PEGA Committee of Inquiry: How state trojans are used and regulated

In the fourth session of the committee, the parliamentarians dealt with the use and possible oversight of state trojans such as Pegasus. They heard five experts on the matter. We are publishing an unofficial verbatim transcript of the meeting.

Sándor Rónai speaks and gestures with his hand; his name plate stands in front of him and the EU flag is behind him.
Deputy committee chair Sándor Rónai stands in for chair Jeroen Lenaers in this session. – All rights reserved European Parliament

The committee returned to Brussels for its fourth session to look at details of the use and supervision of surveillance software and "spyware", as well as possible safeguards (we prefer the term state trojan). The first part of the session covered use, the second covered safeguards and oversight options relating to state trojans. As always, the parliamentarians were able to ask questions after the experts' statements.

There is a video of the meeting, but no official transcript. We are therefore publishing an unofficial transcript.


  • Date: 2022-06-13
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Sándor Rónai
  • Experts:
    Panel 1: Román Ramírez (Instituto de Empresa/Rooted Con), Michel Arditti (SCSWorld)
    Panel 2: Cindy Cohn (EFF), Duro Sessa (EAJ), Wojciech Wiewiórowski (EDPS)

  • Links: Hearing, Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editors: Julien Schat

Spyware – Use, supervision and safeguards

Sándor Rónai (Chair): Good afternoon to your colleagues. Now, we should start our meeting today. So welcome to the few and substitute members of the PEGA Committee. Interpreters for the following languages are present today. German. English. French. Italian. Dutch. Greek. Spanish. Hungarian. Polish. We can Slovenian, Bulgarian and Romanian. Today’s meeting I will be replacing our chair. Miscellaneous.

Our first point of the agenda is the adoption of the agenda. So I would like to ask you whether we can adopt the agenda for today’s meeting. Oh, I see. No objection.

So we can jump to the second point on the agenda today, a hearing on the use, supervision and safeguards in relation to Pegasus and equivalent spyware. This hearing will be divided into two parts. The first one dedicated to the use of spyware. And to learn about it, we will have the pleasure to welcome two experts. We will start with Mr. Román Ramírez Gimenez, independent security advisor and cybersecurity professor at Instituto de Empresa, a founder of Rooted Con, before the intervention of the second speaker, Mr. Michel Arditti, founder of SCS World, an international security advisor company focussed on international cybersecurity. We will give them the floor for 10 minutes each and members will be invited to ask questions afterwards before the question and answer session. Still based on the catch the eye and one minute per question with the possibility to ask a follow up question as well, I invite the panellists to answer immediately after each question and not exceed 2 minutes for their answers.

After a short break, we will continue with the second part of this hearing dedicated to safeguards and supervision. For the second panel, we will have the opportunity to listen and ask questions to three speakers. We will start with Wojciech Wiewiórowski, the European Data Protection Supervisor, then Mr. Duro Sessa, President of the European Association of Judges. And finally, Mrs. Cindy Cohn from the Electronic Frontier Foundation. The modus operandi will remain the same, which means these minutes to 10 minutes for the presentation of the speakers, followed by a question and answer session. Still based on the catch the eye and ping-pong principles, we will end this meeting with a few closing remarks. So after this short introduction, let’s start our meeting without delay. With our first panel. I would like to give the floor to our first speaker, Mr. Román Ramírez. Mr. Ramirez, you have the floor for 10 minutes.

Assistant: Dear Mr. Ramírez, you can press the speak button once at the bottom of the page, but here it is.

Román Ramírez (Instituto de Empresa/Rooted Con): Sorry. Good afternoon. Thank you so much for the invitation. And I think this is really interesting. A mother and today just two to focus on the use of the Spanish tools. Today the technology is so quick and so powerful in many means that pretending to allow our law enforcement agencies and other agencies like, for example, the typical intelligence agency and other groups that are working in the government, they’re pretending to let them develop their job is quite difficult because not only technological devices, for example, mobile phones, computers, operating systems in general, all the technology is incorporating protections and have a lot of anti-intrusion and the espionage capabilities. But even regulations, for example, GDPR are focussed towards the protection of citizen rights and fundamental rights. So in this scenario, this kind of technology is devoted to the interception and to the control, the remote control of devices. Typically they are in the middle of the regulation and the fundamental digital rights side. And in the other side, in the other side of the line, getting into a lot of issues in privacy and of course, exposing these fundamental rights that we are supposed to protect from the institutions. So the main problem here is that imagine a device that is difficult to access and has encryption and protection in higher levels of capabilities. And imagine law enforcement agencies trying to do their duties, investigating a crime and cybercrime and other typical scenarios where they have to investigate.

So in this scenario, I see two paths. One path is they’re trying to make technology weak, making encryption weaker, and, in my opinion, affecting all the citizens in the European Union. So in my opinion, this path is not good, is evil, because we will reduce security, the quality of encryption, the quality of the technology for all the citizens. And we have the other path that is where this kind of this category of tools, they are playing these tools. For example, Pegasus is one, but, you know, there are many of them and Candido bla bla these kind of tools, they try to exploit vulnerabilities and in their hardware and in their software and operating systems to take advantage of higher privileges on the technology and take control of their device. So if law enforcement agencies, they have to perform their duties, in my opinion, they need to have a way to access devices when necessary. In my opinion, the only moment they will have the proper permissions to do so is after a court or a judge has said so. Okay. So in my opinion, the previous scenario where encryption is weakened or technology has not, all the capabilities they have in privacy and protection is not a feasible one and makes no sense because we have a scenario where only after the courts say, you can and I judge, I authorise the procedure, the law enforcement agencies and other agencies will go ahead in intercepting and they gain control of devices. So in my opinion, this opens only the possibility of these kind of tools, the remote administration tools, the RATs or remote control tools or the whatever the name you want to give them. We absolutely need a law enforcement to be able to perform their duties. It is necessary. So in my opinion, the response that no way these tools is not our response because it is not addressing a problem that the technology has the main concern, it will be the control. But in my opinion, this is something it will be discussed in the other tables.
But in my opinion, we need this kind of access, but not in our global automatic and by design way. But in the other and the other. So the only solution I see for the future is with these kind of technologies.

The main problem is to control them, I say. The control is very important here. Just to give you a reference with the in arrangements, for example, for nuclear materials and this kind of things, they extend it for cyber weapons and other technology. So my opinion, this is a good approach. This should be regulated, of course, because democracy and fundamental rights are to be protected. Every single citizen needs to be protected and has a perimeter around that, the fundamental rights. But when I called that this another representative for democracy, don’t forget that whenever a judge or whenever the court is involved, the democracy is playing there. We need to give technology or tools to law enforcement agencies or even espionage agencies that are regulated and in procedures that are regulated. We need to give them capabilities and the tools to be able to perform their duties. So if we need to go to this future where this kind of tools like operations are similar, in my opinion, there will be players that will be in the table. We may not like the way the market works and in my opinion, it is necessary a lot of control, a lot from the single starting point of the technology to their use in every single device that should be controlled by the court. With a lot of our victory and these kind of things. But the tools, in my opinion, are necessary. So this is just for my brief introduction. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Ramirez. Now I give the floor to Mr. Michel Arditti.

Assistant: You can press this big button once at the bottom of your page.

Michel Arditti (SCSWorld): Thank you and glad to be with you today. And so we prepared a presentation to explain the few points which are very important when it comes to lawful interception into products like Pegasus. So what we wanted to introduce is that of course the use of such tools is regulated in every country. Most of the countries which have such products and tools do not sell it to anyone. A little only to governments and to specific agencies. So it’s highly regulated. Exactly like weapons. It requires export licences. However, the point we wanted to discuss is that the use of such tools has become incredibly more and more complex. And so it’s not common these days to have rogue states or to have the criminals using these tools and to define a little about this complexity. We have to imagine that in the past, intercepting a phone was all about intercepting the GSM communication. But today, the complexity is in full growth, at full base, and so be it. In switching networks or 4G networks, the encryption is a lot more difficult to break. In 5G, it’s even more complex because then everything has become virtual. And it means that this kind of technology with GSM interception is not available anymore except for big states, typically European states or American states. So this is why the industry has turned out to other solutions, which would be to intercept the phone directly. But this also now requires more and more technology. And if we can discuss a few scenarios, the two main scenarios which are known are the one called strategic, which means interception in a mass at country level or tactical. And this is the one which is used mostly in the world. Tactical means that there is a portable interceptor and that’s the police officer. All the agencies, while intercepting someone, need to be very close to that person. They need to be very close to the target. And a document was a target will be connected.
So even so, when it is a tactical, there are a list of three requirements because we are never sure that a good equipment will be able to intercept. And so it’s not something like a press of a button which would deliver results when it comes to mass interception. This was really popular 15 years ago. And so this tattoo system, which all for most interception, do not exist on the market today because the use only the GSM technology and they are not able to intercept the new communications where most of them are encrypted. So because of this complexity, it requires now to have a team, the team of specialists and a team of law officers who are able to build a judicial case where not only they will build a case and collect phones, phone numbers, contacts, but also maybe computers. And they will start intercepting these targets by authorisation, of course, of a judge. But this work is not enough. It requires more teams to understand the context and more pre requirements, depending on the brand of the phone brand and the kind of system which is in use on the phone and the kind of elements which you need to be, the kind of elements you need to collect to elaborate a bit more. Nowadays, the phones are very heavy in memory. And so if you start collecting that like photos, material, contacts and videos, it will take so long to collect that it’s most of the time.

Assistant: Excuse me. Mr. Arditti, there is a problem with the translation.

Michel Arditti (SCSWorld): Is it about the pace of.

Assistant: My colleagues are telling me that the quality of the sound. It’s not a good one. So that’s why the translation in Spanish. It’s not French. In French, because the Hungarian is working. I just checked it.

Michel Arditti (SCSWorld): So. Okay. And please let me know if I can continue.

Assistant: Your patience for 2 minutes. Okay? And of course, we can continue. Thank you very much for your patience, Mr. Arditti. The floor is yours again. And please, please continue your presentation.

Michel Arditti (SCSWorld): [In French; no interpretation available]

Assistant: I’m afraid the English booth is not able to interpret. The sound quality is not compliant, which is potentially damaging to the interpreters health.

Sándor Rónai (Chair): The team is telling me that the quality of this sound is very, very bad for them in order to translate what you are saying. So I have to turn to her colleagues. Is it the.

Assistant: Background sound question to the translators because they think this is here in the Room? I guess so. Now we are in Brussels and this actress, we can hear very, very and it’s very loud in the when when he talks.

Sándor Rónai (Chair): We are going to investigate this issue. Please. Please wait 2 minutes. Okay. So our technical team needs 5 minutes in order to improve the quality of this sound. So please stay with us. And we try to solve this case, this issue, and maybe we can continue our meeting, not like in Strasbourg last time. So thank you very much.

Sándor Rónai (Chair): Thank you very much for your patience. Our colleagues try to improve the quality of the sound, so I hope we can continue our meeting. So I would like to give back the floor to Mr. Arditti to continue his presentation. Arditti the floor is yours if you are here.

Michel Arditti (SCSWorld): [In French; no interpretation available]

Michel Arditti (SCSWorld): We are a company that specialises in telecommunication, was founded in Switzerland. We worked for the government for big international groups. We have a lot of telephony equipment that allows us to understand. How to legally intercept. We give advice for this kind of things to several governments and have developed our own anti interception equipment whilst being fully legal. The issue with cyber threats is that it’s the infection rate of telephones. Is always high, both from governments and illegally. There was an average interception rate of 20% for telephones four years ago, which is huge. There are three trends in terms of interception companies such as France intercepts. 20 million per second, that’s mass interception. And are huge numbers of successful attacks and mobile phones are the big targets of governmental organisations and criminal organisations. These attacks, which were very popular around 15 years ago, have become very difficult. This slide shows you how complex things are of various different levels of intervention to attack a telephone. And nowadays it’s no longer possible to do it without a very high grade equipment and reserve products that are only available in big. Developed countries are difficult to use. So in terms of scenarios, this shows that different attacks work differently in different scenarios and it’s very difficult to deploy. There seems to be a crackling background sound.

Assistant: It seems the sound seems to be coming from the speaker who’s touching the microphone.

Spanish Speaking: If someone could ask the speaker to stop touching the microphone line, that would help the sound quality.

Spanish Speaking: But I’m afraid the sound quality is deteriorated again.

Assistant: Because it lacks some type of unit.

Sándor Rónai (Chair): Excuse me, Mr. Arditti. The translation stopped again.

Sophie in ’t Veld (Renew): Your punishment.

Sándor Rónai (Chair): Our colleagues are telling me that you should stop touching your microphone. Because that’s why the sound is bad. And the quality is not enough to have the opportunity to translate your words. So please do not touch your Micro.

Michel Arditti (SCSWorld): I understand.

Sándor Rónai (Chair): Thank you very much.

Michel Arditti (SCSWorld): Thank you.

Michel Arditti (SCSWorld): Standard attacks, which were very popular and have reached rates of 80% of telephones over the last few years have dropped considerably because they don’t work anymore on big European networks. Next slide. So this is a big challenge for legal interception companies such as in this area. For example, the three big challenges of working in a globalised world. Attacks need to be international. It’s very complex because a firm like NSO grants an operating licence to a country for that country only, and given that criminal networks don’t operate elsewhere. They don’t operate just in one place. It’s very difficult to pursue them end to end. And then it’s difficult to gather legal evidence because there are huge amounts of this data and it’s terabytes of data and criminal proceedings now that need to be transmitted. And that can’t be done with a SIM card. You can’t just go and get all that data off a SIM card. It needs to be filtered. It takes a lot of investigative work. Thirdly. What’s very difficult is to reconcile the multiple information sources. That would be photos, images, text messages, emails, WhatsApp messages, Telegram messages. Next slide. We’re up against huge numbers of service providers in messaging, and most of these services are very highly encrypted, meaning that the content of messages is not accessible for interceptors. So there’s an additional difficulty there, and that’s not all. There’s also fragmentation of communications, given that there are lots of different applications. Criminals can start a conversation on WhatsApp, for example, and carry on. In Telegram I can do that with 20 different apps on various different phones. Meaning that the interception work. Has become a full time job. It’s very complex. And generally speaking, most messages get through the net of those who want to intercept them.
Obviously we draw a distinction between tactical and strategic interception, tactical interception and local. Where you have a squad of police officers who need to get close to the target. They want to intercept and try and do that in quite a short amount of time without being noticed whilst the target is communicating. If the phone’s off. Nothing can happen. So. They try and put a Trojan horse on the phone, which later, when the phone is connected, will filter the data. But these tactical solutions have issues. They don’t work all the time. You need to be close to the target. You need to find them and then you need to exfiltrate the data. And when that’s done that leaves a trace, which is difficult because criminals find out. And that means they can find they can trace that’s tracking so they can cut the communication line. Allowing an interception that would allow interception companies to gather information looking at strategic systems. There are two types. There are mass interception set ups, very popular around 15 years ago. Very difficult to use that kind of thing in the modern world where the encrypted part of interceptions used three and four G is used up. And that’s not the priority. Mark And that’s why interception has moved to more case by case attacks where it’s done phone by phone a distance to try and get the content. And that’s why a company such as NSO set up Pegasus. Which is a surgical tool. Case by case. Looking at the mode of operation. Firstly it needs to use a centralised platform. So each country or country that buys this kind of solution sets up a management platform and deploys a team that can set up attack scenarios and doctrines and tries to attack phones one by one. Then he needs a lot of data fusion capacity, data margin capacity, because you need to merge the data from about 50 different phones for an investigation. And that means lots of photos, lots of SMSs, his phone calls and so on. It’s like all types of messaging.
So that’s very complex. It’s very complex to analyse fast, and that means highly experienced squads because otherwise you’re drowned by all the information. And this, this kind of tool is known as the poetic brain, which is a brain that can analyse billions of items of data. Just to show you the typical architecture of this kind of system when sold to a client, it’s a lot more complex than you might imagine. So there are various different telephony operators, used data centres, operations centres. Lots of service. And then to tactical access to mobile data networks. So this kind of configuration isn’t clear for newcomers. It’s very hard to operate without governmental agreement. In terms of what the equipment looks like, it tends to be disguised in a backpack, as you can see here. The radius of operation is 30 metres, so it’s very much surgical operations we’re looking at here case by case. Looking at the user interface, this is what interface looks like. Once again, it is extremely complex. Technical network data, which shows you which phone is targeted. But we haven’t yet got to be able to see the data here. So it’s not the press booking system. All of this happens linked into a command and control centre. Where people know the objective of the mission, they know the target is. And. They? Stay on the phones with our agents to been intercepted in various different countries throughout the mission. Usually interception just happens once. Once again. And it’s not as clear as you might think. You don’t know exactly whose phone it is. You get radio frequencies that you then look at. And it’s only once you’ve started to identify the phone amongst all of the ones you can see on the network that the interception begins. So it’s a complex operation. And to show you what the equipment looks like for this interception. I should say it’s portable, but it’s not exactly something you can put in the handbag, more like some police cars or military vehicles.
It takes a lot of energy. Next slide. And this kind of equipment needs specific highly technical antennas, which work better when. When the fixed parts of them. When they’re moving. Excellent. So I wanted to show you just how complex the situation is now for interception systems. And we can open debate. About. The way, the ways we sell and use the equipment. Which is something that makes which make more sense about this kind of solution. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Arditti, and I apologise for the inconvenience. It’s now time to open the question and answer first part of to all members based on the principle of the catch the eye. Please raise the hand if you want to ask a question. But before that, I give the floor to our rapporteur, Sophie in ’t Veld, for the first question. Sophie, the floor is yours.

Sophie in ’t Veld (Renew): Yes. Thank you, Chair. First, just very short question to Mr. Ramírez. I would just like to understand your intervention, where basically you say spying on people is a really good thing, but it just has to be done within the limits of the law. I think we’re all here because that’s precisely not what’s happening. And I also I mean, everybody is entitled to their political views, of course, but I don’t think that was the point of today’s hearing. To Mr. Arditti, I was just I have to say, I was listening attentively to your presentation. There’s still a lot of technical things that escaped me, but we would be very grateful if we could have the slides and look at them with a bit more time, maybe a few questions. First of all, you indicate what we’ve heard before that this kind of operation does. But evolve has to involve a country’s government. It’s almost impossible for an individual or a company to do this. But we know that some countries have developed their own systems and other countries do not have that capacity, and they are buying commercial products like Pegasus and similar products. But if I listen to your presentation carefully, then it’s not enough to just buy the software. You actually need a lot of capacity and knowledge to also run it and to process the information that you get, the data that you get. So. So if governments don’t have that knowledge and the capacity themselves, how does that work? Do companies then provide that kind of services as well? Because I think I mean, we’ll be hopefully meeting with NSO next week. And one question that’s been burning in our minds and we haven’t had any proper answer to that, is, are they able to. Do they have access to the data? Are they, in other words, watching as well? You know, are they also inside? Well, hopefully not all our phones, but some of the phones. How much information do they have, not just NSO, but also similar providers?
And then another question is, you also indicated that a company like NSO gives a licence to a country which is already quite funny, but or. Well, it’s more bitter irony really to use it in, in one particular geographical area within one jurisdiction. So how is it then established I mean, if people move across borders, then how do they establish that that is happening and that they’re moving to another jurisdiction? And what does the company do in such a case? And finally, I would like to understand a little bit better what the role of your company is. Are you just studying these phenomena or are you providing services? Or can you say a bit more about that?

Sándor Rónai (Chair): Thank you very much, Sophie. Mr. Arditti, the floor is yours again.

Michel Arditti (SCSWorld): Yes. Thank you. Thank you very much for the questions. The companies which sell this kind of product such as NSO. Only sell the product and a part of the product that is the Trojan horse or rather the vector, which allows you to put the system on the phone. But. Obviously it doesn’t just stop. There is a dichotomy there which allows any company to have an access to the data and participate in the action. This is always managed by government agencies, which obviously have to make an effort to develop further in this field. Some countries get the technology, they equip themselves with the technology. The big countries, the United States. The European countries, Russia and China. And Pakistan, which has a very powerful system of their own and which is self-sufficient. Then you have the other countries which don’t have this technology and obviously have to buy it from providers. The providers don’t operate, but they provide solutions of high quality. Although sometimes they don’t provide good quality and we don’t have a solution which functions in the long term. That’s something which telephony companies are aware of. And the manufacturers, IHS and Apple and Google and so on have actually blocked access to the rare companies, which can provide access more reliably. Now there are some providers who sell their solutions very dearly and others actually allow them to have a sort of subscription for them. You don’t want to pay up front for something that might not work. We have specialised in protection of telephony as well. We provide that and we test and recommend systems to block attacks and allow better privacy. There are three solutions here with an operator, and the operator is protected to work with a SIM card and it’s a SIM card which protects or tries to protect the telephone. But that’s much more complicated.

Sophie in ’t Veld (Renew): Then second because Mr. Did you say in this, this is something, as I said, where we have not got a conclusive answer until the day. If today you say a company like NSO has no access to the information, they’re just providing the software. The problem is that NSO itself always says, Oh, but we’re absolutely sure that our customers do not make illegitimate use of the software. How can they verify that if they have no access to the information here? This is the question. We never. Sorry. I mean, this is something that we need to understand in particular as we’ll be talking to them next week.

Michel Arditti (SCSWorld): And yes, well, once again, that’s an excellent question. By definition, companies try not to be dragged into illegal action. And that is why I can guarantee you that there is a kind of border and there is no access to the data. And that there is legal use because their client commits himself to that, risking otherwise losing their licence. And big countries in Europe are provided. But there are other companies which supply to other countries which are slightly less respectful of compliance and. And that’s a situation in which you’re more likely to find irregularity or illegality. But. When you have the interception vector, it’s not operated in complete visibility. And there’s nevertheless a surveillance capacity. If you want a guarantee. That all the tools are properly used. Then there’s got to be not just goodwill, but also you have to base yourself on the technical side of things. When a product is sold with a licence, then the licence only for that country with the number for that country. Just to give you an example, take France. They ask for a solution and ask for a licence for Belgium. You can do that. France, if it buys this kind of solution, asks to be able to identify French devices even when they are in roaming. So let’s say that those countries which we hear about in the media, for example, Saddam. These are unlikely situations to arrive because technically speaking, they’re not possible. And. There’s a lot of rumour about this kind of practise. There are restrictions in place. Nevertheless, these are very complex systems. And when we see that a third country has used an NSO solution, for example, to spy on the president of a European country, well, that’s not very credible, because the country in question would have very competent services, secret services. So we find it hard to understand how a badly equipped country would be able to actually do that. So we can’t really lend any credibility to this kind of rumour.
But of course, deviations from the norm occur. We have rogue states, we have attacks which happen, and there are these practises in existence. But not for these reputable companies.

Sándor Rónai (Chair): Mr. Arditti. Our dear guest, Mr. Ramirez, would like to take the floor. So, Mr. Ramirez, I’m going to give the floor to you. Please. A floor is yours.

Román Ramírez (Instituto de Empresa/Rooted Con): I’m going to switch into my own language, which is little more comfortable for me to speak to you in Spanish. Now, at no time did I say that I liked the fact that spying was going on. I just said that we have the law 11022 which regulates all of these matters, and police and judicial authorities are empowered in certain instances to carry out espionage, to gather information in relevant cases when commissioned to do so by a judicial authority. I’m not saying that I like that. And there have been various cases such as those uncovered by Hacking Team or other companies which devote themselves to doing that. I was just saying that the intelligence services and certain agencies, those who are trying to fight crime and cybercrime in particular, have been empowered to carry out such activities. But I do think that in my view, we’ve been a little bit naive, particularly when it comes to NSO and Castro and others. The problem is not so much whether or not we should use these kinds of technologies, because I think, unfortunately, we are going to have to use them, rather, whether and I think this is a subject for another day, another discussion, whether certain comprehensive or extraordinary rules will have to be applied to them that will have to be constitutional and democratic oversight over them of a very high level. Just to set the record straight. That is my approach.

Sándor Rónai (Chair): Thank you very much, Mr. Ramirez. Then I would like to give the floor first to the EPP, who says we don’t.

Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. And thank you very much indeed to the keynote speakers who have been on the panel this afternoon. And we have been able to resolve some of the issues that we have. And translation, I think that the various ideas I have shared with it are extremely important for this committee because we’re trying to analyse the situation on the one hand and try and prevent abuse on the other. And the abuse of this kind of spyware is absolutely crucial. And so it’s important that we understand exactly how it is used for legitimate ends and precisely what objectives are being pursued. And so that is why these contributions are extremely valuable. One of the problems is, of course, is that criminals are always one step ahead of law enforcement and intelligence authorities. The fact of the matter is, is that a lot of what we’re hearing has ceased to be topical. Now. There was the Bonnot Gang. In France, which was notorious, there was a group of anarchists who would attack banks and the police would try to pursue them, but in vain. So you may well have the best technology available. And this has now become one of the primary concerns of our law enforcement authorities. And it seems to me that it is very difficult for us to come to a situation in which criminal gangs have technology, enjoy technology, which is superior to that that our law enforcement authorities have at their disposal. And that is why we need to try and close this technological gap. That would be my first question. And then I would ask you whether we will need spyware ourselves in order to clamp down on drugs, trafficking and other forms of crime effectively. And finally, when it comes to confidentiality, could we have a specific example of the way in which these technologies have made it possible for us to detect crimes in a way that would have been possible if we did not have access to them.

Sándor Rónai (Chair): Which is coming from the S&D, Łukasz.

Łukasz Kohut (Socialists and Democrats): Thank you. Thank you for all those continue. And also I hope there will be no problem with the translations. A few weeks ago, the experts from Citizen Lab confirmed here in this commission committee that Pegasus does not always intercept the information from the telephone, but they can also add new messages, new information on the phone, and it is practically impossible to differ between those informations, those that content. And it is a real threat for democracy if opposition, all the judges are on surveillance. Now the Polish government has no Pegasus because the Israeli government refused to prolong the licence. However, the media have just informed that the Polish services are in possession of new applications. So my question is, are the tools that are on the market now capable of intervention in mobile phones to the same extent as Pegasus? Thank you.

Sándor Rónai (Chair): Thank you very much, Łukasz. The next question is coming from the Greens. Mr. Solé, the floor is yours.

Jordi Solé (Greens): Thank you very much, Mr. Chairman, and thanks to all to the two of our guests this afternoon. I have one question, two questions, indeed, for Mr. Arditti. The first one is that I would like to understand what does a client, let’s say a government exactly get when buying software like Pegasus? They just get the software, as I think you said, or they also get somehow technical assistance or they also provide training for those officers that will use that software. And what about the servers, the servers where all this information is downloaded? Who is doing that? The maintenance of this of the servers controlling the flow of data and information between this disk servers, that’s the company here also play a role. And you also said that companies like NSO only, I mean, they get the commitment from their clients that they will only use their software only when it’s legal. And my question is how you control I mean, how does the company NSO, for that matter, how does they do they control whether the clients really stick to their commitment or not? Do they control it at all? I’m going to switch into Spanish now to put my question, Mr. Ramirez, now you said very clearly that the use of this kind of tools would have to be very clearly justified in the fight against crime and cybercrime in particular, and obviously have to be subject to certain controls. What would happen, therefore, if there were to be attacks without judicial authorisation, as has been the case, indeed, in the case of certain governments? So if there is no prior judicial authorisation. And if those attacks had absolutely nothing to do with crime or cybercrime, rather, were designed to try and ascertain what a certain politician or opposition politician was seeking to do. I mean, regardless of the kinds of arguments you would use to try and justify those kinds of interventions.

Sándor Rónai (Chair): From the ID, Mr. Lebreton, the floor is yours.

Gilles Lebreton (Identity and Democracy): Thank you very much. I would like to put a question to each of our speakers. Mr. Ramirez, first of all. You said that in an ideal world, you wouldn’t have. Any kind of these listening exercises going on without judicial authorisation. And that’s a surprise to me because that’s not the way we do things in France. Now you have a wire tapping, as you might call it, which is decided upon by a judge as part of legal investigations. And then you would have the secret services deciding to carry out espionage. And we have a law dating back to 2015, which was enacted by a socialist government to remains in force. And it’s up to the prime minister on his or her own authority to decide to use spyware following an opinion from a specialised committee which does not provide an opinion. And such review is made up of politicians. So elected representatives, as well as judges and prime ministers, have decided to depart from any such consultation and decide on their own and find in their own grounds for such authorisation. And in fact, they’ve gone even further than that because in cases of emergency Secret Service, they will decide for themselves on the use of such spyware without seeking prior authorisation from the Prime Minister. And that is why the Constitutional Court decided to scrap that provision. So it’s a peculiar state of affairs and of course France has been traumatised by successive terrorist attacks and decided that we needed those provisions to fight more effectively against terrorist attacks. So my question really is, do you not think that in the fight against terrorism, it is not something that can be envisaged in a democratic state that we move towards, such as the system, although, of course, there may be abuses. Now, if anybody feels that they’ve been a victim of such a system, of course, then they can then take their case to the courts to stop data. But of course, you have to be aware that such spying has taken place. 
So this is the paradigm that you developed. Mr. Marias, if you like. Now I have a more concise question for Mr. Arditti. Thank you very much. First of all, I learnt an awful lot. You were saying that it’s actually rather difficult to use this spyware. And I take careful note of the fact that the state such as Morocco, in your view, would not have been able to spy on French leaders in France, which I have to find, which I have to say I find reassuring. But do you not think that powerful multinational companies have the means to use these technologies? I’m talking about the tech giants. Of course. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Lebreton. We collected these four questions, and I would like to give the floor to our experts in order to answer these questions. And after that, we will have a second round as we have three more questions. So, Mr. Arditti, I would like to give the floor to you first.

Michel Arditti (SCSWorld): Thank you very much. Now I will try to answer the questions that have been put to me, first of all, as to whether other companies or countries that manufacture these types of spyware and whether they have the same function as Pegasus. Well, the answer to that question will be yes. Everybody is trying to do the same thing. Do they leave traces? Yes, they do. It’s all very complicated because whenever you do penetrate a telephone, it takes time to gather information. So you’ve got a software embedded in the telephone which would then transmit information and data and all of those operations leave certain traces. Now, that was the paradigm for interception about five years ago, but the situation has deteriorated over the last five years. You go from GSM to 5G and there you’ve not yet found a way to move on from 5G. And then when it comes to interception technologies, operators of course are now protecting themselves and manufacturers are protecting their handsets increasingly effectively. So it’s working less and less well and you’ve got the exponential increase in the quantity of data. And so there is a link between this and Mr. Lebreton’s question. [The interpreter regrets that the sound has deteriorated; it is no longer possible to interpret.]

Sándor Rónai (Chair): Excuse me Mr. Arditti, the translation is not working now. So could you please repeat what you told us a few weeks? Please do not touch the Michael. Maybe this is the problem again. Thank you very much.

Michel Arditti (SCSWorld): Thank you. When it comes to companies who are offering these kinds of solutions, the question was whether they also offer or provide a service or training, whether they have service and whether they control those services. Well, first of all, yes, these companies do offer training, but not services, but it’s theoretical training, which means to say that, in other words, it’s usually not in situ in the field. It’s customers who have to set up their own teams with the relevant know how and they will wargame a number of different scenarios and would then use tools which on their own would not work well enough. So they have to determine which scenarios would work well and those that are worth testing out. So as to whether the company runs a service as well. Absolutely not. Customers who buy these services will set up their own servers in order to camouflage their activities. They don’t want anyone to know ever what is going on, and so they would certainly not and trust any provider with the running of their service. Now, what is a real problem for the software engineers is that they have no control over what is happening now. You’ve got certain safeguards, first of all, the code of the nationality which is being attacked, and then you have a very limited number of attacks going on at any one time, one or five simultaneously, which seriously limits the possibility of daily attacks. And if you compare that with what is being done at state level, those that have the technology that is we’re talking about millions of calls being spied on. And then we’re talking about. Numbers, a similar level for the Internet. Now, when it comes to anti-terrorist legislation, it’s important for that surveillance to be carried out prior to attack. And that is why it’s so difficult to grant authorisations and allow any kind of a judicial body to analyse situation. It’s all about preventing a risk. 
Now, whether any crimes have actually been prevented, thanks to the use of NSO, technology will absolutely. In France as well as elsewhere in Europe, terrorist attacks have been prevented thanks to surveillance operations facilitated by and so they have been used widely by states represented here in the European Parliament who are customers of NSO as well as other customers. And Mr. Lebreton, you are also asking exactly what the role of the tech giants is in all of this. Now, in actual fact, it is extremely difficult to intercept telephone calls because the networks do not make it possible to actually trade the amount of data which is out there these days. However, the big tech companies do push for the use of the cloud, so most of the data on your telephone is actually in the cloud, which is run by the tech giants. I mean, you’ve got a phone, for example. Your information will be up there in the Google Cloud and you can, you know, allow your information to be observed by Apple as well. You’ve got Google and Samsung as backup and they will transfer all of your data into the cloud and they exploit that information pretty anonymously. And that is where, I’m sorry to say there’s a lack of oversight, because it just so happens that not only do they exploit that data, but then they sell it on. So people who are looking for information from your telephone can buy it. Now, it appears to have been anonymized, but you’ve got the big data and artificial intelligence data these days which make it possible to de-anonymize data and go back to the original. For example, when you’re looking for somebody’s address and you’re looking for what kind of purchases they make and the way in which they travel to and from work. Well, you know, it’s pretty easy then to discover their identity.
So certainly the tech giants are even more of a threat, in our view, far more serious threat to societies than those companies that are selling solutions to combat terrorism and crime because the tech giants are doing what they’re doing at a global scale.

Sándor Rónai (Chair): Thank you very much, Mr. Arditti. I turn to Mr. Roman Ramirez, as I would like to give the floor to him. Mr. Ramirez, the floor is yours.

Román Ramírez (Instituto de Empresa/Rooted Con): Thank you very much. I will reply to many of those questions all in one go, including some of Mr. Lebreton, because I don’t actually think that governments should do anything that contravenes fundamental rights, which does not enjoy political and or judicial oversight. So this excuse whereby there’s an emergency or an exception can never apply when it comes to justifying the breach of citizens’ fundamental rights. We, of course, have judges and courts, and I think they are absolutely crucial in this whole process. I mean, I don’t know how things work in other European countries, but certainly in Spain we have courts who are responsible for granting authorisation to the intelligence services. That is certainly the legal order that applies right now. And certainly I think that the ombudsman in all European institutions would agree that we have to support all of those efforts and improvements can of course always be made. Now, I would just give you a very brief explanation of the way in which computers and telephones work. I mean, basically, they’ve got the nucleus, the operational system, and then the user, but you’ve got the kernel space and you’ve got the user space. So any successful attack on tools made by NSO or by other companies will try to take over everything which is in the kernel space. So that is essentially the privileges that the computer has and nobody will then know that they are connected. And anybody who claims anything different simply doesn’t know how technology works. And Hacking Team published information about all of these tools because they were clearly identified functions to try and track Islam, Islamist terrorism, as well as child pornography. Now, all of these technologies exist not necessarily then used for nefarious purposes, and that is why we have to have oversight over them.
I think most of these questions are going to have implications for all of those who claim these extraordinary circumstances in order to harm democracy. We have got the intelligence services and security forces. And clearly, they are not acting in accordance with the law. And that is why they will call for extraordinary powers, because they are not ordinary citizens. All of this takes place against a backdrop of extraordinarily complex technologies. And it is the fact of the matter is that all highly developed softwares are very difficult to crack, and you can only do so with tools such as those supplied by NSO. It is very difficult then to make this technological breach because attacks, attackers have to be in the vanguard technologically, but they also have to be subject to no legal constraints. But ordinary citizens, of course, could only use tools to guarantee their own individual privacy. So we have this idea that technology is a form of magic, and it’s certainly extremely difficult for our intelligence service to fight against technology. And if you have, for example, criminals who are able to use what we call steganography, which is a kind of encryption which allows you to work with images and sound. If you’ve got criminals who know how to use this kind of encryption effectively, then it would be extremely difficult for the intelligence services to catch up. And that is why you need judicially authorised operations to pursue these kinds of crimes. And I’m going to give you just one more example. When applications came out to monitor COVID, one of the questions I was asked most frequently was whether these kinds of applications would be used when courts came to investigate certain crimes. And I think that that would be a very bad thing, because we need everything to be subject to judicial oversight, not only. In the case of ordinary citizens, we have to ask in all cases for that extraordinary authorisation.

Sándor Rónai (Chair): Thank you very much for your answers. And then we should start this second round of the questions. I was coming from the members. The first is coming from the S&D group, Hannes Heide. Hannes, the floor is yours.

Hannes Heide (Socialists and Democrats): Thank you very much. But it looks like Pegasus is the Internet for spyware. Software is expensive to get experience, but it’s comfortable. Software. Spyware. I would. There are names that are like trademarks, I imagine other manufacturers origin in terms of where they come from, what area they’re from. I’d like to know about this. And also I’d like to know about spyware that might be cheaper or easier to get or illegally accessible on the darkness. If that’s the case, what kind of thing can that software do? Another question is, is there any kind of anti-spyware software available? Is can you technically protect yourself? How? Thank you.

Sándor Rónai (Chair): Thank you very much. The next two questions are coming from the Greens. Actually, the first question is coming from our vice president. This is Levi here, another photo source.

Spanish Speaking: Thank you. A couple of questions. Firstly. A specific one. Michel Arditti said. The what you buy is part of the product. I’ve got this right. Can you tell us a bit more about what part you don’t buy, what parts? Do states still, Kate, when they buy Pegasus. You also said that the contract is limited in terms of number. Number of. In terms of number of mobiles you can intercept. What would it be, 20, 100 or 4000? Could you tell us a bit more about that? Are there any other kinds of limits, such as across borders? And this is something that’s come up from the rapporteurs question how is that done technically? In terms of getting. Intelligence from different countries that have had hunger pangs, infections such as Hungary, Poland, Spain. Because that hasn’t happened. We’ve got. We don’t get access to numbers of phones, in fact, in outside Spain. So could you tell us about the technical side of things there, please? And then Mr. Garcia. You went into one of the objections we have in this feud in this committee, which is how to stop citizens, students and so on being attacked in the future, such as we’ve seen in Spain, Poland, Hungary. What can we do within the legal framework we have? We need to improve things there and they have big impacts when there are attacks. If you’ve got any ideas, then that would be great. What can we improve legally? We’ve got the rest of the year to go into that side of things. What do we need to do? What mechanisms do we need to come up with so that politicians and the man and woman on the street can deal with this apparently legal situation we’re up against? When you say there’s legal and legal spying because why if states can this mechanism. NSA doesn’t know who they’re spying on and there’s no impact because countries shouldn’t be legally spying on citizens or political opponents.

Sándor Rónai (Chair): Thank you very much, Diana. The next question is coming from Saskia. The floor is yours.

Spanish Speaking: Thank you very much. Thank you to our two guests. Those clarifications and it’s emerging, Mr. Ramirez. We’ve set out what we need to do in terms of beefing up judiciary controls, political trials. But what are your recommendations in terms of controls to be set up? Given your expertise on this? Mr.. To if you’ve got any more pointers, then that would be good. Mr. Hart is trying to get this straight because we’ve got an idea about the technical support and so it gives its clients. You’ve said that you need a theoretical training without intervention on the ground or operational. What? Contractual link is there between NSO and its clients. How long does it last? Is it once the software is being used? How does it work specifically and legally between the company and its clients? How do things work there? Do you have any examples of contracts clauses? Between the two because once the software is delivered, there’s technical training and so it started. Is there no more interaction between the two? Is that how it is? Where is the government in this relationship which grants the export, the export the licence for its use? So is it up to the Government to authorise the parent or in the contractual relationship between the industry and the client? Is there room for the government? If you’re talking about Pegasus here for the Israeli government or others of other government governments who need to grant licences. Thank you.

Sándor Rónai (Chair): Thank you very much. The next and actually the last question is coming from the renew rules at noon. The floor is yours.

Róża Thun and Hohenstein (Renew): Thank you very much, Chair, and thank you for your presentations. So we have just heard that it always has to be justified before anybody can be spied upon. But the question which we repeatedly hear, not the question, the answer that we repeatedly hear is that those who give the permission to special services to spy upon someone, someone that usually do not know how the spy world functions, how much it collects, so what happens afterwards with the data, etc., etc.? Is this so really? And the second issue. And so. So, so. So how does it happen? The permission is given them. But is this a real permission? Secondly, even for espionage. But if it’s espionage larger when there is a case of danger of a terrorist attack or whatever, there are surely many people who are spied upon and nothing was found. The fact it was unjustified said they were spied upon. Do they ever learn about it that someone collected also extremely intimate, that whatever about their life, what happens with those data? Do they have access to them? Will they be deleted sometime? Do they have of the guarantee? But especially do they know he do they have a right to know about it? And secondly, are they compensated if they were spied upon in an illegal or not justified way, nothing was found against them. And thirdly, we heard several times that there are intermediaries between NSO and those final users of the spying, of spying, as was quite simply, what is the link between those intermediaries and NSO? How does it function between the two services. Yes. And the service space and the last linked to it probably is a Mr. Arditti said that you can spy only within one country. Whereas we have a case in Poland when a lawyer who was targeted by Polish services there, it was proven to him that when he was in Italy continued to be targeted. Does it mean that the Italian services had to be implemented in the whole process? If Mr. Reynders Commissioner Reynders received from Apple a warning that he may be spied upon, does it mean that the Belgians were spying on? Commissioner Reynders, how are we to understand this? Thank you very much.

Sándor Rónai (Chair): Thank you very much, Róża. I was wrong. It was not the last question, because now I would like to give the floor to Ms. Neumann. The floor is yours.

Hannah Neumann (Greens): Thank you for allowing me. And I will be very short. But because my colleagues were speaking of the issue of justification. So who needs to justify who has been spied upon? And the issue of export decisions for me is the question. If we export spyware to a third country government, let’s say, for example, Egypt, which happened, who checks the justification of each and every person that is spied upon? Do we just trust the Egyptian government that they do that according to their procedures, or is that part of their export decision that it’s been checked case by case by case, it would be spied upon. And the similar question basically applies to Pegasus and NSO, for example. How is Israel handling that? So do they just give it to UAE and then that means they have to sort it out in their own procedure? Or is that justification check done case by case?

Sándor Rónai (Chair): Thank you very much. I would like to give the floor back to the experts first. Mr. Ramirez, the floor is yours.

Román Ramírez (Instituto de Empresa/Rooted Con): And thank you, but also questions mixed up. I’ll try and take a few at a time. I was particularly interested by the question about what kind of controls how to implement them. If a policeman is armed, then there are a number of checks put in place. Such as checking munition, having weapons coming out. You have to sign the gun in and out of that. For this kind of tool. Spyware or remote wrenches, terrible remote steering of equipment. There are procedures where there is the encryption of the tool, where the token only being used. If there are four or five or six people that have signed it off, just as there’s a separate separation between the judiciary and the executive and national government. So you can have separate authorisation groups, meaning that all everyone needs to agree with these before using the tool. And the sound quality is deteriorating.

Román Ramírez (Instituto de Empresa/Rooted Con): Of course, this kind of with manufacturers saying this isn’t happening, but there is evidence that shows that there is not much oversight in there. So. But yes, there can be control mechanisms simulating weapons coming out. As for other players that use physical things like guns and rifles and so on. A take control registry can do with this. If you’ve got a judge who signs a ruling that says who has the keys to the software and the authorisation is given and all of that documentation can be laid down and the use of the tool is done within the team where everything is signed in a register for democratic checks to be carried out if necessary. All of that can happen under the Official Secrets Act and the various bits of legislation for all of this that can be done. Those checks can be done. As to whether the people involved want to do that, that’s another thing. Now, I would like to put a concern to you. The good. What can happen here is that people can take these tools further. So you need to take the right steps to make sure that there are controls. In the legal side of things as opposed to chaos elsewhere in terms of the licencing and how all of this works and how it’s checked. Well, once again. I don’t want to just put out opinions if I don’t have direct evidence to have indirect in terms of how things work. Things are a bit questionable here. We’ve seen this in other cases where you’ve seen companies that have come up with similar products or governments that have used these as and when they wanted with infecting people that have happened, people who’ve turned out to be innocent. So this is very similar to how forces used. I as a citizen have a social contract relating to how weapons are used. And if someone uses a weapon wrongly, and if they’re in that case that’s in extremist, then the consequences should be an extremist.
And it’s not just a case of being in line with the current set up, but the victim needs to be compensated and given a public apology if necessary. That means. What does that mean, that all the spying was illegal? Well, I don’t think so, because looking at the logic that we’ve seen in various different cases, many are backed up by a legal ruling. And there will be channels for the judge to use another procedure where their peers can see whether there’s been some not. But this is the Democratic model we’ve all signed up to. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Arditti. The floor is yours.

Michel Arditti (SCSWorld): Thank you very much. Well, just to reply to these very pertinent questions. The Green MEP asked me about the part which is provided by companies such as and issue and not the vector. Well, this. Part A allows permits a connexion to the Internet. And permits allows us to camouflage or hide where the attack is coming from and to implement collection services. Service. And you have to take data out, extract it. And these servers are usually on the premises, that is, with the governments on their premises, and therefore there wouldn’t be access on the part of their parties to that information. And there are rules about data analysis. You need a lot of preparation and know how to be able to process this. Not everyone can do this. So it’s, again, a question that the governments can do. They have the means. They have the teams that can use these platforms in their legal investigations. So that’s a very important point. And there was a question. But it’s about whether or not other similar software exists. Yes, indeed. We’re not going to go through all the different meats on the market. We have about 30 main players well spread out all over the world and they try to come up with the same performances and so with relative success. As we said, however, at the beginning, the situation has now changed and two years ago we had a different situation from what we have today. Today only a very few players can guarantee or if they provide, it’s not in a sophisticated enough way and the attacks can happen. And we also had a question about the contractual link between a company like NSO and its client. So if you ask us what we are selling, well, it’s a number of accesses and infections over a certain period of time, and that’s all these infections. Cuts are not guaranteed. That is, it’s up to the client to target the devices and to identify a criminal, a player. We’ve got burner phones that are used once, once only. And before you can have a solution.
To fight criminals and spying, you have to carry out this enormous amount of pre-preparation and which requires a great deal from the surveillance system. Otherwise it just doesn’t work. And I also had the question about the functional functioning of export licences. Well, that’s similar as it is for war material. That is, the Government prepares licences for countries which have no possibility of having the export. And this is all very specific, so very tightly controlled and these systems are not available freely. Of course we have the dark web where you can find anything and everything. We find, for example, data which have already been intercepted. He also asked about the role of intermediaries. Agents. Well, that’s trying to convince the client that a particular instrument is adapted to his problem. And these are very expensive. And they require platforms and infrastructure which are difficult to deploy. It’s time consuming. So an agent on the basis of the information about the country and the target can advise them. We’ve the different kinds of situations such as people trafficking or organ trafficking. So what are the most appropriate tools to manage that? As you can well understand, therefore these are all very complex issues and we have attacks which are mainly managed by the governments. If we have slip ups, well, it’s usually due to a lack of control and lack of checks. It’s true. And we’ve however and we must deliberately mention this. We have a disproportion here. And because we have. A great deal of data which we were not even aware of is being collected. And this is registered so that when you have a phone, you have everything recorded there. And it’s not just that most of the users are not even aware of this. So it’s very important, in our view, therefore, to continue to regulate the activity of companies which come up with devices such as Pegasus. They’ve got to be aware. They’ve got to react and react to the power of the big tech companies.
We haven’t done this in the past and often we’ve got this situation which the users are not aware of. Just to give you two or three. Points which are pertinent here when you programme your phone in order to register, for example, your password. You provide this password, which you think is specific to your phone, but it’s the operator or one of the big tech companies which manages that who who knows who’s aware of that? And when you click on your button for Facebook or Google or you give a Google access to Facebook, you don’t know what all the data that’s going to be connected there. So these are the main challenges that we face concerning privacy and digitisation in the years to come. Who the big tech companies are able to quite blatantly check everything.

Sándor Rónai (Chair): Thank you very much, Mr. Arditti, Mr. Ramirez, thank you for lending a helping hand to our work. Thank you for your presentation. And I just want to thank all the participants of the first part of this meeting. Thank you also for your questions.


Panel 2

Sándor Rónai (Chair): Now, please let me just as the secretary, have to ensure that the speakers of the second panel are all online already. Yes. Yeah, as far as I can see, the answer is yes. So let’s continue our work with the second panel dedicated to safeguards and supervision. I give the floor immediately to Mr. Wojciech Wiewiórowski, the European Data Protection Supervisor. The floor is yours, Mr. Wojciech Wiewiórowski.

Wojciech Wiewiórowski (EDPS): Thank you very much. I hope that you can hear me. And I hope that the quality of the sound is enough. I’m sorry. I would like to say I would be very happy to be with you at this committee meeting. But actually, that’s not anything to be happy about that we have to discuss the problem, which is with us security for a long time. And we already, as the European Data Protection Supervisor, we have presented the similar position of the EDPS at the meeting of the LIBE Committee in late November 2021, because the problem of Pegasus and similar software is present in the activities of the data protection authorities, and therefore already some years there are.

Sándor Rónai (Chair): Excuse me.

Wojciech Wiewiórowski (EDPS): That.

Sándor Rónai (Chair): The translation is not working in French, as I mentioned in Spanish, also not in Spanish. The Hungarian is working much. So we keep a three minute break. Sorry for the inconvenience. After that, we will continue our meetings.

Sándor Rónai (Chair): Dear colleagues, we try to continue our meeting. Unfortunately, our technical team tries to improve the quality of the first picture, but it. So this issue is not solved yet. That’s why we are jumping to the second speaker, who is Mr. Sessa. I would like to give the floor to him. And when the quality is good enough, then we will return to Mr. Wojciech Wiewiórowski. Mr. Sessa, the floor is yours. Thank you very much.

Duro Sessa (EAJ): Good afternoon to everybody and I am really pleased to be here and to participate in this very interesting meeting and whatever of what I heard in the first panel was really enlightening. Also, my view on this problem, I will try to speak something about the role of judges in this exercise of surveillance. So I think the furthest from this point of view of judges. There are two aspects. One is when the judges are granting permission to surveillance. And the second aspect is protecting persons and citizens from breach of their human rights caused by surveillance. So in the first question, these cases are very particular ones because those who are the subject of the cases do not know that surveillance is ordered against them. And later on it is very difficult for such persons to challenge the results of such kind of surveillance because it is something which is used and is a good faith doctrine which allowed us to use those evidence. Even nobody, the person who is subject to it is not has any knowledge of such exercise. The second problem is more practical, but also very important, and that is that authorities, sometimes prosecutors, sometimes police. And that depends on the honour to sit on the national system, look for the judges who are more likely to grant such permission from those who are not. And as it is, I think, very important to mention that any country should have very strict laws on this issue and for judges is not to in principle to grant or not to grant these surveillance methods, but to ask the right questions before delivering such kind of decisions. Because at the end of the day, the judges are those who would protect the breach of human rights on the second side, and that is how to protect citizens. I think we should rely on the European Convention on Human Rights, basically two articles. 
One is Article 8, protection of family life, and Article 13, which guarantees the right for effective remedy on any decision or any action which has been brought by the authorities. So in the general rule or the Article 8, everybody has the protection of private and family life is protected, and that is basic. But in the second section of this article, there are some exceptions when this can be done and there are some conditions which have to be fulfilled to evaluate such breaches as lawful. First, it has to be in accordance with the law. It has to be necessary in a democratic society. It should be in the interests of national security, public safety, or economic well-being of the country. So on that basis, there was a very rich case law of the European Court of Human Rights, followed by the European Court as well. And one of the questions, which I think is also important to answer, do we need control of a judge or it is also allowed to have controls of some other bodies and within the government? So. From the judgements of the European Court of Human Rights, it is absolutely clear that some control is necessary and it could be before granting the surveillance or after it. But as it is said in Klass and Others versus Germany in 1978. But it is still a judgement which can be followed in these days. It is that it is desirable to entrust supervisory to control of a judge. Also in one later case from 1990, it is here versus France. The court clarified that it is that surveillance has it needs legal basis. And there are two aspects of that. First, that it has to be law in a wider sense of it, and that that law has to be very clear so that there are no questions, how to understand it. So from this judgement, this was a Germany. There are some requirements which the European Court of Human Rights addressed as necessary to be solved in the law. 
First, it should be solved defined the categories of people liable to monitoring sake. The second, the nature of the offence is subject to surveillance. Limits on duration of such monitoring. The procedure to be followed for storing the data, the precautions to be taken when communicating data, and the circumstances in which data is erased or destroyed. So this is what every law should have in the national legislation to clear, to create the frame when this surveillance has to be can be done. And for judges, of course, to check every time was it done according to the law? And that is the position of every national judge in any member state. What is also important to mention here, it is a case of Szabó and Vissy versus Hungary, where the principle of strict necessity has been set up, and that that means that this necessity to breach the private and family life can be only done, not if it is necessary in democratic society, but additionally that it has to be strict necessity. And that is later on what the European Court of Human Rights, the European Court of Justice, and also accepted as a principle in some of its judgements in Digital Rights Ireland and Schrems versus Data Protection Commissioner. So as I could just come to the conclusion any breach of Article 8 or that human right for protection of private life has to be strictly a necessity in the society to protect the values which are perhaps at that moment more important than those which are protected by the Article 8 to come to the conclusion. I think that to I could just say that the judges are facing different legal system and different rules of surveillance anyhow. Their role cannot be excluded. Nevertheless, if such control is introduced before the surveillance is granted, or only after it has been conducted, or both, and if the society wants to trust the judges to control this exercise, they should not just put judges in charge. That is, I think, not enough. 
They should be provided with sufficient training possibility to study comparative examples and good practises. And the working conditions are seen a concern for efficient and effective protection of human rights. And one additional question before the judges could come, and that is the question of damages when these exercises is not lawful or when they are subject to. The unlawful surveillance and the state are not protecting them, you know. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Sessa. Our technical team informed me that they couldn’t improve the quality of the incoming sound. But if Mr. Wojciech Wiewiórowski can speak English, then we can continue his presentation when possible. Then I would like to give the floor to Mr. Wojciech Wiewiórowski.

Wojciech Wiewiórowski (EDPS): Thank you very much. As this is my life and this is my plan to speak English throughout the whole presentation. So once again, thank you for the possibility to present the opinion of the European Data Protection Supervisor in this important topic. As I said, we already presented it to the LIBE Committee in the end of November when we sat at the same time. The general point of view on the subject of the surveillance technologies that are right now available and to Pegasus itself. But I understand also from the previous panel that we are going to talk not only about this very software which was provided by the NSO, but also the other is similar to technology and similar software being around the use of the such targeted digital surveillance tools clearly interferes with the fundamental rights to privacy and the protection of the personal data in the EU. And it may adversely affect other fundamental freedoms, such as the freedom of religion and expression and of information, the freedom of assembly and the freedom of association. Since we rely more and more on smartphones in our life and today are more and more possibilities which are given to the smartphones, not only the connexion, which is equivalent of the telephone connexion and equivalent of the masses, but also the things which are connected, as we did with the telephone, access to the large databases and to the systems which are used either by the public authorities or by the companies. We have to say that the law which exists in many of the European Union countries is rather still reflecting the way how the interception of the telecommunication has been done in the nineties of the 20th century or the very beginning of the 21st century. 
And if such spyware tools are available at the market, this means that anyone who has the power and the money to purchase, such as spyware tools, have a full access to our lives and we have to add that that also means that this access, even if it’s not that easy at the moment, will be much easier in the years to come. So we cannot restrict then the possibilities only to the big companies and the state authorities. And we have to be used to the fact that such a software will develop in order to be accessible for the smaller clients. And we, of course, noted that the software both from and the SO have been used for different purposes that were often as often justified by their national security. And that’s also true that some of the data protection authorities in the member states have been asked for the decisions or assessment that if this the use of this software have been done in this national security context, because if so, it should not be in the understanding of some of the governments. It should not be the part of the discussion in the European Union institutions. Nevertheless, we as EDPS recognise the topic much more important for the very essence of the right to privacy and the right to data protection. The distribution and the use of this spyware is a long story, standing as a serious concern. And I would like to remind that in 2015 there were already some recommendations on what the EU should do after so-called hacking scandal. Amongst our recommendations then to the European and the national legislators was to use this and the use and dissemination, including inside EU of the surveillance and interception tools and related services should be the subject of the appropriate regulation, taking into account the potential risks of violation of fundamental rights, in particular right to the data protection. After this first hearing. In the European Parliament. 
The European Data Protection Supervisor has issued the first the separate document which called for some actions and proposed some recommended some steps to be taken as far as the supervision of this kind of software is concerned, because we have to admit that the use of certain software, which is interfering into the privacy in the very total manner, have been somehow recognised by the Court of Justice of the European Union and the European Court of Human Rights, which, when they went into said that the national security grounds and the fight with the terrorism may create exceptional situations where such a tool can be used. So despite we think that the general rule should be the ban for the use of the software, which is depriving people of the privacy. And that’s the one which we are talking about. We understand that there might be the situations which are treated as exceptional. It’s not to the data protection supervisor to say that that’s where is this border between the deprivation of the right as a whole and the exceptional circumstance that can justify the intrusion and terrorism and organised crimes posed a serious threat to within the European Union and globally. And the detection, prevention and prosecution represent important objectives of the general interest that may justify the limitation limited exercise of such and such a software. But of course, it has to be done under the strict control, the control which is provided by the judicial authorities. And I think that the previous speaker said about that in the very clear manner. So let me finalise this presentation by recalling the recommendations which have been given by the European Data Protection Supervisor in the last documents armed intrusive surveillance systems. We call for strengthening the democratic oversight of the surveillance measures which are developed in many EU countries. 
We have the example of France, which was explained Elisabeth, in the previous panel. And then the second thing is the strict implementation of the EU legal framework, especially on data protection, especially the law enforcement directive, which is still not the case. Judicial review. Both ex-ante and ex-post should be real. It cannot be mere formality. We are aware of the scientific researches which show that in some countries that all their motions all day and all the motions from the police for this kind of with this kind of interception are accepted, which seems to be an extraordinary success of the police and the strengthening of the protection of offer to by the criminal procedure, strengthening, not losing it as it happens in some of the countries, even if there was no rule of the fruit of the poison tree in some of the countries, that we should remember that if the proof is the evidences have been collected illegally and they anyway can be used in the criminal procedure, that does not remove the criminal responsibility of the person who collected them, even if this is the person who works for the police or the services. We also call for reducing the risk of data originating from the undemocratic and abusive surveillance practises to reach the database of the European Union, and that is connected with the problems of the and the resources stored by Europol. We call for the countries to stop using national security purposes for legitimately politically motivated surveillance, which seems to be the case in several of the reported cases in the European Union addressing it. We also. To address the rule of law problem, which should be included in the discussion since the way that the people who are mainly fighting for our security are forced to use the tools that are developed in order for that is something which makes me really very it puts me in a very difficult situation. 
When I start talking with the police and law enforcement authorities wanting to have the possibility to defend the citizens and finally empowering the civil society to bring the awareness of the public debate forward. And the last sentence, we have to remember that this tool will be preferred for the reasons of the cyber war or the military purposes in the member states of the European Union. And if so, we have to be aware of the fact that they will exist even if we are in favour of a ban. We are afraid that we have to talk about the control over the use of the software which is in the hands of the state authorities theoretically prepared for the national security purposes. Thank you very much. And I’m ready to answer the questions.

Sándor Rónai (Chair): Thank you very much. And I have to apologise for the inconvenience. We come to the end of our list of speakers today with the intervention of Mrs. Cindy Cohn. Mrs. Cohn, you have the floor now. No.

Assistant: You, Mrs. Cohn, you can press this big button once at the bottom of your page.

Cindy Cohn (EFF): Wonderful. Good morning. Well, it’s morning where I am. Thank you very much for inviting me to come and speak and also for the accommodation of the time that I received Diamond. I’m based in California. I wanted to talk to this committee about the view from civil society, at least from the Electronic Frontier Foundation’s view. And, you know, we have been watching the problem of state sponsored use of this kind of malware for a very long time and have been horrified that even before Pegasus but certainly since Pegasus, that the misuse of this against journalists, human rights defenders and ordinary people all around the world, EFF has tried several different attempts to bring accountability to this situation. And frankly, we need your help in order to do this. And I think it’s appropriate role for the European Parliament to take a lead on some of these issues. We recommend four things in order to try to create some better accountability around the misuse of these systems. The first is, and the most important honestly, is we need support for real device security. These tools, these malware tools depend on the fact that the phones and other systems we use are simply not very secure. And in this regard, many governments of the world are really speaking out of both sides of their mouths. On the one hand, they say they want strong security, and on the other hand, they are engaged in ongoing efforts to undermine the security of the tools that all the rest of us depend on. And I want to specifically call out one that’s moving in the EU right now, which is the CSA proposal to try to create client side scanning or the kind of scanning to mandate access to the clear text of any communications that people are using. It may feel like this is not linked to the state sponsored malware question, but I wanted to reinforce this. These two things are linked. 
The efforts to try to undermine strong encryption in people’s devices end to end encryption that lets people have a private conversation, are unaware of the exact ways that these kind of targeted malware systems use to get into people’s computer. Unless we have strong device security, we’re never going to win against the malware things. In fact, it’s always going to be a balance. It’s always going to be a cat and mouse game. But right now, the governments are not coming down firmly on the side of people’s security, and we need to fix that. And one of the first ways is to reject this CSA proposal that is moving right now in the European Union. In terms of other things that can create device security. It’s very important that governments don’t hide, don’t share exploits when they find out about a security problem in a device. They need to share that problem with the device manufacturer and ultimately, if necessary, the world so that people can patch their devices. Security isn’t an end point. It’s a process. And when governments around the world hoard exploits and don’t share them because they want to be able to use them later, that creates an insecure system for all the rest of it. And government’s responsibility ought to be to make our devices more secure, not to make sure that they always have a way in. The balance is off right now. We know it’s always going to be a process. We know there are always going to be security problems. But the government should be on the side of end users having as much security as possible and hoarding zero days and other exploits is not the right way to do this. The balance is off. The second thing. So that’s the first thing is we need all hands on deck to make sure that we are making devices as secure as possible, networks and everything. EFF and a bunch of organisations around the world have created a certificate authority of free and available secure certificate, a sort of authority to try to protect people’s web surfing. 
Honestly, this shouldn’t be a civil society job. There shouldn’t be a private industry job. Government should be supporting end to end security all the way from mobile phones to networks to devices. And the idea that a private organisation like EFF, a non-profit civil society organisation had to create one of the basic building blocks of network security and make it available free to the world, that should indicate to you that something’s broken in the government’s responses to security. And of course, we created this in part because of the recognition that the national security infrastructure led by the United States was infiltrating our networks to. Security. So, you know, we’re here talking about NSO Group, we’re talking about specific malware and targeted malware. But this is intertwined with mass surveillance. It’s intertwined with basically the failure of governments around the world to take a strong and undivided stance in favour of secure networks, secure devices to protect people around the world. Next, we need to create real remedies. Many of the other speakers have talked about this from different frameworks. I want to talk from the framework of the actual users who are targeted by this surveillance. We need two kinds of accountability. First, we need direct government accountability thing doctrines like sovereign immunity, which blocked a case that EFF brought in the United States against the government of Ethiopia for tapping in to the devices of an American citizen here in the United States. That lawsuit was blocked by sovereign immunity. That’s inappropriate. The sovereign should not be immune from spying on people in other people’s country. People should be able to have the same kind of redress against that kind of governmental spying as they have against private spying. 
And second, the companies who sell these kinds of spying devices should be liable in the countries where they impact people or in terms of global jurisdiction as well. So we need liability for this for the governments and we need liability for the companies for spying on people. This will create a hopefully a bit of a counterpoint to the kinds of impunity that we’re seeing all around the world now for this kind of spying. That and I think that will take the kinds of thinking both ways, both to try to create liability and second, to try to deal with some of the jurisdictional blocks that exist right now. I’m happy to go into any of these in depth, EFF has done this in depth, but I only have a few minutes, so I just want to flag some things that are getting in the way of redress right now from an organisation that’s been trying to do this now for well over a decade. I also think that we need to empower and we’re seeing a few of these cases right now, but we need to empower the companies who have been spoofed in these situations to also have liability. I think this committee is familiar with WhatsApp suing NSO Group. Apple is also suing NSO Group for basically misleading users in the way that their malware works. So you think that you’re getting an iMessage, but it’s actually a piece of malware. You think that you’re getting a WhatsApp message, but it’s actually a piece of malware. This is a misuse of the trademarks and the goodwill of these companies, and we’re very supportive of the litigation that has been launched by these companies, but it has a very narrow window to go through, and I think that it would be very helpful for there to be a widening of that so that the companies whose good names are besmirched by the misuse of this malware have the ability, the standing and the ability to seek redress for that. 
I think it creates a tremendous counter weight to the kinds of impunity that we’re seeing now, and it doesn’t foist all the responsibility on accountability, on the victims who often don’t have the same kind of resources. So there’s work that could be done there to make those cases easier and broader and available in more places in the world than they are now. The third step is to create stronger incentives for companies to not sell these kinds, this kind of malware. And I think I’d be remiss if I didn’t point out that right now, at least the while, this is something that’s a problem all around the world, the leaders in this, whether it’s NSO Group or the other companies, are doing it. Many of them are based in Israel. And I think it’s time to have a strong conversation with the government of Israel about the kinds of steps that it could take to stop these companies, many of which are reusing governmental, tech, developed technologies. As far as we can tell from selling these around the world to unsavoury users who are misusing them if they’re the U.S. State Department, put out know your customer guidance in 2020 for companies to rely on when they’re deciding who they might sell this kind of technology to. I think that that guidance is not strong enough and we need more of it. But certainly putting pressure on companies who are selling into this market to do a better job of sorting out which countries are going to misuse this are obviously going to misuse this and which aren’t is tremendously important. I would note that NSO group is presenting right now at ISS, which is one of the national security vendor conferences, I believe it’s in the Czech Republic right now. They’re a sponsor and still presenting their wares right now at a conference in Europe. 
So when I’m talking about impunity, I’m talking about serious impunity, that there has been no accountability, or at least not significant enough if this company still feels like it can sponsor a conference to sell their wares inside Europe. We have a lot of work to do. We are supportive of the moratorium of a temporary moratorium on government use of these. Until we get real accountability measures in place and real oversight in place, there is plainly not enough right now, given the murders and other actions that we’ve seen with the misuse of this, we have more work to do around accountability. And so EFF supports a temporary moratorium, we know that’s not going to be a full fix, but it’s a strong message to send and we think that it’s appropriate in this situation. We were pleased to see that the Special Procedures Group of the Human Rights Council of the United Nations also came out in favour of a moratorium because of the serious human rights issues going on right now. We think that’s the appropriate way to go, but it shouldn’t just be a stopping point. So a real device security, which I think is the most important piece here, governments have a role to play, but we know this technology’s always going to exist. We know there are narrow circumstances in which the national security infrastructures are going to want to have it and use it. So giving users as much protection as possible ought to be the priority of governments around the world. Real remedies, real accountability, real accountability, both before sale and after sale for the companies that are developing this and the governments that are using it and a moratorium on government use. Those are the four steps that we think would help get us to a slightly better place in this. But this is an area where we’re going to need diligence. It’s important and it should be a priority. So thank you for your time.

Sándor Rónai (Chair): Thank you very much to Mrs. Cindy Cohn. Let’s open our question and answer first with the traditional first question of our rapporteur, Sophie in ’t Veld.

Sophie in ’t Veld (Renew): Yes, thank you. I have many questions, so I’ll try to be very, very quick. I have questions to all three our speakers. First of all, to Mr. Sessa about judicial authorisation. So we heard about cases in one of the member states concerned whereby judicial authorisation had been sought for some cases, but the judges afterwards discovered that they had not been given all the information. So they said, you know, we took a decision, but on the basis of incomplete information. So what should be done in such a case could, let’s say, to the government who sought authorisation. Can the government be resumed? Can it be taken to court? Should there be sanctions? Have you have you a minister? What about ex-post verification? Shouldn’t there be a sort of automatism whereby judges who have authorised also afterwards check if indeed the operation complies with the grounds on which the authorisation has been granted? Has the Association of Judges discussed these cases that we know of? Have there been comparison? Has any action been taken? And then what if a government in, let’s say, a member state A engages in a spying on a person who is in the territory of member state B because in that case, a judicial authorisation in a member state A is circumvented. Well, member state B as well. So there is no judicial authorisation, even if it would be legally required. And that means that your authority as judges is being undermined. It would also have, in my view, an impact on judicial cooperation within the EU. Let’s say European arrest warrant, Europeans, European evidence warrant e-evidence. And let’s not forget that if e-evidence ever sees the light of day, it will also set the standard for information to be shared with the American authorities. Final question to you is national security? 
I always wonder how national security can be used for an exemption to certain rights and protections if there is no legal definition of what national security is. There isn’t a single definition. To Mr. Wojciech Wiewiórowski. Can you say if this has been discussed in the context of the EDPB and if action is considered against certain governments? What about the Hungarian DPA specifically, where we have big question marks over its independence? And I have a question to you as well as to Mrs. Cohn. What about the trade in exploits? Should it be outlawed? Because clearly, this plays an important role for, you know, the malware. And one last question to Mrs. Cohn. Are you aware, uh, we know that NSO is apparently well, they’re trying, first of all, to, to get the blacklisting reversed, but they’re also considering maybe splitting the company so that certain parts could resume their activity in the U.S. and other parts could not. Have you heard any rumours of, let’s say, this company splitting parts of it being sold and may be acquired by maybe Mr. Thiel, maybe Palantir or others associated with them? Have you heard any rumours about that? Thank you.

Sándor Rónai (Chair): Thank you very much, Sophie. Before I give the floor back to our guests, I would like to ask you, please keep in mind, maybe we so we have a lot of key answers won’t be translated. It’s just a reminder. But I would like to give the floor first. Mr. Wojciech Wiewiórowski then Mr. Sessa and after that, Mrs. Cohn. Mr. Wojciech Wiewiórowski, the floor is yours.

Wojciech Wiewiórowski (EDPS): Thank you very much. I can say that the question has been raised at the meeting of the European Data Protection Board, but no action against the data protection authorities or against any other institutions in any coordinated action has not been taken mainly because the in the of the only decision that we know from the Data Protection Authority is recalling the national security as the basis for the activity of the of the Government. And the DPP is not discussing the problems of the national security this way, but this topic is coming back and I believe that it will come back to the DPP because this is not the only country where to add that when the problem of the Pegasus is reaching the Europe, it is that the protection authorities. We also want to pass to the European Data Protection Board to information about the actions of the national level which we have been informed in about, and which may and may concern the members of the national parliaments and members of the European Parliament about trading in the exploits. But once again, we are in favour of ban and in favour of checking the list of the possible export and import import limitations which the European Union is using. As far as this kind of the this kind of surveillance measures are concerned. Well, exploits, of course, may mean very different things, and some of the exploits are in use and today are exported and imported by the EU is by the EU entities, no matter if they are used for the surveillance technologies or for fighting with the with the cybercrime. And that’s I guess the question is, were the questions which were directed to me.

Sándor Rónai (Chair): Thank you very much, Mr. Sessa. The floor is yours.

Duro Sessa (EAJ): Thank you. I will try to answer everything, but I’m not sure that I get all all the notes properly. But the crucial point is that the judges can control surveillance if they have enough independence and enough autonomy. And that is up to the European Parliament to secure that in every country of the European Union. That is the case and we are now facing that in many countries. They are that the measures are taken to narrow this independence and autonomy. And so I think that we are very in a very serious grind because it can be a copy paste for other countries to follow that path if that is not going to be stopped. There are two levels of surveillance. The first is one which is granted by it to judges in most countries, but it is not evidence before the court and cannot be used. Another one is granted by a judge investigating judge or in some countries, the prosecutors who have the same position as judges when they read the proper investigation is started and this evidence can be used before the court. But in all the cases, there is the judge or the panel of the judges who are reading those evidence and which can say this is enough or not or this is not properly collected and we are not going to allow it in the case. And it did. Our decision cannot be relied on such kind of evidence, but it is case to case basis, and it can be that the answer for that cannot be given directly for every case. But there are there should be rules in criminal proceedings which would allow such kind of of control from a judge. And the issue above to do what is the national security issue? I don’t think that anything can be put in in law because the life is going rapidly. But sometimes the common sense has to be used in that kind of of cases. You’re saying, again, that the judicial control is done in the final phase in the court proceedings, which are controlled by appellate court, then by the by the Supreme Court and sometimes for the European supranational courts. 
So this is the control which judicial can provide. And so far the European Association of Judges was not dealing with this issue, but perhaps now is the time to do so. Thank you.

Sándor Rónai (Chair): Thank you very much, Mr. Sessa. Mrs. Cohn. I would like to give the floor to you.

Cindy Cohn (EFF): Thank you very much. And thank you for those questions. In terms of the first one, about trade in exploits: I, you know, EFF does not believe that government should be hoarding and trading in zero days. I don’t mind if they buy them as long as they then, because there is a robust market for these things. But hoarding them is the thing that we need to stop. If they want to buy them and then work with the companies to fix the problems, that would be a useful thing for the government to do. It’s when they buy them and keep them. I would submit that at least in the United States context, I’m an American lawyer. The export regime, I don’t believe is the appropriate place to think about these kinds of exploits. We are supportive of a ban, but the U.S. export regime has not proven to be particularly effective in this. And there are a lot of side effects from the way that the export regime has been applied in this and other software contexts. And most importantly, we didn’t have encryption freed from export control until the work that my organisation and I did in the 1990. So I am somewhat sceptical of the U.S. export regime being the mechanism here. We are supportive of a ban that’s a lot simpler and we think that government should not be hoarding the zero days. I also would note that, you know, Israel presumably has export, actually does have export restrictions that didn’t seem to be effective here to protect against the Pegasus tool. It would be great to get some straight answers from the Israeli government about this, but my understanding is everything they did was perfectly consistent with the trade rules in Israel, which strikes me as indicating that we need to do something other than add things to the export restrictions. In terms of the rumours about the company splitting, I have not heard those personally. I did not check with my team, however, before coming here today, and some of them have their ears a little closer to the ground than I do.
It would not be surprising to me to see corporate shenanigans like splitting and renaming and rehoming. We’ve seen that across this industry with company after company that has been identified, targeted and uplifted, simply morphing into something with a different name or a slightly different structure and continuing onward. I think that has been the case with other companies, Hacking Team and some of the other ones. And so it would not at all be surprising to me, but I have not heard any rumours as of yet.

Sándor Rónai (Chair): Thank you very much. First, I’d like to ask our rapporteur, Sophie in ’t Veld, if she has any follow-up questions.

Sophie in ’t Veld (Renew): No, not for now. Okay. Maybe at the end. I’ll listen to the other questions first.

Sándor Rónai (Chair): Thank you very much. Then I turn to Mr. Juan Ignacio Zoido Álvarez, The floor is yours.

Juan Ignacio Zoido Álvarez (European People’s Party): Well, first of all, I’d like to thank our speakers this afternoon because. Well, we’ve not had a technical problem, but I would like you to do everything in future to see to it that the rights of all of us are complied with. And we would like to have interpreting, as per the normal format, as an obligation throughout the Parliament to prevent any recurrence of this in future. Notwithstanding those translation problems, what the participants had to say was extremely interesting, and all of this has become rather fashionable. Unfortunately, for a few days now, we have been talking about the problem of gun control in the U.S. The immense majority of European citizens believe that the key to resolving this dramatic issue is linked to the way in which we regulate those who are entitled to use arms. And I think the same applies to cyber vigilance because we have to look at what the implications can be if these technologies fall into the wrong hands, extremely serious for our individual rights, as well as for our democratic societies. But the flip side of that is if they are in the right hands. So in other words, in the hands of the law enforcement and intelligence authorities of states which are governed by the rule of law and which provide for appropriate safeguards, then in actual fact, that is being used to protect our freedoms and to protect our democratic societies. And we therefore have to have a well-designed system. And this is precisely what we’re talking about right now. And I think that the format of judicial oversight is particularly well-suited to avoid interference on the part of the executive or from politicians. And I think that on that score, we are all on the same page. I would like to make a. Specific. To put a specific question to our speakers and of course, we have not analysed the specific situation each country we have looked in Europe. 
But I would like to know from our speakers what forms of best practise are out there, which countries do have supervisory machinery which has proved to be particularly positive so that we can take it on board in this Parliament when we come to draught and adopt our report.

Sándor Rónai (Chair): Thank you very much. The next is the S&D group. Mr. Hannes Heide, the floor is yours. Thank you.

Hannes Heide (Socialists and Democrats): There was one detail when Mrs. Cohn presented: you were talking about the conference in the Czech Republic where products software is presented. I want to ask, what are the circumstances of this conference? Who are the hosts, the presenters? And who is the audience for an event like this?

Sándor Rónai (Chair): Thank you very much, Saskia Bricmont from the Greens. The floor is yours.

Saskia Bricmont (Greens): Thank you very much for those very interesting questions in particular. And I’d like to. Ask the speaker from EFF. About what happens when there is a request from the intelligence services. According to you, is there a harmonised system in place amongst the member states and have you got targets with the names and why the request has been made? Or is it general within the framework of the case being pursued or security, national security, according to which the judges don’t actually have access to a name, but rather a target, which could be a political objective. And that leads me to my second. Comment on the question of national security. The European Commission has received a response from Poland and Hungary. Question on the question of national competence. We’ve had there should be no interference because it’s a national question. And I’d like to hear your views on this, because we keep hearing this argument, which is increasingly problematic in terms of the rule of law and so on. And where this particular argument. It causes infringements of fundamental rights and in particular. The protection of privacy and private data. Personal data. The EPP as a legislator, well, it should be able to respond, but I would like to hear what you have to say about national security and what margin of manoeuvre can be established when we talk about proportionality and so on. So I hope I express myself clearly, says the speaker. But I’d like to understand from you how we can get over this issue of national security in order to actually come to grips with any infringement and the absence of legality in the use of this kind of software. In national states practised by certain governments. It’s quite clear that all the member states have. Their software and Pegasus are equivalent. And as members of the Parliament, many of us have learnt through joint journalists that there are leaks and there is illegal surveillance. As the European protection of data IDPs. 
Have you any kind of lever or information, rather, on about the use of this software in certain member states and what kind of operations are being carried out with this? Not all member states have surveillance committees. Well, I’ll stop there. Thank you very much.

Sándor Rónai (Chair): Thank you very much. Now, I would like to give the floor back to our experts. So first, I would like to give the floor to Mr. Wojciech Wiewiórowski.

Wojciech Wiewiórowski (EDPS): Okay. First of all, I would like to say that I fully agree with the rapporteur, Ms. in ’t Veld, about the problem of the national security being an exception. I fully understand the roots of that, but it is high time to say whether exactly the borders of that. Even if, for the reasons of the general data protection regulation, they are somehow set in the text of the law. But we know that this problem is much larger than the data protection law. So that is still the gap, I may say, in the notions which are used for the reasons of the European law. The meeting in Prague, in Czech Republic that we heard about is the meeting of the Training Youth of Ice World Training and its Europe branch is organising that at the moment in Prague. And indeed, and this is the main sponsor of this event and about it’s hard for me to say about the countries which were the problem of the Pegasus software exist because EDPS is not providing the researchers like that being responsible for the supervision of the EU bodies, agencies and institutions. However, we have been informed as EDPS about the cases in Hungary, in Poland and in Spain, though these are the information from the complainants. Therefore, the complainants who wished in the different forms started to do action. Also, the European Data Protection Supervisor.

Sándor Rónai (Chair): Thank you very much, Mr. Sessa, the floor is yours now.

Duro Sessa (EAJ): Thank you. I’m not sure that I can give much help to in to answer the question which was posed to me because I don’t have overview of the of the practises in Europe, how it is, how it works in many countries, what is for sure. And that is that this is mainly covered by the, by the criminal procedural laws where the standards of, of reliable evidence is there and who has to, to, to prove you before before the court, his or her case. So it is that is the bottom line which has to be followed. What what is also for sure, and at least it is in my country that always these targets have the name. It is not general one. It is always and it has to be explained why this is necessary to to fulfil the requirements which are which I already stated and which come from the case law, the European Court of Human Rights. And probably it is the same in, in any European country at least, which what we could advocate is to have some general rule from directive or order from the European Parliament, at least for the cross-border cases, which are most of them in that kind of, of, of cases against persons who are, who could be the subject to this kind of surveillance. I’m sorry. I can’t give more, more detailed answer to this, because it is not actually my my field of expertise.

Sándor Rónai (Chair): Thank you very much for your answers. And now, I would like to give the floor to Mrs. Cohn.

Cindy Cohn (EFF): Hi. Thank you for those questions. I’ll try to go through them in the order. First of I, I think represented Alvarez asked about other countries and where where there might be best practises. And I would say that I’m not aware of a country that I would hold up as having best practises. I think Europe has because of the necessary and proportionate idea, which is really deeply embedded in European law. Europe is well positioned to actually take a strong stance on this, but I don’t know that I could point to a country that’s doing a very good job right now. I think part of the importance of these hearings is that there isn’t a good model yet. And I think this this body could do a lot of help to a lot of countries around the world by setting out a better model than what we’ve seen so far. And I think that it’s impossible to go too far in this area without really addressing the secrecy problems, because certainly the secrecy, you know, why are we finding out? Because of what’s going on, because journalists are getting access to things and telling us revealing things. It’s because our internal systems are being thwarted. And the normal role that both governmental and organisations like yourself play in helping with oversight of these things is blocked by secrecy right now. That’s a tremendous problem in the United States. I think it’s also a problem in Europe. So I think that that that setting standards for what’s appropriate to remain secret from the public and also secret from the oversight bodies and the way that that works is just going to be something that we’re going to have to address before we can get to the place where we can feel confident that the necessary and proportionate standard is being met. Because I think that’s where a lot of the mischief hides in terms of the conference, I believe the other speaker pointed out, well, it’s an ISIS conference. 
This is a conference that helps train people who do national security surveillance and other national security steps. And the conference is being sponsored by NSO Group. Right now in the Czech Republic. It’s often a place where companies go to also have a version of a tech conference where they try to sell their wares to government. So I think the important point for this agency is that it is just business as usual over on the national security side, as if Pegasus and the problems it created and the people it has helped kill are just not relevant to the conversation. And I think we need to pierce that veil, that idea that what goes on in the national security side just has no accountability on the civil side is the fundamental question that we’re addressing now and the fact that NSO Group is sponsoring the standard conference for national security folks learning their trade should indicate to us that something is deeply, deeply wrong in the way that that side of the conversation is going forward, as if murders don’t matter, as if human rights abuses don’t matter, as if that’s just not in, you know, that’s just not their side of the problem. They need to be accountable. And, you know, human rights aren’t human rights with a national security exception. That means they just don’t apply like you just turn it off when you’re when national security is invoked. That’s not how it works. That’s not how it’s supposed to work. But I have to tell you, that’s the way it’s working right now in Europe and in the United States as well. So our names in the context in the United States, I don’t think that’s your irrelevant question. The question about whether names are given and other information is given at the time that the surveillance is approved in the context of mass surveillance, the answer is no. Individual names are not given at the time of judicial review. Certainly under the United States rules, under the under the way that mass surveillance work. 
But targeted surveillance should still require identification of targets in the United States. It’s hard to know how often that’s happening because of the secrecy in which this stuff is shrouded. But we certainly know in other contexts courts have been surprised to learn that the thing that they approved and then what actually happened were very far divorced. But I think we discover those things by happenstance right now because there isn’t oversight, there isn’t following up at the level that there ought to be. But again, without some real effort to break the secrecy, it’s it’s hard to know, right? We’re just generalising from the pieces that leak out, just like we’re forced to generalise around how Pegasus is used around the country because of the work of journalists and things leaking out, rather than because we have regular, accountable oversight that we can trust. So I also want to point out something that I think was was mentioned briefly. Which is that there is a presumption in the national security world that the national security tools are kept very carefully and they’re only used when needed and that they never leak out. And I think that, again, reality has a way of interfering here. You know, the NSA’s had a huge leak of its surveillance tools. It had a you know, so we can’t assume that just because this is happening under by the national security and the intelligence agencies that, A, they will always use it properly, because I think the evidence shows that’s not true or B, that it will never leak out and be used by buy by criminals to spy on people, not just, you know, governments that don’t abide by the rule of law and human rights abuses. But private entities as well misuse these tools all the time. 
So one of the reasons why we support a moratorium and also a lot more oversight here is because I think the presumption that you can trust the National Security Agency authorities around the world to keep these tools to themselves and only use them for good just isn’t borne out by the evidence. And that’s only the evidence we see. I think there’s a lot more going on that we have not found out about yet. So the role of this committee and the European Parliament is tremendously important to try to bring balance back and stand up for human rights. Human rights should not be something that gets turned off when national security is invoked. And I agree with Member in ’t Veld that the lack of definition of what national security even means is a tremendous problem here. But even in the context in which we have agreed upon definitions, there’s more work to be done. Thanks.

Sándor Rónai (Chair): Thank you very much for your answers. Actually, for the second round, there is only one question left behind by our vice president Diana Riba i Giner.

Diana Riba i Giner (Greens): I would like to ask a couple of questions. A couple have already been answered, so I’ll change them. But Mr. Sessa Duro. I would like to ask you about criteria, because you talked about the norms and regulations, not the laws the judges need in order to grant these kinds of warrants or authorisations. So what kinds of rules do you have in mind to the existence of all countries now? Our country has got about a year to do this work. And. I would hope that we would be able to stay in contact. We’d like to know what kinds of rules and procedures that countries may have in place, even partial ones, for the granting of such authorisations. Now, secondly, we know other countries have bought Pegasus. I have said 2000 to have used the system. To carry out. Espionage in the case of Spain, for example. More than 60 people have been spied on in Catalonia, and we have been told by the government that there was judicial authorisation for that spying. But everything is shrouded in secrecy and so we haven’t had any such information made public. So my question to you is how we can be transparent? How can we look to locate these authorisations? I mean, you may know of such situations in which member states have granted such authorisation to the secret services, and we’d like to know that so that we can do our work as a committee. Got a question to Mr. Andy. I would like to know. About Apple or other companies who have denounced NSO for some of its spyware? Or what about access to victims to denounce these cases, I would like to know from you whether you have any indication of companies or individuals have been spied on. And whether there’s any scientific proof that they have actually been spied upon so that they can lodge a complaint with a court. So we like to. Know whether victims have evidence that they’re being spied on by their own governments and whether any such spying activity was authorised by a court and whether they are able to access justice. 
I don’t know whether you have any instances of practise in the U.S. which might be helpful to us. Thank you.

Sándor Rónai (Chair): Thank you very much. Now I would like to give the floor back to our guests. So, first of all, I would like to give the floor to Mr. Wojciech Wiewiórowski.

Wojciech Wiewiórowski (EDPS): Thank you very much. I don’t think any of the questions was directly sent to the European Data Protection Supervisor. Let me only add to that. According to my knowledge, apart from the situation where the government admits that despite the concrete persons, there is no possibility to get to know, both in technical way, who actually did the spying. So in this sense, I don’t believe that such information is deductible from the evidences, at least the ones that I know about. Of course, I mean the both Pegasus this time in the. There was a question before which I would like to address very short shortly. That was about the two examples to be taken into consideration about the good solutions. I wouldn’t say that this is a good solution to the very end, but we have to assess the systems that exist at the moment in Europe in similar techniques us that the under rapporteur Mr. can attach indeed with the UK system having a very strong concerns at the beginning and to changing his mind after the amendments done in the UK situation. I probably would not go that far with the acceptance of the UK solutions, but the methodology to assess was simply the things to be taken into consideration.

Sándor Rónai (Chair): Thank you very much, Mr. Sessa, the floor is yours.

Duro Sessa (EAJ): Oh. Okay. Thank you. Thank you again. I think the answer to the question which has been posed is answered from the judge’s point of view in the European Court of Human Rights case, Hugh versus France, which I mentioned, where the court said that any privacy limiting powers need a legal basis. So it has to be in accordance with the law where the law is understood as not only as a statute, but also of the laws of the lower right. By using the term law, the European Court also says that the law has to be understandable, that it should be accessible to the person concerned who must in forever be able to foresee its consequences for him and or her, and that the measures taken have to be compatible with the rule of law. So as the European Court says, the laws have to have the reasonable clarity in the scope and the manner of exercise of the relevant discretion conferred on the public authorities. So it is always case to case basis. And once when this surveillance stops, I think there are also rules of access to information and a European regulation on that issue, which also allowed the persons to have access to the data which has been collected. So for judges, when they will have that kind of case, they will have to rely on the European Court of Human Rights, which explains and understands the convention.

Sándor Rónai (Chair): Thank you very much for your answer. Now I would like to give the floor to Mrs. Cohn.

Cindy Cohn (EFF): Thank you. Thank you for your questions. I think the main question for me is, you know what? What did the companies like Apple and the other companies do? Did they identify victims? And as we understand it, to the extent that they had identifying information, Apple did identify the victims of Pegasus and let them know that they had been compromised. Several of them have mounted litigation in various places around the world. I think that some of the good work that we could do here is to look at some of the obstacles that the victims face in seeking redress and see if there’s work that we can do to to get those out of the way. One of those is that it is often difficult to have scientific proof of exactly what happened and what was exercised by it. The way many of these malware systems work, they can erase themselves from the systems. In fact, a lot of the good work that Citizen Lab and others have done is to find the, you know, little trails that sometimes are left behind by these systems to try to point out when when they have been compromised. But knowing exactly what was compromised and how it’s worked is is not all that easy. A bus system is when the systems are well-designed. And that has proven to be a big barrier for some of the victims because they can’t say exactly how they were hurt. They know they were spied on. But actual, you know, the kind of direct causation can be very difficult for predators. So I think that that that is a problem. And it’s something that the law could take some steps to try to make a little easier. Proving that you were infected is hard enough. Proving exactly how you were infected and how that surveillance was used to then later harm you is proving to be an obstacle that I think the Parliament and the rules around the world could help give some guidance to governments and to to courts about how to think about these kinds of problems, because it’s not like these people aren’t harmed. It’s that they’re harmed. 
And then the evidence of how exactly they were harmed has been covered up by the malware or the system. The other thing that and I mentioned this in my original presentation that I think it’s important to highlight here is that Apple and WhatsApp have gone further than just announcing. They have actually sued NSO Group for misleading the users who rely on you know, you rely on the fact that a message is coming in from iMessage if you have an Apple phone to think that it is encrypted because that’s what Apple does and that it is a legitimate message and not a piece of malware. And we really, you know, again, EFF is never shy to be critical of the tech giants and the role that they play in other places, in this instance, they’ve done the right thing. And I think it’s important to stand with them in those cases and to point out that, you know, in these instances, while the cause of action is protecting their trademark and their good name, the people who are ultimately protected by that are the users. And I think it’s a bit of a travesty that the trademark arguments are stronger than the “you spied on me” arguments in the US courts. But I will take any lever I can take to try to protect people against malware. And this is an area where, again, while we are highly critical of these companies in other areas, we think that they are doing the right thing and it’s worthy of being supported. The other legal hurdles are jurisdictional. I think that Member in ’t Veld’s point about, well, what about if it gets approved in one country and then it is done in another country, and how that kind of arbitrage and evading of judicial review is happening in this area is another area that’s worthy of European-wide conversation, because we are seeing this kind of arbitrage, we’re seeing these kind of jurisdictional games being played when victims are trying to protect themselves.
EFF has a case against DarkMatter right now, which is another company that has engaged in spyware that’s resulted in gross human rights abuses in this instance of a Saudi Arabian human rights activist and DarkMatter is claiming that, you know, even though they hid as an Apple iMessage in order to install spyware, U.S. jurisdiction is not appropriate. But in many of these situations, the government that is doing the spying is the government. And where they did the spying is under that government’s jurisdiction. So we need you know, that’s a place where people cannot get relief. So we need something closer to maybe not universal jurisdiction, but broader jurisdiction for victims. To be able to seek redress because often the government that either, you know, where the software was created, in this instance, I believe it’s Abu Dhabi or the government that actually used the tool in this case was Saudi Arabia are not going to be places where somebody can get redress. And so we need to think about how do we open the doors to redress in places other than the repressive regimes where these things happen or the regimes that are turning a blind eye to what their companies are doing?

Sándor Rónai (Chair): Thank you very much. As we come to the end of this question and answer session, I want to thank all the participants for their very impressive contribution to our work today. So thank you very much once more. And now we can continue our work with the third point of the agenda. It’s the chair’s announcement. So I would like to share the information that’s at the coordinators meeting. On the 10th of May. The Coordinators decided to add us to the Commission’s programme, added five hearings to the hearings programme and approved three studies. That’s the only one announcement I have to share with you. And now it’s the first point of the agenda and the other business I cannot see and the other is this. So the last point on the agenda is the next meetings. Dear colleagues, I suspend our meeting until tomorrow morning. We will start again tomorrow morning at 9:00. I wish you all a very pleasant evening and sorry once more for any inconveniences. Have a great evening.
