, but if I say to speak about the investigation from 2014 and the Commission moved on this only a few years later, so now the Ombudsman decides to add this case in November. Hopefully the Commission will not take a long time. And also, there are other issues, of course, the issue of the development rate, how we perceive it. I mean, there are many, many, many issues around, but I am not so positive that the Commission would say, thank you very much, Ombudsman, we do everything what she wants. No, I’m not so positive. This is my personal approach. Thank you.
Diana Riba i Giner (Vice Chair): Yes. Saskia Bricmont.
Saskia Bricmont (Greens): Thanks. Thank you very much for your interventions to both of you. I have a question to Mr. Vaca Villareal. What is your assessment about the way we could work together from EU and from Latin America perspectives?
Because the EU can regulate, the EU can have its own framework, but we also need to have an international approach on this. The US has been somehow regulating, but I also hear that yeah, everything is not done on that level to prevent abuses of spyware. And so, what’s your insight? Is there any political willingness from American perspective to work on a legislative framework, on safeguards, on better regulation and that we could maybe find common ground to work together.
And Madam Hirsch-Ziembinska, thank you very much also and I share my colleague’s situation because the Commission is really abusing Human rights. Recently your office addressed also the issue of trades and the problem I can think of the human rights clause that is not enforceable in the context of our trade relations with other cases. And now this one adding a layer to the inaction of the European Commission.
And so, if there is no legal obligation, we should adopt a legal obligation, that will be a part of our recommendations. And you’ve mentioned its ex-ante impact assessments. It’s true for the Fund for Africa. It’s true for trade relations. It’s true for many other files where systematic impact assessments should be done, including on human rights, not only on human rights, but of course, including on human rights. So, if we can work together on this, it would be, yeah, necessary to do that.
I’m looking at my questions. Yes. Do you think we haven’t talked about specific legislations, but for instance, did you dig into the dual use regulation and what could be done there to improve also the work that we were doing in our enquiry committee? Do you think it should be revised and in which direction, in your view? Or is it mainly a lack of implementation of the current legislation in place? Maybe you can – I don’t know if your enquiry also dug into that but that would be interesting to know your thoughts on that matter. Thank you very much.
Diana Riba i Giner (Vice Chair): Let’s turn to Mr. Vaca Villareal. Go ahead, sir.
Pedro Vaca Villareal (IACHR): Can you hear me? Thanks very much for the question. I think there’s three elements.
First of all, I work with the Inter American Human Rights Committee and we are monitoring the situation and looking at the question of living penalties. But that, of course, is more up to the member states. We carry out investigations within the Human Rights Committee, but there’s a series of barriers, high walls, put by the states and one is on information.
The first area where I would suggest that we could work together, exchange information between ourselves and you in Europe would be minimum information standards, which would allow one to see how an investigation is going, but also the measures taken to prevent repetition. It is also part of the internal checks on these mechanisms as well as the external checks that you have in a checks and balances system which is what is at the heart of democracy.
And one thing that’s linked is that a multilateral and bilateral level, the assessment. And making certain there is cooperation between yourselves and member states in the region. So, in your assessment of the validity of the instruments, we need to make certain that certain human rights standards are met and that the states carry out best practices in these areas because states have recognised publicly that this is a challenge, and they don’t have all the information at hand necessarily.
And also, we’ve got what I’d call structural bodies to try to deal with these issues relating to the rule of law. The rule of law is under threat. If, for example, we want to investigate and levy penalties and make as a deterrent effect. Legal independence is hugely important. It’s hugely important that there are human resources and financial resources which are sufficient to allow investigations to take place with the requisite guarantees.
And in Latin America, this is a huge topic for discussion. There’s a lot of talk on this. The rule of law is a whole a single thing. And also, this is a question of paying attention to the victims. To large numbers of these are journalists. So, we need to improve the conditions under which journalists work. That’s very important.
One element that is linked to the rule of law and journalism aspect is that whether or not there’s going to be participation of state agents. And in many of the cases that we’ve been referred to, there are. When it comes to freedom of expression, I think it’s important that the victims, particularly journalists. Were. Who’s telling truth to power in their investigations. So, it’s only natural and indeed a good thing that there are, if you like, tensions between journalists and the public authorities. And these issues, these questionings are things which automatically boost or ultimately will strengthen our democratic systems.
But if there is some kind of interference in a way that allows Pegasus to be brought into people’s lives, then the tension is no longer between equals, but one side is much stronger than the other, i.e., the state. I’m not mentioning any particular case, but it’s important that these kinds of technologies are not used to penalise activities which are at the heart of any democracy like journalism. Thank you.
Marta Hirsch-Ziembinska (European Ombudsman): Okay. Thank you. Well, there are two questions.
Understand, the human rights impact assessment is an exercise, is administrative exercise. The commission knows very well how to do it. But what the Commission has tried to do is delivered some due to human rights and to mix it up with other issues and doing general impact assessment in which human rights would disappear. And this is not good. We told the commission on several occasions; you have to separate this separate documents. You have to do this what you know to do, human rights impact assessment.
And when we look in the documents of many of these projects and surveillance capabilities transfer of tools to African countries, it depends actually which delegation was involved. There were some delegations which were quite diligent, you know, so they knew how to do this, and they did it even they had no instructions to do it. So, I would say it is possible to do it. The Commission could know how to do it and whether we need the legislation telling the Commission that well, we have already the treaty TEU which clearly says external action should be guided by it would say, indivisibility of human rights and fundamental freedoms, respect for human dignity.
And so, it’s enough that the Commission interprets this primary law of the European Union the proper way, and it’s evident that human rights impact assessment should be done. And again, this is administrative exercise, and this is very easy if you do it not as a tick box as, you know, exercise, but really you assess things in a diligent way and the basis of your research information, the commission has it.
Well, another question was about dual use regulation. If the Ombudsman receives a complaint concerning whatever European Union law, unfortunately we cannot deal with it because we cannot deal with merits of the element of the law. But I could imagine one day maybe we receive a complaint concerning the implementation and now we have an investigation which is still ongoing.
So, I cannot comment much about this. It was also complaint from the same NGOs which came to us as regards the African Trust and it concerned European External Action Service and their involvement in, in this transfer of surveillance capacities and there, the element which relates to dual use regulation is there. But at this stage, unfortunately, I cannot comment more. Thank you.
Diana Riba i Giner (Vice Chair): Thank you. Now I will pass the floor to Thun und Hohenstein.
Róża Thun und Hohenstein (Renew Europe): Thank you Chair, thank you very much our guests for your presentations. Well, we speak here about countries outside of the European Union, we do not legislate. If we don’t pay, we don’t really have influence.
But as far as Mexico, I would like to ask a specific question, because there was a case of spying, illegal. But the current president, I remember, promised to stop this practice and to investigate in the case. So that it stops. Now, I wanted to know, are we sure that it really did stop or do we have the certainty, or do we have reasons for suspicions that this is still ongoing?
But as far as developing countries are concerned and our aid the fact that the ombudsman in its office or her office look so closely at the human rights and demands the proper assessments from the Commission is of utmost importance. But frankly speaking, what I really do not understand and I wonder if the ombudsman ever, well if she can ask about it or if she did ask about it: what does a surveillance system that we apparently provided to those countries have to do with development, with development aid? Why do we provide at all? Is this within the framework of development aid?
This is frankly speaking, I know that this is a procedure that has been, I mean this story has been functioning for a longer time, but still, every time I hear that not only that they buy with the money that they receive from us, but that we provide the system. Every time I hear this, I am profoundly shocked because to my mind, this has nothing to do with the policy of development aid. Thank you very much.
Diana Riba i Giner (Vice Chair): I will pass the floor in the inverse order. Please.
Marta Hirsch-Ziembinska (European Ombudsman): Yeah, thank you very much for this question.
Well, we dealt with a specific complaint so we could not go much repetitive. I would say we had to deal with the allegations and claims. Even the ombudsman went a bit farther as usual. She does, and she made the suggestion for improvement. But indeed, I mean, from the material we studied for this case, it is obvious that as regards European Trust Fund for Africa, this I mean, again, it was done in 2015. So, it was because of a migration situation and the European Union wanted simply to stop migration from these countries. And development aid is about eradication of poverty. It’s not about the have to say, for managing the flux of migration.
And they were we came across with different material issued by different NGO was very active in this field from which it’s obvious that the objective was, was wrong. And it was again against the cooperation as existing, giving the developing country agenda and also even about the problems created collaterally, because when they strengthened the border management, the intra migration in the African continent was stopped as well. And this is extremely complicated for economic reasons.
So yeah, we didn’t ask the questions about this. The scope of the investigation was not about this, and it would be difficult to trace it in this way because it would be going rather to policy than the administration matters. But as I said, from material that we studied, yeah, that is, your suspicion is exactly correct. Thank you.
Pedro Vaca Villareal (IACHR): Thanks for the question.
On the one hand, I want to share a thought. Up till 2016, and that was when things started happening, 2015, 2016, the spyware, you’re aware in the Committee of Issues of traceability, etc. Back then, it was different. But five years on, we need to do more.
And on the particular case of Mexico, I mean, looking into it on the 8th of November last year, over a year ago, that’s to say the prosecutor general said he’d got an arrest warrant against one person who’s apparently responsible, supposedly responsible, for using what’s known as Pegasus. This is a very small advance in the light of the seriousness of the events that we’ve heard. But at least one complaint has been acted on.
Then there’s also the cooperation and information aspects are important. Cooperation to shed light on these issues and information so that as democracies, we can take the best decisions in order to stop these abuses occurring again. This goes back to an earlier question. If in multilateral organisations we want to come up with frameworks for prevention and to stop the repetition of abuse, then, of course, we need information so that we can formulate those rules. We need to know what the consequences are. We know what the consequences of the software use are. But there’s no register in Latin America on the actual minimum information, which will be enough so as to take preventive measures in the future.
And so, in Mexico, the information is often contradictory. We were told this by civil society organisations, for example, who requested publicly available information that there were some leaks from the defence sector as well in October this year. And the information which I’ve been given through the RFU didn’t actually chime with what we got in terms of leaks. So, information and cooperation are very important things if we’re trying to meet these challenges. Thank you, Chairman.
Diana Riba i Giner (Vice Chair): Any other questions? If not, I’ll ask one myself to Mr. Vaca Villareal.
We don’t have, well, we got many cases in Europe which have begun to move through the courts, but very few have been investigated thoroughly. You mentioned Mexico, El Salvador. Do you know any specific examples of complaints from Pegasus victims which have actually gone through some legal procedure and are getting close to the end of the legal process? You talked about the victims and finding redress. Could you possibly give us some names even and we’ll look into them ourselves. Thanks very much.
Pedro Vaca Villareal (IACHR): Thank you. Of the cases that I’m aware of, there’s a lot of things that have been going on because people have been trying to, I’ve been seeking justice for several years in many cases, and they’ve not found the problems, the obstacles placed in their way, just of information, the institutional level.
And what I could do is actually put you on once I’ve spoken to the people concerned if they agree. I would be able to send information to you. But I recommend listening to victims because this is the dimension of the problem which I think it would be very useful to you for your committee.
And also, there are questions that go beyond the legal issues or entail a legal issue. But don’t stop there. For example, there’s information extraction. And this asks the question as to what the member states, what the states do with the information, where they store it and what happens to it subsequently. This is a very important issue as far as freedom of expression is concerned. It’s important that victims are briefed about the future of the information that was taken from them as well, what happened to it. And this might change the protection of the right of privacy for example, if this is an issue, for example, that was particularly relevant for female journalists.
And so getting into touch with victims and representatives by your committee, I think, would be a very sensible step, Madam Chairman, because unfortunately one of the things we can tell you about from this part of the world is that this has been going on for a long time, people seeking justice, and there’s lots of obstacles placed in the way of such people. There are certain sectors who don’t want to see much in terms of redress of the victims, but it could be a very useful thing. Thank you.
Diana Riba i Giner (Vice Chair): Well, thanks very much to our guests, particularly Mr. Vaca Villareal. It’s extremely early in Washington, thanks very much for having got up early and spent time with us.
There’s nothing else on the agenda. So next meeting is scheduled for Monday, the 9th of January in Brussels. Thanks very much for being here. Let me wish you a very happy holidays, merry Christmas and have a well-earned rest so that you can come back with batteries recharged in 2023 to get back down to work. And so, we can produce an excellent report. Thanks very much.
And the chairman kindly thanks the interpreters as you worked very well. Lots of people speaking very quickly and also wishes interpreters a happy holiday.