In der Nachmittagssitzung des 29. November stellte die Berichterstatterin Sophie in ’t Veld den vorläufigen Bericht des Staatstrojaner-Auschusses vor. Ihr Fazit fiel dabei vernichtend aus:
Das Besorgniserregendste ist, dass sowohl die Regierungen als auch die sehr undurchsichtige Spyware-Industrie ein gemeinsames Interesse daran haben, den Status quo beizubehalten und kein Licht in die Sache zu bringen, geschweige denn sie zu regulieren oder zu überwachen. Auf diese Weise ist Europa gewissermaßen zum ‚gangsta’s paradise‘ der Spyware-Industrie geworden, und die EU unternimmt nicht viel dagegen.
Die Sitzung diente auch dem Austausch zum Stand des Berichts der Parlamentarier:innen untereinander. Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.
- Date: 2022-11-29
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Links: Video, Draft Report
- Note: This transcript is automated and unofficial, it will contain errors.
- Editor: Tim Wurster
Exchange of views on draft report
Jeroen Lenaers (Chair): Okay, colleagues, if everybody would like to take their seats, I propose that we begin the afternoon session of our big committee meeting. It’s going to be an interesting meeting because it’s the first time, I think, since we started that we will not have any external guests or panelists or experts, but it’s just us, which I didn’t mean in a bad way, by the way. It’s I’m sure it’s going to be very rich.
So, it’s the first exchange of views on the draft report that’s going to be presented by our rapporteur, Sophie in ’t Veld, since we have the full afternoon session of this. So, I don’t want to be too, too strict on timings if people now keep it within normal boundaries. So, we’ll first hear from the rapporteur, then from all our shadows, and then for any other members or substitutes of the committee that would like to take the floor. So first, Sophie, and about our rapporteur. You have the floor for a presentation of the main points of your draft report.
Sophie in ’t Veld (Renew): Thank you, Chair. And before actually presenting the report itself, I would like to extend a word of thanks and also make some procedural remarks. First of all, I would like to thank the people in my office, the people in the bigger secretariats, the people in my group, and the people in the study service, and specifically Mr. Chiara Steyn, Stephane and Michel and Eric Alexander, Yana, Ottavio and Emily. They have really done an amazing job behind the scenes, and they deserve all our praise. But I would also like to thank the people who have actually triggered all this, namely people like the Pegasus Project, Citizen’s Lab and Amnesty International, but also all the diligent, the very courageous journalists who are doing an amazing job in bringing all the wrongdoing to light.
And we can see every day they’re paying a high price for it, and that price is actually going up. We hear more and more about journalists being threatened, intimidated, harassed, slaps imposed on them, or they are being targeted with spyware themselves. And I think European democracy owes them gratitude. And I call them our very own Woodward and Bernstein. On the procedure and the work message, as you know, the first so-called findings document has been submitted for translation on November eight, two weeks ago. You’ll find the whole document on the website of the European Parliament. But for administrative reasons, the document has been divided up in different parts and short, and I think it is useful for colleagues to realise that and the bits that will have to be deleted will be reintroduced, reintroduced by way of amendment. And then for the committee to decide, of course with a view to the timetable of figure the report had to be submitted or the drafts report when the enquiry is still ongoing. But that is unfortunately unavoidable because if we want to adopt the reports into resolution at the end of the mandate of Baker, then we have to submit a draft report before that. And that means that contrary to normal legislative reports will be working on the reports and a resolution in parallel to the ongoing enquiry.
We’ve had a first Shadows meeting last week in Strasbourg. Today I will present to you the draft reports. The draft resolution will be presented on January 24th, but a flavour of what I intend to put into there is already in the last chapter of the findings document in the chapter called Areas for Action. The deadline for amendments on the report are is the 26th of January, the deadline for amendments to the resolution which you will have in your inboxes before the Christmas break. The deadline for amendments to that resolution is February 9th. Both reports a resolution will be voted in PEGA on April 26th. Then the resolution will be will go on to be voted in plenary, either the May June mini session or the mid-June session in Strasbourg. The report will not be voted in plenary, but self-evidently it will serve as a basis for the plenary debate and therefore it will be updated as necessary until the time of the debate.
Now, regretfully, authorities, as well as the spyware industry, have largely refused to cooperate or to provide any meaningful answers. We got answers from Cyprus, Belgium, Luxembourg, Austria, and Poland, as far as I’m aware, as well as a collective answer by the Council to the European Parliament, basically saying, Dear European Parliament, we’re not going to answer by lot of cases the Council. So, we’ve had to use other sources. We’ve had as a source, of course, the Speaker hearings, questionnaires that we’ve sent out, media, public sources, bilateral talks with experts, journalists, people who had been targeted, etc. And then finally, because I know this remark will be made on the, let’s say, the quality of the evidence, do we have enough evidence to prove beyond any doubt what has taken place in court? No. Some pieces of the puzzle are still missing, but there is more than enough material to make very clear what is going on. And I would hope that in the course of time we will get the final pieces of proof, preferably from the sources themselves.
Okay. On the substance of the report, first, what are we talking about? A spyware. No need to explain to you. Spyware, basically a software used to take over your phone is very invasive because not only can it be used to activate your microphone in your camera and serve for real time wiretapping and following, but it can actually access everything that’s on your phone. So also, retroactively to retrieve all your messages, your documents, your images, the apps you’re using, etc., etc. So, it’s very invasive. The second and it leaves very few traces. And I hear there are versions of spyware maybe already on the market which leave no traces at all. And the second feature, which is, you know, important, is that spyware is very expensive. So, it’s not something that you can buy in the supermarket, and anybody can use it. So, this this is important to keep in mind because it says something about, you know, who is using it. Of course, spyware can in principle be used for legitimate purposes in exceptional circumstances to fight terrorism or serious crime, for example. But we see that both the use of and trade in spyware are highly problematic in practise.
And I would indeed distinguish two clusters of abuse and illegal activity. On one hand, there is illegitimate use of spyware by government parties using spyware for political purposes. And on the other hand, we have the illegal exports of spyware from Europe to undemocratic and murderous regimes or non-state actors. So, the use of spyware by, let’s say, public bodies and the trade in and export of spyware from Europe, the abuse of spyware doesn’t just violate the right to privacy of individuals. It undermines democracy. And democratic institutions are used to silence opposition and critics and to eliminate scrutiny. It may be even used to manipulate elections, but even when it’s not actually used and this is the tricky bit, it has a very strong chilling effect. And I think we can all be testimony to that because many of us, I’m sure, got the question.
So what about you? Can you be sure that your phone is not has not been infected by spyware? And then, you know, we go to the IT department here or citizen’s lab and we have our phones checked. But there is this sort of constant nagging feeling like, can we be absolutely sure? And that doubt and uncertainty are just as dangerous for democracy as the actual hacking itself, because it means that people are going to self-censor, you know, whether it’s journalists, politicians, activists, lawyers, whoever. So, it has a chilling effect.
So, we witness excessive or illegitimate use or even downright abuse of spyware by several EU governments or government parties, though in very different ways. I would like to underline that and some of the main countries of concern or the governments are of concern and no need to mention them are Poland, Hungary, Greece, Spain and possibly Cyprus. However, we can safely assume that all member. States are using one or more brands of spyware, even if they do their utmost to leave no fingerprints when they are purchasing spyware and they refuse all access to information. Not all governments use spyware for political purposes. I mean, some are very decent and responsible, but all member states collectively refuse to address the matter. And I call this collective silence omerta. Pure and simple. And I think it is irresponsible. The spyware industry is shady, opaque, and elusive. But most of all, it’s lucrative and booming. And it has very low ethical standards.
Europe has facilitated the exports of spyware to places like Libya, Egypt, Bangladesh and other various other under various dictatorships and oppressive regimes where it has been used against human rights defenders and journalists, for example. Therefore, I think the term mercenary spyware is entirely accurate. The spyware industry is fully Europeanised making use of the internal market, freedom of movement, Schengen and reputation. The good reputation of the EU label. Europe offers excellent conditions for the industry, including weak enforcement of EU rules. We have very good rules, but very weak enforcement and this is something that will come back in the report. Thus, the spyware industry uses, for example, Cyprus and Bulgaria as their preferred export hubs. Luxembourg for their financial transactions. Ireland for the tax breaks. Malta to buy golden passports. The Czech Republic for its annual meetup. Spyware vendors are based in various countries like Italy, France and Austria and others. Many companies have been set up and are run by Israeli citizens, often retired army officials or Mossad officials, and several of them also having EU citizenship from one country or another. There are also other connexions between the EU and, for example, North Macedonia and possibly even Russia when it comes to the spyware industry. And there’s a raft of letterbox companies strewn across the European Union creating an impenetrable web, which is nearly impossible to investigate.
The most worrying element is that both governments, on the one hand, and this very murky spyware industry on the other, have a shared interest in keeping the status quo and not shedding light on the whole matter, never mind regulation or oversight. So, in this way, Europe has become somewhat the spyware gangsta’s paradise, and the EU is not doing very much about it. Whereas the Commission is very determined to fight attacks on democracy from the outside. Even with a Democracy Action Plan and defends mechanisms against fake news, foreign interference, etc. But when the attacks come, are attacks on democracy come from within? The European Commission is very timid and silent when the threat to democracy is not some faraway stranger, but the government of EU member states. The Commission suddenly considers that the defence of European democracy is no longer a European matter, but a matter for the Member States. The European Commission and Europol have so far remained silent and inactive. The first from sending a few letters to Member States, but that was more or less an empty gesture. They refer to the national authorities as being competent, but then they simply ignore the inertia and even complicity of national authorities. And thus, the presumption of compliance by Member States has turned into pretence of compliance, and democracy is left out in the cold.
But the spyware scandal is not a national matter. Colleagues is very much a European matter. And we tend to look at it through the court keyhole of national politics. But if you connect the dots, suddenly an image emerges, and it is a an entirely European image. It directly affects the EU institutions. When members of the European Parliament, commissioners, and ministers and even government leaders have been targeted, and when the perpetrators, on the other hand, sit on the European Council or the Council, that affects the integrity of elections and of decision making in the EU. It also touches upon a wide range of EU laws like the GDPR, the law enforcement directive, the e-Privacy Directive, but also export rules, procurement rules and whistle-blower protection. The EU has a duty to act. The refusal of the Commission, the Council and Europol to act is, in my humble opinion, dereliction of duty. Nothing less in comparison. The US? Not exactly, let’s say loony lefties when it comes to security matters. They have reacted very rapidly and with determination. When the spyware scandal was revealed, they blacklisted NSO and three other companies. They launched a criminal investigation. Legislation on the trade in spyware is being elaborated as we speak. Moreover, while our own Europol claims it has no powers to investigate spyware attacks, the FBI has been spotted on European soil investigating. Because there are some dual people with dual citizenship who have been targeted. So, they are investigating in Europe and our own Europol says, oh, you know, this doesn’t concern us. Now it’s clear that measures have to be taken and in the findings document, I have suggested a number of initiatives which will come back in the draft resolution, which we will hopefully adopt next June.
However, regulation and measures are going to take a long time and I think we cannot allow the situation to continue in the meantime. I think there is an urgent need to act immediately in a couple of areas and I do not know in what way we have to tackle this. But colleagues, I do think that we need to look at this.
First of all, I think we need a conditional moratorium that will allow, on the one hand, for legitimate and responsible use of spyware by some member states to block the abuse of spyware by the other member states. I have set out four conditions which you will find in my paper.
Secondly, I think we should urge Europol to start investigations immediately into all the criminal aspects of the spyware attacks, corruption and the trade in spyware. I think it is really, really urgent.
Thirdly, the commission has to urgently and not wait until later, but urgently conduct conducts an in-depth and broad stocktaking of the application of EU law, in particular the dual use regulation, and not the usual superficial exercise of simply asking nationalist parties whether they have correctly transposed EU law. But the real investigation on the ground taking account of all available information from all sources.
Fourthly, I think we have to immediately set up the European equivalent of Citizens Lab. I think there are plenty of experts on our continent that will have to be brought together rapidly. We need our own resource here, a centre of expertise to help detect spyware attacks. Not a few years from now, but now swiftly. And I’m coming close to the conclusion. Chair There seems to be or there may be signs that EU money has been used and if that is the case, that would immediately justify an investigation by Apple.
Finally, I think the Ombudsman and the EPD, although they don’t have direct operational competences, they have ample reason to look into the matter and address their national members in several Member States. And I would like to conclude, colleagues, by thanking you, because I’m grateful that we managed to set up this committee because it wasn’t obvious this this time last year. But I do believe that this European Parliament can make an important contribution, because only the European Parliament seems to be able at this moment in time to hold this kind of enquiry contrary to some of the member states governments, all of them collectively, there’s not one guilty. They’re collectively trying to sweep this under the carpet. And I think it is the duty of the European Parliament to be the voice of Europeans. We will keep the issue firmly on the agenda and defend democracy. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Sophie in ’t Veld, our rapporteur. I will pass the floor now to the shadows present from each of the risk groups, all other members who would like to take the floor in this exchange, please indicate so by raising your name tags so we can take note of your request. Yes, Mr. Lebreton is on the lists. Madam Vozemberg and back in a moment. Yes. The shadow? No. Okay. Then we passed the floor for the EPP to Mr. Bilčík.
Vladimír Bilčík (European People’s Party): Thank you very much, Chair, and good afternoon to your colleagues. And I want to thank our rapporteur Sophie in ’t Veld for her presentation, also for the draft report. And I think my main message is that by next spring we should have a serious and credible report coming out of this committee. And I appreciate very much the draft, but I think there is still quite a ways to go to get to a serious and credible report which can seriously engage also with the other institutions and the member states and claim demands which will be hard to run from when it comes to specific issues. An example of the misuse of spyware.
I think we need to stick to the mandate which we have been given and be serious about the mandate and look really in a complex way at the scope to which there has been a misuse of spyware, Pegasus and other. Look at the level to which there has been a breach of fundamental rights and EU laws. And also look at the risk to everyone, including of course all of us, all individuals. And for that I think we need clearer language in the report. We need to have really a distinction between facts, facts and facts on the one hand, and assessments and conclusions. And we need to be clear about what is hypothesis, what is an assumption, and what we can fully establish as facts. I understand this is a very difficult exercise because we are working on the basis of sources which are limited. But I think we need to also be serious about the limitations with which we are working, because I think only then can we have a politically serious report and also a resolution which will come up with a set of next steps.
It is extremely important in that sense to have a very detailed look at the text. I understand we are dealing with some 50 pages and make sure that that text really is a text which is going to be hard to destroy once we adopt it. And this is why I say we need to have a serious and credible reports. If something is not a fact, it doesn’t mean that something else is a firm fact. There are many instances in the draft report which go along the lines it is believed by some. Does this mean that it is a relevant factor? Does this mean this is a credible factor? To what extent? By whom is it believed? Another possibility is that this might have happened. What does it tell us about what actually happened? I think this is why we need to have a very thorough look at the text when we discuss it in the shadow meetings, but also with everyone in the committee. I think all of us should be engaged in thorough fact checking and really delineate a clear line between what are the firm firmly established facts and what are the findings stemming from the questions we have asked. The missions we have undertaken, the hearings we’ve held, and then what are the conclusions that we can take? We are not here. And I should say we should really stick to the mandate. And it is really beyond our mandate to prosecute. It is beyond our mandate to establish criminal liability of selected individuals. It is also beyond our mandate to dissect the complex ownership structures of select companies.
We may want to dive into all of these subjects, but I’m afraid this effort and exercise might dilute the essential, namely a strong, serious, credible police report on a matter which I deem as an extremely serious matter, namely how individuals have been spied on. And I realise this is not ordinary spying. Spyware we are talking about here is beyond the traditional eavesdropping. This is a potentially a very dangerous tool in the hands of those who want to misuse it. And we’ve seen it already throughout our work, throughout our missions and our hearing. It can destroy individuals, their public lives and also their private lives. But I think we need to be very clear and careful when we talk about the instances when this happened and the circumstances under which this happened. And this is what I will try to work on as the shadow. On behalf of the EPP, I very much look forward to having a good cooperation on this because I think ultimately we should have a strong majority in this committee for this report, which again and also will be a sign of a strong and credible result of our political exercise. Thank you very much.
Jeroen Lenaers (Chair): Thank you, Mr. Bilčík, then, for the study. Ms. Kaili.
Eva Kaili (Socialists and Democrats) ): Thank you. Thank you, Chair. So, I would like to thank the rapporteur, Anne-Sophie, for her work on the report and also for collecting and making sense of the vast amount of public information and of course, the people that work with us, the figure secretariat and the shadow rapporteurs. For us, it’s the funny Victor and Hans. I mean, it is not easy to be able to navigate through this information and to present workable solutions with this report. But I think things are becoming a bit more clear. I just wanted to make some like underline some points, some issues that were already raised.
So, the draft report is an outcome to describe how it is acquired, deployed and of course, abused by member states. And we all agree that we need to have clear language on that to be to be credible. So, we need also to be able to convey a strong message and not get lost into the just analysis of the situation and try to strengthen some areas of the draft report. So, this is what we will try to do. We will try to work a bit on the definition of spyware. We don’t have a definition that we talk about, but we cannot clearly define it. So, this would be very important to talk about. You mentioned the competences of this committee to make sure we are in line. So, I think this is a very good start.
Then I’d suggest to take into account the relevant concepts we have in different files because we need to be relevant with other committees. The Media Freedom Act on spyware, the dual use recognition and cyber surveillance items, and the in these as a glossary of malware spyware. Now for the country specific sections, I would like to suggest that we are investigating all member states. We know the numbers are there. I mean, we know PEGA was acquired by at least 15 member states. So, for it for us, it would be important to either name or we the information that we have or none are to remain on the on the concept. But I think it would be an idea to specifically analyse all the member states legal framework for acquiring and using spyware. And this would be useful to be able to have like a comparison between the member states and to understand how the recommendation also can apply. So, I think this could overcome the problems because I mean, I understand this is a moment in time and maybe the moment we finish the resolution, we have more cases popping up, but we cannot just focus on today. We have to also analyse what’s happening in the past, previous governments, previous cases.
This is not the first time we are dealing with spyware. There was also another committee, I think around ten years ago then. I also agree that we need clear language and distinguish between facts, inferences, and assumptions. I think we need to agree on that. This would be I mean; this will come later in the in the work of the S&D those then an overview of the types of spyware and spyware industry. I think this would be important, maybe not all of them because there are some expensive ones, but there are also some cheap ones, but they have different functions. We need to be able to at least have a methodology to be able to understand or to categorise them somehow and understand in different regimes what can be exported and what would be able to operate in different member states.
Also, very important do not have loopholes there. I would suggest have worked a lot on the cybersecurity in the Non-attachedS two directives the Salto for us in the and I feel that this is the angle where we can call the commission to act because once you have a cross-border incident of violation of cybersecurity, then the Commission has a competence to participate and act. So, I think this is an angle where we can overcome them being hesitant to act. Now in the upcoming recommendations Sophie mentioned, and we have done already the working on my group, we have already gathered signatures to establish a European citizens lab, a lab where not only you can check devices, but it can also work on VPN services like seal cyber seals for a software surveillance software. So, we have done that.
So, I would call you all to make sure that in the next the possibility to table a pilot to all sign such a proposal. So, we get the funding to to start building it, as you know. I was responsible and together with our president, we established such a service inside the European Parliament, so it’s very easy to do it. We can do it also under ENon-attachedSA. And this is based in in Greece. I know they have now the capacity to do so and then journalists could also have access or activists and whoever feels that they might have their devices violated. So, some final suggestions, maybe also questions. So, we have the we don’t have a strong focus, but I think we will later on the external dimension of spyware. In the draft report, it’s extremely important because we don’t want to push the spyware outside that they can. I mean, third countries will have access to the tweet and not us. So, they can still use it in the same way. So, we have to understand it and to consider allegations of third countries using spyware to hack institutions or citizens and how they do it. What is their foreign policy? What is the export policy they have? You spoke about the Israelis being developing such companies in in European ground. I think it would be very important to keep working with them.
And then, Sophie, you mentioned the FBI doing a great job. Well, I’ve read articles that the FBI actually deployed the system here. Yeah, but I mean, they blacklisted, but they blacklisted them. They deploy also, PEGA. So, we have to understand that to acquire it, to understand it is one thing, but to acquire it and then deployed against the citizens or other governments. It’s interesting. I think we have to understand it’s a bit more on the proposed the moratorium on spyware in the upcoming resolution. I think it would be maybe a bit early now. But yes, we have to discuss about either listed on the country-by-country basis or for governments, of course, because we don’t even have the competency to go beyond that. But I mean several organisations and civil society called for some kind of a moratorium. I think we have to discuss it further such.
And then of course this is the part of the resolution where we will suggest an action plan. So that would be it for now. Thank again, I understand. I mean, when I talk about definition that the one thing is surveillance by governments where they can hack your tap, your phone, or your metadata. And another thing is like extreme evasive software. So, I think we have to have some distinctions there on the on the levels that they should be, I mean, at least recommended or allowed. Thank you again for you for your efforts. Thank you.
Jeroen Lenaers (Chair): Thank you, Miss Kaili, then for the greens. Hannah Neumann.
Hannah Neumann (Greens): Thank you, Mr. Chair. And thank you, dear colleagues. We have had first revelations about the use of spyware to crack down protests or to intimidate and harass human rights defenders. Already, a number of years ago and about a year and a half ago, we had first revelations about the misuse of spyware inside the European Union, which has prompted us, I think, to come up with this enquiry committee, which was more than timely. And I’m afraid we have not seen the end yet of all the revelations, something that almost every one of the experts that we heard here said, including those that sell spyware and including those that advocate for the use of spyware, was that the technology is potentially, potentially dangerous and it needs to be regulated well. And looking at our world the last eight or nine months on how well it is regulated in the European Union, I think we can conclude that there is a broad failure of regulation.
First of all, we have documented many cases, hundreds of cases where journalists, lawyers, activists, politicians have been spied upon with spyware based on political motives. We have seen that the legislative frameworks that should prevent this kind of misuse have failed in at least four European Union member states, namely Hungary, Poland, Spain, and Greece. We have seen and the rapporteur has already mentioned a number of cases, lax export practises and financial rules that are making us in the European Union complicit in the violation of human rights in search countries through spyware. We have seen that domestic control structures, democratic control structures in member states consistently fail either because Secret Service does not want to cooperate or because we see that until today, all the revelations that we have about the misuse of spyware is still coming only from journalists and civil society organisations and not from the structures that should be in place to prevent this kind of misuse.
And finally, colleagues, victims are left alone. One of the perpetrators, sometimes the own governments of the victims, have all the information from the victims’ phones. Victims until today have no formal information about why and on which grounds it has been spied upon them and colleagues. All of that is not happening in weird, autocratic, or dictatorial state. This is happening inside the European Union, which is the area in the world that is praised for the strongest democratic institutions and the strongest respect for rule of law. So just imagine how this is looking at in other places.
So, I think we can clearly say that the use of spyware is out of control inside the European Union. And it is, as Sophie said, our job to connect the dots, to expose the misuse and to stop it. And I have to say, I find this attack on EU democracy that we are witnessing here are so grave that I really hope we will be able to work together beyond national reflexes and across party lines to stop this. And one comment on the notion of facts. We have done nine months of fact seeking in this committee. We have listened. We have tried to listen to requisite representatives from the state. We have listened or tried to listen from representatives of the European Union institutions. I mean, if member states governments or if you feel uncomfortable or unfairly represented by the facts stated in the draft report, as of now, I think everyone, especially Member States governments, I mean, feel free to come here to give us your version of the facts or whatever you consider facts, and then we are willing to consider that as of now, not a single EU member state has cooperated with this committee. On the other hand, the facts presented by civil society organisations, investigative journalists have often proven to be more correct in hindsight than the official statements of governments.
So, I think the work that has been done by a few so far, including with all the citations and footnotes that feature look at our draft report, has been very thorough and very fair. Now, on the conclusions or recommendations put forward by the rapporteur, allow me to just make four statements and remarks, and I know we will discuss them further in depth. In line with the rapporteur. We as Greens ever think that the use of spyware inside the European Union at the moment is out of control, which is why we have to stop it immediately. And we have to call for the EU wide moratorium on the stop or moratorium on the use sale and export of spyware. Until this whole mess is sorted out.
Furthermore, we as Greens think that spyware is so intrusive and prone to misuse spyware such as predator, such as Pegasus, such as country Candiru that our ultimate goal should be an international ban, at least for highly advanced military grade spyware. But we are looking at the moment when it comes to less intrusive spyware and its use inside the European Union. We would also like to see a general ban, with only narrowly defined exceptions, based on an exhaustive list of cases ensuring that all legal safeguards are met and which these kind of safeguards, legal ones, but also when it comes to democratic safeguards, to transparency safeguards, could be that is clearly something we can discuss in the negotiations.
And last point on that is regarding the zero-day vulnerabilities that we have discussed at length we should altogether start using is treating the Sierra Day vulnerabilities as what they are, which is a security problem. Let’s be very clear. If we know and use Sierra de vulnerabilities for our spyware, others know and use this zero-day vulnerabilities for their spyware against us. We have seen this in the case of Spain, where the Spanish government was spying based on certain civil de vulnerabilities on the Catalans, while at the same time Morocco was spying on Spanish authorities with the same pseudo vulnerabilities. We have experienced that as the European Parliament just last week when Kremlin hackers used vulnerabilities against us that apparently have been there but have not been reported to tech companies to close them. So here I think that has to be key, if at all. We want to allow a very limited use of spyware.
And then one last point and Iraqiya briefly alluded to that is the dimension of third countries here. I really think we have to be a bit more consistent and a bit broader in the language that we have in our final report. In third countries, we have seen even more severe consequences happening from the misuse of spyware, including people ending up that of non-natural causes after they have been spied upon or people ending up in prisons because they have been spied upon by their own governments. And it’s quite clear that if we cooperate with the producers of spyware in third countries, by buying spyware from them, we give them the financial support they need, but also the knowledge to improve their spyware that is then used in these kinds of cases. So here also we become complicit, and we see that third countries use this kind of spyware to spy on us.
And this whole dimension, I think, is not strong enough in the report as of now but count on us to provide more language in general. I really think our negotiations should be guided by the assumption that it could also be our biggest enemy at the possession of this tools, using them against us and the foundations of our own democracy and the safeguards and the rules that we come up with have to withstand. This text and this test. And I have to say at the moment, I would feel very uncomfortable imagining that the tools that we are looking at that we have been describing are used by, for example, some strongly right-wing activists such as Shannon in the USA or others. So, in the status quo, I can clearly say I don’t feel comfortable that we have to change this. And dear colleagues, it is on us to make sure that this democracy remains sustainable.
Jeroen Lenaers (Chair): Thank you very much, Ms. Neumann, then for ID Mr. Lebreton.
Gilles Lebreton (Identity and Democracy): Thank you, Chair. Well, since the very beginning, I have been supporting the establishment of this committee, and I am not disappointed by the draft report. It’s a very good one and it’s definitely the product of excellent work and it gives us a lot of useful pointers. It’s broken up into three parts.
First is the use of spyware in the union. Secondly, the industry of such software. And thirdly, the capacity to react. I shall look at each one in detail. I think the first part is the most important because it gives us a very good snapshot of what has been happening in the European Union, and I think it’s very useful. So just a few comments. I think that the report would be even better. If it states facts and avoids value judgement, the facts speak for themselves. And I think we have to make a distinction between facts and assessments or evaluations which can be made by experts or others. And thirdly, as I have already said, I should like. That we look at the situation in each of the 27 member states, and this is another aspect which has been adopted. Five member states have been highlighted and others are mentioned very briefly, and there are some who are not mentioned at all.
So, I’m the first to recognise that there’s abuse of course in all Member States. But here I think the impression is, given that some countries are worse than others. And I think that, as I said, we should state the facts without coming up with value judgements. I don’t think that is the aim of this.
As far as the second part, the industry of spyware. There’s a part which refers to the companies which are involved in this software market. And I think we could improve this if we have a better methodology by classifying the companies, by type those who design the software. I think this is something very important and we should be focussing more on them than those who act as intermediaries.
And finally, the third section on the ability of the union to react to I come to the explanatory memorandum. It’s the part which I like the least, because here, quite honestly, we are going far away from what the main statement is, the very federalist approaches here. Paragraph 67, for example, the WHO actually looks at the competence of Member States for national security. And I think that there are a set number of ideas that add for Council 172 and 174. And I think that the council here is really pilloried. I know that they haven’t cooperated particularly well sometimes. And I think describing the facts, describing what happened is adequate without using certain terminology. Omerta? I don’t think that’s correct, because omerta is a vow of silence. And I don’t think this is the case. I think that each country individually is trying to protect its own little secrets. So, this is not exactly what I understand by omerta.
And finally on the recommendations. We haven’t spoken much about those. I think the recommendations should be reserved for the resolution and not be in the report. So, I think it would be better if we restrict ourselves to just outlining the facts in the report and come up with recommendations, collective recommendations in the resolution. However, just a couple of words on the moratorium. I’m not in favour of this because I think that spyware can be very useful to combat terrorism, for instance. So, I really don’t think we should lose sight of such things. I think a moratorium wouldn’t be good because as a Frenchman, of course, I’m particularly keen on combating terrorism. As for recommendations, I think that we should be focussing on recommendations for member states to legislate and specify cases when spyware could or should be used. And I think it’s important to refer to that and of course, to ensure that there is surveillance and control by independent judges. And I think that if we were to do that, it would be a win win situation, because our role is to make public opinion aware so that they put pressure on the state to legislate.
Jeroen Lenaers (Chair): Thank you Monsieur Lebreton. I don’t see Mr. Tarczyński or another representative of the ECR. So, I move to the left, Cornelia Ernst.
Cornelia Ernst (Left): Yes. Thank you very much. First of all, I should like to warmly thank the rapporteur. To produce a report under such difficult conditions is not simple. And so, I really must say that many things which are included are extremely valuable in terms of facts. And we want to work constructively with you on this. So those are my first points. I do think that the report is taking the right approach. I think it’s important to say that and on the facts. I think I have to be clear on what our point of view is. It is, of course, difficult to get to all the facts when governments don’t send representatives here and will not give us information. This is difficult. It’s a problem. So that’s the one thing. It’s easy to say yes. We’ve got to be very credible and not have any doubts in the air. Of course, this is the case. We have witness statements here. There are many issues which we can draw from procedure, infrastructure and the way in which that spyware is used and the impact which spyware has on individuals and also on processes.
In this context, I do think that we should really work conscientiously on this, properly on this, and also make sure that we listen to credible witnesses. I think that at one point we should perhaps be adjusted is this issue of Spain. I think that. And we have to look at this in such a way as we may have to extend the mandate so that we do go to Spain again. I think it is extremely important because there. Quite honestly, we have seen that there has been a lot of interference. And what we learnt today was part of that. But I do think that it’s clear anyway. And of course there are other instances which we need to look at in more detail.
Also, I should like to just emphasise the fact that we should remain flexible with a view to new developments which we may not be able to anticipate at the moment. I think we have to keep in mind that there are going to be new developments, new knowledge is going to appear and we’re going to learn from this on the basis of investigations that we carry out. And I think it’s clear that. We have to keep her country specific. Detail within this report. And look at some member states which definitely use this software who have purchased it and used it. They need to be looked at in more detail. So, I don’t think it would be particularly useful to list all member states. Okay, you can do that if you want. But I do think that if you do that, you perhaps are going to have to change your focus and just look at things in general more than look at the specifics. And I don’t think that that is the idea of this investigation, and I don’t think it’s the reason for having this report.
So, I do think it is correct to refer to specific member states. I support the S&P on what they have said. We have to look at the external dimension of spyware. In more detail. When it’s a question of third countries and others, this is something which we don’t have adequately in the report thus far. There are a number of cases that we know about, and I think that it is important to introduce this into the report as well. We would support that fully. What is very important to us is to draw clear conclusions. I think that is something which is crucial. It would be quite a good idea to set up a data centre. This is something that we should be discussing further in the future when we get to that point. And I think we have to send out a clear message as to how we should deal with such spyware. We feel that there should be a full ban on this spyware. Because there are often many other possibilities to achieve certain aims. Because this is an enormous interference in privacy, and it affects the whole of our environment to an extent that we have not yet seen before. So, I think we have to be consistent. And there’s major hope in the committee that we have set up here, hope which has been expressed by those who have been victims of this surveillance.
But far beyond that, people are looking at us. I think it’s very important that we discuss this. People are talking about directives. They’re talking about competences at EU level, which should be used in order to make sure that such surveillance, such a scandal is not perpetrated. And we need something binding. I think it’s something which everybody has made clear. And., I don’t think there’s any other parliament such as ours in the world which could really take on this job in the same way. What else? That I got in my notes. Yeah. So, I think that’s it for the moment overall. We are ready to negotiate reasonably, but that just one or two issues which we would like to take up and go into further.
Jeroen Lenaers (Chair): Thank you very much Ms. Ernst. And that concludes the shadow rapporteurs. I have two more members asking for the floor, Ms. Vozemberg and Mr. Cañas. As there is nobody else than we start with Ms. Vozemberg. Mr. Cañas has to leave, so, Ms. Vozemberg.
Elissavet Vozemberg-Vriondi (European People’s Party): Thank you, Chair. First of all, we owe congratulations to the rapporteur and the shadow rapporteurs because they have really worked very seriously indeed. They have spent hours studying data and finally they have put down on paper some very important thoughts which will be very useful for us as we move forward. A lot of what I have heard I would agree with and some of it I think needs to be discussed because I’m not sure I agree with it. I will focus, however, on two points mentioned by Mr. Bilčík. I think these very important points that this report has to be very specific. It hasn’t been to be general. And that would lead to people being confused about what we’re trying to achieve and what we’re trying to say. Secondly. We will have to agree that our committee. In its investigation on the basis of our mandate is not here to act as prosecutor. That’s not our role. Yes, we should investigate and take a look at what the facts are and especially if people’s rights have been violated. And we can take a look at how we can intervene in the sense that where legislation in member states doesn’t cover this part of the aspect, we can take a look at that, of course, but not in the report. And the report must be specific.
And what I don’t agree with, I of course, I respect everybody’s point of view, but it was mentioned that member states should be named. Well, I come from Greece and when our committee went on mission to Greece, I was there. And when people were asked questions, they weren’t they didn’t resist at all. You can assess their responses if you like, but in any case, they were cooperating with our committee. Other member states, as far as I have heard, did not cooperate and they didn’t even receive the committee. Almost as if it was an insult to that state. I don’t think our committee’s job will purpose and perhaps the rapporteur would agree with me on this. We’re not stigmatising member states. We’re trying to find solutions and answers to some very important questions and.
Again, to go back to Mr. Bilčík and what he said, it is dangerous for us to make hypotheses and draw conclusions without the facts and without proof. I have something in my very specific in my mind listening to Mrs. in ‚t Veld, who talked about this spyware usually being very expensive, which I agree with, but also that we have indications as to who might use them or deploy them. Actually, we don’t, because they may serve in private interests, you know, which requires, of course, a lot of money and can spend that money. But we don’t know this for sure. And I’m saying this because, for example, there is a Greek government clear position that the official Department of State, for example, the intelligence, the National Intelligence Service of Greece has not used or had access to this illegal spyware. This is the official position put forward by the Greek government. Now, if we write a report where we suppose that this malware spyware which attacked citizens, journalists, etc., and violates fundamental rights and that they were used by an official government to say that you have to have some serious evidence to prove it. Otherwise, you know, this affects the member state. And I’m not just talking about Greece, any member state.
And when I hear from Mrs. Kaili, the shadow saying that at least 15 member states have used this illegal software, this means that it’s even more important that we draft this report because we’re talking about Member States of the EU. I don’t know if this is true. You said 15 member states to do. This is what we know now. Maybe there are more, and we don’t know. Is that what you’re saying? That’s one more reason, because we are talking about all member states. We’re doing great work, serious work in this committee. And therefore, as someone said, and I would say that as well, this report has to get a majority and a strong one because that would mean that why we have different points of view, we are converging and that is that we agree on protecting people’s fundamental rights, which is very different from a timeline where of course we will all be putting forward our various amendments and we will take things very serious and we will go into great detail. But the contents of the report is one thing, and the vote is there for a completely different purpose. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Ms. Vozemberg. And before I give the floor back to the rapporteur, maybe two short procedural points, because we have requested the extension of the mandate.
I am confident that we will get the extension on the mandate. We are all, of course, partly responsible for this. So, should we not get it, of course this will mean something for the deadlines and the procedural points that Sophie in ’t Veld raised in the beginning. And I also wanted to highlight that, of course, we are a specific committee in the sense that we will be working on the report and on the amendments and on the compromises. At the same time, we will continue with missions and hearings, etc.
And I, just out of respect for the people that we are still going to hear and we’re still going to meet, we count on the full flexibility of the rapporteur and the shadows that any findings that come out of hearings and missions can still be incorporated, even if they take place after the deadline of amendments, etc. I am just pointing out the obvious, but it’s important, I think, to also state that. I pass the floor back to our rapporteur for concluding remarks.
Sophie in ’t Veld (Renew): Thank you, Chair. And if we don’t get the three months extension, then the holidays will be cancelled for the shadows.
Jeroen Lenaers (Chair): Only for shadows!
Sophie in ’t Veld (Renew): Yeah. Okay. Thank you, colleagues, for this very rich first round. I’ll first make a few general remarks and then respond to some of the points that you have raised.
First of all, on the issue of as Vladimir said, it has to be serious and credible. A lot of remarks were made about, yes, but we need to get the facts. Things have to be verified. The point is, of course, that, as we have underlined all, that we do not get sufficient information from the authorities. Does that mean that we are empty handed? No. Does it mean that we can only rely on what we read in the tabloids? No, because colleagues here I would like to say something. There is there is a contradiction in the fact that this house is always singing the praises of investigative journalists. We we’ve even called a meeting room after Daphne Caruana Galizia. We have the Daphne Caruana Galizia prise.
So why then, when it comes to facts, which may for some of us be unpleasant, we don’t consider them to be a reliable source. Daphne Caruana Galizia herself, for example, before she was killed, she came up with a lot of facts that people dismissed saying, Oh, it’s all rubbish. Oh, it’s only the media. Oh, it’s only a journalist. Until it was true. I have the same experience for 15. More than 50 years ago, when we did an enquiry committee in this House into illegal or we called it extraordinary renditions by the CIA from this continent. And we got the same thing. Oh, but we have no facts. We cannot prove it. It’s only journalists, only hearsay, only victims. Until it was true, until actually George Bush himself said, but of course, we have black sites in Europe. We think it’s a wonderful idea. And it took many years because I think it was this year or last year when Poland for the first time recognised officially that there had been black sites 15 years or six years after we had the enquiry here.
So, I do not think that we can just dismiss evidence simply because it was dug up by journalists, because to be frank colleagues, they have come up with a lot of material that is reliable, that is original, that is certified. I have included, as I said, in the original 159-page document, which we will find on the EPP site. But also on my site, there are 989 footnotes. 989 I have tried to be as precise as possible and make, you know, everything I put in the report to make it possible to retrace it. Does that mean that, you know, all errors are excluded? No, it does not mean that. Does that mean that every assertion will prove to be proved to be true? No, it does not mean that either. Does it mean that we have a pretty clear and nearly complete picture of the situation? Yes, I believe so. And that is why I feel we have a duty.
And this brings me to the second point. We have a duty not to serve or attack a government or a political party or a member state. I think we have a duty to protect the democratic rule of law, and that is more important than party or country, and it should be more important to all of us. And that is why I mean, I’ve heard some people say, yes, but you’ve not treated all member states equally in the report? No, because they’re not behaving equally. You know, some are some governments are engaging in irresponsible use of spyware and others are not. But I’ve made it very clear, I’ve stated it also in my introduction. I think we can safely assume all member states dispose of one or more brands of spyware. All of them. I’ve mentioned in the report that, you know, if you look at the attendance list of the so-called while you’re Tepper’s bull, the annual fair of spyware, all the member states were there with the exception of Portugal and Luxembourg, but that was probably a coincidence. All member states have spyware, all of them.
Some governments are abusing it, most others probably not. Many of them are engaging in, let’s say, disrespect of the export rules. But all of them and there I disagree with Mr. Lebreton, who unfortunately has left. I do think there is a collective effort to try to keep the facts under the table. There is a collective effort. It’s in the letter of the council, you know, all the member states coming together. So even the member states who are very responsible and clean in, in their use of spyware, are responsible for covering up the truth. All member states, including my own.
Okay. So, I think that we should all come together regardless of our political preferences or our nationality, in the defence of the democratic rule of law. Then going into the substance of the matter, let me start with the the issue of the moratorium, because I think it is very important to understand what I’m actually proposing are not proposing a blanket a. Let’s a ban on the use of spyware. As of today, the moratorium is tailor made. It’s a moratorium that can be lifted on a country-by-country basis and basically means there for conditions to be met. All responsible and decent governments can meet these conditions. Those countries who cannot or who do not want to shouldn’t be using spyware because they’re abusing it. So, it would still allow the moratorium I’m proposing is, let’s say, a smart moratorium that would still allow the use of spyware in a responsible manner, but it would ban the use of spyware in those situations where we know there is abuse or a risk of abuse or something like that.
The for the four conditions to be clear are, first of all, member states have to show that they have in place a legal framework which meets the standards set in, for example, the case law of the European Court of Justice that they should do that anyway. A second one is those countries where there are allegations of abuse of spyware should immediately and fully and seriously investigate. I don’t think that’s an unreasonable condition. A third condition is that those countries who have issued export licences, which in hindsight turn out to be, let’s say, in violation of the dual use regulation, should be repealed. That’s not even a condition that they should do it by law anyway. Fourth condition, that’s more a real condition is that all Member States should commit explicitly to allowing Europol to investigate or join the investigations into allegations of illegal use of spyware. Now I think all member state governments who are responsible are able to meet these conditions.
So, and you know, they can all continue to use spyware for those cases of serious crime or terrorism or whatever. So, I would really ask you to study that very carefully then. One thing that I didn’t say my introduction, but I think it is important is that we and this also addresses a little bit the issue of the external dimension. I think if we are going to work, for example, on blacklisting or whitelisting, certain companies that we do not or do want to do business with. I think we should do it together with the United States and use our market power, because can we regulate what search country governments are doing? No. But can we somehow block, I don’t know, the Moroccan government from spying on the French or the Spanish? Can we block the Rwandan government? No. Can we use our combined market power as U.S. and European Union to enforce certain standards? Yes, I think we can. And I think we should then rapidly. Yeah.
On the external dimension a bit more. Yes, we are currently because of course we are continuing to collect information. We’re looking more at this external dimension. Frankly, I didn’t want to say too much about third country governments for the reasons I’ve just outlined because, okay, I can say a lot about what I think third country governments should do, but they probably care very little. I’m more interested in how does it affect the Europeans or how is the European Union? And this is something I’m worried about. How are we responsible for the experts in violation of the rules to third countries where it’s being abused to violate human rights? This is an aspect that we should look at very, very carefully. I would like to reiterate also against what Mr. Lebreton said. I am not for or against Member States. I’m not pointing any member states by the finger because I like them or dislike, quite frankly, I like most of the member states a lot. But we have to say it if, you know, if the democratic rule of law is being violated, that is our own, our only concern. On the concept of national security. No, Mr. Lebreton, I’m not against the concept of national security, but I do believe that it should be clearly, clearly demarcated and defined. And if we don’t go for a common European definition, that at least there should be the obligation for each member state to have a definition so that the law is predictable, so that we know what the special regime is and when it kicks in.
Finally, also to Mr. Lebreton, who said we need to have a kind of a division in categories of the different kinds of spyware companies. The problem is it’s not only spyware, you know, and that all these companies are not selling only spyware. They’re selling a whole range of products and services. They’re working together with other like Black Cube, for example, is a company that doesn’t sell spyware but is hired by NSO in order to harass the victims who are complaining against an associate. So, there it’s connected. It is difficult to make a categorisation. Besides, if Achille also said we need a definition of what spyware is here, but it’s constantly evolving. You know, we have a definition today and tomorrow it’s something else. So, I think we should look at the impact in particular and the kind of protections that we want to come up with. Okay. That’s I think what I would want to say so far.
Jeroen Lenaers (Chair): Thank you very much Sophie, that concludes our afternoon session. 20 past four, very efficient for the Dutch among us to see if we can beat Qatar on the pitch. Our next meeting is on the 5th of December, and I look forward to seeing you all there. Thank you very much. And have a nice afternoon.