On 10 May 2022 the PEGA committee of inquiry met for the second time. This session dealt with how state trojans (government spyware) work. The members of parliament heard four experts on the topic.
- Date: 2022-05-10
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Expert: Adam Haertle (ZaufanaTrzeciaStrona), Constanze Kurz (netzpolitik.org), Bill Marczak (Citizen Lab)
- Links: Hearing, Video
- Note: This transcript is automated and unofficial; it will contain errors.
- Editor: Emilia Ferrarese
Functioning of Pegasus and equivalent surveillance spyware
Jeroen Lenaers (Chair): Dear colleagues, it’s 10 to 2. As we have a full agenda for today’s meeting, I propose we get started. Welcome to today’s meeting, both for the colleagues present in the room and those who are connected online. We will have interpretation in the following languages today: German, English, French, Italian; passive: Greek, Spanish, Finnish, Polish, Slovenian, Bulgarian and Romanian.
The main point on our agenda today is the hearing on the functionality of Pegasus and equivalent spyware. With your permission, I would like to take point number three of the announcements first so that we don’t run out of time for that. And that is just to let you know that following the coordinators meeting on the 19th of April 2022, we had a written procedure that ended at the end of business on the 22nd of April. And in this written procedure, the coordinators decided to hold delegations as missions to Poland, Israel and Hungary, to hold hearings concerning Pegasus and other spyware, and to arrange studies and briefings covering Pegasus and other spyware. And for the second and the third point, the decision-making process on how they will exactly look is still ongoing.
I would also like to report that last week in Strasbourg, the committee’s bureau held a meeting with the Praesidium of the Pegasus Committee of the Polish Senate, and we shared information and exchanged views on the mandates of the two committees, and it was agreed that a joint meeting would be organised when the work has progressed sufficiently. So that is to give you the feedback on that.
Then we move to the election of the vice chairs, and we continue where we left off in our previous meeting, because at our constitutive meeting our colleague Giorgos Georgiou was nominated for the position of Fourth Vice Chair. However, we lost connection with Mr. Georgiou before we could ask him if he accepted the nomination and whether he had completed the relevant declarations. So I will ask you this now we have you live in the room, Mr. Georgiou. You do. I ask you if you consent to being nominated and whether you have completed the declaration of financial interests relating to the code of appropriate behaviour.
Giorgos Georgiou (Vice-Chair): Yes, Mr. President, I accept. And I sent these documents.
Jeroen Lenaers (Chair): Excellent. So at the previous meeting, Mr. Georgiou was the only candidate nominated for the position of Fourth Vice Chair. I don’t see any other nominations. That means that we have one valid nomination, and I propose we accept the nomination of Mr. Georgiou by acclamation. Excellent. Then I declare the candidate elected by acclamation. I would like to congratulate our new fourth vice chair, and I invite you also to take your seat here on the rostrum if you would like to.
Then we move to the second point of our agenda, which is the hearing on the functioning of Pegasus and equivalent surveillance spyware. We have the pleasure to have with us online the following panel: Ms. Constanze Kurz from Netzpolitik, Mr. Adam Haertle from ZaufanaTrzeciaStrona, which I hope I pronounce correctly, Mr. Linus Neumann, an expert on mobile IT security, and Mr. Bill Marczak, who we’ve met before, from Citizen Lab in Canada. This time we will first give the floor to our guests for 10 minutes each and members will be invited to ask questions afterwards. Now, as this is about the technical understanding and not necessarily about the political context, the Q&A session will be based on catch the eye, one minute per question, with the possibility, of course, to ask a follow up question if there was no sufficient clarity in the answer. And I will then invite the panelists, in order to make sure we get the correct answers to the questions, to answer immediately after each question, so a ping-pong system, and also ask the panelists to not exceed 2 minutes for their answers. Now I will apply this principle of conciseness and effectiveness to myself first. So I will immediately give the floor to our first speaker, which is Ms. Constanze Kurz from Netzpolitik, who is connected online. Please, Madam Kurz.
Constanze Kurz (netzpolitik.org): As I know you have the translation, right?
Good afternoon. I’m going to talk briefly about how this surveillance spyware functions. We have about a decade of experience in observing how this spyware functions, and specifically for Pegasus spyware. Now from the point of view of the users of this spyware, there are basic functionalities: You can intrude into and use the camera, the microphone of the mobile phone, and you can download from there any data that has been stored. You can enter into Apple iPhones and Android. In addition to that, there are competitors to NSO Group that can attack other systems of mobile phones and in addition computers, PCs and so on, laptops. In addition to basic functionalities the spyware can also look into your call lists. It can keep your profiles, very useful for people involved in tracking and surveillance. And the spyware can take data down from your calendar. These are the basic functions.
It is also possible to ensure that not just messages like text messages can be intruded into, but also updates to the spyware in operation. Maintenance is provided as part of the normal service provided. Over the last ten years, this branch of spyware has developed into software that is very easy to use. You don’t actually need a lot of technical know-how anymore to be able to use it. Now it’s very easy for the spyware users to read WhatsApp messages, text messages and so on.
Various cases, the Spanish case for example, show that the spyware infections don’t actually require any action on behalf of the owner of the mobile phone anymore. And that is particularly dangerous and concerning.
The published technical reports show the technical capabilities of spyware in great detail. Many victims of this spyware have, in fact, given their mobile phones to be analysed. So we know a lot more about it now. These were just my introductory remarks on the very basics of how this software functions. Thank you.
Jeroen Lenaers (Chair): Thank you, Madam Kurz. And then we move to Mr. Adam Haertle, who is also connected online. Please, you have the floor.
Adam Haertle (ZaufanaTrzeciaStrona): I’d like to address two issues. One is the functionality and the other is the flow of data. Regarding the functionality, I guess most of you are already familiar with the functions that are the basics of the functioning of Pegasus and similar software, like reading the messages, reading the content of the phone, etc., etc.
But there are functions that we are not so fully aware of, even based on the documentation we have on the excellent research of Citizens Lab and Amnesty International. Based on the leaked contract, we’ve gotten that based on the marketing leaflets and so we can infer some functionality. So we know that the software in order to function has to have God like capabilities. It has to be an almighty administrator of the infected device. So if we assume that Pegasus fulfils all the functions that are advertised by NSO group, it has to have access to more functions that are not advertised. We don’t know if they are implemented, but they can be implemented, they can be, they can be used. We just based our understanding of the functioning of Pegasus, of the samples we have, but we are not sure if the producer is not using the capabilities it has from a logical perspective.
Pegasus is an administrator of your phone, so it can do anything. We know it can read files. So if it can read files, it can also read files called authentication cookies. So these are the small files that allow you to open a Gmail or Facebook account without putting in your credentials again every day. So your computer, your browser, your mobile phone remembers that you are you when logging into Gmail, Dropbox or Facebook or any other cloud account. Now, if a Pegasus operator steals those files, they can impersonate you online, they can act as you. And it would be hard to distinguish your action, your real action, from the actions of the Pegasus operator who would love to impersonate a victim. We don’t know if it happens, but it is technically possible.
And if Pegasus has an ability to read files, it also can have – I’m not saying it has – it can have, based on the rights it has in the system, it can have also the ability to plant files on the devices. We have no proof that it’s being done, but technically it’s possible. And the problem is we have no way of knowing if this capability, if this possibility is actually used; it is possible. We don’t know. We have no supervision over this process. We have no independent audits of how this Pegasus behaves on the devices, what it allows the operators to do. Because from a technical perspective, programming a function like planting files on a victim device is not a problem. It’s really simple. If you can read files, you can write files; it’s just one extra line of code to add to the software. So we cannot exclude that there exists a Pegasus version that is capable of planting files on victim devices, because we have no supervision over how it is used, how it is built.
And another thing is the data flows. So there was a lot of talk about whether NSO Group and, by proxy, also Saudi special services know who is being targeted, know which data is stolen from the phone. So we don’t know that. But based on a previous example of spyware, like the one from Hacking Team, that was also hacked by some whitehat hackers, some good hackers, and all the data of a spy operator was leaked, all the messages, all the code, etc. We know that even Hacking Team, which was a simpler solution than Pegasus, did not have such advanced capabilities, did not give the customer the capability to infect the devices themselves. The infection process was controlled by the producer of the Hacking Team tools. So I assume that in the process of infecting a phone by Pegasus, the information if the phone is online, the verification, the first stage, the verification that the phone is available for infection, is done with the knowledge of NSO Group. So NSO Group should have the knowledge of who is being targeted. If you look into public communication by NSO managers and its directors, they both claim they have no idea who is being targeted and that they supervise their customers if they are not abusing the system. So this is a contradictory statement, and I think we should assume the worst case, so they know who is being targeted, and it’s totally possible from a technical perspective.
Then the vector of infection, the exploit that is attacking the phone, the most valuable part of the system, is under control of NSO. Based on the documentation that was leaked, the contract we’ve gotten and the marketing leaflet, we have no assurance that this part, this exploit, is delivered by the customer, by the client, by the country that bought Pegasus. So we should assume that the exploit is also delivered by the producer, by NSO Group. So NSO Group is, in my opinion, totally aware of who is being targeted and when, because it has to keep control over the most expensive part of its toolkit, the exploits that actually allow Pegasus to enter the phones of the victims without the victims knowing.
And then there’s that data that’s being downloaded from the devices. And it’s also technically possible that this data goes through NSO controlled servers. We don’t know that. We have no proof of that, but it is also technically possible. So we are operating in an area where we have no sufficient knowledge to understand if this is a legal process from end to end and if it complies with local and wider regulations because there is no supervision over it. From a technical perspective, there’s plenty of space for abuse and plenty of space for even endangering national interest by leaking the information to other external countries. And due to the lack of supervision, we have no way of knowing how things are actually happening. We can only be afraid that the worst-case scenario is possible. Thank you.
Jeroen Lenaers (Chair): Okay. Thank you very much. It was very interesting. I hear we have some problems connecting to Mr. Neumann, so we will move first to Bill Marczak. I’m very happy to hear from you again. Bill, you have the floor.
Bill Marczak (Citizen Lab): Dear Chair, dear members, thank you for having me today. I’d like to give a brief overview of the technical functionality of Pegasus and similar spyware from my research at Citizen Lab. At Citizen Lab, I conduct research into how governments and other powerful actors use spyware to carry out espionage against journalists, dissidents, civil society targets. Often the spyware is procured from companies in this surveillance industry. And some companies I have studied in the past include FinFisher, based in Germany, Hacking Team from Italy, and Cyberbit, NSO Group and Candiru based in Israel, as well as one of the more recent companies we’ve looked at, Cytrox, based in North Macedonia. Now the term spyware generally refers to a software component that is installed on a target’s electronic device without their consent, to facilitate third party access to data stored on the device or to the device’s functions. For example, some spyware can turn on the microphone or the camera of the device. These spyware tools, including Pegasus, have a generally similar method of facilitating government access to targets’ devices, both according to leaked documentation as well as my own research.
I’ll give a three-part description of the functioning of the spyware, but I’ll ask you to bear with me a little bit, because I’m going to describe it a bit out of order in the three parts. In part one, I’ll assume that the spyware has been installed on a device. And of course, all spyware has to communicate back with its government operator, because it’s taking information from the device and sending it back to the operator. So how does the spyware actually communicate? Well, once the spyware is installed on a device, the spyware code causes the device to periodically contact Internet command and control servers that are specified in the spyware code. And the purpose, of course, of this contact is both to send back information as well as to receive commands from the operator. However, the servers included in the spyware code are often what’s known as proxy servers, also referred to as relays or hours. These are servers whose sole function, whose only function is to relay data back and forth between the device on which the spyware is installed and the ultimate destination, which is a command-and-control server located usually on the premises of the government agency who has purchased the spyware. And the purpose, of course, of using these intermediary servers is to make it hard to identify the final destination of the spyware. In other words, to make it hard for researchers or anyone else to identify what is the Internet address of the government agency. Which government agency? Which government is behind a particular instance of the spyware? Now the proxy servers used by the spyware are typically rented from online cloud-based server rental companies, often operating in the United States or Europe. And in the case of NSO and Pegasus specifically, we believe that it’s the company itself, in other words, NSO Group, that is initiating the rental and performing the maintenance of these servers on behalf of the operating government.
Now, of course, it’s doubtful that they’re actually using their own name, NSO Group or that, you know, they’re using their company credit card or something like this to rent the servers. And it’s likely that the registration information, the payment information is going to differ for each customer or operator of the spyware. And I’ll also point out that there are ongoing questions about whether these intermediary servers might have some extra functionality beyond forwarding the information back to the government, because they seem to be rented by NSO group. You know, there’s a possibility they could introduce extra code or extra functionality to forward some information back to another entity, such as the company itself or another government. So that’s a good area, I think, for further investigation.
In part two of my three-part explanation here, I’ll next explain how the spyware gets on to a phone, how it infects a phone. What is the process associated with that? Well, the first public analysis of Pegasus was done by Citizen Lab in collaboration with Lookout in August 2016, Lookout being a cybersecurity company that focuses on mobile phones. So I obtained a copy of Pegasus from clicking on a link in a text message that was sent to an activist in the United Arab Emirates, who received a text message saying “New Secrets About Torture of Emiratis in State Prisons”. When I clicked on the link and captured the information received from the server, it turned out to be a chain of three what are called zero-day exploits. In other words, code to take advantage of bugs in the iPhone which weren’t known to Apple. Brokers who buy and sell such exploits sometimes paid millions of dollars for similar exploits. NSO documentation released by WikiLeaks describes this method of installation as an enhanced social engineering message. Of course, there are also more powerful installation techniques, such as zero click exploits, which take advantage of bugs in popular messaging apps like iMessage or WhatsApp, which are known to the manufacturers of those apps. Often, in addition to sending the exploit to the phone, there is some sort of use of third-party services as part of the installation process, as previous panelists have alluded to. The phone needs to be somehow pinged to determine whether the phone is on and whether the phone is in a location that meets the licensing requirements of the customer. For example, customers of Pegasus might only be licensed to spy in certain countries, both in terms of checking the country code of the phone number that’s targeted, as well as checking the location of the phone to make sure it’s in an authorised territory. And of course, if a device enters a country that is quote unquote restricted, there might be a self-destruct command issued.
Which in theory, although, as we’ve seen in practice, this is not the case, but in theory, it is supposed to remove traces of the spyware to prevent identification that the phone was infected.
So in part three, I’ll describe what exactly the spyware is doing on the phone, what sort of data it is accessing. Well, as we’ve heard from previous panellists, the spyware essentially gives access to everything on the phone. So this includes information from chat apps, messaging apps. Even if the app is quote unquote encrypted, it’s still possible to access the information before it’s encrypted or after it’s decrypted. And that’s the method on which the spyware works. The spyware, of course, can also take cloud tokens to log into your accounts. So even if the spyware gets removed from your phone, if you have, for example, your email signed in on your phone or your social networks signed in on your phone, and those login tokens are captured by the spyware, then the spyware operator can maintain persistent access to your social media and email, even if the phone is no longer infected. And of course, the spyware can also turn on the camera, turn on the microphone to gather data from the phone’s vicinity.
So that’s my three part explanation. And I would say that the key points that I want to emphasise are that the spyware is not simply a product. There is also this associated service which is important to keep in mind. And the service, as I’ve mentioned, involves in part setting up the servers and maintaining the servers through which the information from the infected devices flows back to the government agency and potentially other agencies. It’s hard to say for sure. Thank you again for having me. And I’ll yield to other panelists to finish up their introductory remarks.
Jeroen Lenaers (Chair): Thank you, Bill Marczak. I understand that we still have some problems connecting to Mr. Linus Neumann, so I propose that until we have the technicalities sorted out, we will start already with the Q&A session in order to not lose any time. Like I said, we will do this in a catch the eye procedure. So everybody who wants to speak, please raise your hand and we will take the questions on a first come, first served basis. And the first one to raise the hand was our rapporteur, Sophie in ’t Veld. So please.
Sophie in ’t Veld (Renew): Yes, thank you Chair. I think there is a…
Jeroen Lenaers (Chair): Sorry, but there were a lot of people raising their hands, so if you keep them up for a little bit longer, so we have the time to note you all down because I don’t wanna make any mistakes. Thank you.
Sophie in ’t Veld (Renew): We have to remember, we have to remember what it was like. Yes. I think there is some irony in the fact that we cannot establish a remote connection when we are talking about such high tech stuff. Thank you very much to the three speakers so far. I have some questions. I’ll just fire them at you. First of all, how, okay. You’ve explained how it works, what it can do, basically everything. It can become us, if I understand correctly; it can invade our lives on the phone, but it can even impersonate us. It can, you know, so it can act on our behalf. How traceable is this? Because we get different information on different cases, where sometimes clear traces have been found and it can also be reconstructed what exactly took place on that particular phone. In other cases, there don’t seem to be clear traces, but only indications. Can you say a little bit more about that? Then can you say something about… So the spyware is using the weaknesses and the exploit. Now, we know that, for example, Apple has fixed some of the bugs in the iPhones. But can you say something about how the spyware is then being upgraded to try and circumvent the new protection? Yes. Can you say something about the differences between the different brands? Because we’re talking about Pegasus the whole time, but there are different brands that are also being used by the European governments. What is the difference? Is this a difference in capability or quality or even market share? Maybe. And then of course, of course, what we really need to establish is what you have already alluded to, is, you know, how can we establish for sure that NSO and its sister companies or brother companies, its competitors, have access to the information. They know who the customers are. You said they’re servicing the spyware. They’re servicing the servers. They may actually have access to the data. Can we establish how much they know and how much they can do? Do they know who the targets are?
Thank you.
Jeroen Lenaers (Chair): Thank you, Sophie. And I mean, these are questions I’d put a little bit to all three of the panellists, so maybe, if you allow, we’ll group three members and then the answers from three panellists so that we have a little bit of space. And then I move to Mr Zoido Álvarez.
Juan Ignacio Zoido Álvarez (Group of the European People’s Party (Christian Democrats)): Thank you very much. Chairman, I’d like to begin by thanking our experts. You’ve given us some interesting presentations and explanations. I think there are many issues that we’re going to have to go into in a bit more detail. But there are two areas where I think there are still questions in the air. On the surface, something has been said. But first, I would like to talk about attribution. How is it possible to determine with certainty who is responsible for a specific infection? I mean, currently there are suspicions of who’s the owner given the political circumstances and the beneficiaries. But how is it possible to technically confirm who is the author via some kind of digital forensics? So I’d like a bit more information on that, please.
And secondly, I’d like to know what happens to all the information that’s obtained from people’s phones, from listening in, etc. How is it stored? Where are the servers on which it’s stored located? Are there backup copies? How long can this information be kept? Does NSO have access to that information? And what about the metadata on searches? These are questions that I’d like the answers to, if possible. And also, I’d like to know, to conclude, does NSO have access to the names and contact details of the people who are of interest to its clients? Thank you very much, Chairman.
Jeroen Lenaers (Chair): President and Mr… You want to look. I’m sorry. You want to. Please. Then you go first.
Hannes Heide (Socialists and Democrats): So I will be short. My question is, is an iPhone easier to infect because it doesn’t need a phishing SMS or mail? Is there any evidence that the user can use to tell whether their mobile phone is infected, for example, storage space? Does that go down? And I’d also like to ask a further question. Many mobile phones are linked to laptops or Macs of their iPhones. Can the spyware get hold of that information, documents, photos, etc., that are saved on the hard drive? Or can they only get access to the cloud where the photos are uploaded to? Thank you.
Jeroen Lenaers (Chair): Thank you. So there’s the first three questions then. Like I said, we’re going to group the questions. Three members each. I’m sorry, but you are not, because there were already a few members who raised their hands before I even asked for the raising of the hand. And I think you can trust me in being honest about who raised a hand and when. There is no need for that kind of ridiculousness here. Thank you very much. So I move back to the three panelists and I first give the floor again to our first speaker Madam Constanze Kurz.
Constanze Kurz (netzpolitik.org): Hello again. I will try to answer some of the many questions. I will switch to German again. I would just like to stress that in the case of this spyware, the fundamental idea is that it enables the manipulation of the whole phone. And I think this perhaps addresses some of the questions that we’ve heard. If you take a look at this kind of software that we’re talking about, the spyware has to attack the phone in such a way that it has all rights the owner has. That also means that everything can be planted or placed on the phone and that data can be manipulated.
So in technical terms those are the capabilities of the software. It would appear that the NSO group isn’t really bothered whether Apple or others take them to court, i.e. introduce legal suits against them. Apple has actually brought a legal case against NSO. Other competitors seem to be a little more prudent.
I don’t think we should necessarily narrow our view and only take a look at Pegasus, because the NSO group is not going to have a lengthy future, which doesn’t mean that the spyware products will disappear. I think we should realise that this whole sector is making every effort to seek out vulnerabilities in smartphones and computers, in order to be able to intervene or interfere with phones. They buy these vulnerabilities and exploit them or sell them. It’s an enormous business, and we’re talking about a whole sector. Basically, they are acting in the open.
Somebody asked where all this data is stored. Well, it depends very much on the individual legal situation of the country involved. The command and control server in the case of Pegasus is actually run and managed by the NSO group. I don’t know any recent example of spyware from competitors that would hand out the software relating to the spyware infrastructure. Most of them actually operate and manage the infrastructure themselves because obviously they developed the spyware and invested a lot of money.
On the questions of infections and attribution, i.e. do we know who is behind the infection? Very often, this is not just a technical question. There are certain technical and non-technical facts to consider. And then sometimes you have to go to the courts to try and determine these attribution questions, if you want to get evidence and proof as to who is behind these infections.
To Mr. Heide’s last question relating to iPhone users: I don’t know whether this was necessarily fully clear, but it is true that there are certain infections which fall under the heading of zero click where the user doesn’t have to do anything at all. As normal users it’s very difficult for them to protect themselves. If you take a look at the spyware market, it’s not only iPhones that can be attacked, but also Android devices. That was my attempt to answer the questions.
Jeroen Lenaers (Chair): Thank you very much. And then we move to Mr. Adam Haertle to see if you have anything to add to what Ms Kurz already said.
Adam Haertle (ZaufanaTrzeciaStrona): Yes. I leave the traces question to the expert, Mr. Marczak, but regarding the new exploits, the question was how NSO and other producers of such spyware manage to infect phones while Apple or other providers of services try to patch the bugs that are being used for infection. So it’s kind of a race, and it’s always somebody discovering new bugs in iPhones or in software installed on iPhones. Like, for example, we had infections via WhatsApp, so it was a bug in WhatsApp that was used to infect iPhones. And both Apple and Facebook and other software producers look actively for those bugs, especially for those used in those attacks, and patch them as soon as they are discovered, as soon as they are identified. But then there are plenty of people looking for those bugs on the market because they have high value. They can be sold for millions if they are, for example, those zero click bugs, so a way to infect your phone without your interaction. So these can be sold for millions. So there’s a huge incentive for researchers with lower ethical levels to find those bugs and to sell them to people who buy them, and then those people provide them to producers of spyware. So this is a constant way, and we only discover bugs that were used before. We have no knowledge of devices that are used today. At least that knowledge is not public.
I’d also like to address the question if iPhones are easier to infect than other brands. So I think this is mainly due to market fragmentation. So if you look at iPhones, you’ve got, I think, like 90% of the market will be three or four models or generations, including two models per generation or three. It’s no more than ten or 15 very similar devices. Most of them are running the same version of the operating system. If you look at Android markets, then you have hundreds of devices with dozens of operating systems. If you multiply those numbers, you come to thousands of options of configurations of different types of phones. And what is very striking is that I have not seen publicly a sample of Pegasus on Android in the last four years. So either these are used less often, probably the targets don’t use Android phones as often, or these are harder to produce. If you look at marketing leaflets, if you look at contracts that NSO signed and that were leaked on the Internet, you see they support Android platforms, but they mention several, like the latest Samsung phones, the latest Huawei phones, three or four latest models. So they support only the most popular models, the more expensive models. But they can also support models on request. So we have not seen publicly any more recent samples on Android than three years old, at least this is what I remember.
So it looks like iPhone is easier because it’s easy to produce one version of Pegasus that will attack, will infect, like 90% of the phones; for Android, a separate version needs to be produced for almost every single device. So this is much more work and also less possibility of catching such a phone. Then there was a question of whether we as users can find evidence that our phone has been infected with Pegasus or any similar software. So I think there’s a huge trend of not showing anything to the user, because this would endanger the whole meaning of Pegasus if users were able to identify the infection. So anything like slower transfers, slower data storage, faster battery running out most likely are not indications of phone infection. To verify whether a phone was infected before, there’s a tool, the MVT tool, that can work on backups of iPhones and can verify traces of the infection. But I hope Mr. Marczak will explain it more closely as he is more familiar with it. As for the question about the connection between phone and computer, this is a very good question because there are some producers of spyware that produce separate versions of spyware that can also infect computers. But this is not based on the phone infection, so it’s not like the infection jumps from phone to computer. This should be very rare or not possible at all. It’s rather that a computer is infected separately, and the phone is infected separately. But they can be infected by the same platform that gives the operator access to both devices. So two separate infections are needed to infect both computer and phone, but there are producers on the market that offer both capabilities to their customers. As for what happens to the information that’s being stolen, the only thing I can say for sure is that every customer of NSO that we are aware of has also in the contract a list of servers that they need to set up to store that data.
So that data for sure is stored with the customer, but most likely it’s also accessible by NSO or other producers. Why do I say that? I worked like 15 years in IT security in many companies, and it’s impossible to use a system without the support of the system producer. So if anything breaks, probably there is a company locally on the market, the reseller; like in Poland, we had the company that actually was the one that sold Pegasus to our government. It was a Polish company that has trained employees who are most likely able to troubleshoot simple problems. But if problems are more complicated, quite unique, and the local team is unable to solve them, they should be solved by the producer. And then the producer needs access to the servers. So even if the information is not flowing through the servers while it is being collected, I strongly believe that there is some way that NSO or any other spyware producer has access to customers’ servers, has full access, just to troubleshoot the issues. So this access is not monitored by independent parties. So we are unable to tell if NSO is looking into that data or not. But they have the capability, I’m sure. Thank you.
Jeroen Lenaers (Chair): Thank you. And then Bill Marczak.
Bill Marczak (Citizens Lab): Thank you for those questions. So I’ll start by looking at the questions regarding attribution. And I think there were questions regarding both the attribution to the specific spyware company as well as the specific government that might be behind an attack.
First of all, the attribution to the company is often easier, I think, than the attribution to the government, because the company essentially has a spyware product which they have to demonstrate, they have to maintain, they have to perform quality assurance on. And often these sorts of activities leave some sort of trace. So, for example, when we were attributing spyware to NSO Group, we found that they had quality assurance servers and demonstration and testing servers which were, you know, registered to websites like qa.nso-group.com, which essentially were these command and control servers. So we were able to do a process of fingerprinting where we observed how the NSO company’s servers behaved and then found similar behaviour for NSO customer servers. And that’s how we were able to essentially attribute attacks from NSO customers back to the producer of the spyware, NSO Group. And we used a very similar methodology for attributing other types of spyware, including Hacking Team and FinFisher. It’s sort of a tried and true methodology to look for connections back to the spyware companies, such as demonstration or quality assurance servers. And then once you’ve identified the network signature of an attack and attributed that back to the company, you can then start asking questions about the footprint that the spyware leaves on the device. Even if it’s removed, or even if the operator activates the self-destruct functionality, maybe there will still be some traces left behind on the device. And that’s where tools like MVT and other tools come in, in trying to identify on a device: are there any traces of the characteristic footprints left behind by Pegasus? So there are specific names for various Pegasus spyware components which might be left behind in various phone logs on the iPhone. So MVT is checking for these characteristic names to see if there’s evidence that those Pegasus components ran on the device in the past.
Of course, it’s much easier to do this sort of analysis on an iPhone just because the iPhone keeps quite a bit more logs than an Android device. Of course, there is also the issue of Android fragmentation, which makes it less commercially lucrative for a company to develop Android spyware because there’s a much larger investment to target the much larger diversity of Android devices. So that’s certainly an issue. But also, if you look at tools like MVT, as well as analysis published by Citizen Lab and Amnesty International, it’s quite clear that it’s much harder to search for this sort of evidence on Android due to the lack of logging on Android. So that covers the attribution to companies, but attributing it to a government technically is quite challenging. As I mentioned, there’s this use of intermediary proxy servers to disguise the origin and destination of attacks, as well as where the data is being sent back to. So that can be quite challenging. However, there are some techniques that can be used to link different attacks back to a single operator. So you can group them, you can cluster them. But it’s often hard through purely technical means to trace them back to a specific IP address or specific agency, for example. However, if you group many attacks together and understand that they’re all conducted by the same operator, and if you can get some sort of longitudinal information about that operator, so you can say where are all of the places that this operator is targeting, or where are many of the places that this operator is targeting, then you can build up a picture of who that operator is. And you can combine that with information that we know from NSO Group contracts, which is that the default position, or the default licence that you get as a Pegasus customer, is that you can spy on numbers in your country. That’s sort of the basic package.
So if you are country X, you can spy on phone numbers in country X, on phones in country X; that’s the base licence. So if we find an operator who is attacking or spying solely in country X, then there’s a fairly good deduction that you can make that it is in fact the government of country X, because that is the default licence that Pegasus is sold under. So there are deductions that can be made, but through purely technical means it’s quite difficult to trace it back to a specific government operator. But it is possible to group these attacks. So that’s my answer to the question about attribution.
There were a couple of other questions I just wanted to briefly touch on. So, the issue of spyware migrating from a phone to a laptop. Again, I think it’s unlikely. However, there’s no reason in principle that a spyware company couldn’t build such a functionality if they wanted to. We saw very early versions of Hacking Team spyware actually have a sort of migration path that was the reverse: so if a computer was infected, the spyware could potentially jump to the phone rather than the other way around. However, that’s a very tricky infection vector, I think, to maintain, and it’s easier to target the devices separately nowadays, I would say. As for the different brands of spyware that are being used, there was an interesting report recently in The New Yorker magazine where there’s this interesting quote that NSO has a virtual monopoly, allegedly, of European Union countries in terms of which brand of spyware is being used. NSO is probably the widest, both, you know, based on that quote as well as based on technical data that we’ve gathered at Citizen Lab and that Amnesty International has also gathered. That said, there are certainly other vendors, other companies in play. So we’ve seen the case recently in Greece, where it looks like the government may be using spyware from Cytrox, which is a competitor. We’ve also heard about this second Israeli company, QuaDream, which may be selling to various European governments, and of course Candiru, another spyware company, which mainly seems to be selling spyware for Windows and Mac rather than phone platforms. And, of course, there’s a very robust spyware industry that continues to flourish in Italy. So we’ve seen companies like RCS Lab or Cy4Gate, which are supplying spyware, certainly domestically, but perhaps to other countries as well. So there is a robust industry here, but NSO seems to be the one that has made the most inroads, I think, amongst the European countries.
So I think the other panellists addressed most of the other questions, but I’m happy to chat more later if other things come up.
Jeroen Lenaers (Chair): Yes. Thank you very much, Mr. Marczak. I propose for the next round we take the reverse sequence of the speakers so that everybody else gets to answer the first questions. I move to the next three speakers, and the first one is Ms. Bricmont.
Saskia Bricmont (Greens): Thank you. Thank you very much for all this very interesting information, raising many questions. If you don’t have the information on where the data goes and who gets access, the company and further on and the intermediaries, how concretely could we find out? Because you suggest to us to investigate further. Can you help us in investigating this? Who should we go to to find out? Is it the company or other actors? And how to get also assurance that the data is deleted, if it’s deleted at all?
My second question is, is it possible to know who is after these researchers of vulnerabilities in the devices, and to forbid selling such information or buying such information? Is it possible, in your view, to regulate at all this dark side of information gathering? And then, is there any possibility to enhance security and to prevent such infection? Because as it’s always looking for new vulnerabilities, aren’t we always a stage too late in trying to secure the devices? Is it possible at all, in your view? And also, I’m asking questions on behalf of my colleague, Jordi Solé, who had to leave us. A question to Citizen Lab: what would you say to those who question whether the forensic technology you are using is reliable? What is your answer to them? You already showed us the methodology you use, but we would like a more political answer also to this question. On the question of the removal, do you know or can you explain to us how it is technically done? How is it technically removed? And who decides when, and who decides when the technology is removed? And then once it’s removed, do you know if there’s any consequence or impact on the affected device? And then finally, do you know or do you have any suspicion – and that’s my question – where the data goes after? It might go back to NSO. In the case of Pegasus, do you have any suspicion the data could also be shared with the Israeli government or governmental agencies? Thank you.
Jeroen Lenaers (Chair): Thank you very much, then Mr. Tarczyński. Thank you so much for your generous patience.
Dominik Tarczyński (European Conservatives and Reformists): Thank you very much. I’d like to ask Mr. Marczak. I just want to make sure that they can hear the translation; I’d like to speak in Polish to our panellists. Can they – ? Okay.
Thank you very much. Mr. Marczak, from what you were saying, it would appear that Pegasus is not the most serious problem, because there are companies, there is software which seem to be more aggressive than Pegasus, and there are very many of these other companies and softwares. So it would be useful for our committee to take a look not only at Pegasus, but also at other types of more aggressive software. I have a report from Mr. Marczak dating back to 2015 where you describe an even more aggressive type of spyware, for devices, produced in Munich. And this is called FinFisher, also FinSpy, and you yourself, Mr. Marczak, referred to FinFisher today, and these are very aggressive spywares developed and produced in Germany and exported, sold and exported to other countries, including Turkey, and Journalists Without Borders filed a case with prosecutors. And I’m interested in what you have to say, your knowledge about this issue, and whether – because we know that German journalists were affected – is there a case going on against this company? And what does the Turkish government do as well? So I think it would be useful to know who is responsible in Germany, first of all, for developing this software and selling it to very many countries. Would that person actually suffer any kind of consequences for this? Because in Europe, obviously, we’ve seen that we have our own spyware that’s far more aggressive and has been developed in Europe.
Róża Thun und Hohenstein (Renew): Thank you, Chair. Thank you for those presentations. I hope that we can count on you also in our future doings; that would be for us surely very useful and helpful. I have some central questions, one about Apple. Do you think that Apple could have protected us better, our operating systems on our phones? Could they have been operated better? And why did Apple react so late? Second is, well, governments buy those systems. But there are intermediaries. What is the role of those intermediaries, namely in relation to NSO, their role with NSO? And my next question is about the telecom operator: I mean, what is the role of the telecom operator in those various possibilities of infecting our phones or installing the system in our phones? You said that normally it’s within the operating system, within the country. But normally. But is there a possibility to infect a phone of someone who is served by a different operator, or to control someone, spy on someone, in fact, let’s say at home, and then when the person travels, continue the action? Do you know maybe how much it costs? Do various governments pay different prices? Is there a possibility to compare those prices? And many other questions. But I will leave them for the future. Thank you very much.
Jeroen Lenaers (Chair): Thank you. Looking at the clock. I’ll take two more questions in this round so we can cluster it in three rounds in total.
Bartosz Arłukowicz (European People’s Party): Yes. Thank you very much. Thank you very much, Mr. Chairman. I’m going to be speaking in Polish. I would like to ask Mr. Marczak a question. During the course of your presentation, you were talking about intermediary companies through which NSO offers certain services to their clients. I’d like to know whether I’ve understood properly. NSO carries out control and supervision of intermediary companies, or specialist other companies that it works together with once the clients have bought Pegasus. And if that’s the case, then the NSO company is one of these companies that has access to all this, the spy data, which is on these intermediary servers. And I’d also – well, I think we’ve heard that Pegasus has been used by certain – is it only by commercial companies or government agencies? Because the commercial companies perhaps could have acted as intermediary companies for governments. And then, Mr. Marczak, you also were talking about the following, i.e. that Pegasus can sort of switch off a phone or not operate if it goes onto another kind of territory. Have I understood this correctly? Is there a kind of ban on the use of Pegasus, or does it react in some way to these restrictions in other territories? And then when it comes to the use of Pegasus for services between governments, for example, government X buys Pegasus and carries out spying services for another government, and government Y purchases Pegasus and then carries out similar services on a mutual basis with government X. Do you know, have you heard about these kinds of things? And Mr. Haertle, I’d like to know from Mr. Haertle whether you know about the fact that there is a company in Poland that has been training people on the use of Pegasus. Can you give the name of this company that has been training these government agents? Is that true? So did the company buy Pegasus from NSO?
And the final part of the question: which government agency in Poland was it whose agents were actually trained by this company? Thank you.
Jeroen Lenaers (Chair): Thank you. Mr. Kohut.
Łukasz Kohut (Socialists and Democrats): Firstly, thank you for being with us, especially. Thank you. It’s working? Okay. Especially thank you, Mr. Marczak, for your and your organisation’s effort, which led Polish citizens to find out the truth about the severe violation of civil rights in their own country. And the information released in the media indicates that the NSO Group has its licence models. One of them, concerning the use of the Pegasus cyber weapon, is linked to close cooperation with the national secret service and an external company from a third country. Third country? Neither a company from the EU, nor is it a company from a NATO member country. And the EU has to remain the sole space for the European security of their citizens’ sensitive data. The situation when the private data could be exported abroad by a member state is not acceptable. And that is why I would like to ask about the exportation of private data out of the EU. Is it possible that the company still processes all data after downloading it during the cyberattack by Pegasus? Thank you very much.
Jeroen Lenaers (Chair): Thank you. Most of the questions, I think, were asked to Mr. Marczak. So I propose to give you the floor first to answer some of those.
Bill Marczak (Citizens Lab): Sure. Thank you, members, for those great questions. I’ll start off by answering, sorry, the questions about Citizen Lab’s technical methodology and the reliability of the methodology. So I will say that I’ve described part of the methodology in today’s hearing and in various other hearings of this committee. However, a full description of our methodology is available in our Citizen Lab reports on our website, and I think it’s important to emphasise that the reports that we publish, as you can read, are often peer reviewed by other organisations that have very specific expertise in this sort of spyware analysis, for example Amnesty International. And the methodology is public to read and to comment on. There have often been questions raised by NSO where they say, well, there are problems with Citizen Lab or, you know, we doubt their findings, but they’ve never raised any specific issues as far as we can tell. Neither have any peer reviewers or any of the public raised specific issues with the methodology or our conclusions. I’ll also remark that there was a recent case in the U.K. where I provided evidence in a court proceeding establishing that a target was hacked with Pegasus, and in the ruling in the case the judge mentioned, in terms of my testimony, that I was a reliable witness and that the methodology was vetted by an independent peer reviewer appointed by the court. So I guess the overall point that I would make is that there have been these sources of peer review and the methodology is public. So I would say that, in my view, it is reliable. And I think there haven’t really been any serious issues raised as to its reliability. On the contrary, there have been allegations regarding, you know, the technical precision and the reliability of the methodology.
There was another question, I believe, about the, you know, other types of spyware, specifically mentioning FinFisher. And I think the question, if I recall correctly, characterised FinFisher as a potentially more aggressive type of spyware. And I think, you know, aggressive is a hard term to define. I think in terms of technical sophistication, I would say that Pegasus is perhaps more technically sophisticated, and in terms of the customer base, I would say that Pegasus has a larger customer base than FinFisher ever had, based on our research. FinFisher, as some of you may know, this corporate entity in Germany, recently, I believe, filed for bankruptcy, sort of signalling that they’re no longer a major player in this space. And if I recall correctly, there was also an investigation undertaken, perhaps by the German government itself, looking into potential violations of export law that may have occurred when the spyware was transferred to Turkey or Egypt or other countries. So I think that in terms of the landscape of companies, FinFisher is not necessarily one of the most active companies these days, especially given various financial issues and government investigations there. There were also several questions from members about this sort of licensing and end use of spyware, in terms of, well, what happens if you cross a border with an infected phone or something like this. In general, there is this sort of basic licence that I mentioned where governments can spy in their own country. And of course, if you pay more money and NSO, or whatever company it is, approves it, then there’s the possibility to spy in additional countries. So that simply requires more money and the approval of the company to authorise the espionage in that particular country. The role of the telecom operator was another question.
And I think the telecom operator has a very limited role in most of these cases. A lot of the exploits and infection vectors that we’ve seen are through messaging apps, and they’re delivered over the Internet. So the telecom operator is, you know, delivering normal Internet data back and forth to the device. But there’s no specific role that they’re playing, as far as we can tell, in most of these cases. However, it’s important to remember that there are other types of espionage that involve various telecom networks. For example, we published a report at Citizen Lab on a sister company of NSO Group called Circles. I think we published this one or two years ago. And Circles basically tries to exploit vulnerabilities in the telecom network itself to access a much more limited amount of data: for example, tracking the location of a phone number, or recording calls over the normal phone network, not encrypted calls, just normal calls and normal unencrypted SMS messages. So it accesses a much more limited set of data than something like Pegasus. But the advantage is it doesn’t touch the device. So it’s operating only at the level of the telecom network. So that is certainly a possibility. However, with things like Pegasus and the more invasive types of spyware, there’s really, as far as we can tell, no major involvement of the telecom network. There were a couple of other questions raised; I believe one gentleman from Poland raised a question about, you know, whether intelligence agencies using Pegasus might conduct operations on behalf of each other. In other words, whether a government might spy on behalf of another government, and that government might, you know, reciprocally spy on behalf of the first government. It’s certainly a possibility. There’s limited information I can provide on a technical basis. That’s more a political question in terms of intelligence cooperation between different government agencies.
There was also one interesting question that I wanted to touch on, about the pricing of the spyware. So, of course, there are different price points for different companies, but on the order of several million euros or tens of millions of euros, depending on the functionality and the countries that are being spied on; that’s an estimate, I think, of the price. And there is price discrimination, of course, where typically it’s, you know, law enforcement agencies who pursue more limited targets that will pay less for equivalent functionality compared to an intelligence agency in a repressive country, which might have, you know, larger financial resources to devote to this sort of espionage. So we saw this most prominently in the leaked contracts from Hacking Team, where essentially the same capability was sold to the government of Ethiopia for €1 million and was sold to a European government for less than €250,000. Same capability, just price discrimination based on the type of government and the type of customer. So that is often something that we see. And of course the biggest reported deals involving Pegasus were with governments like Saudi Arabia, where there was an initial price discussed of, I think, $250 million, which I think is well above most of what the EU customers would be paying for that. And I think I’ll leave the rest of the questions for the rest of the panellists.
Jeroen Lenaers (Chair): Thank you so much. And there were also some concrete questions for Mr. Adam Haertle, so I’ll give you the floor next.
Adam Haertle (ZaufanaTrzeciaStrona): Thank you. I’d like to add to the question about the price, because we have two data points based on leaked information that is publicly available. We have a contract with Ghana from 2015 where the price was $8 million for 25 concurrent licences. It means the government of Ghana is licensed to listen to, to control, 25 devices at the same time. And once a device is no longer controlled, another device can jump into that licence. So this is a concurrent licensing model. And we have leaked invoices from the Polish case amounting to about 30 to 33 million zloty, which is more or less the same number of dollars, like 7 to 8 million dollars, from 2017. We don’t know the number of licences that was bought in Poland, but it was speculated it was about 30 to 35. So these are similar valuations for the licensing of Pegasus in this case. As for the role of intermediaries, this is a very good question, because if we look at the contract in Ghana, if we look at the invoices in Poland, we can see that the governments are not buying directly from NSO. They are buying from local companies, which is very specific to this kind of business. I used to work for a telecom company and I used to buy legal interception solutions, and they were always produced outside the country and were sold by so-called partners inside the country. This is a very popular reselling model in the IT world, where a local company is actually the one selling the solution while the device itself is from the original producer. So this intermediary role is traditional in the IT devices and IT services market. In this case, this is more important because I can say that for Polish regulations it is required that systems that are authorised to process secret information, classified information, can only be accessed by Polish citizens.
So it is required that if a system is used for legal interception, it should be certified to protect secret information. Then only Polish nationals can be the ones supporting it, training its personnel, etc., etc. So it’s even a formal requirement, and it’s also a business model. And so it is obviously used in many countries: they use local companies to actually sell those services, those products, to their customers. As for the question about the Polish intermediary, it was Matic Limited Company. We know it from documents leaked by journalists from the TVN24 station. As for the protection of our phones, whether it can actually be done better: it’s also a very good question. This is a hard problem and it has not been solved by the IT world in the last 40 years, because people producing software introduce bugs into software. No one is perfect, and it’s really hard to produce 100% foolproof, bug-free software. It is considered impossible outside very controlled environments like the aviation industry, for example, where software goes under very rigorous testing; it is very limited software and it goes through very extensive testing. And still there are bugs; they are not critical bugs. The software in our phone is very complex. It’s beyond our imagination how many work hours went into producing it and how many hundreds of people were involved, thousands of people were involved in creating it. So there will always be bugs. We should not expect that our phones will be unhackable anytime in the near future. But of course, phone producers and operating system producers (at Apple this is the same; in Android this is separate) work hard on increasing the level of complication for the attackers; they work hard to identify the bugs, to prevent the bugs from happening, and to patch the bugs as soon as possible.
Of course, we always expect the company to patch bugs faster, so if somebody reports a bug, we expect it to be patched within days, not weeks, and not even mentioning months. It’s not always the case with Apple, for example, but it’s also a question of priorities. But I guess, as far as we know, in the case of the bugs that were discovered that have been used by Pegasus and other kinds of software to infect the phones, these were patched relatively quickly, as far as I remember. Can we regulate phone producers and operating system producers, force them to patch the bugs more quickly? I guess it is possible, this is doable, given enough initiative and motivation that we can actually get the bugs patched faster. We can request them to patch them within seven days if they are being used in active attacks. It seems like a reasonable idea to force them to react more quickly to reports from researchers who discovered those bugs, especially if the bugs are being used to attack, to infect our phones. As for the bugs themselves, the question, I rephrase it: can we regulate the market for bugs? This is also a very good question. I guess it is doable. As far as I know, it has already been in some form regulated in the United States, where the researchers are under a framework that requires them to work with their purchasers under certain conditions. For example, China right now does not allow the researchers who discover bugs to sell them to other countries; they need to report them locally. So I would not be advocating for such a solution in the European Union, of course, but looking into those processes, looking into those bug discovery processes and what happens with the bugs that have been discovered, can be an avenue of making it harder for NSO and other similar companies to acquire new bugs. We will not prevent them from infecting our phones, but we can make it more expensive.
Therefore reducing the phenomenon; so making it harder will obviously help us to reduce this process. I think I’ve answered the questions I wanted to address. Thank you.
Jeroen Lenaers (Chair): Yes, thank you very much. I think most questions have been answered. Miss Constanze Kurz, if you have anything to add, feel free.
Constanze Kurz (netzpolitik.org): I think I can make it brief, I switch to German again. On FinFisher, the information is quite right. The company is insolvent and investigations are ongoing in Germany, particularly when it comes to a lack of legal authorisations. If we look back at the ten-year history of this spyware industry, we can see that sometimes insolvencies are used strategically. In the history of these kinds of businesses, we’ve seen these kinds of things happen relatively often.
I would just once again to emphasise about the current research on spyware: I think what’s necessary is more structured research on this sector. It’s not really happening at the moment.
One of the questions that were raised was what happens to the data of the espionage operation? Who can prove that it’s been deleted? In the affected state, there need to be authorities that are responsible for that. This spyware should be looked at by authorities. There are provisions that suggest that data should be deleted in the legislation of many countries. But the question is whether it actually happens. And obviously, we’re talking about intelligence services here as well. So it makes it even more difficult to know what’s going on.
I think the work of NGOs like Amnesty International or Citizen Lab, etc., is very valuable, but it’s not sufficient because it’s not enough to keep this spyware sector under observation.
And it’s very difficult to know whether legal provisions are being adhered to. And it’s not really possible to know whether technical provisions are being adhered to. In Germany, we have had occasions where these kinds of provisions weren’t being adhered to by state trojans in use. The possibilities delivered by this software should be limited by the law. But we have seen that these limitations weren’t followed in practice. So I think there are major problems here.
Perhaps I’ll just say one more thing about these security vulnerabilities. We can see how the prices for security vulnerabilities are developing. You have middlemen who are working with espionage companies and other businesses as well. So these security vulnerabilities are simply being paid for. It is a market that has been established over the last ten years, and this is something we need to deal with. The question is to what extent are we going to tolerate that market.
There was a question on getting rid of the spyware after infection. We’ve seen that not even deleting the espionage software is done properly sometimes. We’ve still found traces on mobile phones and computers after deletion.
And then a very final comment, if I may. I want to emphasise that we’re not only talking about the telephone that’s been attacked itself. There is also collateral damage sometimes for colleagues or those who are in the same place as the person who’s under attack because the microphone of the affected phone might pick them up speaking near that phone. Thank you very much.
Jeroen Lenaers (Chair): We move to our last round of speakers; that leaves six colleagues who asked for the floor: Mr. Puigdemont, Madame Riba i Giner, Madame Novak, Madam Barley, Madam Neumann and Miss Anderson. So if you keep your questions a little bit brief, we still have time for the panellists to answer. So, Mr. Puigdemont, the floor is yours.
Carles Puigdemont i Casamajó (Non-attached): Thank you very much, Chairman. Just very briefly, a lot of questions have already been answered. But just to confirm what I’ve retained from what we’ve heard. So firstly, it’s technically possible that someone can act in the user’s place, but it’s technically impossible to distinguish between what’s genuine and what’s false. And we have to be very aware and clear on that, because that can have legal consequences. There are things that are being looked at by a court, for example, and in those circumstances you have to know whether there’s any software that can distinguish between a genuine and a false case. Second point: I’ve understood that confidential data is accessible to workers at the company, so not only to public officials. I mean, most legislation states that there are people who can access confidential data because they work for the public sector or whatever. And it’s important to confirm that others can as well. Thirdly, we don’t know where the attack comes from. That’s something we can’t know. And then again, we can’t be sure if the software has been deleted from our device. That’s what you’ve said. And in your experience, I mean, does that not basically sound like a criminal organisation at work? Thank you.
Jeroen Lenaers (Chair): Thank you. Miss Riba i Giner who’s connected online.
Diana Riba i Giner (Greens): Yes. Thank you, Chairman. Very many of my questions have been asked and replied to. So thank you to the guest speakers, because they’ve given us an overall view of how Pegasus works. I have one specific question to Mr. Marczak from Citizen Lab. You explained to us how we can find out which IP or specific agent has been involved in a phone that’s being interfered with. You can find out who the operator is. So I would like to know, is it possible to find out who the owner of the operator is? If I understood this correctly, you said we can detect which country this person is in, which government of which country. So I would like to know whether you can tell us if it’s possible to find out which person, which company, which government actually controls the operator. There are a couple of other questions that perhaps have not been replied to. Saskia asked a couple of questions. Where can we find the information? We are the Pegasus Committee of Inquiry in the European Parliament and obviously we’re going to be organising more hearings. We have certain lines of action, obviously. But who would you go to ask for information? Could you give us some idea of who we can contact as well to find out this information? Thank you very much.
Jeroen Lenaers (Chair): Thank you, Miss Novak.
Ljudmila Novak (Group of the European People’s Party (European People’s Party)): Thank you. Thank you for the floor. And thank you to all the experts that have shared many pieces of technical information. I use my phone quite a lot, but I’m not aware of what other people do with my phone. Not enough, at least. So, are there any safer or less safe channels? I do not use an iPhone; I use the Android system. So, for example, is Viber internet communication safer than if I sent SMS messages over the phone? Or maybe this is not even important if my phone is infected. So, what’s safer and what’s less safe? And then a specific question. My phone number has been stolen, it seems. Somebody calls me and I see a phone number. Then I see a country: Germany, Poland. At first, I actually responded because I thought that the caller had called me. Then the person on the other side says, okay, go to your computer, you have installed software. I did not want to go there. And of course I interrupted the call, but I got other calls later. So, I would like to know, is it enough for me to just change my phone number, or should I actually change my phone, the device itself? So, what happens if you just answer the phone, if you just pick it up? Does this already mean, if I pick it up, that my phone is already infected by doing this? Thank you.
Katharina Barley (Socialists and Democrats): Yes. Thank you very much. Unfortunately, I wasn’t here right at the beginning, so I hope I’m not repeating some of the questions that have already been asked. A technical question. I understood Mr. Haertle to say that the software is able to basically get around all the protection mechanisms. And I think this refers to what Apple has introduced: if there’s an attack trying to get hold of the camera, then the light goes on. But I think all of this is sort of switched off as well. And then verification: can the software also get round verification, where you have a password verification, and get into different apps? I know that messenger services have been referred to. There’s WhatsApp, but not only them; there’s Threema, Signal, Telegram. These are all messenger services as well. Are they also affected? And when it comes to costs, I’ve heard that it’s only governments that would buy this spyware because it’s so expensive. But listening to the amounts of money, I know the oligarchs have got ships that cost €6 million, some of the Russian oligarchs. So just paying out a couple of million for spyware, it’s not only governments that will pay this. So can we really assume that it’s only governments that are buying this kind of thing? And a final point on the most prominent case, then Commissioner for Justice Didier Reynders. That’s the most infamous case. Do you have any idea as to who may be behind that? Thank you.
Jeroen Lenaers (Chair): Miss Neumann.
Hannah Neumann (Greens): Thank you to all the speakers for many answers. So my questions would be more of the follow-up kind. And the first one goes to this whole question of the intermediary or proxy server. Do I understand it correctly? They tap the phone, they take data from the phone, they put it on an intermediary server to disguise who actually does the tapping, and then the information goes to whoever asked for this to happen. So my question is, I mean, is it technically impossible to store, to modify, to back up this kind of information on the intermediary server? Or do we have to take into account the possibility that whoever runs this intermediary server, as you often said, NSO itself, can do with the data whatever they want to, without us or anyone who even asks for this tapping and spying knowing about that?
Second question goes more towards the most sophisticated kind of spyware, Candiru, that, if I understand you correctly, is able to modify data on my phone or use my phone to produce other data. Is that true? And if that’s true, actually, that’s a big problem also for our political work, because I remember inquiry committees where we rely on emails or messages sent by one person to another as evidence of what they did or did not do politically. And if now we are actually in a situation where people can produce fake data and evidence with our phones without us knowing it and being able to prove it, I mean, then we are totally lost also in terms of our control function in Parliament. So is that in theory possible with software such as Candiru?
Third question, so I understand it correctly: if you just pay enough, NSO spies on everyone, not just people with phone numbers from your own country. I have different information about NSO practices, so either in their statements, and that’s what they said in the beginning of the revelations, they said, but we would go through every request and assess according to our ethical criteria if that person can be investigated or not. But now, if we ask them on specific cases, they would say, well, I mean, we are just the server, or the messenger, we are not interfering with that. So do they have standards, or international standards like that one? And the last question, and I am sorry: Turkey could detect very early on attacks by the UAE on its citizens and stop them. Why were EU member states’ services not able to do that? And the last question relates to that. So we’ve spoken a lot about these private companies that do spyware and surveillance. We know that some states, namely the USA and also France, have state-owned surveillance, and we haven’t talked about that today. Are we not able to detect that? Are we able to detect that? Do we have knowledge about that? Do they function the same way? Is it a totally different functionality? Do you look into these cases as well, or do you as researchers only focus on the private ones?
Jeroen Lenaers (Chair): Thank you, Ms. Anderson.
Christine Anderson (Identity and Democracy): Yes. Thank you very much. Some of my questions have already been asked, so I can be extremely brief. I would like to pick up on the question raised by the colleague, which I don’t think has been answered. Does infection by the spyware, or any kind of spying, have symptoms that could be identified by a standard user, i.e. that the phone is slower, that the battery gets used up more quickly, those kinds of things? And Mrs. Kurz, you were just talking about the problems of removing the virus from the phone. And what about user data? Now, do you have to completely reset the phone? Or when you made that comment, did you mean that it was a completely new installation of the phone, a so-called flashing of the phone? No? But then it leaves traces of itself. But is it possible to completely protect your device, or would the spyware be able to find a way around a new installation?
Jeroen Lenaers (Chair): So that would mean, I would say, 4 minutes for each panellist, because otherwise we’ll lose the interpretation service, and that would be a pity. Since you have not had the honour to start yet, I would open the floor with Mr. Adam Haertle.
Adam Haertle (ZaufanaTrzeciaStrona): Thank you. I’ll be brief. If you believe your phone is infected, no apps, no communication is safe on that phone. You cannot detect it on your own. The easiest way is to actually replace the device; flashing, updating the software, there are signs that advanced spyware can survive that. So if you want to be sure that your device is not infected at the moment, you just sell the old device and buy a new one, and keep it on the most recent software that is available for your device, and let the device be as recent as possible as well, because it makes it a little bit harder to do. In fact, the newer the device, the newer the software, the fewer bugs, the fewer vulnerabilities are available. So if you want to check if there is software to communicate in a more secure way, it doesn’t matter whether it’s Viber, Telegram, Signal, WhatsApp, whatever. Whatever you have on your phone, or whatever you can see on the screen of your phone, can also be seen by the spyware operator. On the technical level, at least some less popular communication apps are not served out of the box, but the capability can be purchased, can be built.

So is it that only governments are buying the software? As far as we know, yes. As far as I remember, in Mexico there was a case where it was suspected that the users of the software were not the government but local gangs. But I believe it’s like this: if the government is corrupt, then access to that tool can also be bought by someone rich enough. But as far as we know, NSO has not been selling directly to any entity other than governmental entities. Of course, under consideration is which governments these were and what their democratic culture and approach was.

Can this proxy server be a source of data for NSO? And can you protect it in a way that it will not be accessible to the producer of the software? I guess not. It’s technically infeasible to protect a server in a way that the data will not be accessible. But above all, we have no control over how it is configured, how it is used, how it is used in production. We have no overview, we have no oversight over this process. So it will require an independent party, an independent trusted party, that will actually verify at least the access to the server, to check if anybody took the opportunity to get this data or not. So without that, without an external process, we cannot answer that question.

As for a very good question about spyware used by other countries: Pegasus and other tools are bought by countries that have not enough capabilities to build their own. So there are countries which do not need to purchase Pegasus, such as the USA, France, Israel, Russia, China. These are countries totally capable of building their own, and based on documentation leaked by Edward Snowden, we know that the USA had a Pegasus-like capability of listening on the iPhone a year after the iPhone was introduced on the market, already before Pegasus was even created. So I believe these are available to those countries. They are not publicly known; we have no knowledge of these tools being analysed by experts, at least no public knowledge. But we can assume these tools exist, because it’s obvious countries like that would like to have tools like that. That’s it for my part.
Jeroen Lenaers (Chair): Thank you. Mr. Bill Marczak.
Bill Marczak (Citizen Lab): Thank you, members, for those questions. So there were, I think, a couple of questions addressed specifically to me. One of them was just this notion of doing attribution back to a particular government, or finding out which country the operator is based in. And as I explained a little bit earlier, it’s technically challenging to prove which country or which government the operator is in using technical means alone. There is this sort of deductive reasoning you can do: if you identify an operator that is spying only on in-country targets, maybe you can make the deduction that this is country X’s government, because of the default licensing model of Pegasus.

There was also a question about how to take some of this investigation further, who to contact, where additional sources of information might be. There are two ideas that I’ll point out as potential further avenues of investigation. So the first one that I alluded to earlier is that there are indeed EU-based server rental companies, cloud companies, that are being used in some cases to host some of these intermediary servers. So presumably, there would be some information that those companies could potentially provide. Additionally, as has been mentioned by several panellists, EU governments are of course users of Pegasus; there are customers of Pegasus in the EU. And my suspicion is that, if you’re thinking of EU members, it’s probably a little bit easier to list the members who aren’t customers than the members who are customers. And based on what we see in other places, the likely mix of customers is probably some intelligence agencies, but probably also some police agencies as well. So potentially there would be some information that those agencies would have on the operation of the spyware. And they might have the servers on their premises, of course. Whether it is politically feasible to investigate that, I’m not sure. But from a technical perspective, there might be information there.

There was also another question about the sort of geographic authorisation, and who might be authorised to spy, for example, on certain EU member states. And of course it is possible that a foreign government, in fact we have seen foreign governments, conduct espionage in the EU. For example, there were cases in the Pegasus Project, I believe, of an operator that was suspected to be Rwanda that had authorisation to spy inside Belgium. And, of course, there are other countries; we’ve heard about Morocco in the Pegasus Project quite a bit. And essentially it is the case, as far as we can tell, that if a customer pays enough, NSO will kind of let them spy, not necessarily everywhere. They have mentioned some limits. For example, customers can’t spy in Israel unless the customer is based in Israel, and customers can’t spy in the United States unless the customer is based in the United States. But other than those sorts of limits, from what we’ve seen, I don’t think there’s any evidence that there are limitations beyond that about where customers can spy. Now, of course, there have probably been changes and updates, and maybe there’s more targeted, there’s more functionality, perhaps, for blocking certain targets. You know, we’ve seen revelations that have been politically damaging to NSO Group, for example the revelations of spying on U.S. diplomats in Uganda. So potentially, if there aren’t necessarily features, there are definitely, I’m sure, thoughts about how the targets can be more carefully detected when a government tries to target them, to see if the target should be targeted or if they shouldn’t be targeted, with a view that certain targets could cause political embarrassment or political problems if they’re revealed. So that’s one thing to keep an eye on.

As for the question about Candiru: yes, it is possible for Candiru to make some very innovative use of the computers that are infected, shall we say. And one of those innovative uses that we described in our Citizen Lab report, and Microsoft described in their companion technical report to our Citizen Lab report, was that when a computer is infected, the cookies can be used directly on the computer to send messages as logged-in users directly from their computer, in a way that’s very difficult to prove that this was done. So, yes, it could lead to emails or Facebook messages, etc., being sent from that person’s computer when they did not, in fact, actually send them. And so that is, of course, quite concerning, and something to keep an eye on. But I will say that it is extremely hard to build spyware that leaves absolutely no traces or no evidence of infection. So there might still be a possibility to establish that a computer or phone was infected, particularly if there are up-to-date or recent logs of the activity, either on that computer or of the computer’s network traffic. And those sorts of logs could potentially even help detect spyware beyond Pegasus. For example, there was a comment about nation-state or government spyware developed locally by, say, the USA or France, which has not yet necessarily been publicly captured or analysed. Two of the main groups that work in this space, of course, Citizen Lab and Amnesty Tech, or Amnesty International, are not necessarily in touch with the types of targets that the U.S. or France would be hacking directly. You know, we mainly focus on civil society in certain countries, but I think that a similar methodology could detect those types of spyware, too. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Bill Marczak. And I’m sorry, we’re running out of time. I’ll give the floor for the last words to Constanze Kurz. Please. I ask for a little bit of support, hopefully, from the interpreters, who stay a couple of minutes longer, to also let Constanze Kurz do her last remarks in German. Thank you so much.
Constanze Kurz (netzpolitik.org): Thank you again for the questions. I will switch to German again. First of all, I’ll just talk a little bit about deleting. This deletion is part of the command and control server. It’s an attempt to delete from a particular device. This doesn’t necessarily succeed without a trace. The manufacturers of this kind of software make mistakes. There are flaws. I don’t want to repeat what has already been said by other speakers. Let me simply say we know quite a lot about NSO, technically speaking, and about the legal aspects as well. We’re talking, however, about a great deal of political pressure which is at play. I would suggest looking at other companies that you know less about, because there are many of them.
Now, there was a question with regard to iPhone, Android and what is safe: messengers, SMS, iMessage, WhatsApp? The spyware here always targets applications that people like to use. But there are also niche products. If you want to go for one of those, it might be a good idea if you want to avoid some of this hacking.
Now, other questions with regard to the hacking business. The big companies reside in the U.S., France and the U.K. as well. But there are a lot of smaller vendors in other countries that are also developing quite a lot of equivalent spyware that is available. So we should bear that in mind as well. And finally, thank you very much indeed to the committee for having invited me.
Jeroen Lenaers (Chair): Thank you. I think we must have set some sort of world record for posing and answering questions in one hearing. So thank you very much. I could not have done this without the help of the interpreters, so thank you very much also for staying a bit longer. Thank you very much to our three panellists for the very elaborate information that they have given us today. I can only imagine that in the course of our investigations as a committee, new questions might come up, and we can also always consider doing another one of these sessions further along in the year. But thank you very much for now. Our next meeting is going to be on the 13th of June from 3 to 6:30 here in Brussels. And I look forward to seeing you all there. Thank you all very much.