PEGA-UntersuchungsausschussStaaten verheimlichen Missbrauch von Staatstrojanern

Der Untersuchungsausschuss hat eine Studie zum rechtlichen Rahmen beim Einsatz von Staatstrojanern erstellen lassen. Der Co-Autor Quentin Liger trug die wesentlichen Erkenntnisse der Studie vor. Wir veröffentlichen ein inoffizielles Wortprotokoll der Anhörung.

Quentin Liger sitzt neben dem Chair Jeroen Lenaers auf dem Podium.
Quentin Liger stellte den Parlamentarier:innen die wichtigsten Erkentnisse der Studie vor. – Alle Rechte vorbehalten Europäisches Parlament

Am 5. Dezember wurde dem Ausschuss die Studie zum rechtlichen Rahmen beim Einsatz von Staatstrojanern von Quentin Liger von der Asterisk Research and Analysis GmbH vorgestellt. Die Studie konstatiert ein „Versagen“ der Geheimdienst-Kontrolle. Die Autor:innen der Studie empfehlen, bessere Regeln für den Einsatz von Staatstrojanern zu verabschieden und auf eindeutig schädliche Techniken zu verzichten.

Weil es kein offizielles gibt, veröffentlichen wir hier ein inoffizielles Transkript.

  • Date: 2022-12-05
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Jeroen Lenaers
  • Expert: Quentin Liger (Asterisk Research and Analysis GmbH)
  • Links: Hearing, Highlights, Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editor: Tim Wurster

Presentation of the study

Jeroen Lenaers (Chair): Good afternoon, colleagues. It’s a little bit past 3:00 already, so I propose that we get started.

We have interpretation today in the following languages. German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. And if there is nobody in these comments on the agenda, I consider it adopted, which is the case.

So, I move immediately to the second point of our agenda, which is the presentation of the study as part of our committee’s planned work. The coordinators requested several studies due to be carried out through the support of the policy Department of the European Parliament. Several proposals were made, and three studies have been commissioned with a view of covering the aspects that the political groups wanted to address. Today we’ll have the presentation of the first study and the two others will be presented at the beginning of 2023 so that we can also still feed into the work of the rapporteur and the shadows on the report. You have received the draft of the first study last week.

We’ll now have an exchange with the authors of the report on their findings. The first study is titled The Existing Legal Framework in EU Member States for the Acquisition and Use of Pegasus and equivalent surveillance spyware. It provides a description of the legal framework, including oversight and redress mechanisms, governing the use of Pegasus and equivalent spyware in a selection of Member States and to present the results of the draft study. Welcome, Mr. Liger. Year of Asterisk Research and Analysis, who is also here present on behalf of his colleague. Merely a good day. I will give them give you the floor. To present the study, you will need about 10 to 15 minutes. And then afterwards we’ll have a round of Q&A with the colleagues present here. So, I need to give you the floor, Mr. Liger for about 15 minutes.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you very much. And thanks to all of you for inviting me to present the study and for having commissioned it. So as the Chair just mentioned, the study is focusing on the legal framework in Member States, and it was commissioned by a policy department. See it was really an update on a study we did for the Libya committee in 2017 on hacking the legal frameworks for hacking by law enforcement. And that original study was commissioned in light of some high-profile cases where law enforcement authorities were seeking to have access to phones, our computers of certain people. There was the San Benito Bernardino case in that in the U.S. where the FBI was trying to access an iPhone. And also, in light of scandals such as FinFisher, which at the time was was quite high.

So, we were asked to update the study in light of the Pegasus scandal and to look at the legal framework in selected member states to describe the example. They put mechanisms in place in those Member States to look at the international standards. So, the European Convention on Human Rights under the court case case law from the Court of Justice of the European Union, as well as other elements such as the Venice Commission from the Council of Europe. And finally, to make recommendations to the EU and other institutions.

In terms of scope, we looked at France, Germany, Greece, Hungary, Italy, the Netherlands, Poland and Spain. We didn’t look at Italy twice. That’s just a mistake I made on the slide. And what we the reason why we chose those Member States is the original few work member states that were covered in the in the 2017 study. But we added Greece, Hungary and Spain because they are member states where the use of Pegasus or equivalent spyware became quite clearly a problem.

We were asked to focus on the legal framework. So, looking at the definitions, sanctions of of spyware, hacking and equivalent definitions and to look at exceptions. So, elements of the generally criminal procedural code where the use of either spyware or other especially investigative techniques was allowed, and how what were the ways in which this was allowed? And to finally look at oversight mechanisms. So, both ex-ante mechanisms leading up to the decision to use special investigative techniques and ex-post mechanisms after the event looks like.

So general overview of what we looked at of course there’s a fundamental right or. Cornerstone of the European legal order, the right to privacy, the right to have one one’s personal data protected, freedom of expression, the right to free, fair trials and other such rights are enshrined in the Charter of Fundamental Rights of the European Union, in the European Convention on Human Rights, and in a lot of the countries that we cover, also in the constitutional law or constitutional provisions of those those member states, there are, however, restrictions. They do exist. And they are also enshrined in the in the Charter of Fundamental Rights of the European Union or Article 52 one. But those should only happen in very specific cases. So, cases where there is a threat to national security, to public space safety or other similar elements, and they need to be proportionate. And this is where the use of spyware and Pegasus in particular is particularly problematic because of the proportionality of the use of such invasive techniques can be seen as a as a as a go going beyond those restrictions and finally, safeguards when such special investigative techniques are used, should be in place. We are talking about judicial safeguards, democratic safeguards through parliamentary and redress.

One of the first cases where limitations exist, and this was very much the focus of the previous study, is in criminal investigations of the international standards. And here it’s mainly the case law from the Court of Justice of the EU, except that some limitations to those rights that I mentioned earlier on should exist as long as they are in accordance with law. And this is the Schrems to case from the Court of Justice as long as they’re necessary and proportionate. That’s the digital rights Ireland, I think, case from the Court of Justice and they should have a legitimate aim such as national security, which was which the Court of Justice was found was legitimate in The Hague without trial. You do. In that case, some other elements must happen, such as the victims should be notified. This is this is a case full of the from the European Court on human rights. What we looked at in the countries that we looked at, the Code of Criminal Procedure or equivalent form allows for those limitations. And generally, what happens, it sets the public prosecutor that that is in charge of requesting the use of special investigative techniques. And it’s up to a judge to grant that there are certain changes or certain small differences in some member states or in France, for instance. So huge districts don’t investigate. The judge can ask for those techniques to be used. And another judge, she’s deliberated that the procedure is in charge of allowing it. The type of crimes for which special investigative techniques can be used include the vary between member states. But all the member states have a fairly consistent and coherent and comprehensive list of of crimes.

So, in the Netherlands, for instance, any crime that is that can lead to pre-trial detention is one where special investigative technique can be used. In Italy, for instance, it’s any crime that carries a sentence of four years in prison or over, plus other crimes such as paedophilia can warrant special investigative techniques. However, there are some problems. So, one of the examples which we found in the 2017 report is that in Italy, for instance, the use of hacking by law enforcement was the method of choice, especially given in the country. Initially, hacking was not seen as wiretapping by the courts, and therefore a technique that was allowed that changed in, I think, from 20 2015 onwards in Poland, the police act that was changed a few years ago changed the Code of Criminal Procedure, saying that evidence could not be considered inadmissible in court on the ground that it was obtained in violation of procedural rules, which of course hampers a lot some of the safeguards that are that are in place here.

So that is one of the big things here, is also the use of special investigative techniques and spyware by intelligence services. The standards are of international standards are fairly similar to the one I mentioned above. But it’s quite important to hear also mention the work of the Venice Commission that looks specifically on at the intelligence agencies and signal the. And agencies. And given the need, the secretive nature of the work of intelligence agencies, they have a they suggest a slightly different approach, taking into the center of the concept of accountability, which is mentioned by the Venice Commission, as being able to give an account or an explanation of actions and to suffer the consequences, take the blame or undertake to put matters right if it should appear that errors have been made and as the procedure is used in criminal law, not always possible with the Venice Commission suggest as a standards or a series of control.

First of all, internal controls within the intelligence agencies. So, they talk about the culture and the quality of the staff and their commitment to democratic principles. They talk about the clear need for clear decision-making process, clear rules, and they talk about independent oversight in terms of parliamentary control. The Venice Commission talks about the need to have parliamentarians exercising that that control with expertise in the field of intelligence and recognizing that it takes time for it to happen. Therefore, they need to have some parliamentarians involved in oversight for some time that a parliamentary committee should be able to ask and request reports from the intelligence services and not be dependent on intelligence services, sending them reports, and that the concept of autonomy in terms of judicial control and the independence of judges is obviously quite important. The need for specialist training. But the Commission also highlights the risk of case hardening. So, the risk of certain judges maybe being too sympathetic to intelligence services if they stay too long in in a kind of judicial oversight role of intelligence services, and therefore the need to update that or to to change the role of judges on a regular basis. Expert bodies are particularly important in specialized intelligence agencies. So, it signals intelligence is mentioned, especially because they can have a very tailored role to specific intelligence agencies.

If we go to the next slide, please, if we look at the oversight and redress or frisk going to look at the ex-ante oversight so that the procedure for criminal cases and for it so for law enforcement authorities and for intelligence agencies in the country, we looked at are generally reasonably similar. Some of the differences in law is that there’s often a specific prosecutor or magistrate assigned to an intelligence service who can take the decision or allow the use of special investigative techniques. So, there is a special prosecutor in Greece for the UAP. There’s the magistrate of the Supreme Court for the CNon-attached. In Spain, for instance, in the Netherlands. They have a there’s a three-level kind of check. First, an internal need for intelligence personnel to ask them to try to convince their internal lawyers to use special investigative techniques. Then there’s approval by the minister in charge. And finally, there’s an Investigative Powers Commission that is composed of magistrates and technical, one technical expert who provide a binding opinion on whether that technique can be used.

But there are some clear problems, first of all, because unlike in some cases like the Netherlands, the rules for intelligence services using those techniques are not always clear. And we have had difficulties in some member states identifying what the rules are. Second of all, even when a court has found problems so the case of Hungary with their job, when visa case where the European Court of Human Rights asked the country to change its law, to add safeguards in cases where intelligence services make use of special investigative techniques. But the government has not changed. The law clearly shows that there are insufficient safeguards in terms of ex-post mechanisms.

One of the main problems that we’ve identified is that even though there are parliamentary commissions in most of the member states that we looked at, they’re not very effective. In Spain, for instance, the official secret committee, I know it’s not the real name of the committee, but only convened for the first time in two years after the Candiru scandal. Emerged in Poland. The same also called a or created a committee to or there was a committee to look at the use of spyware in them in the country. But nothing much has happened. There’s a Senate committee looking at it, but given it doesn’t have any investigative powers, it has allowed ministries not to respond to that. The Senate committee, which clearly shows some of the problems. There’s also in terms of mechanisms the on these persons, again, where they exist in all member states. But the role their role is often reasonably ineffective because either the enquiries that they can look at are limited in scope or there’s very little they can do in terms of redress. So, this is again a problem that we’ve identified in in all member states.

But probably one of the most damning elements of the failure of ex-post mechanisms to function properly is the fact that all cases where Pegasus has been used, that you have been looking at in this committee, have been highlighted by investigative journalists, by civil society organizations, by private, private people. It has in none of the cases where we’ve looked at has it been identified by an oversight committee like these.

Finally, we were asked to provide some recommendations. I’ve listed a few here. You will see that there are more in the in the report, but I’m going to try to group them together. The first one follows a little bit what the Venice Commission says, but it’s calling Member States to adopt and implement clear and effective rules regulating the use of special investigative techniques, especially when they are as invasive as spyware. And that includes guarantees and clear definitions of what we mean by, for instance, national security. And here, it’s also important to remember one of the things that the Venice Commission says that the European Court of Human Rights case law should be seen as minimum rules, not standards.

Second, the member states should refrain from using techniques with a clear detriment, which have a clearly detrimental impact on their own fundamental rights. And in addition to that, the effectiveness of those methods should be monitored on an ongoing basis to ensure the proportionality of the techniques in general, then that the Parliament could request the Commission for legislation placing reporting obligations on to surveillance technology companies in the EU and potentially to ask them to provide aggregated information on surveillance activities.

And finally, which is not on the list here, but which I think from the research we’ve done is quite an important one for the Parliament to continue its work in supporting whistleblowers and the independence of the press. Because this is how we know about the, the, the Pegasus, the use of Pegasus rather than through, through the mechanisms in place. As you mentioned, the report that is being finalised, this is a draft a draft report. We’re still working on it. So, the version you have will be slightly amended, but we really look forward to hearing questions and comments and suggestions that you may have to work on the report and give you a final version very soon. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Liger. I think this was very, very elaborate already, and I think much more is in the is in the study. I’m sure there are many questions. I’ll ask myself to slow down in speaking. That is very good, and I’ll try to do so, but I will immediately pass the floor first to our rapporteur, Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Thank you, Chair. And thank you, Mr. Liger. Um, I think I’ve not been able to read every detail yet, but I think your conclusions and your findings coincide 100% with our own conclusions and findings, just that, you know, we, we don’t have the expert knowledge that you have. So, it’s it’s somewhat it’s reassuring on the one hand that you seem to confirm what we thought.

At the same time, it’s not. I would have preferred to be wrong, to be honest, because the second point is but this was of course, part of your, um, of your, your study is that the, the rules are one thing and we can see that the, the rules in many countries are already deficient in themselves. But then even when the rules are on paper watertight, if they are, you know, the practise is a is an entirely different ballgame. Serge remark is that, you know, part of the checks and balances should also be the European Union and its laws and institutions. That doesn’t work either. I mean, we have treaties that are also a framework for action of the member states, but that doesn’t work either.

My question to you would be have you found an example of a member state that has a precise and accurate definition of the notion of national security in the sense that it clearly demarcates the area? You know, the situations in which the national security regime kicks in and exactly what the national security regime means. I mean, in what situations, uh, you know, which rules apply or do not apply? Do you, do we have an example of that somewhere? And could that be an example that we could maybe use for our, our own recommendations? Thank you.

Jeroen Lenaers (Chair): Thank you, Mr. Liger.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you very much. Well, to answer your question, no, we haven’t found that one. It does remind me of one interview that I did have with when expert who claimed and maybe they were right that it was on purpose because having a undefined concept of national security allowed that allowed intelligence agencies or organisations using such tools to use them in an ad hoc basis.

They were saying that not especially in a in a, in a purely negative way because of course it can be used badly. But their idea was that it did allow for, for the legal framework, for the practise to adapt to the situation in certain cases. Whether one can agree with that, you know, this is a different thing. But to answer your question, no, we haven’t really found anything we can, I think in the next stages look specifically for that. But in the countries that we looked at; we didn’t really find anything like this.

Jeroen Lenaers (Chair): Thank you. Hannah Neumann.

Hannah Neumann (Greens): Thank you, Mr. Chair, and also thank you to the authors of the study. And you clearly point out in your study that there are a number of international and EU frameworks or requirements that kind of govern the use of spyware. And I guess we can all agree that international and EU frameworks have a legal higher legal authority than do national approaches. And you also said that in your study and let me just quote for the context. So, for everyone who hasn’t read the study, you say member states should draft or review their laws in a way to respect the requirements developed by the European Court of Human Rights, the Court of Justice of the European Union, the Venice Commission and the Council of Europe. So, to ensure that this law respect Article two of the Treaty of the European Union values and notably democracy, the rule of law and fundamental rights.

I’m trying to get a bit beef to the bones. And you said that there are basically in your study, you see aspects that this should apply to. The first one is the legal framework that legitimises or allows for spyware. The second one is democratic oversight structures, and the third one is redress and victim protection. And I’m now trying to understand with your study where you’re looking at a considerable number of member states. Are there any EU member states that in any of these three aspects or in all of them really meets the requirements that you set out in your study? If yes, which Member State is it so that we can use that as an example? And if there is none? Well, you could also say that, but then we really have a problem. And maybe one follow-up question. You also mentioned that in some cases there is a discrepancy between the legal frameworks on the one hand and the actual implementation. So maybe if you could also point out that EU member states where you would say the discrepancy is the highest.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you very much. Thanks for your question. And thank you for having read the study and setting of the recommendation in in more detail. We haven’t found a member states where those standards follow international law, there’s always something. What we have found, though, is that some member states are closer than others.

So, then there’s a there’s two elements, as you say, there’s the legal framework and then there’s the practical implementation. To take an obvious example and not an obvious example, but the legal framework apart from there are problems. But the legal framework in Poland is not as bad as one might say, but the implementation of it is very poor. The fact that the Public Prosecution Service is hierarchically linked to the Ministry of Justice is a clear problem of independence. The same can be, say said in terms of public prosecution for funds, for instance. But we even though some countries and I would maybe use Germany and the Netherlands as examples of countries where there’s probably more robust mechanisms in place.

The examples of best practise that that we found and there are a very few who have to say in our study is this, this a technical committee in, in the Netherlands is a three-person technical committee. So much so that I think Germany was looking into it a couple of years ago because having a committee made of magistrates so, so, so people with a legal background and a technical background looking at requests for the use of, of sources of only spyware. But it’s a technical interception method and having their conclusions, being binding is something that is quite powerful in that term. And I think more generally the Netherlands has quite an open oversight of intelligence services compared to others that I can remember how it’s called. But there is a committee overseeing the work of intelligence and security agencies in the in the Netherlands that publishes annual reports on its activities. And this is something not saying it’s perfect, but I’m saying that it’s something that’s certainly better than what we’ve seen in other member states.

Hannah Neumann (Greens): Thank you. Just one sentence to get this straight. You say that no EU member state as of now meets the legal requirements set out by International and European Court of Justice rulings on the use of spyware. Is that correct?

Quentin Liger (Asterisk Research and Analysis GmbH): I I’m not sure that with the research we’ve done, we can give such a definite answer, to be honest. What we have found is that because there’s a lot of a lot of the methods are quite secretive. And we have had difficulties identifying the kind of very practical procedural use of and decision-making process of spyware. We I don’t think we are in a position to have such a definitive answer. I think it would require a more in-depth study and probably a more focussed one. So, I wouldn’t go as far as that. But I wouldn’t go. I’m not sure that it’s complete. It’s a million miles away from the truth.

Jeroen Lenaers (Chair): Thank you, Jordi Solé.

Jordi Solé (Greens): Thank you, Chairman. And thank you, Mr. Liget, for this for this draft study. I have questions.

Firstly, you have identified in your study several weaknesses in different EU member states legal framework concerning the use of spyware, notably weaknesses in in the sense of lack of accountability in the acquisition and use of the and the likes, also lack of independence of the oversight mechanism and ineffectiveness of redress mechanism in global. You picture a situation which is concerning because of the lack of guarantees. Don’t you think that it would make sense to address these flaws, these weaknesses, to set the standards at EU level, at EU level legislation when it comes to set the same standards for every member state when dealing with this kind of spyware technologies. And secondly, you state in your study, and I quote that since the fundamental rights risks of using such tools are unlikely to meet the proportionality test, the regular deployment of Pegasus would not be compatible with the EU legal order.

So that means that, or I understand that that implies Pegasus being such an intrusive tool. It goes straight against fundamental rights, like the right to privacy. But then in your recommendations, I don’t find any recommendations regarding a moratorium or maybe a complete ban of these tools, given that implications in human rights and fundamental rights. So, my question is, why don’t you recommend a moratorium or maybe moratorium and then or both things, a moratorium. And finally, a general ban, otherwise stated or asked, is that any use of Pegasus or similar spyware? That wouldn’t be obvious if by its nature, given the intrusiveness of this of these tools and shouldn’t be, if we are, as we are concerned with fundamental rights, shouldn’t we be thinking about a ban of distortion? Thank you.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you very much. So first of all, on your point and it brings to a point that your colleague produced, he made on the importance of doing this at the EU level. One point. Just to answer your previous point, we might agree that European or international law is, is has primacy over national law. I am not sure that all the governments in the countries we looked at completely agree with that. But I think there’s definitely something to be said about the EU level, especially because we’re talking about tools that are used in different jurisdictions as you are very much aware, because a an agency in one member states decide to use a spyware on someone’s phone, that person can be located in other jurisdictions, as has been the case with some people.

So, an EU response would obviously be in an ideal world, the best thing. I’m not an EU law expert, so I will not be able to talk about the competences of the EU and what can be done. But that’s certainly that’s certainly something. The second thing that the quote you mentioned on the invasiveness of a figure, this is actually not from us. This is from the European data supervisor. But it’s not it’s not a conclusion that we very much disagree with the authors of this report from the. There’s certainly something that we could. We as I said, it’s draft report. And we could certainly reinforce some of our recommendations. That’s something that that we’re still working on a little bit.

The one thing that we want to be careful about is not providing recommendations on things that we are not completely certain about. And this is not a technical study. We’re not technical experts. And. A moratorium on spyware. Is that something? I don’t know whether a moratorium on the use of spyware or the use of Pegasus type spyware. And if so, where do you put the limit between the invasiveness? I don’t think that is something that this report is well has answered. And I’m not sure it’s really within the scope of what we do. We certainly don’t disagree with the spirit of the recommendation. But if we do include it, we would have to be very careful as to the wording we want to use in order to stay within what we’re talking about and which we can talk about within this report.

Jeroen Lenaers (Chair): Thank you very much, Mr. Liget. And I have some questions of my own. Maybe you’re following up on this on the sort of the limits on invasiveness that you referred to in your study. Did you come across a definition of spyware in the national legal framework of the of the member states? And is there a member states where in the legal framework there is like an order of invasiveness or whether there are certain checks and balances for certain types of spyware to be to be used.

Secondly, you briefly mentioned Poland with regard to the fact that you can use evidence in in a court proceeding, even if it is if it is gathered through illegal means. I think this is the fruit of the poisonous tree doctrine. Is that anywhere else in Europe or you can do that? And is there no and no fundamental principles in European law or Court of Justice rulings that or the Venice Commission that say something about that?

The same goes for clear decision-making procedures, which was one of the requirements, I think, from the Venice Commission. Did you find anything in your study about what kind of information provision is necessary to make decisions? We have heard from many member states that, for instance, a judge is either giving a lot of requests for authorisations, for use of spyware in this in a small period of time. Or they only get information that does not stipulate the kind of technique that is going to be used for the evidence gathering or not the name of the person concerned, but only reference to a phone number or something. Is there is there anywhere?

Well, a good example or not at all about what kind of if we have clear decision-making procedures about what kind of information would need to be provided to a judge or another authority in order to make that work. Very much can relate to what you said about it’s difficult to find out what rules are actually in place in certain member states, which is also very peculiar in a way, because these are the laws that rule are democracies and you should at least be as an investigator, as a research or as a as a parliamentary committee, be able to find out what these rules are and which ones are in place. So, what were the main difficulties that that you experienced in that in that regard?

I would also, since we have some time to elaborate a little bit, maybe on you mentioned the court ruling in Hungary and the refusal of the government to change the law subsequently. If you could maybe add a little bit on that one general point of view that we have, which you kind of answer a little bit when you said that in Poland, the legal framework might be quite okay. But the enforcement or the implementation or the way it’s been done is difficult. This is, of course, in a number of member states where we have serious rule of law concerns. Can you have can you have checks and balances that are in line with international treaties or fundamental rights obligations? If there are fundamental questions about the independence of the judiciary, like we have in Poland and in Hungary and other work in the European framework.

And maybe on the on a follow up on the question that you’re easily asked as well, because in the last recommendations that you presented, if I don’t read it correctly, you say that refrain from using technologies that have a detrimental impact on fundamental rights and its effectiveness should be monitored. And I think the second part, when we ask for effectiveness of these kind of tools, we monitor it is something that this Parliament is quite in agreement about, but we don’t see it happening. Is there any of the countries you investigated where this already happens? And when you say refrain from using technologies that have a detrimental impact on fundamental rights, I mean, all of these spywares in general have a detrimental effect on fundamental rights, because that’s why it’s spyware.

So do you say you should stop using it or still there are situations when the checks and balances are there, and the fundamental principle are adhered to that you can also still use it. For instance, in the Netherlands, we had an alleged case of using Pegasus against the biggest drug criminal of the Netherlands. Surely it violated his fundamental rights, but his fundamental rights were not necessarily our concern in that respect. If I speak from my in my own opinion at least, how do you see that in in light of your recommendation? Thank you.

Quentin Liger (Asterisk Research and Analysis GmbH): Okay. So just a few questions. Yes, thank you. So, I’ll try to answer all of them. But if I forget one, please, please feel free to call me back on that.

The first one on the definition of spyware we have at the end of the report, and again, it’s a draft report. So, we need to quality assure here again and make sure that everything is correct. But we have instances of definitions of spyware where they exist in the national law. Generally, though, what we have found is that it’s not a definition of spyware. It’s more an existing element of the code of Criminal Procedure or the Criminal Code that applies to spyware. And this is bearing in mind that the use of spyware, like the use of hacking techniques, often comes from the use of a police technique of having a mandate to go and search someone’s home or someone’s private property. And in most countries, the law is still written very much in in that way. Again, the Netherlands is probably one of the few countries where the law kind of has been updated more regularly to reflect changes in technology. But I don’t think, if I remember correctly, your question was whether we could. That was an incremental element of invasiveness. We haven’t found that in any member state. But I think this is mainly due to the kind of historical.

Jeroen Lenaers (Chair): I just add to that because this question has been asked in this committee also on several occasions, because the difference is, for instance, when you when you get an authorisation for wiretapping, you then have the authorisation to start wiretapping from that moment. If you get an authorisation to use Pegasus, there’s very much you can do retroactively. You can go into ancient everything that ever happened on the phone basically, which is which puts it in a very different framework. But I’m not sure if it’s also legally in a different framework in any of the member states you investigate.

Quentin Liger (Asterisk Research and Analysis GmbH): So, so I, to be honest, I would have to go back and check clearly on that one thing I can say, but that refers a little bit more to the work we did back in 2017 which was extremely interesting is the use of hacking. So having access to all the contents of the person’s phone was that we found in some countries very often used to fish for information as well as going beyond the pure mandate of or what was allowed in a specific investigation. And there was a scope creep of the use of those techniques. It did create this is a bit of a side issue, but it did create a lot of problems also for law enforcement authorities, because suddenly they had terabytes of data to go through to analyse and they simply didn’t have the resources to, to go through that.

And in some cases when they in some countries, the law allows victims or families of victims to ask for certain elements of the criminal investigation that are not made public. It’s also a huge amount of work to go through that, to make sure that you can give the family of those. So, it creates a lot of problems beyond what it solves in inverted commas. It’s not exactly the answer to your question, but I think it’s the same problem and we haven’t really found anything there. There’s always the question of admissibility in court, which we haven’t looked at in great detail for, as you say, older data beyond spyware.

One of the additional things that that is sometimes a difficulty is that wiretapping or listening devices are often not allowed in a person’s home with the use or in the people, it depends on their on the country, but there are strong limits to privacy of communication and conversations within a person’s home, especially if you if you look at the family conversations or anything like that. In some countries, such as Italy, in some cases now it is allowed through the use of spyware to use those phones or those listening devices and use spyware to listen to and record conversations made in the privacy of one’s own home, which goes against the legal framework of some member states.

Your question on Poland was about whether we found other member states where this where the use of data collected, or information collected through. means that don’t follow the correct procedure due process can be used. We haven’t really found anything here. I think Poland is the one clear example. Again, referring to the 2017 study, we did find instances where courts did accept some evidence because a phone had been hacked. So, we’re moving a bit from spyware, but it works as well with spyware. If one had been hacked by law enforcement on a specific case and whilst investigating that case, information on another case was found and that was found to be admissible by court even of the court if the case was very different.

Your next point on the on the information that judges are provided with; this is quite a complex question because obviously and I think you’ve heard it a lot through all the hearings that you had in with the different experts you had in the member states. As you as you highlighted, the information provided to judges varies a lot. One element as well is that in part that this is due to the legal culture of the different member states. And I think it’s quite hard to identify a right or wrong way or I think there is a possibility to identify minimum information.

I think, if I remember correctly, Spain has a quite a clear explanation of what information a judge must be provided with and what information the judge then needs to provide that in his or her decision to allow the use of special investigative techniques. There are a few other member states like that. Spain is the one that that springs to mind. But whether it’s best practise, I’m not sure; it’s better practise than that, than other member states where as we know, in some countries, it’s very tokenistic, the information that judges are given. I think your next point was on the rules of intelligence services.

Again, it’s quite difficult to make to make a general conclusion because there are very different settings in different member states. However, our hunch and quite so difficult to find information is that in some country’s intelligence services have been very secretive and there has been a kind of public acceptance of the secrecy of intelligence services whilst in other countries democratic the democratic oversight. Sorry, and I apologise for the translators because I know that I’m speaking quickly. I’ll try to speak a bit slower. In certain member states such as Germany, democratic oversight of intelligence services is quite an important aspect, but it’s one that’s very entrenched in the legal and the democratic culture, which probably doesn’t exist in other member states.

So, we don’t have really an answer of way. But that’s very interesting because one of the things that the Venice Commission suggests or recommends is that member states. Adopt clear and concise rules on intelligence services. And I think that their idea is that it’s better to have something that is concise but clear that can be followed rather than rather than something that’s either very complex and hidden or too complex to be to be understood or followed by anyone.

Then on the Hunagrian case, which is, so this is a case which I’m not sure I will be able to go in great detail. I didn’t personally do the research on Hungary, so I’d have to go back on it. But it is a case by the Court of Justice through the European Court on Human Rights and the Court of Justice, which found that, I think, is that two lawyers who started the case against surveillance by intelligence services in Hungary, what the court found is that the grounds for the surveillance were in breach of Article eight of the convention. So, the right to privacy subsequently asked Hungary to adopt its law to put it back in line with the European Convention on Human Rights, which Hungary has not done, is a shortcut. Laws were presented, laws were discussed, and they disappeared in various ways. And I’m sorry I wouldn’t be able to go into detail because, as I said, I haven’t done the research myself. But I can get back to you in writing if you want from this.

Can you have checks and balances? If you have questions about the rule of law and the independence of the judiciary? It’s a difficult question. And I was having a conversation before this presentation about two cases, Poland, and France, which were, I’m not saying that the situation is the same, but there are similarities in, in the organisation of the public prosecution, for instance, now. From what I heard here, no one is talking about any problems in France, yet I’m sure there are many. But any problems specifically relating to Pegasus? The legal framework is not very different. Having trust in a government probably is not enough, because if another government comes in there in in power in France, the lack of independence of the of the public prosecution and the powers that they have might create other problems.

And therefore, twist will not twist in your question, but taking it from the other side. The importance of the rules is, or the rules are extremely important regardless of the of the government in place. However, without a government, a culture, a clear independence and a will to have an independent judiciary, it’s incredibly difficult to be to do anything we’ve talked about. Caselaw from the Court of Justice, we’ve talked about a treaty obligation. We’ve talked about things like that. Yet this Parliament still had to create a parliamentary enquiry on the use of Pegasus on things that according to law shouldn’t have happened. So, I’m not answering your question, but they’re clearly a problem.

And finally, on the effectiveness of some of the tools, we haven’t really found anything done on the effectiveness of the tools. What is done is generally done by civil society organisations. Sadly, while sadly it depends for whom, but the UK, which is not a member of this union anymore, is a country that has extremely strong civil society organisations that do a lot of very good work on the use and abuse of police and intelligence powers. And I, I remember seeing some of, some work that was done by it, by certain organisations there. I don’t have any, any specific examples in there in it in the EU27.

Now on anything done on the effectiveness of those tools. But of course, as you say it’s hard and that goes back to the question from Mr. Solé. Therefore, we refrained a little bit from saying what should be banned and allowed, because, as you say, there are instances where certain tools are necessary for the prevention of terrorist acts or apprehension of dangerous criminals. The question would therefore be on whether a drug law such as the one that was found thanks to Pegasus in the Netherlands, could have been identified and found using different, less intrusive means. And I think that’s the real question we should ask ourselves, and maybe we should ask intelligence agencies or law enforcement agencies to answer.

Jeroen Lenaers (Chair): They always love to do that. Let’s ask them. Ms. Novak.

Ljudmila Novak (European People’s Party): Thank you. Well. Speaking for myself I think that there are different rules when we say that the European Union is based on the rule of laws. And we have to think about the fact that we’re dealing with law, and we have to define what law needs to be complied with here. Now we need to have Democratic oversight of these intelligence services, but we need to be aware of where there’s potential for misuse. I come from a state where we have a committee in parliament for oversight of the intelligence services, where the majority of its seats are held by the opposition. This committee is often abused because parliament is formed of regional parties and opposition parties, and the committee’s role can be distorted. They can look at who they commission or what cases and to what end. So, I think if we are really serious about upholding the rule of law, we need to have a solid European framework that the member states have to comply with so as to avoid abuse and misuse. We don’t want to find a party or a coalition that’s been in power for a long-time making change to legislation. I think it would be better if we had a European framework that we could all adhere to.

Jeroen Lenaers (Chair): Thank you, Mr. Liger.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you very much for your question and for waiting for me to put my earphones on. I appreciate that. Yes, well, I think your framework would certainly be useful. I think what’s very interesting is to look at again, I’m referring to the Venice Commission’s work on parliamentary oversight, because it is clearly a very difficult question where we’re talking about, you know, an oversight mechanism that needs to be open enough to have democratic oversight yet allow intelligence services to operate within the constraints that they have, which are often quite secretive. And the secrecy is necessary and quite important for their effective work.

And I would encourage you to you probably have looked at them, but look at the Venice Commission’s guideline on that, because they do talk about the importance of having quite a mature, in fact, a parliamentary oversight committee. And my interpretation is that reading between the lines, they are trying to suggest having a – they talk about bipartisan or multi partisan in cases where there is a plurality of course – but I think it’s probably a non-partisan committee that they’re talking about where members have the know how to understand what is required by for intelligence services to do their work whilst and for intelligence services to have the trust that they can have conversations with those parliamentarians and that that information will not be leaked in the media.

And therefore, it’s quite a fine balance to find whether the solution is a new framework. I don’t know. I think I think there are guidelines that that should maybe be in place. However, again, I think that the local differences, the cultural differences in in the parliamentary structure, in the legal structure, and then the structure of the intelligence services is something to definitely, you know, keep in mind and to yeah, to take into account if, if anything is to be done at the, at the EU level.

Jeroen Lenaers (Chair): Thank you. Karolin Braunsberger-Reinhold.

Karolin Braunsberger-Reinhold (European People’s Party)): Thank you. I’m going to be talking in German. Thank you very much, Mr. Liger, for coming. I’ve got a question that follows up. On the question about the gradations in competences and responsibilities, he said No country has different levels, but I understand that in Germany we do have different levels. So, he might be listening only to telephone calls, or you might be listening in via spyware. And spyware is very limited in its use in Germany. No. Perhaps I’ve just misunderstood something that you are saying. Perhaps we’re talking about different things. So, I just wanted to check with you. Are you saying that there really is no country where there are different levels of intelligence collection?

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you. Thank you very much for your answer. Now, I might have expressed myself wrongly. What I was talking about is, is within the use of certain technical tools, such as spyware, it’s very difficult to see what the level of intrusion is. Of course, you can talk about the gradations, such as a wiretapping of phones and locating someone by through the use of their mobile phone or by putting a GPS locator. That’s in a lot of legal frameworks, including the German, when, of course, it’s the use of spyware and what we mean by spyware, or are we using a spyware simply to where to locate a person, to listen to conversations, to access all the information on that person’s phone, to listen or record the voice or images from that person’s phone without that person knowing that that’s the kind of level of gradation within the use of spyware that I was talking about.

Jeroen Lenaers (Chair): Thank you very much. If there are no additional follow up questions to Mr. Liget, I would like to thank you, first of all, for your time to be with us today and for the study. I’m sure we’re all going to read it in in greater detail. Of course, I’m looking forward to the finalised study, but I think it’s very interesting and like our rapporteur said in the in the beginning of our contributions, very helpful also that some of the thoughts on the ideas we had ourselves are also backed up by, by the research you have, you have done, and it only improves also the quality of the work that we do.

So, thank you all. Colleagues, our next meeting is on Thursday, the 15th of December in Strasbourg. The hearing on spyware uses in third countries and implications for EU foreign relations, which we organise in association with our colleagues from the Offset Committee. So, thank you all very much and have a lovely Monday afternoon.

Quentin Liger (Asterisk Research and Analysis GmbH): Thank you. Thank you.

Deine Spende für digitale Freiheitsrechte

Wir berichten über aktuelle netzpolitische Entwicklungen, decken Skandale auf und stoßen Debatten an. Dabei sind wir vollkommen unabhängig. Denn unser Kampf für digitale Freiheitsrechte finanziert sich zu fast 100 Prozent aus den Spenden unserer Leser:innen.

0 Ergänzungen

Dieser Artikel ist älter als ein Jahr, daher sind die Ergänzungen geschlossen.