Am 21. Juni hat der PEGA-Ausschuss eine Bestandsaufnahme der Spyware-Anbieter in der EU getätigt. Ziel der Anhörung war es, die Expert:innen zu hören, um eine Bestandsaufnahme der aktuellen Landschaft der Staatstrojaner-Anbieter in Europa zu machen.
Von der Anhörung gibt es ein Video, aber kein offizielles Transkript. Dahere veröffentlichen wir ein inoffizielles Transkript.
- Date: 2022-06-21
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
- Experts: Edin Omanovic (Privacy International), Stephanie Kirchgaessner (The Guardian), Dr. Ben Wagner (TU Delft)
- Links: Hearing, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editor: Emilia Ferrarese
Stock-taking of EU spyware providers
Jeroen Lenaers (Chair): And now, without further ado, I immediately jump to the next point because we are running horribly late, which I take full responsibility for. We move to the hearing on the stocktaking of EU spyware providers. We have three speakers who will intervene today remotely. Mr. Edin Omanovic, who is the advocacy director at Privacy International. He leads the research on export controls and investigates transfer of surveillance technology. We’re also pleased to welcome Stephanie Kirchgaessner, who is the Guardian’s U.S. investigations correspondent. And last but not least, we’ll hear from Dr. Ben Wagner, the assistant professor at the Faculty of Technology, Policy and Management and director of the AI Futures Lab at DU Delft. You will all have the floor for 10 minutes for your introductory remarks. Please also feel free. And I guess you were in a position to follow the first part of a meeting to reflect on those exchanges we’ve had as well. So I first passed the floor immediately for 10 minutes to Mr. Omanovic and to all three speakers. My, my sincere apologies for the delay in the programme. You have the floor, Mr. Omanovic.
Edin Omanovic (Privacy International): Thank you so much. If I may, I’ll maybe just kind of respond to this afternoon session. I’m left feeling somewhat con-fused, to be perfectly honest, but also very impressed.
Jeroen Lenaers (Chair): Colleagues, could we get some silence in the room, please. Thank you. Please.
Edin Omanovic (Privacy International): I think what we saw today, we heard that the Pegasus revelations were completely incorrect. Yet we also heard that they shut down certain customers as a result of those revelations. And it was claimed with absolute certainty that some certain customers, some certain people weren’t actual targets of Pegasus. And yet we also heard that they have very limited ability to actually investigate their customers use of that technology. We heard that NSO cooperates with investigations. Yet we also know that they haven’t cooperated with the authorities in Mexico and still don’t. And yet we also heard that the refrain from certain customers that are presumably iPhones. Yeah, they were happy enough to sell their technology to Saudi Arabia and were under no illusions as to what kind of regime was in place in Saudi Arabia. And we also know that even after they stopped providing support to Saudi Arabia, that they actually went back after a certain period of time. So I’m somewhat confused by the testimony and also somewhat impressed that they managed to make it out without trying. So well done to him. And I think there’s a lot of stock being put in at the Ministry of Defence’s export control procedure in Israel. I wouldn’t say that’s completely irrelevant, but I would say it’s close to irrelevant. And just because something is controlled doesn’t mean that human rights are going to be protected as a result of that. In fact, when Amnesty took this to court, we are still unable to see what kind of human rights assessment Israeli authorities takes, what kind of tests, what kind of evidence it has collects in front of it to know whether or not to approve a licence. What we do know is that the Ministry of Defence has consistently privileged intelligence, diplomatic and economic interests over human rights interests. The Israeli Ministry of Defence has approved exports to Myanmar. South Sudan are used in the Commission of Grave Human Rights. And we also know that it continues to approve exports of surveillance technology to regimes, for example, across Central Asia that boil people lives. So I don’t think we can put that much stock in the fact that the technology is licenced, to be perfectly clear.
So and to kind of get on to the global surveillance industry, I’ll try and be quick about this to go to the first side. So really, what do we know? Unfortunately, it’s not very much. As we heard from today, the companies continue to kind of throw vague and reasons around commercial secrecy and national security. I think not just because it suits them to avoid scrutiny, but also because I think it would kind of revealed just how easy it is to hold them accountable. And I want to kind of go through that today. So it’s failure of the type. Dinosaur’s Tales is really just one type of surveillance technology being sold by hundreds of companies around the world. Our last systematic review in 2016 found over 500 of them, and these are the ones that sold explicitly surveillance technology for government and users for surveillance of these companies. This they are full spectrum of tools ranging from spyware, also techniques that Mr. Gellman alluded to which take advantage of vulnerabilities in telecoms networks to spy on people anywhere. Two huge Internet monitoring tools which sweep up Internet traffic nationwide. Reliable. So while I think spyware represents probably the most invasive tool, even something as wiretap and technology basic as wiretapping, technology poses huge risks without appropriate controls. For example, we saw wiretapping technology being used to intercept the calls of diplomats in North Macedonia. I think it’s important to keep these kind of technologies in mind and the broader surveillance industry, especially if you consider regulatory and policy options, because the usefulness of these is highly dependent on the type of actor and the technology that they sell. So next slide, please.
When it comes to spyware, a real kind of basic level. You actually have commercial companies who sell relatively sophisticated spyware to non-government users for things like spying on your spouse or employees, but which can be used quite effectively. So for example, so it’s an ally of Anonymous to have reported that kind of commercial off the shelf malware has been used to target journalists and activists in India. So these kind of companies are really separate to this relative relatively specialised industry consisting of relatively few companies that market them for governments such as NSO. So these are mainly headquartered in countries with large intelligence agencies like Israel. But really that doesn’t tell the whole story and is so good. For example, have subsidiaries and holdings across Europe and the wider world and even export from some EU member states. Related to these are companies which specialise explicitly in developing exploits and which are then bought by spyware companies and used directly by intelligence agencies. But they don’t provide, for example, and training or updates. And then separately, you also have mercenaries who can just pay to hack into targets for money, or they are state sponsors. So for example, it finds persistent threats. And then it’s important to distinguish these types of companies from those which don’t actually sell any hardware software, but will carry out surveillance as a service. So I think there’s probably unknown thousands of these operating worldwide in hubs like London and you might imagine private investigators in trench coats, which is why a lot of them are. But they’re also now multinational companies made up of spooks that work for corporate as well as government clients. So I think last week the representative from Facebook talked about a company called Black Cube, and recently their employees were sentenced in Romania for at the behest of a senior intelligence official attempting to hack into the emails of the country’s head of anti-corruption and who is now the EU’s chief prosecutor. Next slide, please.
So yeah, with regards to the types of companies who sell spyware as software and then the training and the maintenance that goes with it, I would say actually, in fact, it’s relatively few of them that have been reported less than 20 active, though likely there’s significantly more given that we only know about these through the investigative work of journalists and groups like censorship and Amnesty. And I think the fact there is relatively few of them is actually a huge opportunity here. And I think it makes taking action against them actually quite a bit easier than the committee and anyone would actually imagine.
So if you go on to the next slide, please, I would say these are some of the most urgent reforms.
So first, the EU should use the sanction powers already available. So the EU already has some of the world’s top researchers singling out NSO Group and others in these abuses. If these companies don’t meet the criteria for targeted human rights sanctions, then really nobody does. So these need to be used in the same way that the US has already passed equivalent measures to hold these companies accountable and to really send a strong message to the others.
Secondly, the EU Member States and the Commission need to actually implement the dual use regulation. So after a decade of negotiation, reform to this regulation was agreed last year, which really governs the export of many of these tools. These no need to be implemented to actually stop exports to regimes that would use it in violation of human rights, and then make sure that all member states actually report on the exports that they have approved and which ones they’ve denied, similar to, by the way, what they’ve been doing with regards to arms exports for years. This really go a long way in not just increasing transparency about the industry, but also mean that the public parliaments and oversight bodies are able to really scrutinise this decision making.
Third, EU countries need to ensure that any procurement of surveillance technology is subject to sufficient safeguards. So, for example, by ensuring that there is we go, that any use as we go through necessary and proportionate and that is transparent. So that again, oversight bodies and the public know which powers governments are using. We heard earlier today that NSO group likely has customers in up to 50 countries. Yet we only know of a handful of countries that actually have laws which specifically govern the use of spyware. And we would argue even these failed to meet the requirements of international human rights law. So it’s obvious and apparent that these tools are going to be abused because there’s no legitimate and no legality in place to actually govern their use.
Fourth. And this one’s too important. Device manufacturers and the software vendors should extend the life span of devices and software they produce and sell for as long as reasonably possible until customers when updates will stop. So ultimately, for all people, you don’t need really sophisticated zero day exploits that are worth millions to target them, especially when most people can actually afford the latest iPhone. Most people don’t actually update their software religiously at all. And this would go a long way in protecting people around the world, and particularly people who are some of the most vulnerable.
Fifth. EU bodies need to reform leverage and condition their support to non-EU countries to improve human rights protections. So unfortunately we’ve seen EU support being provided for training and equipping intelligence and police agencies around the world and surveillance techniques for things like stopping migration to Europe. The end result of this and what we’re going to have is a neighbourhood of entrenched authoritarians around Europe’s borders who will not only know how to use this technology to target their own people, but they’ll be able to use it to target Europeans as well. So these programmes need to be reformed to not only stop support and surveillance practises which pose a threat, but to improve protections through things like legal assistance and provide support to civil society and regulatory groups who are trying to keep some of the most abusive spy agencies in check, essentially on shoestring budgets. Final site, please. Yeah.
I just want to kind of finish by emphasising this is really about more than just one company or even about the industry. Feeling tax will be disastrous for you and its people, not just leaving them vulnerable to some of the most intrusive surveillance ever seen, but also undermining the EU’s own vital interests. So the EU and its Member States spend billions on things like supporting rule of law journalists and protecting human rights around the world, all of which are being jeopardised by the likes of NATO. Now, given the rise of countries like China in the technology sector, there’s really no shortage of companies and countries who want to sell surveillance. And whether you like it or not, the EU is actually in a race with these countries who are exporting their technology and really with it their vision of what the future of the world is going to look like. So I think the real question here is what should the role of the EU be here? It could do nothing or it could actually do worse and join them in a race to the bottom that essentially promotes authoritarianism, a time when democracy is in retreat around the world. Or it could support efforts to blunt the impact of this industry by ensuring that protections are in place. So let’s kind of finish up there. I want to emphasise this is an absolutely serious problem and much more serious than just one company. But the solutions are there. We already have the evidence. We know what needs to be done. The EU has the power to do it. The only thing that we’re not sure about is if the political will is there and if the EU is able to stand up for its interests or just watch them be destroyed by what is a mercenary surveillance industry. So with that, I want to thank you and I look forward to any questions.
Jeroen Lenaers (Chair): Thank you very much, Mr. Omanovic. I immediately pass the floor to Ms. Kirchgaessner. You also have 10 minutes. Also remotely connected.
Stephanie Kirchgaessner (the Guardian): Hi, my name is Stephanie Kirchgaessner and I am a journalist with The Guardian. I’ve been a journalist based in Washington, D.C. I’ve been a journalist for 22 years working for the Financial Times and The Guardian. And since I’m speaking before this committee, I’d also point out that I’m a dual national. I’m an American citizen and also a German citizen and therefore a citizen of the European Union. Thank you for the invitation to speak about Pegasus and NSO Group, and I’ll be happy to answer your questions.
I first became aware of NSO Group and the Power of Pegasus in late 2018, following the murder of Jamal Khashoggi, the journalist and Saudi dissident. It’s an important case for you all to consider when you’re trying to understand the link between government spon-sored surveillance and physical violence. There is no evidence that Mr. Khashoggi was personally targeted with Pegasus spyware. But we do believe that the mobile phone of a close associate of his with whom he was speaking with on a regular basis, a Saudi dissi-dent named Omar Abdulaziz, who was living in Canada, was targeted by Pegasus spy-ware. And this was discovered through the good work of Citizen Lab at that time. And to this day, NSO’s said, it has nothing. It had nothing to do with the murder of Jamal Khashoggi and that it checked its records and that he was never targeted with Pegasus. What our later reporting revealed through the Pegasus project, which I’ll get to a bit later, is that Khashoggi’s wife was targeted months before he was killed and that his fiancee and other friends and associates were targeted in the aftermath of his brutal murder. And it’s important to understand that even if a person is not personally targeted by this kind of spyware, the way that it works is if you target all the individuals in that person’s circle, then you may as well be targeting them. We have strong reason to believe, therefore, that the Saudi government was fully aware of discussions and plans that were discussed be-tween Khashoggi and Omar Abdulaziz in the months before he was killed by the Saudi state. They would have heard about the two their plans to try to counter Saudi propagan-da, which is obviously a huge lever of power for Mohammed bin Salman and Omar. Ab-dulaziz has publicly said, sadly, that he believes the fact that his phone was hacked by what has been identified as a network associated with Saudi Arabia, has been linked and is partly responsible for Khashoggi’s murder.
The further I got into the NSO story, the more victims I learnt about and clients. Citizen Lab and Amnesty International’s security lab are the world’s experts on this issue and had already reported that the United Arab Emirates had tried to use spyware against a promi-nent dissident in the UAE, Ahmed Mansour, who is currently in prison. Other clients have included Bahrain, Kazakhstan, Morocco and Mexico, amongst others. I know this ques-tion has come up. I have reason to believe, based on my extensive reporting, that proba-bly most European countries have been clients of NSO group in some fashion, even if it’s quite limited, except for France, I believe, but and maybe some other exceptions. The company has always said that its technology is only meant to target serious criminals and terrorists and that it saves lives. But what researchers and journalists have found over and over and over again is that it is a technology that has been systematically abused by its clients. This abuse strips victims of the right to privacy. It also means that dissidents such as Omar Abdel Aziz, for example, who escape an autocratic regime, are never fully clear of the threat that those regimes pose to them. They can literally be followed wherev-er they have a phone.
For journalists, the use and abuse of this technology does create a chilling effect. Sources can be identified, and as long as it is known that a journalist can be targeted in this way, the vital work of journalism is stifled, which has a direct impact on our democra-cies. The extent of this abuse became evident globally in 2019 when it emerged that about 1400 WhatsApp users had been targeted with Pegasus over a two week period. I’d like you to keep that number in mind when you think about how extensive this technolo-gy is compared to some of the numbers we’ve heard in the previous testimony, about 100 of. Those individuals that WhatsApp said were members of civil society in 2020, The Guardian and its partners, our partners of El Pais, were the first to reveal the way this technology had been used against politicians in Catalonia. Specifically, Roger, Trent and two other supporters, pro-independence supporters. And this was a likely case of domes-tic espionage.
I’ll be honest that before the story was published, I was sure it would be a major story in Europe and would be treated like an earthquake. I was sadly mistaken, and I believe that this body who I’m speaking from, France, did not really take this story as seriously as it should have. That may be because there was not much sympathy for the victims in this case. But as we can see, if one political party is spied upon by one’s own country, then it’s really possible it can happen much more broadly and widely, and it’s a dangerous phe-nomenon. Last July, The Guardian and 16 other media organisations from around the world published the Pegasus Project, an investigation into NSO group that was led and coordinated by Forbidden Stories, the French non-profit. With the help of Amnesty Inter-national Security Lab, we revealed dozens and dozens of new victims and alleged victims of NSO group clients, including activists, journalists, diplomats, world leaders, lawyers and businesspeople. Unfortunately, I don’t have the time to delve into every story we re-vealed, but our stories were based on a leak of tens of thousands of phone numbers that we determined had been selected by NSO Group’s clients as possible targets of surveil-lance. The clients we focussed on included India, Rwanda, Morocco, Hungary, the UAE, Saudi Arabia and Mexico. NSO repeatedly has denied, as it did in the previous testimony, that has anything to do with the mobile phone numbers, which it said were not linked to NSO clients. Some of the people who we believe were possible targets of surveillance include a real call, the editor of the Financial Times. And we also found in our reporting that especially in Mexico and India, this was a tool that was used for the purpose of do-mestic political espionage.
I would also note that a small fraction of those phones were tested by our partners at Am-nesty International, and there was a very high correlation of some Pegasus activity on those phones that we were able to test. And there was also corresponding information because of the data stamps, date stamps, rather, in the data. That did correspond with some of that Pegasus related activity. As I mentioned, we found evidence in Mexico that NSO’s technology appears to have been used as a tool for domestic surveillance. In France, a number of French politicians and leaders, including the number of Emmanuel Macron, were in our data and also has denied that any client targeted Mr. Macron. But I’d also note that it was later confirmed by analysis that the at least one serving French min-ister, Francois Gerardi, was that his phone contained trace traces of Pegasus activity. The issue was especially egregious in the UK, where we focussed on many cases where the UAE appears to have targeted individuals. I personally focussed on the sad case of Allah Al Siddiq, a young a young human rights activist who was living in the UK and who was aware that her phone had been targeted. We have just passed the one sad one year an-niversary of her accidental death in Oxford in a car accident. But she really suffered un-der the knowledge that she had been targeted.
So I really think it’s people like a lot that we should be keeping in mind as we discuss these issues. It’s also recently been reported that Downing Street itself has come under threat of Pegasus, although we haven’t identified what number specifically within the Downing Street Network was targeted. Citizen Lab did find some evidence of a targeting using Pegasus of the highest levels of British government. Sadly, to this day, we have not heard that Boris Johnson’s government, which has a very close relationship with the UAE, has said it will investigate or get answers from the UAE about this extensive target-ing. We do believe that NSO has dropped Dubai and Saudi Arabia as a client because of the high profile cases of abuse. And it’s also been reported in The Guardian and else-where that NSO’s suggests that it can no longer that its clients rather can no longer target UK based phone numbers.
I’d also add there’s no way to confirm that information independently. More recently, Citi-zen Lab confirmed the gist of our 2020 reporting on the abuse of Pegasus in Spain by Spanish authorities. It found that dozens of Catalan civil society members were targeted and infected with mercenary spyware, including Pegasus, and some victims included members of the European Parliament’s legislators and members of civil society. There’s also often been a point made that the Pegasus technology does not necessarily work in the US against US based phone numbers. But I would note that many Americans around the world have been targeted, including State Department officials in Uganda. We have recently reported and I’ll wrap this up at The Guardian that and along with our partners at The Washington Post and Haaretz, that NSO group is in talks to sell its technology to a major US defence company called L3 Harris. Our story prompted a senior White House officials to express very grave concerns about that potential deal. And it’s one we are watching closely and one I would encourage you to ask the company about.
What’s clear is that this technology is not going away. My personal view is that there should be a robust debate about the tools the authorities need and should use around the world in legitimate investigations to thwart crime and terror attacks. However, this is not really the debate we’re having right now because the debate around NSO group is very much one of a lack of accountability and the abuse of this technology, including by members of the European Union. And there’s been very, very little accountability. So hopefully this is the good start to that. For that to change. Thank you.
Jeroen Lenaers (Chair): Thank you very much. And before I pass the floor to Mr. Wagner, if the members who would like to take the floor afterwards to ask questions about this, please indicate so during the contribution. Mr. Wagner so we can make up the Speaker’s list. Mr. Wagner, you also have the floor for 10 minutes. Thank you.
Dr Ben Wagner (TU Delft): But thanks for the kind invitation. It’s a pleasure to be here. I’d like to emphasise again that the debate we’re having right now is possible because of the great work of civil society journalists and researchers who’ve made this debate possible. And I’d also like to accurately what’s been said now by the previous speaker, Stephanie Kirchgaessner. If we ignore victims of surveillance today, we will inevitably ourselves become victims tomorrow. And sadly, as I believe I have to show in this presentation, we have quite a long history of doing this. I could go to the next slide.
Over the last ten years, this is very briefly an overview of the last ten years of the regula-tion of surveillance. And I think the regulation of piece by piece of the global surveillance ecosystem. Then we’ll talk a little bit about the global surveillance ecosystem itself. And then the next ten years of the surveillance regulation and the surveillance ecosystem. So briefly, who you know, who’s talking to you? My name is Ben Walker, and I’m a professor of media, technology and society and director of the Futures Lab at Team Delft. And I’ve been working closely between the technological and the social science side to try and understand how we can talk about global surveillance in a slightly different way. Next slide, please.
So if we look at the last ten years, for me, this is quite interesting because almost exactly ten years ago to this day, I gave a presentation about exactly these technologies in the European Parliament to a different committee. At the time it was the to our subcommittee about a report that we prepared. And all of the recommendations that you’re discussing now and on the table were already on the table them. However, what is interesting about this report is it was focussed on the EU’s external policies, so it was focussed entirely on trying to communicate to the outside world how the harms that were being created by these surveillance technologies were having harms across the world.
If we go to the next slide, we can see that both in Syria extensively surveillance technolo-gies were used, as you’ve already heard in the terms of Jamal Khashoggi, and these technologies were used at the time in a way that was clearly causing harm, clearly caus-ing great problems, but didn’t necessarily raise the interest that it should.
Now, if we see on the next slide that there has, and I’m sure you’re familiar with an exten-sive shift in the dual use regulation, this is a step, an important step that goes in the right direction. But as mentioned already by Privacy International, it has not yet been imple-mented far enough. And at the same time, it can be noted on the next slide that many other states, including the United States themselves, have gone much further in terms of blacklisting and limiting the possibilities for certain groups to engage. So what I’m basical-ly trying to suggest is that by limiting our understanding and willingness to support certain victims over others, we are going to put ourselves in the situation that we all necessarily become victims of the same global surveillance industry.
If you look at the next slide, you’ll see that it’s only the case that we actually decided to take meaningful steps in this direction after senior EU politicians were attacked after the US State Department phones were hacked. It’s only when these steps took place that there was actually a willingness to explore meaningful, deeper regulatory steps that go beyond what was already there. And this is highly problematic. You could even say we’ve unleashed an industry that we have not been sufficiently willing as Europeans to regu-late, and now we’re seeing the consequences of that.
This is a slightly British influenced slide, the next one, but I think it’s clear that in many ways the global surveillance industry is coming home to roost, even if it’s not just causing problems in Europe, it’s also causing problems in the rest of the world. So if we look at the global surveillance ecosystem and try and understand it, we have to also acknowledge that it’s very broad, very wide and has grown to the point that it cannot be regulated by any one actor. Now, the Pegasus Project and many of the other aspects that you’ll be dis-cussing here are just a small aspect of that project. But what’s unusual about this specific type of spyware compared to other types of industry, if you could go to the next slide and then the one afterwards is that it’s actually a publicly funded surveillance ecosystem. So that is an enormous possibility and an enormous opportunity for public sector stakehold-ers to have a meaningful impact on this industry. So let me reiterate again, this is a list now of the clients of hacking team, one of the now slightly less active European spyware providers. This is public taxpayer money exclusively going to spyware providers around the world, but also going to the NSO group. And this is not just the case in Europe, it’s the case in the whole world.
And if we go to the next slide, we see that the list continues. It doesn’t stop. It doesn’t in any way limit itself to just the European context. But it should be clear that this is taxpayer money being used to fund a surveillance ecosystem. Now, if we take this for the next ten years and try and meaningfully interpret what? It means. What I should be very clear is that if we allow this surveillance ecosystem to exist, as we allowed it to exist around the killing of Charlotta Shoji, if we allowed it to exist around the context it was being used against Syrian activists and dissidents, then not just Jamal Khashoggi will be vulnerable, but also the president of France. And this equilibrium may seem a little bit strange or con-fusing or perplexing, but it’s this ecosystem that’s without regulation, without limits, and with also without prevention will inevitably engulf all potential clients because potentially clearly, as we’ve heard from the many revelations that have been made again and again about Pegasus and about many other forms of spyware, anybody can potentially be a ter-rorist and at least be considered a terrorist in the context that is being used. The state-ments that have been made by the company in the previous session are almost too ab-surd to take seriously. And it’s made in a way that either big tech is blamed for protecting their customers. The technology should be just considered neutral without obvious, clear harms being considered, and regulation needs to be put in place by governments. This is basically acknowledging that they have moved into an area where there is insufficient regulation and make money off of it. The only challenge, of course, from a European con-text is that we expect redress from an Israeli company. And I would encourage you to also invite all of the clients of this Israeli company to the European Parliament. Where was the Polish Interior Ministry? Wherever the German police, wherever the many other docu-mented clients using these and justifying how they use them and why they use them. I don’t think we can expect private companies from outside the EU to solve the problems that are created, not just outside of Europe but also inside of it.
And this also goes if you go to the next slide, to the wider challenge that I think we face. What essentially is happening is we’re taking short term security gains as European soci-eties and say in this case, it’s an emergency. We desperately need this type of surveil-lance because life is in danger. And then again, life is in danger. So again, we create these short term, potentially even true security gains. But what we create in the long term is an ecosystem that is publicly funded and that is essentially vastly, significantly unregu-lated, and that causes huge problems in the long term because it makes any actor in Eu-rope potentially available. And of course, sooner or later this will be misused, whether it’s in election campaigns, whether it’s in so-called corruption cases. And again, while some of these may be used in legitimate contexts, there is a real serious issue with the way in which we understand and interpret what are legitimate uses for these technologies. And unless not just we have that conversation, but we also establish clear guidelines that are not governed by private companies, but by public authorities instead. We will struggle continually to get to a situation where we actually have control and meaningful govern-ance over the surveillance ecosystem. Now, on top of that, as already has been men-tioned, but again, I want to emphasise there is no protection or redress for those harmed. So this means that even some of the worst harms that we can think of. Edin Agranovich just already mentioned numerous of the challenging human rights situations that human rights defenders across the world. And here we’re just again, a few short examples. There are many more than you could list on one slide. Why is there no mechanism by which we can ensure that those harmed by these technologies receive meaningful redress? We still assume in some way in our regulatory frameworks that the designation of terrorist or oth-erwise problematic individual that is being spied on is somehow legitimate and that there should be no meaningful redress for these individuals. And that assumption means that the victims of surveillance receive no redress and no protection, even after it’s been acknowledged that the surveillance was illegitimate. So don’t just want to provide prob-lems, but also a few suggestions on potential solutions. What can we do about this? Next slide, please.
So. I applaud the European Parliament for creating this committee. It’s extraordinarily im-portant to this point in time to take this form of surveillance seriously. But we need to talk about the whole surveillance ecosystem and not just the Pegasus spyware. We still live in a situation as in Omanovic and many other speakers have already mentioned. EU funds should never be used for surveillance technologies and yet they are consistently. We can also talk about in of a surveillance ecosystem that as we’ve heard, is not particularly large, that if you think about surveillance as a form of pollution in society, you would also want to prevent investment to it and similar that you would also want to prevent investment in carbon products, for example. This is a technology that can only be invested in in very limited circumstances. And even then, as it pollutes society and causes these problems, making everybody potentially available, the human rights violations are so great that we need to consider that in a meaningful way. At the same time, there needs to be mecha-nisms that prevent European governments who clearly have a strong interest, as we’ve heard from journalists, possibly most European governments, from purchasing these sur-veillance technologies, from purchasing them. It would be quite comparably easily possi-ble compared to perhaps other regulatory frameworks, that tariffs are introduced for pre-cisely these surveillance technologies to ensure that if they are purchased, we also can use these tariffs to create resources for the victims to be provided with redress, to ensure that if they do become victims of these surveillance technologies, their limitation of the human rights and the harms that created them could at least be both studied and under-stood, but then also redressed in a meaningful way. And I think those tariffs could provide an extraordinary opportunity to that. At the same time, as we have heard again from many other speakers, existing dual use controls are insufficiently transparent and are not suffi-ciently implemented in a way that would acknowledge that these technologies are not just some random technologies, but they cause active, meaningful harm on a day to day ba-sis. And finally, in terms of mechanisms to provide redress, we have I mentioned already heard extensively from other speakers. But again, redress is a huge problem. And finding resources for tariffs, fines or other mechanisms to meaningfully provide redress to victims is important. Since this already is not taxpayer money wasted on these products, I don’t think there should be more taxpayer money wasted on it, but certainly tariffs and fines could be a mechanism to provide resources for that and to keep in mind that there are al-ready European programmes in place, either through NPR or through the Freedom Alli-ance Coalition Digital Defenders Partnership, that are systematically there to protect and promote the support of those who are already most vulnerable to attacks. Those are the individuals sure to be hearing from, and those are the individuals where we really need to think about how we can support them more. Rather than allowing an Israeli company’s definition of who is a reasonable surveillance target, as we’ve seen, basically anybody to be considered a consistent and meaningful way of governing the global surveillance in-dustry. Thank you very much for listening last night.
Jeroen Lenaers (Chair): Thank you very much, Mr. Wagner. So far I have on my list Sophie in ’t Veld, Karolin Braunsberger, Ms Pelletier, Saskia Bricmont, Róża Thun, Mr Puigdemont. So I would say we do one round, we group the questions and then we give our guests the possibility to respond. I mean, I think it’s the only way to be a little bit considerate of the time frame. So I started meeting with the rapporteur. Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Yes, thank you, Chair, and thanks to the three speakers before I put my remarks and questions. Could we please get the slides in particular from the last two presentation? Because they’re very interesting. I think that as a first remark, I entirely share your concern and your frustration. Mr. Wagner referred to DEWA, where you reported two already ten years ago. Well, I was also on the 2014 European Parliament enquiry into PRISM, which was very similar and indeed I don’t think that any of the recommendations has been followed up. And as a matter of fact, if I look at the current debates around the e-privacy regulation and I also take note of the fact that a lot of people who show justified indignation about Pegasus are at the same time also those who are pushing for more a more space, more powers for governments to engage in surveillance. And in that same vein, you spoke about redress in your in your last with the last slide. I know from experience that redress exists only on paper. I have actually taken a particular member state to court over surveillance, and that was six years ago. I’m still waiting for an answer. It’s in the Strasbourg court now, but even if I get an answer in the end, if you have to wait six years, then it’s no meaningful redress. Let’s be honest.
A couple of questions. You gave an overview of the myriad of companies who are engaging in all this. And I entirely agree with you, given that it’s a commercial business and a fairly shady commercial business, I don’t see no reason why it should be publicly funded. And I would be very interested in in getting all the information on the table, maybe with help of the Secretariat, on how much funding is going into that. But so NSO is in financial trouble and they are apparently looking for a partner to take them over. And the American partner we heard about what is it, L-3 Harris But we also hear persistent rumours that Mr. Peter Thiel or to capital would be interested. We hear that Mr. Sebastian Cortes, the former chancellor of Austria, who is now working for Mr. Thiel and Palantir, that he was flying to Israel to see if he could broker a deal. And I get very I’ve made the point here before I get very worried at the sort of the combination of Pegasus volunteer and Donald Trump. I think that’s a toxic cocktail. Can you give us more information about this then, just random order of audit logs? Mr. Gelfand Yeah, I’m coming to you to. And Mr. Gelfand told us that they do keep the audits logs. But would you not agree with me? Maybe Press International that audit logs contain metadata which are personal data and therefore governed by the GDPR and therefore it would be illegitimate.
And then third last question. How do you see the likelihood or the possibility of EU governments who are not allowed to spy on their own citizens, let’s say hiring non-EU governments to do the dirty work for them, given that the spyware can be used across borders and that the only obstacle to that would be legal. But if they don’t care about legality, then do you think that they are hiring cert, uh, third country governments to spy on European citizens and maybe the Commission.
Jeroen Lenaers (Chair): Thank you. Karoline Braunsberger.
Karolin Braunsberger-Reinhold (European People’s Party): Thank you. First of all, this I’m talking in German just to warn you, this is all going in a similar direction. And what I feel is that what we’ve seen was not a neutral message. If we look at the one quote which this related to being the victims tomorrow, and I think that this is quite concerning. We have a problem and we need to get control of this problem. And they’re talking about software being banned. I think that this goes too far. Software will be used by we and obviously we need to combat organised crime and terrorism. And this is important for everybody to say that we want to control this. We want to abolish it. That’s not the right way. This is this is too much of an overreaction. Now, it would be good to get neutral information and not panic excessively. Therefore, my question is to the experts. Now when it comes to the software is are you serious when you talk about banning the software? Obviously, it’s important to be informed in advance so that when we’re talking about the security agencies. Obviously now obviously in intelligence agencies need to be able to ensure security. Thank you.
Jeroen Lenaers (Chair): Thank you. Róża Thun.
Róża Thun und Hohenstein (Renew): I am somewhat astonished about what I have just heard. But back to our three speakers. Thank you very much that you were today with us and shared with us your immense knowledge and experience and what you and the conclusions that you draw from everything that you observed. And so and I am sure if you followed our meeting with and I saw Representative, I am sure that you also have the feeling that we do that there is no control whatsoever over this myriad that has infiltrated myriad of spyware that are that pollute, pollute Europe. Let’s concentrate on Europe. And now this is really I mean, you didn’t say that directly, but when you think about those positions from Saudi Arabia or other countries under dictatorship and their surrounding was back to, well, we can discuss, in fact, taking part or somehow participating in horrible criminal deeds. And this by. By devices that should protect us against criminal deeds. So this whole evolution is worse than anything that Orwell could have imagined. And now we are here in order to prevent it for the future. And I’m very happy when I hear from you that we should be tougher with the regulation that we must regulated, that we must stand firm, protect the European citizens about against this kind of harassment that we all experience here directly or indirectly. And in addition to that, we pay for it because this is our taxpayers money and we have no control whatsoever. But in order to control it and this is, in fact, our duty in order to control this surveillance in many cases is illegal. Well, do you have a clear hint or suggestion? What if you were on our place? How would you propose to control it? Thank you very much.
Jeroen Lenaers (Chair): Thank you. Saskia Bricmont.
Saskia Bricmont (Greens): Thank you very much to the three of you. And I must say that you provided us again with more information through three speakers in a few minutes, then more than 2 hours hearing of. And so that didn’t provide us with satisfying answers like total lack of transparency. And I think it just gives us even more reasons to go for a strong regulation. But I heard also from you that regulation and especially from Mr. Wagner wouldn’t be possible because it’s so big. It’s so broad’s so could you please come back on what you said? Just what do you think? As members of this House, how could we possibly regulate, if it’s possible at all, in your view, or if we would, if we should go further? I would say that hearing and so earlier, I would immediately, again, plead for a moratorium on the possibility for this company to sell its spyware technologies and go for a possible ban. To me, the proportionality between the means, the objectives of such spyware, saving lives, and I hear from the left side here in this house that some seem to try to legitimise this. These words is, to me shocking when we see the amounts of impacted people and potential impacted people. And as you rightfully mention, all this with public money, with a total absence of accountability from both sides, companies and governments. So, yes, I would like you and maybe the other guests also to dig a little bit into this, into your recommendations and how to really have an efficient regulation and if it’s possible at all. Because I heard also NSO saying we need international regulation. Okay, fair enough, but we’re not there yet. Coming at EU level, how can we be efficient by doing so? And also on the question of redress, because you rightfully mentioned that there’s no protection or redress of the current people. And as you mentioned, there’s this whistle blower possibility, but of course, it’s also relying on the governments themselves. And so there to if you have any recommendations, I would be interested to hear them. Thank you.
Jeroen Lenaers (Chair): Thank you. Anne-Sophie Pelletier.
Anne-Sophie Pelletier (Left): Thank you, Chairman. And I think experts, for everything you’ve heard. I think you’ve given us a lot more food for thought. The end. So person who spoke before you did. Now, according to you, this spy software is mainly done for by governments, or is it essentially for private people? And secondly, is this contributed to Pegasus of the European organisations to damage civil society? Which other stakeholders in the EU and the whole world can we support here within this committee to help us to contain together Pegasus and others like them?
Jeroen Lenaers (Chair): Thank you. And the last speaker on the list, Monsieur Puigdemont.
Carles Puigdemont i Casamajó (Non-attached): Thank you. A very specific question. You have shown us various extremely useful recommendations, but after the following the session with the NSO Representative, we got a question to ask you. Wouldn’t it be useful to add as a as a recommendation, we’ve got to learn how to classify in order to have the possibility to have an investigation on the part on the abuse of software. It’s basically it’s the chicken and it’s letting the fox to the henhouse, because here NSO would fulfil an investigation where he’s going to show that that product that is being used is being abused. So it’s not perfect. And secondly, it’s going to act against a customer who could stop temporarily being a customer. We’re talking about customers because they’re paying money. They’ll have to look for somebody else so that they’ve don’t have a big interest in punishing a potential customer. So my idea of following this experience, it’s not the right time for independent authorities with independent experts. I have the responsibility to carry out and deliver fulfil a type this type of research dossier. We can’t trust NSO. So could we may be something that the institutions or a really independent body could be in charge of carrying out this investigation so that we can see whether there has been a violation or an abuse by the part of the client.
Jeroen Lenaers (Chair): More to our three guests. There were quite a significant amount of questions and not much time left. So I would ask you in the in the same order to try and as brief as you can reply to the questions, if you would take about three or 4 minutes, maybe max, and then hopefully we can have all the answers also still interpreted. So please, Mr. Omanovic, I give you the floor first.
Edin Omanovic (Privacy International): Thank you so much for those questions on the funding point. And I would definitely highlight the fact that a lot of these customers apparently are European countries and also a lot of EU research money goes to the sector. So for example, the Horizon projects and give millions to surveillance companies and also companies which own spyware companies. So for example, Elbit in Israel has a product called Save on a subsidiary called Cyber Bitte, which produces spy-ware. So that’s definitely something else to look at with regards to the audit logs. Again, it’s just one of these kind of imaginary documents that we don’t actually know why. It looks like there’s no way to verify what the statement and that was made, whether or not it’s accurate. We don’t know what information is there. And there’s kind of a pattern of promises and compliance measures that were made today that we have no actually way to scrutinise or to comment on because we don’t know what it is and whether or not this technology should be banned. So and I mean, what smarter people and lawyers, perhaps international, have looked at this and basically concluded that it would be very difficult to ever argue that given the intrusiveness of this technology and the security threat it poses, they would ever meet the requirements of international human rights law, principally around legality and necessity and proportionality. But there are some things that you could do to try and, for example, improve safeguards and protections. But of course, there’s a need for all kind of measures to be made to kind of stop terrorism and those who mean us harm. The evidence, however, particularly with regards to NSO, suggest that it’s being used, for example, against investigators who are trying to investigate the massacre of dozens of kids, their parents, journalists and even the kids of journalists. So what we’re talking about here isn’t just trying to stop that kind of and crime was really, I think, needed. The evidence, like I say, exists. You already have the power to sanction entities where credible evidence exists of human rights violations. That would be a definite first step. So I would encourage the committee to recommend.
Jeroen Lenaers (Chair): Thank you very much, Mr. Omanovic. Then we pass the floor immediately. Ms. Kirchgaessner.
Stephanie Kirchgaessner (the Guardian): In terms of what’s needed or what could still be gleaned. I mean, there is just basic information about what member states, how they have used this technology and whether they are clients. Obviously, they sometimes leave using third parties, I believe, to acquire the technology. So it might not be very straightforward. And we’ve had very little transparency even from European states about, you know, who the clients and so forth and which of them are clients. So that’s the first question. I would say while I do think there needs to be governments and authorities need to tackle this issue, I think there is a lot of work that probably can be done with major technology companies who it’s been. You know, WhatsApp was at the forefront of this, but since then there have been many companies who have joined them in condemning the abuse of this technology, which in the end of the day is used against their own clients and customers, and specifically Apple, Microsoft, Google and WhatsApp, like I said. So I think it might be important to get their point of view about technological fixes as well. They probably do need to do a better job securing their phones and their products. Other than that, I just think the that information about victims and accountability in the form of crimi-nal investigations in member states and in the accountable parties that needs to be at the forefront of action. And finally, I would say one needs to keep in mind that there’s a whole area that we’ve never really delved into, which is the security of this technology. Once it’s being handled by a customer, the actual individuals who are operating the technology, how secure is that technology? How do we know that how it’s being used? There is a whole raft of questions. So I wish I could provide more answers, but we’re still working on it.
Jeroen Lenaers (Chair): Thank you very much. And then, Mr. Wagner, you have the last opportunity in this committee today. You have the floor.
Dr Ben Wagner (TU Delft): Thank you so much for the excellent questions. I will try to first respond to one question in German and then the other an Eng-lish, if that’s okay. One opinion was expressed that the opinion expressed was not neu-tral. I have to refute that because it’s based on facts. And I’m sure it’s the same for other speakers. My intention is not to scare anybody. It’s about documenting reality in society. The reality. And there is an increasing feeling that. That Opposition’s for example in. The connexion has now gone. And this perhaps people feel that the possibility of being moni-tored has become very normal. Obviously, this is very concerning. It’s not our intention to scare anybody. It’s just simply to reflect what the reality of the situation is. It is something which other countries have experienced a great deal. But unfortunately, we’re seeing this phenomenon increase in Europe as well. It’s important to be transparent, like any institu-tion. And we. This is here to be able we are able to work within the framework of the Con-stitution. Now, often there are companies that are based in tax havens, and they things happen in countries where human rights are not taken into consideration as much. We need to look at why this situation has become that way.
We encounter, because we were asked repeatedly about regulatory solutions. And I would be would not want to suggest that I can provide any one solution. But I would rather argue that you need a multitude of solutions to respond to this challenge. It may be worthwhile to consider a moratorium. It may also be worthwhile to consider increasing export controls. It may also be worthwhile to consider that while the industry continues to exist similarly to the DSA, where you have a certain amount of resources that are taken from the industry every year to fund this regulation, that this also should be the case for this industry. Because please keep in mind that right now the customers are using it with public money. So at least a similar amount of public money should be spent on ensuring redress, ensuring effective regulation, and ensuring the mechanisms in place and ensure that that public money is not wasted. That should, of course, be additional costs that go to the customers and not to all public taxpayers at all. So I think there are real mechanisms possible to create a change. And I do think that if we are concerned now about not just redress but dealing with the industry as a whole, I share the concerns that have been mentioned here about different elements of the spyware industry or the surveillance industry coming together. And I really think we need to find a way to ensure that the existing fetish, shady commercial business practises are at an absolute minimum made transparent. It’s impossible that we know that public European money from public European governments are being spent in Europe. And when the committee asks who this money was spent on and who it was spied on, that you do not receive an answer. Again and again and again. And if that is what, as European citizens, we accept as the governance of these citizens situation, then we should indeed be concerned because anybody then becomes a potential target. And that has nothing to do with me trying to scare anybody. It’s simply the empirical reality of a global surveillance industry which exists unregulated, where it is easy to cheaply buy products which allow for people to be surveilled. And I don’t think that’s a Europe we should want to live in or that we should at want to allow that form of governance to exist. But at minimum, if we create transparency, if we at minimum ensure for redress, and if we at minimum ensure that those people who are in these situations and are affected by it have meaningful redress mechanisms, I think we can go a long way. And as we’ve also mentioned, there is a great deal that exists both in international development cooperation and in terms of foreign policy. There’s a lot that can be done in terms of conditionality, for example, to make sure that if we work together with non EU member states in whatever context, that that collaboration is founded on human rights. And that foundation also includes not trading and not dealing with these surveillance technologies and not then ensuring that they will not eventually come back can be used in Europe. Thank you very much for listening.
Jeroen Lenaers (Chair): Thank you. And first of all, thank you also to the interpreters for allowing us a couple of more minutes is much appreciated. Thank you to the three guests who spoke this afternoon and my once again, my sincere apologies for the delay in our programme. But I think it was an interesting session and a not so traditional session of a committee meeting in the Parliament. Maybe, but we are also not a traditional committee but a committee of enquiry, so I think this was useful. There is another point of order from the rapporteur.
Sophie in ’t Veld (Renew): Two points of order. I would like to thank the Chair for the flexibility. I think that was the wise decision. I think it greatly contributed to the quality of the session, this one so far. But what I wanted to ask is to if you could circulate an email asking all the members for questions, contributions, I don’t know, but by the end of this week or something like that, to then be sent in writing to the speakers.
Jeroen Lenaers (Chair): Yes, we will do so. Thank you all very much. We have the next meeting of the committee on Thursday, the 7th of July at 10:00? And I look forward to seeing you all there. Thank you very much.