Am 30. August hielt der PEGA-Ausschuss eine Anhörung zum Einsatz von Staatstrojanern gegen Bürger:innen ab. Die Anhörung konzentrierte sich auf die angebliche Untätigkeit der Mitgliedstaaten in Bezug auf die Beteiligung von Einrichtungen in der EU an der Entwicklung, Verbreitung oder Finanzierung von Pegasus und anderen staatlichen Hacking-Tools.
Von den Anhörungen gibt es ein Video, aber kein offizielles Transkript. Daher veröffentlichen wir ein inoffizielles Transkript.
- Date: 2022-08-30
- Institution: European Parliament
- Committee: PEGA
- Chair: Jeroen Lenaers
Panel 1: Claudio Guarnieri (Head of Amnesty International’s Security Lab in Berlin), Miriam Saage-Maaß (Vice Legal Director of the European Center for Constitutional and Human Rights, ECCHR), Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol)
- Links: Hearing, Highlights, Video
- Note: This transcript is automated and unofficial, it will contain errors.
- Editor: Emilia Ferrarese
Panel 2: Clara Portela (Law School, University of Valencia), Rosamunde Van Brakel (Research Professor Chair in Surveillance Studies, Vrije Universiteit Brussel)
Spyware used against citizens
Jeroen Lenaers (Chair): All right. Good morning. Colleagues, if everyone could please take their seats. Good morning and welcome to all full and substitute members of our enquiry committee. I hope you all had a good summer. Although I have to say that with all the developments regarding Pegasus and similar spyware for the members of the Baker committee, surely there was a lot to digest in terms of work also during the summer recess. But I do think it once again shows the importance of our work and the fact that we really need to continue and dig in deep here. Today we’ll have two hearings of our committee, the first one this morning on spyware used against citizens and this afternoon on spyware, victims and remedies. We have interpreters present for the following languages German, English, French, Italian, Dutch, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian. I should also mention that we have been informed on Friday that the interpreters strike would restart this week until the 12th of September. We have tried to make all our guests for the hearings today come to Brussels to be with us in our presence. But of course, since we only were notified Friday, there are still some speakers that will be connected remotely. Of course, I don’t know if all interpreters here today are on strike, but if there are problems with the interpretation of remote speakers, then at least you know the reason. But there is not much we can do about that now. So, I propose that we continue the hearing and try to do it to the best of our ability. And I move to the first point on the agenda, which is the adoption of the agenda for this morning’s meeting. If there are no comments or requests, and I consider it adopted that we move immediately to our hearing. Now, for this particular hearing, the groups want a different experts on the alleged failure of Member States to act in respect of the involvement of in the EU, in the development, dissemination or financing of Pegasus and equivalent surveillance spyware, including the supply chain in terms of technology and its exploitation insofar as its breach of union law, including Regulation 2020 1821, will have two panels for this evening. For this hearing, we will start with Mr. Claudio Guarnieri, who is the head of Amnesty International Security Lab in Berlin. We will have Dr. Miriam Saage-Maaß, who is the vice legal director of the European Centre for Constitutional and Human Rights. And we’ll have Mr. Jean-Philippe Lecouffe, who is the Deputy Executive Director of the Operations Directorate at Europol. And then the second panel will consist of Dr. Clara Portela, who is from the University of Valencia, and Ms. Rosamund van Brakel, who is a Ph.D. researcher at Tilt View. So without further delay, I will start with the first panel. I will give the floor to Mr. Guarnieri, the head of Amnesty International Security Lab. You have the floor for 10 minutes, please. Yes.
Claudio Guarnier (Head of Amnesty International’s Security Lab, Berlin): Thank you. And firstly, I like to thank the committee for the kind invitation. My name is Claudio Guarnieri. I’m Italian and European. And as mentioned, I’m work as the head of security lab at Amnesty International, been researching the cyber surveillance industry for over ten years. And I specialize in technical investigation and cyber attacks and providing, excuse me, digital security support to human rights defenders. Next slide, please. So, one could argue that the many spyware revelations over the last year and also the year prior, more than anything, could represent a truly European scandal. The revealed targeting of human rights defenders and journalists and political oppositions and even government officials is without any doubt unprecedented. Some called it a crisis of democracy. I see it right here as a reckoning with the reality of an abusive mercenary spyware industry, which has been allowed to flourish unchecked for quite a long time. And I might say there were plenty of warnings on the way. Next slide, please. As a matter of fact, and despite companies like NSO making the headlines now believe it was European companies which for long ago created the blueprints of what we have now as an out of control industry that we are addressing today. Companies like the German FinFisher and the Italian hacking team pioneered not just the mercenary spyware business, but the abuses it became known for over ten years ago. First reports emerging started emerging on the roles of these companies, in the monitoring of journalists and crushing of dissent. With the advent of protest movements known as the Arab Spring, contracts of these companies started emerging from offices of secret police and democracy activists. Protest organisers and media organisations started receiving booby trapped emails, carrying exploits and spyware manufactured in Europe. So for over a decade since mercenary spyware companies profited over countless abuses and made a mockery of the law. Next slide, please. So, these European companies provided us with early example of this industry deflect attention, muddies the work of the investigators, and bend the rules to their advantage, all in the name of profit. For example, in 2014, after research conducted by colleagues from Citizen Lab and I revealed the presence of accounting spyware in Sudan, a United Nations panel initiated an investigation and requested answers from the Italian company in relation to potential sanctions being infringed. Hacking teams repeatedly evaded the investigations, rejected the legitimacy of their enquiry, and then eventually rushed months later to unofficially suspend the country in order to be able to later claim that that no commercial relationship with the country. Next slide, please. Later, as a result of as reports of measles started piling up quite rapidly, the Italian government imposed a catch all regime on a King team, meaning that they requested validation of every steal of the progress of their products due to human rights concerns. The company immediately went on the offensive and Leger to close leverage, to close relationships enjoyed with senior officials in government, intelligence and law enforcement, and eventually succeeded in reversing the measure and pressuring the Ministry of Economic Development to grant them a global licence for export. And this was at the height of the introduction of European Export Control Regulation resulting from the changes to domestic arrangement, more or less around the same time. So Hacking team, for example, managed to position themselves as virtually an extension of the government and as a national security asset in order to discourage regulation and enforcement, which was extremely concerning. Next slide, please. And this all of these while as reported by Privacy International. Back then I can team appear to be at least partially owned by Fin Lombardia, which is a financial service agency owned by the region of Lombardy in Italy. So using public funding. Next slide, please. Cyber surveillance companies know how to leverage their power, play around the rules, or even avoid them altogether. Following the case of the German spyware manufacturer FinFisher, it became apparent, it became apparent that existing existing regulations were insufficient. When confronted with the alleged export of the company’s spyware to Turkey in 2017, the German public official shared that the national licencing authority not only did not receive and request from any licence request from FinFisher but did not receive any request at all for any export of spyware. Since the entry into force of the law in January 2015, which is pretty wild. Next slide, please. If you haven’t had the opportunity to do so, I strongly recommend to watch this short documentary called Spy Merchants by Al Jazeera. From 2017, I believe. Through hidden microphones and cameras. And they discovered how some European companies managed to work around export control regulations and sell to sanctioned countries through dodgy sister companies and mislabelled packages and so on. Next slide, please. These are not just cases from the past. The European cyber surveillance industry still goes strong. This is the sponsor list from the European edition of SS World, which just happened in June in Prague. If you’re not familiar with the ISIS World is a series of trade shows that critics mockingly called the wiretap, first of all, where surveillance vendors of all kinds showcase their products and engage with prospective customers from all around the world. Next like this. Out of all of those, these are European companies. Granted, not all of these are spyware manufacturers. This surveillance industry is quite diversified, but nevertheless indicates that Europe is fertile ground. Mind you also that some of the companies that I blanked out, I did because they were so big I couldn’t even determine which countries they were from. Next slide, please. These are some of the European mercenary spyware companies the press reported about in the last few years. Undoubtedly, there are more than this that we just do not yet know about. How many more is hard to tell, especially in countries like Italy, where there seems to be a particularly florid market. You might recognise Momenta Labs, which is the continuation of hacking team and intellect sign, which on site trucks. The producer of the predator spyware found in Greece. The Austrian the s r f was just last month. Last month, the subject of a report by Microsoft detailing exploits and spyware they found use against law firms and banks. Only yesterday, journalists from Lighthouse reports published fresh articles on some large surveillance operations of a subsidiary of the Italian, R.C.S. It’s also worth noting that there exists in Europe and elsewhere, of course, an underbelly of boutique companies specialised in researching and developing or brokering exploits for known software vulnerabilities. This shops provide exploits for consumer platforms like Windows, iOS and Android and hard of vulnerabilities in software like from Safari and messaging apps, which we all use. Spyware vendors lend leverage these exploits for the delivery of their implants. So these companies are a critical part of the mercenary spyware industry. But despite that, we know even less about them. Next slide, please. Another element to consider is the European presence of other companies. For example, in the case of NSO Group, it appears to leverage a very complex network of companies based from Luxembourg to Bulgaria and Cyprus. Next slide, please. They’re not the only ones. Journalist last year also reported that competing mercenary spyware company Pipedream also leverage a company in Cyprus to export their product. Next slide. Please. These are the results I received from about a dozen for your request. I filed in Italy in 2019 requesting details about origins and destinations granted licenses of expert four for intrusion software and related items that were controlled under the customer arrangement. So how do we make sure that such and useful information is being delivered to the citizens and to the public? Under the new recast dual use regulations, transparency must improve for such critical information and should not be withheld under the pretext of business secrets or national security. So transparency reports and Member States should disclose more information about the license experts they grant, which should include the number of applications for each item that is being controlled and the name of the exporter, the destination, the description of the end user, the intended use, which agents have been involved in that export and whether that license has been granted or not. Information we had in the past over a long period of time until kind of new regulations come into place, contributed to the pack opaque nature of the industry we’re dealing with today. Next slide, please. So currently we’re faced with numerous issues that need to be addressed reining in an industry that was born out of outdated and inadequate regulatory frameworks, not just in the field but also in the use of spyware, is going to be challenging. It’s going to be trying to put putting back an evil genie back in the bottle, which is difficult. We’re faced with a lack of transparency over exports, lack of accountability for the companies, a lack of remedy for those who have been victimised by their use of mercenary spyware. In this regard, I’m happy to see the committee hearing directly from targeted individuals this afternoon. European Union needs to sharpen its laws, hold companies to account, as well as member states which contribute to human rights risks by letting the unchecked surveillance industry continue to operate from its territories. With that, I thank you for your time and your attention.
Jeroen Lenaers (Chair): We thank you, Mr. Guarnieri. It was very interesting, and I’m sure there will be many questions also from our members. We will first hear from our two other panellists and then we’ll open the floor for questions and answers. But thank you. Thank you very much for that. We move immediately to Dr. Miriam Saage-Maaß was the vice legal director of the European Centre for Constitutional and Human Rights, and she is connected remotely. So, I pass you also the floor for 10 minutes.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Thank you very much. Also, thank you very much for inviting me to speak to you.
[interpretation in another language than English for a few sentences]
We are a human rights organisation that uses in particular the legal tools to hold European companies to account for their involvement in human rights violations. We have been looking into the sector of surveillance technology companies since 2012, as we believe this is one of the high risk sectors in which companies can seriously violate human rights. In our previous work on trying to halt surveillance technology companies to account companies like True because we’ve seen that before or since usher in a lot of times we’ve been very unsuccessful. So we filed complaints in the UK and Germany very unsuccessfully with no resolution. We have been filing several criminal complaints in 2014 and following against different companies located in Germany, alleging the criminal violation of data protection laws and espionage, or also when it comes to software, spy software that was exported to allegedly support exported to Syria to the Syrian regime. We also alleged aiding and abetting torture. Neither of these allegations are criminal complaints have been leading anywhere. There’s one successful criminal investigation so far undertaken by German law, comparatively successful investigations so far undertaken by German law enforcement, which is the case against FinFisher, which has also already been mentioned. So in the FinFisher case, together with other groups, we have been finding a criminal complaint again with the prosecutor’s office in Munich, because that’s where FinFisher has its headquarters, alleging a violation of the dual use regulation that went into force into 2015 from publicly, publicly available data. We know that since this regulation has come into force, the German government has granted no not one single licence to a surveillance technology company for exporting that technology. And at the same time, there has been clear forensic evidence that the spy software was found in Turkey, Egypt and Myanmar, targeting journalists and human rights defenders without any existing export control license. FinFisher defended itself by arguing that the software was not actually exported from the EU but from an outside of the EU location. And so apparently the question, the legal question here in that case was does that mean, you know what, how do you define the place of production of a case and how do you define the place of export? And obviously, is it possible to simply say we’re sending off the software from a different location outside of the EU and thereby trying to evade the EU regulation from everything that we know is the process. The law enforcement agencies in Germany did not find that a sufficient excuse. So in end 2020, the prosecutor’s office decided to raid the offices of the company as well as private homes of leading managers. They confiscated the men at the company’s assets and in the aftermath the company needed to file insolvency. So this is one example of where a stringent and decisive law enforcement can actually go against individual companies and their managers for violations of the EU regulation. At the same time, our experience clearly shows that there needs to be a comprehensive and improved regulation, as well as there needs to be a clear guidance to all member states law enforcement agencies that, you know, investigating into the responsibility of these spyware companies needs to be a priority and it needs sufficient and knowledge and resources also on the side of law enforcement. When it comes to the regulatory framework, we would say that what is needed right now is a moratorium on the sale, transfer, use and import of any surveillance technology that is so highly intrusive as Picasso’s, but also Aston Martin, Spy and others in order to, you know, fight to create a robust human rights based regime for for the sale and import of these of these softwares. What we need is and I think that has already been mentioned, we need clearly more transparency on software being exported and imported. There needs to be a comprehensive and publicly available information on a yearly basis. What we also need is we need an enhanced and very clear human rights based assessment of how and when to grant a license. I think we’ve seen this and also an arms exports control laws that there are numerous flaws because they are not human rights based. So the human rights assessment needs to be a human rights impact assessment after the sale of an export or an import needs to be clearly built into the process of granting licenses. And then we also it definitely needs to have a catch all mechanism, which means that the surveillance technology, that all kinds of surveillance technology must be covered by the EU regulations. And we need a clear and also a clear regulation that companies, surveillance technology companies need to adhere to the international renown, human rights, due diligence standards. And then again, as I said, we need to and I think you will have the second tunnel and that there needs to be a serious emphasis on access to remedy for those that have suffered from some of this intrusion of software, especially when it comes to intrusion. Software is clearly one of the at the moment, but one of the prime ways in which civil society actors, human rights defenders, journalists, democracy activists are threatened, are targeted and seriously impaired on the ability to move to access to freedom of expression and to realize their human rights. This is something severe. At the risk of being surveilled is something that we encounter on a daily basis whenever we talk. In our case works on many other topics when we talk to activists, lawyers, also in in different countries around the world and human rights activists. And so, therefore, this is a very serious topic. Thank you.
Jeroen Lenaers (Chair): Thank you. Dr. Saage-Maaß very interesting as well. And thank you also for sticking to the time that will allow us many questions and answer. All the members can be participating. We will now move to Mr. Jean-Philippe Lecouffe, Deputy Director of Europe. I would like to ask the members who would like to take part in the Q&A session after Mr. Lecouffe contribution to already indicate by raising your reason you call it so that we can start immediately after his intervention. Thank you. Mr. Lecouffe, you have the floor.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you, Mr. Chair. Dear members of the European Parliament. I would like to thank you for inviting Europol in front of this important committee. In the following minute, I will. I would like to give you a brief overview of Europol’s work and how it relates to the subject of your enquiry. But first, with the reference to the title of this three. Let me come straight to the key points. We are not in Europol intercepting communications. We are not going undercover. We are not doing any surveillance. We are not even arresting criminals because Europol have no executive power. Because Europol is the EU Agency for Law Enforcement Cooperation and Agency, acting according to its mandate given by the legislator in the strict framework of the law and under the supervision and close control of this supervisory authorities. What we do at Europol is to help law enforcement authorities to protect citizens, EU citizens, from the threat of cross-border, serious and organised crime and terrorism. In line with the rules set out by Article 88 of the Treaty of the Functioning of the EU and our Europol Regulation. We are supporting the Member States by facilitating information exchange between the law enforcement authorities via our secure channel of communication. You know, we are cross-checking information and providing data analysis support for our law enforcement partners with the aim to reveal the links between the investigation across the borders, the links between suspects of crime and terrorism, and to provide new leads for investigation. We are assisting in the coordination of large cross-border criminal investigation. We are providing expertise on criminal matters and threat assessment for policymakers. We are providing technical and forensic support, if requested, like we do, for example, like we did, for example, in the case of the murder of Daphne Caruana Galizia. We are also supporting our partners financially. We finance operation coordination meetings and investigation. Let me underline that we only support national authorities upon request or after their agreement. The national competent authorities are always in the lead of investigations. These investigations are conducted under national laws and under judicial oversight. Any piece of evidence put forward with the support of Europol will ultimately be discussed and challenge in front of the court. As I mentioned, Europol’s activities are controlled and supervised. Our work is overseen by several actors and institutions, of course, by you, the European Parliament. And we are often in the Liberty Committee to explain what we are doing. Also by the Joint Parliamentary Scrutiny Group, by the European Data Protection Supervisor, supervising all our activities in relation to personal data and link is doing this in close cooperation with national data protection authorities. Europol, as well as also its own internal but independent data protection function that control and and visas on data protection matters regarding data protection. We can see that we have the most strict regime of all EU agencies, which is normal because we are only a lot of personal data. And soon we will also have a fundamental right officer active within our organisation in line with our new mandate. Our management board is also controlling us, is composed of representatives for national from national law enforcement authorities or from national ministries of justice or home affairs. All these rules and act also ensure that we are working compliant with our mandate, with fundamental rights, and with the rules of data protection. On organised crime and terrorism. What do we see today from our unique position in the EU? It is sad to say, but in many of our cities organised crime has never been as powerful and sometimes as visible as it is today. Local turf, world against criminal amongst criminals. Trafficking drugs are taking place in our territories. Firearms are trafficking on internet and illegal business structures, launder criminal money and undermine our economy and society. Too many of our EU fellow citizens and visitors are victims of crime in our streets online, and often it is the most vulnerable ones. Are we most successful in fighting organised crime and terrorism? Yes, I think we are in the EU. Several terrorist attacks were prevented in the past years. A few weeks ago we presented to the Nobel Committee our terrorism report in which we presented arrests and prevented attacks. In the past year, thanks to an improved cross-border cooperation, thousands of criminals were arrested in hundreds of cross-border investigation that can prevent some of our citizens to became a victim. But are we still running behind? Yes, despite successes and new approaches. Crime continues and some even see that organised crime and the threat of organised crime is increasing. Criminals and terrorists are smart. They often have extended financial proceeds of their career or their crimes to invest in more criminal activities. They use state of the art tools to hide themselves and to hide their communication from law enforcement, and they use oddly trustable techniques to launder the proceeds of their crimes. Too often we run behind and innocent citizens become victims of organised crime or even are multiple times victimised. Therefore, it is important that law enforcement can also use the accurate and updated tools and methods to prevent and fight crime and terrorism. Of course, these tools have to be used in full compliance with fundamental rights, European and national laws and data protection rules. Because a tool. Being a software or weapon is no more than a tool. What is important is by whom it is used according to what rules and order, under what supervision and control. And more important, what is important is how to prevent the abuse of these tools. Finally, I would like to give you some words on Detangling. I think it’s important that the protection and fundamental rights already starts. For the moment, we receive an information or data and it remains throughout the full chain of support that your report is providing. For example, we do not just accept any piece of information without closely assessing it. If data provided to Europol fails through those check, it is not. It will not be accepted in our databases. It is rejected and the contributing partners form this kind of safeguards intend to minimise the risk that the data of our citizen incorrectly become part of a criminal investigation. Now to sum up, I would like to underline that we are supporting the EU Member States and partner country in the fight against the most dangerous criminals and terrorist network, fully in line with fundamental rights laws and our strict and robust data protection regime and our regulation. Europol has no mandate in the area of interception of civilians. Europol has no executive power. Europol rose is to support national law enforcement authorities with their cross-border criminal investigation against serious and organised crime and terrorism. And it is in line and fully compliant with fundamental rights and data protection rules that the protection and fundamental rights in Europe are not only a cornerstone of our work, but it is a key for the success and for of the acceptance by the citizens. Chair and distinguished members of the European Union. Thank you for inviting Europol today. I’m open and ready to answer the question you may have, thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Lecouffe. We will start now. The Q&A will start as usual with a round of rapporteur and coordinator.
Sophie in ’t Veld (Renew): Uh. Yes, thank you. Thank you, Chair. And thanks to all the speakers. I’ll start with Mr. Lecouffe. You gave a fairly general overview of the tasks and responsibilities of Europol, but I would actually like to hear you say a little bit more about the specific topic, and I would like to understand how Europol sees its own role, because, as you said, your Europol doesn’t act only at the invitation of Member States, but since two months you have new powers which say that the when the Executive Director considers that the criminal investigation should be initiated into a specific crime, which concerns only one member state but affects a common interest covered by union policy, he or she may propose to the competent authorities, etc.. So Europol now has the powers to propose an investigation. Does that mean that the member states will accept? Maybe not. The don’t you have when you have the power to initiate it, don’t you also have an obligation to do so when you are made aware of possible criminal activity that affects, in this case, not just one country? We’re talking we’re talking about possibly all the countries of the of the European Union, but certainly Greece, Hungary, Poland, Spain, Cyprus, Bulgaria, Italy, money flows going through Luxembourg and Ireland, EU institutions being affected. And there are indications, not legal proof, but that is the job of the police to find legal proof of criminal activity and there are more than enough hints. So why doesn’t Europol use the new powers to propose such an investigation? Because frankly, and this is my second question, I’m a little bit worried that with every day, indeed every hour that passes, evidence is being destroyed. It’s being destroyed as we speak. I’m very surprised to see, for example, that the Greek authorities have not raided the offices of intellects, in essence, and confiscate all the material there that no servers have been confiscated. So the point is that you seem to think that you serve the member states, but sometimes occasionally the member state authorities themselves are the problem. They’re part of the criminal activity or shielding the criminal activity. So I would like to hear you reflect on that then to Mr. Guarnieri. And Ms Saage-Maaß must offer a couple of very quick questions. Can you say how would you regulate the trade in exploits and vulnerabilities because you’ve both mentioned it? I think it’s an important aspect. Can you say a little bit more about how you would see the possibility of enhancing the Wassenaar Agreement so to make sure that we regulate beyond the European Union? Can you comment on the documents that were leaked two or three days ago or were published, rather, in the Greek media, the leaked intellects of Russia, and the leaked confrontation in a closed forum on the sale possible sale of intellectual spyware? Can you reflect on the possibility of, let’s say, registering or labelling spyware or having a better legal definition of spyware or surveillance technology for the purpose of export licencing? Because quite frankly, if I see a company like collect intellects advertising the sales of software solutions, you know, I always joke that my vacuum cleaner has software solutions in it too. But spyware is of an entirely different nature. Do we need a better legal definition? Uh.
Jeroen Lenaers (Chair): Could you please come? Okay.
Sophie in ’t Veld (Renew): This is. This is it for this first run. Thank you.
Jeroen Lenaers (Chair): Thank you. So we will take the questions in the order. So I first pass the floor to Mr. Lecouffe.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Yes. Thank you for your question. It’s through the Article six of Europol regulation has been changed slightly in in the last revision of our mandate that our new mandate before we had the opportunity to, to propose to member states to initiate an investigation and there were two Member States involved. And with the new regulation, it’s only if one is involved. First, we have always to check and to relate to our mandate and our mandate. There’s a list of the criminal offences that we are. She pushed to investigate and this list is linked to serious and organised crime and terrorism. And so we have to check first. If the, the offence is in, in the framework of this list and then after we have to assess the situation, especially what is key is if the member states initiate by themselves, by itself an investigation and most of the time it is the case, or if the national authorities give an answer to the question that was asked. For example, I learnt this morning that the Greek parliament opened an investigative committee on the issue in Greece. So there is an investigation starting. So we, we, we and the parliamentary one, so we don’t have to interfere. But each time we assess is it in the framework of our mandate, is it useful that Europol is asking to the, to the Member States and to the rule enforcement authority if they want to, if they want to open an investigation. And at the end of the day, in the framework of this Article six, it’s for the Member States to decide if they want to answer to Europol request or not. So we are assessing the situation in each case.
Jeroen Lenaers (Chair): Thank you. And then for the other concrete questions. First, Mr. Guarnieri and then Dr. Saage-Maaß, too, to add to that.
Claudio Guarnier (Head of Amnesty International’s Security Lab, Berlin): Thank you. All of those questions are very important and very complicated questions as well. On the first one, talking about the trading exploit and how to regulate it. It is a difficult subject. It is one that has been highly contested and highly debated within the private sector as well, because of the fact that exploits can be used and are part of some legitimate security research as well as legitimate security auditing practises. The problem comes when these these industrialisation of and hoarding of security vulnerabilities goes into play of abuse and where the discovery and weaponization of vulnerabilities that are not reported to self their money effectuating within a certain timeframe contribute essentially to an industry of insecurity, really that affects all of us because it is ultimately, you know, hoarding issues in that forums that I mentioned, we all use not just human rights defenders and activists, but everybody that makes any use of consumer technology. So there is definitely exploration that needs to be made at the very first level, understanding what is the nature of this industry and what is the nature of this market on which we know very little because impartially. And companies that operate in that space are extremely secretive, partially because of the fact there is no current legislation, as I understand it, that allow, at least for some means of transparency, to understand what is the size of this market and where are these companies present. There needs to be a European debate about the introduction of some form of vulnerability, disclosure and equity processes where, you know, some rules can be established to make sure that if the utilisation of zero-day is as such, that means if you’re not familiar with exploits for vulnerabilities that are not known to the manufacturer and they’re not therefore being fixed and they’re not patched. So they are currently live. This needs to be regulated if we want to allow for their use, which is something I’m not necessarily convinced of, it’s necessary. We’ve seen many cases of law enforcement making use of spyware systems without necessarily making use of exploits of this kind, at least not of exploits that are affecting all of us and that software manufacturers that have the at least the opportunity to understand and deal with when it comes to the question on the fastener arrangement. Granted, I’m not a legal person. I’m a technical person at heart, but I do think there are means for improvement. As always, as I mentioned in my opening statement, definitely strengthening of the transparency of transparency rules for Member States on the process of granting expert licences and receiving licences, not just on what has been approved. So disclosing in the public report by the Commission more details about it, as well as incentivising Member States to be as equally transparent about the business of the companies within their territories. So as I mentioned, you know, making sure that these public documentation include more details than what we used to have in the past, which has been extremely insufficient. And another aspect which I touched upon is the issue of remedy, which is one that we have been kind of talking about for a long time, which is member states. Companies need to be obligated to provide some kind of some form of mechanism of remedy to to victims and of unlawful surveillance that have not been heard, that have not been given justice. And these need to be baked in, in any regulation for the dissemination of these software by this industry regarding the leak of the intellect. I’m not super familiar with it. I have seen some news passing by in regards to some contractual details of a potential sale of a package containing both exploits and zero-day exploits and spyware of quite a sizeable amount of money, if I recall. I don’t have any particular insights to share other than to demonstrate that this is an ongoing risk. As I recall, from what I have read, that there’d be some distribution and sale of these exploits effect models of devices that are very recent. And therefore, we have to assume, as always, that our consumer devices are as vulnerable as ever. But I don’t I’m not too familiar with that particular case. As for the legal definition, again, I’ll remit more informed judgement to my colleague from NCC. H.R. But I might say that. I’m not so much concerned of strengthening the legal definition, which I think have been all right, although for sure there must be room for improvement. But as you highlighted, often time, the issue is the fact that we don’t even know what the companies are in the business of. You’ve mentioned the one case about intellectual, but there’s many other companies also highlighted in the report from Light Lighthouse yesterday that advertise all sorts of vague, nondescript services and products. Well, at the end of it, really, they’re selling surveillance systems. So the lack of transparency and lack of obligations to really, really be publicly upfront about what is the business of many of these companies is, I think, a big problem in trying to understand what the market is if they’re not transparent in the first place. And also, I think it’s in partially to respond to the previous speaker, but I think it’s also important to understand that when talking about mercenary spyware and capturing the essence of it, I think it’s important to understand that comparing it to just any other tool is a bit, I would say, naive in the sense that I wouldn’t compare a can of soda to a handgun, although there are both tools. Spyware is an extremely invasive piece of technology that allows for many forms of access at once intercepting communication, location, tracking, seising data at rest, turning the devices in, and an environmental bag which are all different kinds of investigative powers that are all combining. One is, from a technological perspective, an unprecedented amount of access that one can obtain with just one single piece of technology. So it needs to be treated as such and with particular care. Thank you.
Jeroen Lenaers (Chair): Thank you. And Dr. Saage-Maaß, particularly on some of the legal questions that were. Yes.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Thank you. Well, first of all, on the definition of cyber surveillance technology, obviously that is a big challenge. Also, we can counter that also in in the case, because a lot of times companies also cooperate. So one may produce one part of the surveillance technology that’s and only in contribution with other parts, it actually becomes an intrusion software. So which again, I think is also not an unusual it’s not an unusual thing that we are facing that in globalised economies, the law is always a little bit behind. And this has difficulty of capturing actually the most recent technol, technological and economic developments. So but what that means is and I think you’ve, you know, as you’ve hinted, that we need them most broad definition of cyber software and we need a broad definition so that more and basically all kinds of technology, even if it’s at such, seems to be unproblematic. It needs to be undergoing the licencing process. And then that’s acting. And as I said before, the licencing process must be guided by a robust human rights risk impact assessment. And I think that is something that also would need to be much clearer now and should be contributed to the massive mark if us in our regulation that the assessment of whether an export of them of of the surveillance technology or the dual use technology is legitimate or not needs to undergo a human rights assessment. And I think that’s yeah, I think that’s what I would want to stress most of all. I think in addition to this, we also need and I think there is a parallel and you know, and also at the EU, you know, the discussions around a robust human rights due diligence framework for companies. And I think that is also something that needs to and this is what’s happening now at the EU is actually only something that has already been established at the international level. Mrs. UN Guiding Principles. And so I think there also needs to be a reference to the human rights, the genuine human rights obligations of companies. So it’s not only states that must be regulated companies, but companies themselves have human rights obligation. And that is something that also surveillance technologies have. And I think that’s something those companies are absolutely not aware of.
Jeroen Lenaers (Chair): Thank you very much. We continue with Mr. Zoido on behalf of the EVP.
Juan Ignacio Zoido Álvarez (European People’s Party): Thank you very much. Thank you to everyone who’s participated in this hearing today. So thank you to the chair and to everyone who took part thus far. I have a question for Mr. Lecouffe. You work in Europol. But you also have also worked in public service for many years. You’ve worked on Defence and Internal Affairs. You have experience within the EU and outside of the EU. I believe that. What you know from the field can really help us. I’d really therefore like to pay tribute to the important. Role that you have played. Over the years. And Kenosha. This is an encrypted network which is used by many criminals. In Spain and in the Netherlands. This tool falling into criminals hands is one of my major concerns, and I’m worried. That our security forces might not have access to the necessary cyber surveillance tools. So should our intelligence agencies deal with current security threats without the use of spyware tools and surveillance tools? What do you think? Of course, all of this has to be in line with human values and unnecessary controls. And could you give us any examples regarding confidentiality of this information? Has the use of this software ever been decisive in protecting European citizens? And I have a second question for Mr. Guarnieri. We saw that there were some scandals with your organisation this summer. So it’s difficult for me to see your organisation as neutral, but I will try my best. I want to remind you that Amnesty International’s own director said that you had become a tool of Russian propaganda. It would be regrettable if there were a secret political agenda behind what you’re saying. But I believe and hope this isn’t the case. In any case, you are heading up a major office. So which country or which group of countries is ideally using this spyware? Who is using it correctly? And do you think that EU countries. Are the ones who can guarantee the best use of this software, or is it the opposite? Do we have less respect for privacy in EU than other parts of the world? And then I heard some details in your presentation. But I want to know. Why do you think there are more and more European companies? Involved. Why do we have companies such as NSO? Who are the clients of NSO? And do most of these companies come from the same country or from different countries who are using NSO?
Jeroen Lenaers (Chair): Mr. Zoido We will also take these questions in the right order. And I think on the point of amnesty, I think you’ve made the point. Mr. Guarnieri is here because of his technical expertise, as he will also answer questions in that regard mainly. Mr. Lecouffe first.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you. I would like to speak in French. Thank you very much for your question. Well. As Deputy Director of Europol, it’s very hard for me to comment on the operational experiences of the gendarme in France. I, I’m not speaking on behalf of France. I’m speaking on behalf of Europol at this point. So it places me in a difficult situation really, to be able to take a position vis a vis investigations have been carried out by French authorities. What I can perhaps say is that such investigations were organised under the authority of the managed magistrates which were supervised. These investigations on certain topics that you’ve mentioned and they have caused some large scale debate and discussion in the media and in the courts. So I think that’s just part of our system of rule of law. And I’ve tried to say in my opening speech. And I will agree with my neighbour when he says that these are not just tools, these are highly invasive instruments and it’s in everyone’s interest to keep a close tab on their use. I think. When it comes to. Legitimate use. You have to have a clear legal framework. You have to have the legal supervision by the judiciary because it’s the judiciary that’s going to be able to determine how far one may go and one’s use of certain tools when carrying out investigations and always taking into account principles of proportionality, which are key pillars of our legal system. So. That’s precisely what the forces of order and the police force, in fact, in Europe have been doing. Now, as I say, it’s very difficult for me to comment on investigations that are not closed at this point and where the rulings have not yet been pronounced. So. What I will say is that criminal groups do have almost unlimited financial firepower and can use high tech solutions. They are using state of the art technology in very effective ways. And in some of the investigations we’ve been able to carry out, we’ve been able to see these groups themselves establishing encrypted networks that will allow exchanges to happen exclusively between criminals, criminal actors. You see certain phones being sold only within criminal networks in order. So. And so what I would say is that if you want to protect European citizens, then you have to have a robust legal framework that would allow the police investigative forces to have the right tools, the right instruments that they require to be able to fight crime effectively while guaranteeing, of course, citizens rights and the rights and liberties of citizens are safeguarded. Now, you must understand that, you know, it’s a police means and a police force as a vocation, as their duty and mission to protect the values that we all hold dear.
Claudio Guarnier (Head of Amnesty International’s Security Lab, Berlin): Thank you. Well, firstly, Amnesty International’s mandate is to defend human rights and privacy and freedom of expression, as human rights are threatened by the use of such technology. And so I’ll answer to the question of merit to this hearing as to which countries in the European Union make use of these kinds of technologies is hard to tell in preciseness because of the fact that generally they are used in secret, their commercialisation is in secret that we can expect, or that most European European countries make use of technologies like this in some way or another, or at least some kinds of technologies of this type has become someone’s standard de facto in many in many cases, despite kind of a lack of public debate. I feel that has not quite adequately happened over the of the last decade. And I do believe that the European Union has a certain extent or an example globally to defend in defence of the right of privacy. For example, with the introduction of the GDPR. And I do believe it has an obligation to go even further in that, to set even a stronger example to the world as to what good regulations are and what good controls and oversight are for very critical industries such as this. It’s hard to tell why and are kind of numerous companies in Europe that produce and sell these types of technologies. I think it’s partially is an historical matter. It is an industry that in some way is spun out probably at the right time, technologically speaking, from early companies that were based out of Europe. But as we know, these exist and as extended further beyond. There is similar companies pretty much the world over at this point. Europe obviously is a very developed and industrialised part of the world where a great information technology talent comes from and that has developed over the years. And this obviously contributes as well to the production of technologies such as these. Some countries seems to be more kind of active than others when it comes to the production and sale of technologies like this. As I mentioned, early, Italy is has been seen for a long time and kind of as a prime developer and exporter of technologies like these. But undoubtedly, there’s many other companies in many other countries. Thank you.
Jeroen Lenaers (Chair): Thank you. There was no concrete question to Dr. Saage-Maaß unless you want to ask him to take it in the next round. And I move to Mr. Heide on behalf of SnD.
Hannes Heide (Socialists and Democrats): So thank you very much, Chair, and thank you to the panellists. One question from just before wasn’t fully answered. It’s about the market, the customers, the companies and the product. And there are trade shows and I’m quite surprised that there are nine European companies on the market. So it would be interesting to hear a little bit about more about the market within the European Union. As far as we heard from another producer outside Europe that he’s only selling to governments. So what is the profile? What are the characteristics of these companies? And I also want to ask, are their competitors or do they have special products? As we heard already, that there are some parts of products produced or on the market by companies like this. And I also want to ask on this Andy Street office, do they also present tools for protection against this spyware that is on the market and that is produced by companies like this? I also want to ask if criminals or criminal organisations are also customers of spyware, as you have already mentioned, or the companies always tell us that their products are to protect us from organised crime but is also organised crime and interfered with material like this. And a last question. You also mentioned to insolvency of company. I want to ask what happens with the spyware and the tools they produced after an insolvency and what happens with the data that they have? Thank you.
Jeroen Lenaers (Chair): Thank you. I think that the market slide you referred to came from your presentation. First, give the floor to second year and then maybe on the insolvency issue, we move back to Dr. Saage-Maaß.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Thank you. Well, yes, are there are a lot of points, so I’m trying to wrap my head around some of it, but. So first thing first, the list that is captured in those slides is not a comprehensive list as what are at least companies that are somewhat public being involved in that market by exhibiting to this particular trade show. There isn’t a whole lot of information about in public, at least about what is happening in these kinds of trade show, because they are not public. There are only reserved for vendors and law enforcement or government officials. So it is not something that anybody can just walk in and see and see what happens on the inside. But it is a trade show that has been happening for a very long time, I think over a decade by now. And its primary focus is sort of creating a marketplace, let’s say, specifically for surveillance technology of different kinds from spyware manufacturers to more traditional wiretapping systems to more novel technology, you know, and all sorts of things that could fall within the realm of surveillance and generally law enforcement activities. Of the nine companies mentioned, there obviously is a selection from those that have been reported on in public by the press. So it’s by no means a comprehensive list. I’m very sure that the factual number of companies producing spyware is probably much larger than that. It’s hard to tell. Those are the ones that have been sort of either more vocal or more public or that have been kind of discovered by journalists in the process of their work. So it’s hard to have a full estimate of what is the real size in terms of production that is housed in Europe. All of these companies are. Most of these companies are diversified. So they will produce a number of different instruments, not necessarily just spyware, but also oftentimes multiple types of technologies that they sell sort of as a package, kind of in combination to a prospect customer. Some of them that specialise specifically on that alone, on producing exploits or spyware specifically. So in essence, they are competitors, I would say, although oftentimes you see them collaborating and cooperating on different contracts as well as we have read on the press. As for, I might not remember the last point of the question, but I hope I covered most of it.
Hannes Heide (Socialists and Democrats): If there is a market within organised crime.
Claudio Guarnier (Head of Amnesty International’s Security Lab, Berlin): I wouldn’t, I wouldn’t be able to comment on that. I would be very surprised if companies would. I mean I I’m. Hopeful that at least in that regard, companies are respectful of the law. But it would be very surprised if it’s found that legitimate companies still provision systems like this to anything, not just to organised crime, but to anything other than government agencies or in some cases even other potential companies and partners. But I don’t have any insight on this.
Jeroen Lenaers (Chair): Just Mr. Lecouffe wanted to briefly respond to that as well. Very.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Yes. If I may, I’d like to just add one element to the reply. Criminals and specifically cyber criminals often don’t even need these companies because they themselves have. I say, well, they employ hackers, groups of hackers to be able to. Use ransomware, which is one of the big plagues that we have right now that are infiltrating businesses, and then they themselves can infiltrate IT systems or telephone systems via SMS, text messaging, etc. So they don’t actually need these corporations to do this. They don’t have to sign a contract with them. They themselves use cyber hackers. It’s crime as a service, as we would say. So they use services of other crime criminals that supply these intrusion capabilities. Now, you have cases I know in France recently there was a hospital that was essentially shut down because of ransomware where €10 million needed to be paid out in ransom. And this is exactly the type of cyber criminals that are able to infiltrate the entire hospital system, block it, and then ask for the ransom to be able to unblock the system. So they don’t criminals don’t use these company systems. They have their own service services that they provide amongst each other.
Jeroen Lenaers (Chair): Insolvency issue?
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Yes. So in principle, the software and the data that has been created by the company is still company’s the company’s property also if it goes into insolvency. The question is, what has been which know? What has the police when it raided the offices, confiscated it. And we are not representing any individuals in the case, no one and no victims of the crime. There can be no direct victims of a crime of violation of EU of an EU regulation. And we don’t know. So that would be the most precise answer you will get from the prosecutor’s office in Munich. But for sure they seised they seised they seised computers. They seised data at the at the company premises.
Jeroen Lenaers (Chair): Thank you. And then we moved to Renew. Róża Thun.
Róża Thun und Hohenstein (Renew): Thank you and thank you for your presentations. I must admit that the situation as we have been following it, analysing it from the beginning of this, of the work of this committee, is getting raising more and more of our concerns because also from USA we have the image of the European Union security of the citizens privacy, etc., which is completely out of control as you will see itself say. The list of the companies is much longer than what we hear of see all through the list of clients is also much longer than what we can imagine and nobody controls it. In fact, citizens are victims of crimes and unfortunately, governments are. If I may say so, part of this organised crime that for because we have many information about the Government’s uses of the system against journalists, politicians, etc., in an illegal way. So when I hear that that Europol has to ask the Government if they accept the launching of an investigation, investigation which may be directed against themselves, this seems to me complete lack of operation opera shall not lead to. I mean, it will not work, quite simply because our main concern is security of the citizens and the governments not overusing their powers and not spending our taxpayers money in a completely illegal way. And we have many cases I don’t want to enumerate those governments. So, frankly speaking, I don’t quite understand how Europol uses that legal, which you have mentioned. If you don’t if you cannot launch investigations in the member states against governments without them, without their authorisation, what? Because this makes the European Union and the whole control system, which we absolutely need and you all say this, that we need the control system, but it makes it, in fact, completely toothless. So I would like to hear your opinion about this.
Jeroen Lenaers (Chair): Thank you. I pass the floor to Mr. Lecouffe on the basically the mandate of Europol.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you for your question. Europol can only act in line with the law and based on the mandate it’s been given by the European legislator. What the European legislator has done is to not make Europol a body which. Carries out governmental oversight so we can use Article six and we have to stick to the letter of that law, of that article. We have to ask the member states and we have to check whether there is an open investigation and then we can perhaps open an investigation. But is the member state that remains in charge of the matter? This also takes us back to Article four of the EU treaty, which says that national security issues remain in the hands of the member states. It’s not a shared competence. I can’t add much more at this stage. We simply apply the regulation, the Europol regulation, as it was decided on by the European legislator.
Jeroen Lenaers (Chair): On behalf of the Greens, Saskia Bricmont.
Saskia Bricmont (Greens): Good morning and thank you very much for your participation and interventions. I would like particularly to thank you, Mr. Guarnieri, and also Madame Saage-Maaß as civil society representatives. Without you your work, the work of a journalist, we wouldn’t be here. We wouldn’t know about the sprawling file in the EU, outside the EU. And I thank you even more. And I give you all my support because of the attacks you’re facing, trying to decriminalise your work instead of counter arguments. That’s the first point I wanted to make. I have a couple of questions. The first one is towards Europol. I hear you are acting inside the legal framework, but I have known Europol also keen to work more broadly when a need was identified and we adapted the current mandate to the reality of the ground. So I think here there’s probably something to dig into it and to see whether it should be part of the Europol mandate to have a broader view. Because of course you your work is to facilitate cooperation between Member States. But your work is also to ensure the EU legal framework is respected and knowing the situation and its ever growing situation inside the EU, but also the threat it represents present on a security level for the EU entirely, and not only for national security reasons, but for EU security reasons, I think there there’s something to explore. So I would like to know, knowing your experience on the ground, what support you can provide to member states, you could provide if you adapt your mandate to member states in order to at least prevent them from acting illegally. It brings me to question inside the current mandate of Europol. We also extended to your competences on research and innovation matters. So I would like to know if there are any related projects on spyware within Europol or in this centre. I would also like to know, linked to my first question, what is your reaction to the policy recommendations that have been issued by the other speakers? Because so far at EU level, if Europol doesn’t do anything and is not in charge, who is? So it brings me to my second part of questions too. Madam Saage-Maaß, you talked about many cases in Germany that didn’t lead anywhere. Can you tell us how many and can also tell us if it is also widespread outside Germany? If the situation in Germany can actually be applied to all the other member states or some of them. And what is needed at EU level to ensure the control you are currently ensuring and where public authorities are failing to, to, to do so. Do you identify any EU body that could be mandated to do so? Also, a question to you and to Mr. Gordon. In which concrete ways could the current dual use regulation be strengthened and transparency enhanced? You said that the EU should go beyond its current legal framework. You talked about a moratorium, at least the time that we adopt a stronger framework respecting human rights. But I have a concrete question. In your view, would a ban be effective? Would it be something applicable at EU level, at EU level? Also, considering what you said about the difficulty to have concrete definitions of cyber surveillance and so on, and considering the current national security exemptions that are always put forward by the governments. Thank you.
Jeroen Lenaers (Chair): Thank you. So we’ll start with Mr. Lecouffe, please, you have the floor.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you very much indeed for all your questions. Now one thing is very clear. We do have some know how both technical, but also in terms of the technologies themselves. And we have an understanding when it comes to. Forensic science. We? Our good at understanding data traces when it comes to seised data and how that can be used in legal proceedings. So no, we don’t actually work on comms. So data in motion. And I think that’s a point that worth noting. So we do have some expertise, some knowhow in this field that we can share with member states. And that we can make available when it comes to certain criminal investigations. We’ve done that with the Maltese authorities. For example, when it came to the investigation into the death of Daphne Caruana Galizia, we looked at certain stored data on it which had been preserved on legally seised mobile devices. Now we also have a role to play as the face of law enforcement. On a European scale that is so we can really defend a European approach to law enforcement. And put sort of a human face on what we’re doing and also exchange good practise that’s really very much within the meaning of our mandate. And also the innovation lab that you mentioned. The research and invention work that’s been on there? Well, we don’t have any kind of project related to this sort of software. Spyware type software. When we have expertise, it’s more. To be able to support act as a support to member states in specific in the context of a specific investigation. So we try to pool and share practises and raise awareness on certain issues. But. And I’m sorry. I’m sorry to have to repeat what I’ve already said, that, you know, we can only act within the mandate that we have at the European level, and there are certain limits to this mandate.
Jeroen Lenaers (Chair): Thank you, Dr. Saage-Maaß.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Yes. Thank you. So the cases that we seen in Germany are criminal cases, a four, which does not mean that we did not look at many, many more than just in four. We found we from a civil society background have enough information that we find this at some is something we can submit to the prosecutors. I know that there have been investigations in Italy which did not lead a very far as well as in France, several investigations. What needs to be mentioned there is that one criminal investigation in France in this case has actually been has actually led to an indictment of company officials. So but, you know, this very few number of criminal prosecutions really does not does not say anything about how many potential criminal behaviours we are facing. And that company officials from the US European companies can be engaged with it simply. You know, those are the cases where that from a civil society perspective we’ve come across at least heard us on the moratorium. Well I think. Yeah. Well, yeah, there should be a hold now on exports until I think there is a robust regulation I think comparable to ban us to export bans when it comes to weapons. I think that is something that the European Union should be considering because in nowadays, as we’ve heard before, surveillance technology can be used quite as intrusively and as problematic as a and as you know, and in certain times also with deadly consequences as a as a weapon. And so I think, again, as I said, we need a very wide definition of cyber surveillance so that it does cover as many products as possible. At the same time, I do understand if if there’s something as robust as an export ban, obviously you may need to, for rule of law reasons, need to narrow down again then that definition, which means that but in general, when it comes to export licencing, the definition of cyber surveillance should be as broad as possible. Then when it comes to, well, is there an EU body, I don’t think that there’s necessarily an EU body that could and that could ensure better investigations and better law enforcement against surveillance technologies. But what is clearly needed, as we’ve also heard, as I mentioned in the case, that we looked into quite in depth and all. But also Claudio mentioned there are a lot of times cooperation between these different companies. And so that means different companies. Let’s say German, a German company is cooperating with a French and an Italian one, and the export goes then from Italy, for example, to Syria. So that means we need a cooperation between the law enforcement agencies to ensure that the full picture of how dangerous and intrusive actually the surveillance technology is comes together. And I think that’s but I don’t think that this is well, this is something that just member states needs need to look into more from what I understand and again, I think there we also come when it comes to how can how well also probably how can we as civil society and also as parliamentarians on the national level, push our governments to do exactly that, to cooperate better, to have a better also oversight over those technology exports, but also those companies. That means there needs to be more transparency. So that means we need to know better which licences are given out to which companies. And that is why we need this, this much more stringent transparency, transparency in the dual use regulation. So there must be publicly available data because otherwise if we don’t even know what we are talking about, we’re not going to, you know, go any further. And when it comes to also not much further, when it comes to law enforcement and civil society journalists, human rights organisations cannot really play the role if we are, you know, always, you know, just picking up the dots that that somehow come to light.
Jeroen Lenaers (Chair): Thank you, Mr. Guarnieri. The last two questions for the address. Do you have anything to add?
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Well, I’m going to echo most of what my colleague from Mr. Chandra said. But similarly, we also are advocating for a call to a moratorium, essentially just to give us the time and space to really figure this out properly and and kind of pull the brakes on on an industry that has gone that has gone wild. Other than that, I have mentioned before, and you mentioned as well, more the need for a strengthened transparency over the existing processes of exports and use. We wish to see, obviously, as I mentioned as well before, increased support and strengthening of legislation that could provide judicial and burden on judicial and non-judicial remedy to those that have been affected by these by cases of unlawful surveillance. Maria mentioned this as well before, but similarly, stronger screening measures need to be included in the process of experts taking much more strongly into account human rights concerns and safeguards when dealing with the transfer and sale and use of these types of technology. But above all, I think. The request. We require some better and stronger, enforceable legislation to, you know, require companies, mercenaries, spyware companies and the likes to really incorporate human rights or diligence processes in their activities and not let them self-regulate themselves as as have as they have done for a long while, because demonstrably that has not worked well. Other than that, I’m basically going to make a lot of what the colleagues have said. Also, I’m happy to to share some more detailed recommendations that I believe should have been circulated to you. But if not, I will make sure to, uh, to have them central to the committee members.
Jeroen Lenaers (Chair): Thank you, Mr. Lebreton.
Gilles Lebreton (Identity and Democracy):Thank you very much, Chair. I should like to begin by making a brief comment on the role of Europol that is emerged during our debate. There have been a number of questions as to what your report role should be, and as Mr. Lecouffe says, Article six of the Europol Regulation does not allow Europol to intervene unless a state proposes such action. And that means that the state can also reject that. In my opinion, this is good because Europol is to the service of the state and it should not have oversight because I feel strongly about the sovereignty of the Member States. Having said all of that, I would like to raise a question with Mr. Guarnieri. He spoke of a market of spyware and he gave the name of a number of different corporations, ten or so European companies that are part of that market. And what I think is surprising is that there’s a number of Italian companies, but he did not give the name of any French companies. So I was wondering, are there any French companies that are part of this spyware market? Thank you.
Jeroen Lenaers (Chair): Very concrete question to Mr. Guarnieri.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin):That’s a good question. I am I’ve got to say, I could. Look into this question more and get back to you on top of my head. I can’t come up with any specific examples. Of course, there are companies from France in the larger sort of surveillance industry that Miriam actually mentioned before that we’ve been part of in some cases, and investigations. As for specifically spyware manufacturers, I can’t I don’t recall specific examples that I can control. I know. I’m sorry.
Jeroen Lenaers (Chair): Thank you. But I will take up that invitation to come back to that. And I pass the floor to Mr. Georgiu.
Giorgos Georgiou: I think this problem is much broader and more serious than we think. All we’ve seen thus far is the very tip of the iceberg. Former Heads of government, EU leaders. Journalists, activists, politicians. They’ve all been monitored. And some of the. Journalists even died. Think of Mr. Khashoggi, who lost his life in Istanbul, in the Saudi Arabian embassy. A year or so ago. The NSO company. Was promoting Pegasus and showed it to. The authorities of Saudi Arabia in Cyprus. And then. Then. There was data collection, personal data collection that ensued. Mr. Dillon was, uh. In charge of this with his company Whisper. And he had previously been in charge of security in Israel. And we know that whisper company collaborates with the NSA. So when all of this was happening, Mr. DeLeon said to Forbes. That. The software was so good that it should be sold everywhere. It was being sold like a like a soft drink. That’s how these companies work. And then if we look at intellects, intellects is behind Predator. Which has been spying on Mr. Andrew Luck in Greece. And that company also has ties with Mr. Elian and his. Company in Cyprus. Mr. Lecouffe, I know that your action is limited. I know that your mandate is limited. Your remit is limited. However, I listened to what you said and you say. The principle is to respect the law. But if you see that there are companies in Cyprus, Malta and Bulgaria and they’re breaking the law, shouldn’t you then do something? They’re breaking the law. These companies break. National and European law alike. And then they’re exporting their software. It basically pollutes and affects the whole of the EU. Shouldn’t you then intervene? I am drawing to a close now. Chairman. Mr. Lecouffe. Thanks to Europol’s cooperation with Cyprus. Have you been able to unearth and find out which? Software. Cypress House. Is it Predator? Is it anything else? And Mr. Guarnieri, I have a question to you. If we look at the European institutional framework, the Chair is asking the Speaker to conclude. I will, he says. So Europol has done very little. It’s very difficult for Europol to act. And there’s also a lack of will. The member states haven’t wanted to act as we’ve seen in Greece. Are you optimistic then? Mr. Guarnieri. Do you think that we can make progress and deal with this issue or. Are we just going to talk about this until the cows come home.
Jeroen Lenaers (Chair): To try and be brief in their interventions? Because we have many members that want to take the floor and everybody is entitled also to take the floor. First, the concrete question to Mr. Lecouffe and then to Mr. Guarnieri. You have the floor and also try to be brief in the answers, if possible.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): I can be brief. In the past, and particularly with regard to the case that you raised Europol. Was able to assist the Cypriot authorities in certain cases in order to analyse and investigate the seised materials. Data was extracted from the devices and simply then delivered to the Cypriot authorities so that they could continue their investigations under national law. So in terms of the technical know how Europol can provide assistance in the context of such investigations. Now, at this present time we are not. Aware of any investigation. Relating to the issues that you raise for us to to provide our assistance that so far we have not been asked and invited by a member state to provide assistance. And of course, we will reply and respond to any request that is made to us by any law enforcement body from the member states. And with regard to the knowledge of software being used by member states, we have no such knowledge. We simply check and verify that data sent to Europol were seised in accordance with national law. And are in line with the working rules and regulations that govern your work. Thank you.
Jeroen Lenaers (Chair): Guarnieri, on your levels of optimism.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Thank you. Well, I. I might say that I am hopeful and these being an opportunity for change to an extent that we never had before. And the existence of this committee makes me hopeful. I’ve been researching this industry and its very many issues for going over a decade and we’ve been, I think collectively as a civil society, waiting for opportunities like this to talk about these problems and address it. So if there is a time for and an opportunity for positive change, a thing that is now and I’m very much looking forward to the development and conclusions that this committee will come to.
Jeroen Lenaers (Chair): Thank you. Mister Puigdemont.
Carles Puigdemont i Casamajó (Non-attached): Thank you very much. Thank you. Two brief questions. First one to Claudio Guarnieri. We can find evidence of the use of a spyware. Thanks, I suppose, to some bugs in the software which leave traces on the devices. But today, these companies, I suppose, have improved their products and probably fix the bugs. So my question is, do you see a way to control effective use effectively with guarantees the use of a technology that can be undetectable? That is my concern. And the second question is to Dr. Saage-Maaß. The according the evidence collected so far, do you think the situation in the EU concerning the human rights has improved? Is more granted than before than control use of spyware? Is the EU stronger from the human rights point of view? Thank you very much.
Jeroen Lenaers (Chair): Thank you, Mr. Guarnieri.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Well, indeed, it is challenging to conduct technical forensics of the kind that has been conducted by research institutions actually doesn’t allow bananas and others. It is challenging because it requires, you know, a deep understanding of the way that the targeted platforms operate and the way that they can be subverted, the way that platforms and phones can be subverted changes constantly. So it’s a continual sort of catch up game to understand what attackers and mercenary spyware companies are developing. It is also worth noting that there has been engagement from big companies such as Microsoft and MIT and others in the larger industry that have picked up this issue and are somewhat regularly sharing and publishing details about their own findings that oftentimes are in line and confirming what has been discovered so far. So there is indeed some increased attention to the issue, also from a technical level. But undoubtedly the problem of how to regulate something that is designed to not be discovered is something that is problematic, of course. Again, I’m not a legal expert, but I do see tensions and challenges in finding means to legitimise and legislate, especially in the context, perhaps, of criminal investigations, the use of technologies like this that cannot be as easily sort of retroactively documented. You know, if a device is being monitored with something like a sophisticated piece of spyware that has the ability to eventually remove all traces of itself, what kind of due process exists to ensure that that from a technical level, that interception is happened and was executed correctly, especially in light of all of the capabilities that these tools have. As I mentioned earlier, we’re not just talking about a single kind of purpose, but they’re able to tap into the various kinds of investigatory powers from, you know, wiretapping to search and seizure to target tracking and all that. So I don’t have a clear answer for that, but I do acknowledge that it is also, from a technical level, problematic thing and difficult problem that I’m very hopeful can be can be discussed in addressing in a larger forum.
Jeroen Lenaers (Chair): Thank you, Dr. Saage-Maaß.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Yes. So, first of all, on what can actually be regulated. Well, you know, companies like that are outside of the EU like NSO, that has been importing or selling Pegasus to European states that can that can be regulated through an import ban. So an import ban on certain products and certain encryption software products, surveillance products that are being produced within the EU by companies located in the EU can be regulated through export control regulations or export bans. Now, the invasion of those, and I think that’s what you implied, so the better the software gets, the more invisible it is. Who’s been selling what to whom? Because how do you trace it, obviously, that the evasion of these potential regulations is a question then of law enforcement. And then we’re back to the question. You know, while Europol maybe may maybe have limited competences, but from my knowledge, a member state law enforcement agencies have never tried to involve Europol to coordinate, for example, serious investigations into how companies have been or how the technology of surveillance technology has been used in a criminal way to targets ordinary citizens. So, you know, I think that we come to the question of political will and then on the question of human rights under more threat than they have ever been. And I think that it’s human rights are not at a better stage in Europe or elsewhere in the world at the moment. But I think it’s exactly that. That’s the use of the potential use of surveillance technologies and of the whole digital space and how to secure human rights in that digital space is something that we have no proper answer to right now. And I think it is something that the European Union and the European Parliament needs to look into deeply. So what how do we secure the respect for human rights while there are so much where they can be so invasive, so much intruded to software as that we are talking about. And so I think this is a great threat to. You know, to human rights and to European, but also all citizens and many, many other countries.
Jeroen Lenaers (Chair): Thank you, Mr. Arłukowicz.
Bartosz Adam Arłukowicz (European People’s Party): I will speak Polish. You can use the phones. I have a question. For Deputy Director Lecouffe. Sir. You represent Europol and you’ve come here to the European Parliament where we are holding a hearing where we’re trying to clarify how Pegasus has been used. Against citizens. In your first statement and in the statements that ensued, you explained Europol’s operations are essentially you underscored what Europol cannot do. Now, you didn’t say exactly what type of information Europol has on Pegasus. You didn’t even use the word Pegasus at any time during your speech. So what I’d like to know is does Europol have information of Pegasus being used against citizens in the EU? Does Europol knows? What information does your people have about the use of Pegasus in Member States? Does it know precisely which member states lifted the use of Pegasus licences in in because of use against citizens? And has it been used in terms of spying against Commissioner Reynders? Because we have reason to believe that there was a phone tapping in this sense. Now, what does Europol know about Pegasus use against the VI, the Deputy Prime Minister of Poland, or against the opposition in Poland? Does Europol have any information about the use of Pegasus in spying activities in Poland against the prosecutors, prosecutors who have carried out investigations that are uncomfortable for the government? Now you have said that Europol does respect all the rules that apply to it in investigating crime. But would you be able to give further information about what spying is being carried out by government officials against citizens? Does Europol have any information on this, on the use of Pegasus in Europe? And if so, what acts have you taken to fight this? Moreover, what would you do to try to persuade governments to not use Pegasus against its citizens if it were to turn to Europol to assist in protecting our rights? Mr Lecouffe.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you very much for your question, Honourable MEP. I’ll try to answer as comprehensively as possible. So as I said, Europol has never used this kind of software, including Pegasus, because we don’t carry out interception. We were made aware of Pegasus as everyone else was when it was brought to light. We had not. Heard about it before. We didn’t know previously that this spyware was being used. Under our mandate, Europol doesn’t carry out. Checks in each member state as to which software is used. Based on the legal framework. If we are asked to. If we are turned to, we will do as our normal. Most states will support the member states. We will contribute to the member states investigations. So if we asked to, we will respond. As regards the powers under Article six, which were mentioned previously under that article we have. Had new powers. But I must remind you that this has only been in force since the end of June. So we can ask the member states to carry out investigations if no investigations have thus far been initiated in a member state. I’m sorry. To disappoint you, Honourable MEP, but I wasn’t in charge of Draughting the regulation law. We simply apply it. I feel that I’m being accused. We try to provide support. We try to use the means at our disposal so as to provide support to the member states in their action. That’s all I can say.
Bartosz Adam Arłukowicz(European People’s Party): I’m very sorry, but I didn’t get an answer to any of my questions. I wasn’t asking you about Article six. I was asking you about whether formally speaking Europol was aware of Pegasus and what was done against the spying on Commissioner renders and the Polish Foreign Minister.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Very briefly, I can repeat what I just said because I do believe that I was clear. We became aware of the use of Pegasus via the press. Like every one, we did not have information prior to that. And the information that you the questions that you raised as pertains to what is happening in Poland, we have not been informed by the Polish authorities to support them in those investigations.
Jeroen Lenaers (Chair): Mr. Cañas.
Jordi Cañas (Renew): Thank you, I’ll keep it brief. I’ve just heard what the Europol official said. Well, it’s a bit like the White House. You didn’t know the member states were using Pegasus. You didn’t know that there was. Phone tapping. You were the only ones who didn’t. I didn’t know. So. Yeah. I mean, you can carry out legal tapping and all of the member states carry out the tools to do that already with the legal tools. Logically, it’s logical the information services. And the police have software they can use. Those software is in line with the legal framework, in line with the law to carry out tapping activities to bug. Anyway, I have a question for Mr. Guarnieri. The role of civil society has been so key. Europol is saying that they only heard about Pegasus because of the whistle blowing. So this whistleblowing shows just how key civil society of the whistle blowing has been so important because it has disclosed and brought to light the illegal use of spyware. So actually, this isn’t software, this is spyware. So when the whistle is blown. We need to know that the whistle blowing is correct. You have done a lot of research. And there are some doubts about the methodology and the analysis that has been used by Citizens Lab and others. So there are questions about the analytical methods used to check whether somebody’s phone or device has been infected by spyware. Now you’ve said that there is a need to step up and improve transparency. But that applies across the board. We need to have greater transparency and supervision. But given that citizens lap. Citizens lab work hasn’t been assessed by peers or by amnesty tech. So given that state of affairs. Are the methodologies and analysis used by Citizens Lab? Correct. Can we rely on those results? Should their analyses be under be subject to peer review? Peer review? Should others assess the analysis of Citizens Lab so that we can check that what they’ve been saying is correct.
Jeroen Lenaers (Chair): This is on brevity in this house. I never follow the actual brevity. I give the floor to Mr. Guarnieri.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): So I think there are some various elements to this. The. Forensic analysis of devices is something that hasn’t been publicly documented for quite a while. And we have been, I think, very transparent about what the methodology is, the details of how the forensics are conducted and what kind of traces are being recovered, recoverable from devices. I might add also that in numerous occasions we have been given the opportunity to independently validate some of the results that other researchers, including Citizen Lab, have come to the conclusion of and. And vice versa. I’m. Very confident in the technical analysis that the researchers are able to do. I think that has been also very widely validated by many confirmations from many other actors, including, you know, the same manufacturers of companies, many, in fact, manufacturers of products that are under subjects of this kinds of forensic analysis. So in that regard, I think there is ample evidence to support kind of a lot of the conclusions that have been drawn on many of the reports that have that have come out. And, yeah, I’m not sure I fully address the question, but I.
Jordi Cañas (Renew): No, no, no. Very briefly, in any investigative process. The methodology is important and peer review is key to that. So very quickly, do you think that in investigations it’s right for third parties to have access to that and to assess the methodology that has been used with regard to the possible infection of devices? I don’t know. Whether there’s any such review in place for the citizens lab.
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Well. And we have conducted independent validation of some of the reports the Citizen Lab has published and confirmed the cases that we have had the opportunity to validate independently. These terms of transparency, of methodology, as I mentioned, we have published a report with our full methodology available to the public. We have published indicators that that have been associated with this forensic analysis, as well as technology and tools to conduct it. So. Yeah.
Jeroen Lenaers (Chair): Thank you very much. That we move to Karolin Braunsberger. You didn’t ask for the floor? But. Okay.
Karolin Braunsberger-Reinhold (European People’s Party): It’s okay. No, but it’s okay. Thank you very much. I’ll just do this in German. Thank you very much to you, but also to thanks to everyone who’s here. And I have a couple of supplementary questions. First of all, regarding the cases in Germany that you mentioned, Ms. Zacharias, you talked about many cases. And apparently when we asked how many exactly, you said, well, it was just a handful. And in the case of the evidence being present, there was investigation, but there’s a potential for more cases. So my question is, how many cases were the exactly and were the investigations where you were able to provide evidence and. My further question was what exactly would be your definition of surveillance software? Because obviously there are microchips everywhere in household goods, fridges, vacuum cleaners and so on and so forth. So we’ve heard that there should be a broad definition and everything needs to be checked and validated. So what kind of definition should we have? Is it a good idea to have a definition? I mean, should you have sort of supervision and on everyday household devices such as fridges as well?
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): In that case, let me reply to your question in German as well. We have submitted four cases. So and it’s only the FinFisher case that was investigated seriously and.
Jeroen Lenaers (Chair): Yeah. Okay.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): English?
Jeroen Lenaers (Chair): Yeah. Yep. Just maybe easier to it to just make sure it’s English.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Okay. Sure. So, as I said, we filed for criminal complaints only in one. There were a series investigation conducted. I spoke about those. And I think probably we’ve looked at approximately. But, you know, something like ten cases that we have been internally looking into in coming in, in coordination with other organisations. So, um, but as I said, this number is not representative whatsoever because it just means it’s just dependent on how and where I or my colleagues get to read a report or hear about a certain evidence. So and the fact that the question of whether or not an NGO gets sufficient evidence also doesn’t say anything about the reality of the crimes being committed. And so, yes, I do tend to say surveillance technology can be so dangerous that it should be a very broad definition indeed. And I think we do need to better regulate exports, and we do need to better regulate our economies, because as we can see, that this technology can lead to death and can lead to the destruction of democracies. And so, yes, therefore, I’m for very wide definition of this, and this may cause a little bit more trouble for certain companies, but I’m pretty sure we will get around the parts of this world that they can still sell their refrigerators.
Jeroen Lenaers (Chair): Thank you very much. Ms Neumann.
Hannah Neumann (Greens): Thank you very much. And I have one very short and very simple question to Mr. Lecouffe. And after that, I would have to the civil society experts, you can answer with yes or no, please. In your introduction, you said that all these spyware tools are highly invasive instruments, and it is important to prevent misuse of these instruments. Would you say that inside the European Union and across all EU Member States if we were successful in preventing such misuse? Yes or no?
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Well, the fact that your committee exists proves that there are things to do where they can is the answer they can give you. And I would like to come back to what was said before. We are not questioning the way the member states are working and it’s not because we don’t want is just because it’s one of the fundament of the Lisbon Treaty. The national security is the competence.
Hannah Neumann (Greens): We understood all that, would you say that there is anyone at the moment who can do that?
Jeroen Lenaers (Chair): No, no, no, no, no, no, no, no. I’m sorry. There was in the previous speaker some comments made about Europol report only has the rights to also clarify this not in response to you, but in the article to the other speaker. He does have a right as a guest also to address that.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): So I think that it’s one of the fundamental of the of the Lisbon Treaty. The national security is the competence of the member states. We are not shying away from our responsibility in Europol. We do fulfil our role and we will do if we have requested in the framework of our mandate. It is the only thing that they can do. And I.
Hannah Neumann (Greens): And so we agree that there are problems and at the moment there is no one on EU level who can look into this problems.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): I think that it’s what we all doing today discussing the topic publicly.
Hannah Neumann (Greens): So and thank you very short questions to the two others. And we only know about all these problems because of the revelations brought forward by civil society organisations and journalists. You all look into private companies misusing spyware or their spyware being misused. Who is looking into what states, including EU member states, do with their very own spyware? We know at least France has. Who else has and who is looking into potential misuse there?
Jeroen Lenaers (Chair): Thank you, Mr. Guarnieri. You want to go first on that?
Claudio Guarnieri (Head of Amnesty International’s Security Lab, Berlin): Well, we. Our work is centred around providing support and documenting cases of abuse and violations of human rights and attacks against human rights defenders, irrespective of who is the perpetrator of that particular attack. It just so happens that typically, at least when it comes to technical investigations, there are better means to conclude attribution when there’s kind of private entities involved. So I don’t really have an answer as to who’s on the lookout for kind of, let’s say, home-grown technology specifically. I think a lot of the focus has been placed on the private industry because of the fact that it sort of opened up and quote unquote, democratised access to these types of technology to a degree that it was not possible before, including to perhaps nations and agencies, that it would not have had the resources to. To obtain access to these types of technologies. I think that’s one of the reasons why it has become so central, but also because there are ultimately kind of central and primary producers of these types of technologies as well. So unfortunately, I don’t I don’t have any insights as to why necessarily all European member states do in terms of their own development capacities. Undoubtedly, especially, I suppose as intelligence agencies level, that’s certainly happening. But I’m afraid I don’t have a specific insight.
Jeroen Lenaers (Chair): Thank you. Dr. Saage-Maaß, if you have anything to add.
Dr. Miriam Saage-Maaß (Legal Director, European Center for Constitutional and Human Rights (ECCHR)): Yeah, briefly. I mean, I think it’s classic for civil rights organisation that are also looking into governments and they use their use of surveillance technology. No. And I think as you can see, there’s been the German constitutional court issued the ruling on BND. So the German intelligence foreign intelligence services. And whereas also on the question of how to use data at least. So I think there are other organisations. But I agree with Claudia. It’s also important to look into the private sector as it’s, it’s, it’s less regulated and I think it’s the parameters of how governments should it for companies are less clear than the parameters, the human rights parameters are for governments in the European Union.
Jeroen Lenaers (Chair):Thank you. Vlado Bilčík.
Vladimír Bilčík (European People’s Party) Thank you very much. This is just a very quick question to pick up on the whole discussion we’ve had about the role of the Europol. And I get the message you’ve learnt the things from the press and the media, just as others have. Now my question is and we kind of going around this, but you know who is too? I mean, the answer is we need to look at who is responsible national security, but who is responsible for the European security, especially when the European institutions might be under attack or threatened through spyware. My question is, how safe do you feel inside Europol that you’re not threatened, that you’re not under attack, that nobody’s following your work? Have you proofed your own work against potential spyware and other attacks which you might be exposed to? So let’s turn a question around and let’s see what you have done to safeguard yourself and your work in day to day business. Thank you.
Jeroen Lenaers (Chair): Mr. Lecouffe.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): Thank you very much for that question. At Europol, we have files with personal data, and these are crucial files. We try to have the best possible protection of that data. All of the data that we have and that is stored in the Joint Chiefs of Staff at the in the Hague, at the airport offices and in all of the ways that we are communicating. Now, can I say that I am 100% sure that we are fully protected while we are never 100% sure. But what I can say is that we try to have the highest level of protection possible. Looking at what is being done and all of the cybersecurity issues that prevail. So we think that we have a very high level of protection, a good level of protection. But I cannot guarantee. At the time that I speak to you, that there is there are provisions in that would offer that 100% protection. Now, when it comes to the Joint Chiefs of Staff, I know that we have a closed circuit with a very high level of protection. I can say that. But when we talk about communication and communication systems, I would say that we are at the best possible we have the best possible level in place. That’s what I would say.
Jeroen Lenaers (Chair): Thank you. Before closing the panel, there was one brief additional question from the rapporteur, Sophia. Did you ask for the floor to rush it? Then I apologise that we first do Mr. actually. And then the rapporteur. My apologies.
Dragoș TudoracheI (Renew): I was with my flag up from the very beginning. Anyway, I was along with few other colleagues in this room in the team of shadow rapporteurs for the new Europol regulation. So I must say, Mr. Lecouffe, that I will be disheartened by the modesty with which you interpret your mandate. We fought actually quite hard in this Parliament and also in the negotiations of the Council for the current version of Article six, which is there for that one or 2% of cases where the phone will not ring from the member state. For those crimes where the member states law enforcement will not call for help with Europol, just as it happened already in several cases. So my question is, because I don’t think there is a doubt that the crime has been and is being committed against EU citizens. I mean, we have the Commission who has confirmed that there are effective phones of Commission officials. We have European politicians who are confirmed to be subjects of infected phones and so on and so forth. So a crime is being committed. Some member states already have judicial investigations, so their employer enforcement is doing its job. France, amongst others, but some others are not. So my question very simple. To Europol. Is on the basis of the current version of up to six and its spirit, when will Europol, how long will Europol wait? Until it will call a member state and ask for an investigation to be launched. Even if the member state will say no because they have the right under Article six. But when will Europe pull it hollow? Woolly tweets. If one member state or another is not actually doing anything to investigate this crime? And second, why is it that much secrecy around the use of this technology by law enforcement? Because, as you rightly say, law enforcement is fighting very sophisticated criminal tools in the hands of criminal organisations, so, rightly so, they would have the need to use themselves such tools. Why is it that we don’t have regular procurement processes for actually acquiring these tools? Why is it so secret? Thank you.
Jeroen Lenaers (Chair): Thank you. Before answering, I think Sophie would just briefly add to that question.
Sophie in ’t Veld (Renew): Yes, I would like to, because I wholeheartedly agree. We have created the new powers for Europol. It’s not a pick and choose menu for you, it’s a duty. Those powers were granted to you in order to protect the EU citizens. Refusing to use those powers is not an option, Mr. Lecouffe And if I look at the mandate of Europol and I’ll be more specific than my colleague here, I see in the list of crimes that fall within your remit, I see at least three which are relevant in this case. One is computer crime, also known as cybercrime. One is corruption and one is racketeering and extortion. So. I would say that there is ample reason or ample justification within your mandate, and it’s actually shameful that it was journalists who have uncovered all this with diligent and brave work and NGOs. And Europol is now saying, Oh, we haven’t got an invitation. We were taken by surprise by the media. You should have known. How are you going to stoop to reassure the citizens that you’re looking after their safety? And one last remark, also to Mr Lebreton.Europol is not working for the government. Mr. Lebreton, read the treaties because that would mean that even if governments are corrupted and engaged in criminal activity, that you would still serve them loyally. No, Mr. Lecouffe, you’re working for the citizens.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Mr. Lecouffe, in response to the question of Mr. Tudorachel and add on by Mrs. in ‚t Veld.
Jean-Philippe Lecouffe (Deputy Executive Director, Operations Directorate, Europol, The Hague): I never said that we will not use and that we’d never use this new power that we have for two months. I never said that. I said that we are assessing the situation to see if we have to reach the law enforcement member states to ask them to initiate an investigation. It. Well, I’m sorry. We. We are not escaping from our responsibility. We are assessing if we have to do that. We are really thankful to have new power wells to put in place and to. We have a lot of things to do also in Europa in order, for example, to put on hold all the new competences that we have for two months. It is two months that we have these new competences. So how long you will wait? I don’t know. We have to assess the situation. I, I take the your remarks on board. We are we have I think that the message was quite clear today from you from. So we will we will assess the situation with the executive director to see what we have to do on that. Certainly. And again, we don’t have to question the way in the member states things are doing under judicial scrutiny and all the data that we receive. Are they needed by judicial authorities, national judicial authorities? We are not above a judge in the country. We are not above a judge. This is not the rule of law for me.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Thank you to all panellists for their contributions to all members, for their questions and the clear signals that were expressed as well. I would thank you all more elaborately, but we have a second panel that we need to do. So thank you very much. And hopefully that you can be involved also in the remainder of our work here in the committee. And for any questions that might might come out of that, we will take a break of 4 minutes so we can change the panel. 4 minutes is all we get. And then we start at 11:30 sharp again. Thank you.
Jeroen Lenaers (Chair): All right, colleagues, thank you very much. It is 11:31, so I am one minute late, but we would like to start the second panel of this morning’s hearing. And we have two guests. First of all, we have Ms. Van Brakel, who is a research professor and the chair in surveillance studies at the university in Brussels. And we have Dr. Clara Portela from the University of Valencia, who is specialised in arms controls and sanctions, will both give both speakers at 10 minutes to give their contributions to the panel or to the committee. And then we’ll have 40 minutes left for questions and answers. And I really ask you also to be brief and to the point in your questions, to have the maximum added values in the answer and we’ll start by giving the floor to Mr. Rosamunde van Brakel, please.
Rosamunde van Brakel (Research Professor, Vrije Universiteit Brussels):Thank you very much I’m so as the person next to me said I’m a research professor at the University of Brussels, where I coordinate a chair and surveillance studies. And I also teach a course on the legal, ethical and social issues of artificial intelligence. I’m an interdisciplinary social scientist, and my current research focus is on the governance of law enforcement use of surveillance technologies. Thank you very much for the invitation to speak to this very important enquiry. The use of Pegasus by governments on citizens cannot be seen independent from the context of larger societal developments towards increased use of surveillance by Member States in the EU, as well as what is known as surveillance capitalism. Surveillance is increasingly considered as the solution to combat crime, control migration, control the pandemic, protect national security and as a result, citizens are increasingly targeted by surveillance in their daily lives. You could even argue that children are now growing up in a surveillance society. In addition to having a significant impact on fundamental rights and democracy, social scientific research on surveillance has shown that it can lead to a chilling effect psychological effects, such as feelings of fear, humiliation, stigmatisation and more in general to social sorting, loss of trust in government, leading to system avoidance, loss of life, chances for often already marginalised populations. Research has also shown that the current governance framework mostly addresses individual harms of surveillance and is failing to deal with dimensions, collective and societal harms of surveillance technologies. Now, spyware such as Pegasus, is seen as a tool that can be useful for law enforcement, especially in the context of the control of serious crime and terrorism. According to an article in The New Yorker, a senior European law enforcement official whose agency uses Pegasus said that it gave an inside look at criminal organisations. When do they want to store the gas to go to the place to put the explosive? He said that his agency uses Pegasus only as a last resort with court approval, but conceded it’s like a weapon. It can always occur that an individual uses it in the wrong way. It has now become clear that several law enforcement and intelligence agencies in several member states of the EU are using Pegasus or other spyware. However, how and to what extent they are using it remains unclear. Now I’ll talk a bit more about what is known about the use of Pegasus by law enforcement agencies in Belgium. In Bell in 2021, the Belgian Minister of Justice stated in an in an interview for a national newspaper that it’s absolutely legal for intelligence agencies to use Pegasus. However, he declined to confirm if the intelligence agencies were using it. According to an interview with a staff member of NSO in the New Yorker and also the Belgian newspaper The Standards, it is unofficially confirmed in security circles that the Belgian Federal Police is using Pegasus in the fight against serious crime, such as drug trafficking, child abuse and terrorism. However, the Federal Police has declined to confirm this and responded to the newspaper not to communicate about the technical and or tactical resources deployed as part of their investigations emissions. The Federal Police further stated that data interception is done by the police, according to a strict legal framework in a well-defined criminal investigation into well-defined criminal offences, and always after approval by and under the control of an investigative judge. Now. It should also be noted that this use of Pegasus is not and the spyware is not new in Belgium. WikiLeaks showed in 2014 already that Belgium had bought 13 FinFisher licences. Now I would like to discuss some concerns and challenges that come from research into the use of surveillance more in general, but also more specifically concerning Pegasus. A first concern or challenge is transparency, accountability and legitimacy for citizens in Belgium and around Europe. It is unclear how law enforcement is using spyware. There is no transparency and therefore public scrutiny is impossible. This is a larger problem with many surveillance technologies that law enforcement is not clear about how they are using the technology, what kind of safeguards they have implemented. Questions arise, for instance, about if law enforcement agencies are conducting the data protection impact assessments before they are using spyware. And if in these assessments, if they are actually conducting them, if they are sufficiently looking at risks to fundamental rights. All this is very unclear. And if you are aware of what happened a couple of years ago that the federal police in Belgium experimented with facial recognition software at Brussels Airport and did not conduct a data protection impact assessment. You could wonder if they are actually conducting them. Furthermore, it’s unclear what accountability mechanisms are in place to hold law enforcement accountable when rights are violated and what kind of remedies are out there. This is something that will be discussed later on. This lack of transparency and accountability can lead to loss of trust in government and raises questions of police legitimacy. Is law enforcement actually acting in the best interests of the citizens? A second concern in the Minister of Justice and other commentators have indicated that Pegasus is being used and the legal framework that has been put in place there for traditional wiretapping. However, wiretapping and Pegasus, spyware and other types of spyware is not the same. It has quantitative and qualitative differences. We can think of the scale of the data collection. The software collects huge amounts of personal data of the victims, and questions arise. What happens to this data? For instance, will big data analysis be conducted on this data? Secondly, the invasiveness, for example, being able to turn on the camera and the microphone on on a victim’s phone is much more invasive than listening into a conversation. In addition, however, this could also be part of traditional wiretapping. But it’s not just invading, being invasive for the victim, but also, for instance, for family members and children. Finally, the role of the software company in the case of spyware is unclear. It’s unclear how much power they have who would have access to the data due to have a vendor lock. Does law enforcement have to contact the software company to be able to update the software? Now, more research will be necessary to identify the quantitative and qualitative differences in detail. But in any case, it becomes clear that more strict safeguards are necessary than traditional wiretapping. Thirdly, procurement rules in general, legislation around procurement does not take into account human rights, social and ethical issues of new technologies. Often it is the cheapest company often gets the assignment. However, what we have now, for example, in Belgium, is that most cameras being implemented are hac vision cameras and are a technology developed by a Chinese company that has been implicated for human rights abuses. Force normalisation of surveillance and risk of function creep. How will the risk of function creep will be addressed? So function creep implies that surveillance is being implemented for one purpose. It gets after a while, gets implement implemented in other sectors or for other purposes. So for example, what we see in Belgium happening now is that whereby in first instance, automatic number plate recognition software and cameras were implemented for serious crime. Now there is a new law that allows customs to confiscate, confiscate cause of people who have not to pay their taxes. Fifth, Should traditional safeguards and accountability mechanisms are insufficient to respond to potential harms of new surveillance technologies and prevent abuse? More specifically in Belgium, law enforcement investigates judges but also overrides oversight. Agencies often lack the necessary interdisciplinary expertise about potential surveillance harms to make reliable assessments. There is need for innovative accountability and oversight mechanisms that goes beyond legal compliance, addressing social and ethical concerns, and involving citizens or citizen representatives where possible. Finally, lack of scientific evidence and research about effectiveness of surveillance strategies and technologies and the harms caused by them as a result of lack of funding of critical scientific research. There is a significant risk. There is significant research funding in the EU for the development of surveillance technologies, but in contrast, very little funding to research the harms for individuals, communities and society. There is need for evidence based policing and intelligence, which is informed by independent scientific research and evaluated frequently by independent scientific bodies. Questions arise. Is Pegasus and other spyware effective? Is there scientific evidence that actually supports this? For instance, I just read that the vulnerabilities that are exploited by Pegasus are now fixed in the newest models of iPhone and Android phones. Now, what we just heard about criminals having a lot of resources, why would they still use old phones? And then the quest. The question arises, who is law enforcement actually targeting with spyware? In sum, considering the issues mentioned, the current governance framework needs to be updated to deal with Pegasus and similar spyware technologies and importantly, new surveillance technologies in general. It’s I would like to argue that it’s necessary to not see the Pegasus spyware in a vacuum, but to consider it in the larger developments of the increased use of surveillance and to finalise a more general debate is urgently needed about the goals that society wishes to pursue with surveillance and the question of where for which and under what conditions. It should be used in a way that it does not harm citizens and society. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. That was very interesting. And we move immediately to our second panellist, which is Dr. Clara Portela from the University of Valencia, who is connected remotely. So you have the floor for so 10 minutes.
Dr. Clara Portela (Professor, University of Valencia):Thank you very much. So, first of all, thanks for inviting me to take part in this discussion. So the presentation that you are going to witness has to do with a specific question. It discusses whether arms control or sanctions can be used in order to place an obstacle on the circulation of the spyware we’ve been talking about. Now, I’m going to anticipate that there’s no perfect solution. But in any case, what I’m going to do is to discuss the options now and to start to start with the spyware that we have discussing it can be seen as part of surveillance equipment in general. And this is a category that is part of the dual use regulation. So it’s not really part of our dual use regulation. It contains this surveillance equipment and it is also part of a number of sanctions regimes that the European Union has in place in the framework of his CFSP. Now, what are the options? What could be done in order to prevent the circulation of spyware? Well, one of the options would be to adopt a policy that only allows the export or the supply of surveillance equipment like Pegasus or. Well, it’s basically similar to two big issues to countries that have a sound human rights record and possibly that have also adopted adequate legislation regulating the use of such surveillance equipment. A second possibility would be to actually stop the supply of these of these of these surveillance equipment to one of the earlier earliest stages of a of sanctions imposition. Now, I actually have a brief displayed in or at the point in time in which the EU applies these sanctions covering the supply of sort of surveillance equipment that can be it can be sold to countries that are repressing. They’d they see this centre that are basically using these equipment for surveillance well for citizen surveillance. So we actually find that in the very initial state of sanctions imposition they’re in, measures that are activated tend to be individual sanctions. So in specific policy makers or rebel leaders or officials in the target regime are put on a certain list and they assets are frozen. And it is only when the crisis aggravates that the EU moves to banning also the equipment for internal surveillance. So this is actually something that only happens in certain cases and it’s well, it’s not very commonly used. So I mentioned here a couple of examples. One of them is Myanmar and another one is Venezuela. But actually, in other in other countries such as Nicaragua, I would put on the we don’t have these this type of off button. Included in that was the FSB measures. So here my proposal would be that the ban on supply of equipment that can be used for a for citizen surveillance like these spyware be moved to the first to the very end, this whole phase. So as soon as sanctions are imposed on a country in which there is a record of of repressions against civilians, these should be part of the package. So I think that we are done with these with these, like ever. So if a third possibility would be to actually blacklist the company producing the spyware. Now we know that the origin of the spyware Pegasus is with an Israeli company, but in principle, this is something that has not stopped the US from blacklisting the company producing this spyware. Now these a blacklist is a blacklist that is run by the U.S. Department of Commerce. And basically the company was blacklisted in November last year in well, it was included in the in this entity list for engaging in activities that are contrary to the national security or foreign policy interests of the United States. So basically, the consequences of being included in such a blacklist entails that the company loses market access so it can no longer operate in the U.S., it cannot purchase from its companies. And this is of course, this is something that can have a consequences for them, for the technical setup if they need services or computing services from them originating from the U.S.. Plus, there is also a reputational cost for the company if that is associated with being included on a U.S. blacklist. Now, in Europe, we don’t have the possibility of blacklisting these company because we have a number of lists in which we can we can impose an asset freeze and basically deny operations to individuals and companies overseas. But the horizontal sanctions regimes that we have in place at the moment do not include any listing criteria that would allow for the blacklisting of such company. So if the solution is something that we wanted to activate, there would be a need for creating a new blacklist that specifically targets companies and individuals that are responsible for these for the is for the protection of this kind of spyware. So for the time being, just the recapitulate. We do have a human rights sanctions regime that allows for the blacklisting of individuals or entities that are responsible for perpetrating severe human rights violations. We also have a blacklist against cyber attacks, but that’s a different it’s a different kind of action. And then we also have the in the anti-terrorism list, and there’s also a list that is directed against the manufacturing and use of chemical weapons. So in all of these four lists, we will have the possibility of blacklisting the well, the companies or the individuals that put in place this spyware or that that facilitate that. So what would be I mean, what would be the advantages and what would be the problems of following these path for basically from activating these arms control sanctions revenue? Well, the most obvious limitation is that these instruments are actually designed externally. So they would actually allow us to aim to stop the circulation of the of sort of against equipment from the EU to third countries or from third countries to the EU. But we wouldn’t we wouldn’t actually be able to stop it on a broader scale. So there would be no instruments for us to actually stop this application of this spyware outside the framework of the EU and with countries to which we would not it would not be supplying in such sort of business equipment. So this is an obvious limitation because it only has an external dimension so that it wouldn’t actually be able to contribute to making our citizens safer or to protect them from these from these spyware. And then at the same time, another aspect that is worth mentioning is that the companies that produce in spyware, they would be penalised for actually for simply producing the technology. While this technology also has applications that come in that well, that can help in enhancing the security of a citizen. And so if we think of the use of Pegasus and other surveillance equipment that can be applied in order to combat drug trafficking, organised crime or terrorism, I mean, basically these are two functions that could be well, that basically support them. They support the advancement of the security of our city or of our citizens. So from their point of view, it penalising the company and stopping the basically the availability of surveillance equipment. But they also have consequences for the, so to say the positive uses or they use that help in protecting the security of our citizens. So this is just to say that one always will one has to take into account both sides of the of the coin. Okay. So that’s basically all I wanted to share with you regarding the possibility of activating arms. Well, of activating arms control or technology control measures and sanctions in in order to obstruct the circulation of spyware. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Dr. Portela. We go immediately into the Q&A. We start with the rapporteur, Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Yes, I can be fairly brief because I would like to ask Professor Portela, you basically say that we only have instruments to control exports, but there is very little we can do in terms of imports. And we are this committee is mainly looking at the use or abuse of spyware within Europe against European citizens. But I did hear you say at some point that it is possible to impose or to blacklist people for reasons of cyber attacks. Well, I would say that this falls squarely within the area of cybercrime or cyber security, cyber insecurity. Would it be possible to blacklist people who are running these spyware manufacturing companies outside Europe or even inside Europe? Do you see any legal instruments for that?
Jeroen Lenaers (Chair): Please, Dr. Portela.
Dr. Clara Portela (Professor, University of Valencia):Thank you very much. So in well, the rapporteur just mentioned the possibility of banning imports, and certainly this would also be a possibility. This will be one of the consequences of blacklisting the companies that are producing the eyewear. So this will certainly be an option. Now, the only the only thing is that if we ban the import of these spyware, we are actually not influencing anything outside of the European Union, meaning that we still we can still rely on the fact that governments in third countries or actors in third countries will be able to use their spyware against our citizens. So we will simply eliminate the possibility that the European governments can legally acquire such spyware. But we could still see this and we could still see our phones infected by perpetrators outside of the European Union market. So, I mean, I’m not saying that this option is not there. I’m just saying that it has limitations because I mean, it basically this can operate perfectly across country. So as far as the is there a possibility of including the use of spyware under a horizontal sanctions regime against cyber attacks? I mean, for the time being, we have a we have blacklisted entities that are based in North Korea, in China and in Russia. And basically what these actors did was it was putting launching in big scale cyber attacks against a.
Well. Against European countries. So this actually shows that that’s the way that the threats might actually come from outside the EU as much as from within the EU, actually much more. It’s much more likely to actually find these threats originating from well, originating outside the borders of the EU. Now it’s a possibility. I mean, they still rightly point out the possibility would be to actually use that sanctions regime against cyber attacks in order to address the possibility that spyware is employed against our citizens in the in the. Well, the modification or the step that should be taken in order to allow these cyber these sanctions regime against cyber attacks to include also spyware. It would be a revision of the of the designation criteria. So in order to be able to include any entity or individual into the blacklist, you actually have to make sure that the designation criteria are formulated in a way that allow it. So basically, one could activate any of these options. One could either create a dedicated sanctions regime specifically for spyware against the citizens, or one could modify this hybrid attack sanctions regime. The only thing that’s just to emphasise or the only limitation is that basically this makes it difficult for these actors that have perpetrated the attack or these companies that have contributed to it or individuals who have facilitated it. They have these evade assets frozen in the EU. They may not receive payments. They lose they would lose any market access to their to the EU. They will then be able to transact with European actors at all. But this still would not completely stop them from utilising the spyware on them on the on will against EU citizens, particularly if they adopt the form of a front company. Because the in a so group, the Israeli manufacturer that produces the spyware is a clearly identified legal entity it will legal company in in the in the country of origin. But if we look at those entities that are blacklisted under the cyber cyberattack sanctions regime they are a blurry a foreign companies with a I mean without any clear legal framework that allows us to identify. So who is actually behind it? Is this a government controlled or a government instigated a think? Is this a completely. Well, a completely independent individual who just decides to go ahead with this attack without a without following orders from any official agency? So, I mean, this this is basically to highlight the problems are the limitations about the about the use of the oversight a horizontal sanctions regime. But in any case, what is clear is that it delivers a very obvious signal to anyone who attempts to use these spyware against EU citizens that they will be they will end up on the blacklist unless the perpetrators come from the EU itself, obviously. Okay. So I’m giving back the word to the moderator, please.
Jeroen Lenaers (Chair): Thank you. Thank you for the EP. Mr. Bilčík.
Vladimír Bilčík (European People’s Party) Thank you very much. Let me let me ask a couple of questions and tackle a couple of issues. One is, with respect to this whole field as a as a research agenda, because, you know, we are learning on a daily basis about various problems which kind of surface because of particularly media use with respect to illicit aspects of surveillance. My question is, and this is to Ms. Van Brakel, you’ve had a number of examples that you used from Belgium when you discussed, of course, the problem with surveillance and data protection. And my question is, when we look at the EU 27, how much do we actually know and how good, how solid is the research agenda here and what could be done also to support research in this field because it is a new field and to tackle the problem, we have to understand the problem first. So you referred to Belgium repeatedly, but my question is, you know, is this reference relevant for the U.S. or for the rest of the EU? 27 And in terms of secondary research agenda, what do we know? So that’s my first question. And if I may, I’ll raise the second one. And this is really to both our distinguished guests today. And that’s a question in terms of as is policymakers, what is what is the good balance we could strike between, on the one hand, the need to protect the privacy and the individual and the security and safety of the individual. On the other hand, to make sure that the law enforcement authorities have the latest technology, which they do need to have to tackle organised crime. And often the organised crime may be ahead of the authorities who are to tackle this organised crime when it comes to the possession of this technology. So what is the good balance and how do we best track it? Because there are two different public policy goals here and specifically may be. Let me ask Ms. Portela and that’s my last point on this issue, because you said that spyware such as Pegasus ought to be available only to governments which could have the adequate legislative framework or legal institutional framework. But you actually haven’t expanded upon this. So what would be, in your view, this is adequate legislative or legal institutional framework, because you talked a lot about the different sanctions and restrictive measures. But actually, if we turn it a bit more positively in terms of the law enforcement, what would be the potential safeguards to help us use this technology to fight organised crime? Thank you.
Jeroen Lenaers (Chair): Thank you. So first Ms. Ms. Van Brakel and then we pass the floor to Portela.
Rosamunde van Brakel (Research Professor, Vrije Universiteit Brussels):Thank you for the question. To start off with. Your. You saying that this is a new field. This is not a new research field. So. Within social science research and legal research. People have been studying surveillance technologies, use of surveillance technologies for at least a couple of decades. Problems, governance. Problems with regards to use of surveillance technology. Many of them are still the same as there were in the 1990s or the early 2000. Of course, we have new challenges now with Pegasus, with artificial intelligence, but a lot of the issues are still the same. And one of the things I mentioned, and that’s where I think I’m answering your question going beyond Belgium, is that the EU governance framework to dealing with harms of surveillance technologies is very individualistic. It’s from a human rights framework which looks at individual harms. Now research has shown that surveillance technologies often have harms for communities, for groups in society, for society as a whole. And these are harms that have not been seriously included in the discussions and in the governance framework and are, for instance, when looking at oversight bodies of the police, but also the whole data protection framework. It’s very much about legal compliance to the law enforcement directive, rights to data protection, regulation to the local legislations. But it doesn’t go beyond that. So there are no ethical questions about do we actually want to use these surveillance technologies that have such and such harms for society? Questions. So what I’m seeing in other research with regards to the use of data protection impacts by DPOs is that many DPOs are now saying we need we also need ethical assessments. And increasingly ethical assessments are now being conducted in advance of the data protection impact assessment. So there is there are these harms of surveillance technologies that cannot be addressed by an individualist framework. And that’s a European issue, I think.
Jeroen Lenaers (Chair): Thank you, Dr. Portela.
Dr. Clara Portela (Professor, University of Valencia):Thank you very much for these questions. So I think that I would like to address all of them very quickly. Now, the first the first issue has to do with research and as the previous speaker already highlighted. There is already plenty of research on this topic. So what I think that is needed rather than more research, is probably a better dissemination of the findings that have been achieved so far. Now, funding research is really not difficult for the EU because it already has a very attractive horizon in a programme. And I mean basically this there’s plenty of research that there’s been of already by the EU. I think that what would be needed here is to really to and it’s really to ensure that the findings are then communicated to the policy community so that it can help up in its decisions or that it can be useful for the for the policy process. Now, the question is to what is the right balance between protecting our citizens against organised crime, against terrorist activities, against drugs and on the one hand, and then against being sort of ape. Well, this is this is this is the big question. What’s the right balance? Where do you when do you draw the line? And how can you make a positive use of the of the spyware in order to uncover a planned operations, perhaps planned terrorist attacks that you cannot uncover with a well, using any regular investigation means. At the same time, how do you protect your citizens? So I think that here what would be necessary would be putting in place legislation internally at the EU level, well, at the EU level or at the EU member state level, regardless, which ensures that spyware is not used for any purpose other than in tracing illegal organised crime or terrorist activities so that it cannot be put to task in order to spy on citizens, spy on journalists, or basically hinder any activities that are perfectly legal and that are basically part of the of the democratic process. So as long as these legislation is sufficiently solid and that such legislation can also be enforced and is enforced in the in the in the countries in question, in the there’s no reason why the spyware cannot be will cannot continue to the work. So basically the best tool for protection or the most viable tool for protection would be the existing existence of this legislation and then the detection and punishment of any deviation from that. So this actually brings me to the last question to the last question, which is.
Jeroen Lenaers (Chair): Be to try to be brief in the answers, because just a limited amount of time, I think.
Dr. Clara Portela (Professor, University of Valencia):I’m going to be I’m going to finish quickly. Sorry. So the question is to how well how the how criteria could be put in place in order to prevent the supply of spyware or surveillance equipment to third countries that my me. Mr.. You said is precisely that. Is there a candidate country that wants to purchase these services? Can it demonstrate that it has a solid legislation that bans undesirable uses of such spyware and that this legislation is actually enforceable? If so, there should be there should be the possibility of providing the spyware. I mean, here, what I’m thinking of is the model, well, is the code of conduct for the for arms exports that the EU adopted in 1998. So the idea was that before supplying any armaments, you have to check that the country have an auction rights record that it was not involved in, in violent conflict, and that there were a number of criteria. And if these criteria were not met, then they would not be supplied. So something similar following that model. Could be put in place for surveillance equipment. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Mr. Hyde has indicated that his answers or his questions are already answered. So we move to renew Róża Thun.
Róża Thun und Hohenstein (Renew): But thank you very much for the presentations. But we all agree that what we really lack, what we don’t have in the Europe or that reaches further than just Europe, are those safeguards, those controls. The buyer has to present, as you say, the solid legal basis, etc., etc.. But now those should be made public. Or should. Shouldn’t we have in the European Union an institution that controls it? Or maybe there should be more obligations? Because you also talked about blacklisting, but we don’t even know how many systems there are and they probably are produced all the time and they are there not to be discovered. So difficult to blacklist those that hide the etc. etc. but maybe we should also make the operators more eligible or put obligations on them that they that they protect their users from being banned and report to a European institution. We must find a new way to protect our citizens from those breaches of human rights.
Jeroen Lenaers (Chair): Thank you. Do colleagues mind if we maybe group the questions now and then have a common answer, and then maybe if there are additional questions after that? So then we, we first ask Saskia to ask the questions.
Saskia Bricmont (Greens): Okay. Thank you to our guests for your presentations. I’m a little bit in the same the same line as Róża Thun. I have a question probably more for you, Ms. Van Brakel. If a member state is using a spyware under national security umbrella, or likely is it to disclose often why and with what safeguards it has been using spyware? I think the case in Hungary clearly shows there is no incentive to disclose this information. But actually, it also applies to other countries, including Belgium. In Belgium. Who controls since the revelations have has there been any involvement in the in the national framework? Um, and is there also an ad hoc framework in place in Belgium, for instance? Because that was the case that you used to avoid any human rights violations. If the government is using the spyware against citizens who will know and which access to remedy exists in Belgium and so on. Can you also. This is probably a difficult question, but you said there’s also an issue about the effectiveness of such spyware against the official reason it is is both by governments fighting criminality and terrorism and also the proportionality, considering the impact on fundamental rights on minority communities and so on. So do you have any assessment on the effective effectiveness of this technology in fighting criminality and terrorism? Do you have a correlation between the use of such spyware and the number of cases, criminal cases or terrorists cases that have been prevented through the use of such spyware? You also mentioned, and this is another example applying to Belgium, but Belgium is probably not the only one that put in place experimental projects in place, but using, for instance, facial recognition. And I think it also. Reveals a promise, one of the arguments used to justify the use of Clearview in Belgium, but the lack of knowledge of law enforcement, of the legal framework on data protection and the EU legal framework. I think this is also something important to highlight. And finally, I was also interested in you are an academic and how do you feel the evolution since the revelations of the public awareness? Because as you said, there’s no public debate around this. Do people know that those technologies. Served to.Seise, for instance, cars of people that haven’t paid their taxes? I don’t think this is known situation, for instance, in Belgium. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Lebreton.
Gilles Lebreton (Identity and Democracy):I have a question for Ms. Van Brakel. She painted a rather grim picture for the situation in Belgium, and I must say it is rather surprising because in France this sort of espionage system is well established. And in fact, back in 2013, there was a mention of this lack of legal framework. And then following up from that, in 2015, a law was adopted to provide some sort of relative success because any case of state sponsored espionage must be approved by a specific special committee, which is made up of magistrates and parliamentarians. And so it’s not a bad system. So why is it that there was no exchange of good practise between France and Belgium? That does seem rather surprising.
Jeroen Lenaers (Chair): Thank you, Mr. Lebreton. Then I pass the floor back first to Rosamunde van Brakel to answer the questions that were raised. And then for the last word to Dr. Portela.
Rosamunde van Brakel (Research Professor, Vrije Universiteit Brussels):Thank you for the questions. What action or questions, I should say so concerning the you specifically say under the national security umbrella. So this is different from the national police forces as the national intelligence agencies do not have to adhere to data protection regulation and are exempt. However, there is clear oversight in place for these practises. And as I highlighted actually I think the other person who posed the question said I’m painting a grim picture, but maybe I should be a justice in the sense that I do think that Belgium has a good system in place whereby they have an investigatory judge who assesses if a certain technology or if wiretaps can be used. So it is someone who assesses it on the basis of information, and there are procedures in place to make sure that this is being used accountable. My. And there’s an oversight committee, committee I which checks intelligence agencies on such uses of technologies questions. So I think that there are some standards in place. However, what I was trying to get at was that some of the new technologies and new practises do not cannot be compared with the practises that the, the, the legal framework was designed to address. So some of the practises, such as Pegasus spyware, needs much more strict safeguards than a traditional wiretap, for instance. Secondly, the, the, the way the oversight oversight is organised is very much just judicial oversight. And as I’ve tried to make clear in my presentation is that there is more. There are more issues to be raised, ethical issues, societal issues to be raised, even, for example, what is the impact of the use of the technology on policing itself? These are questions that should be asked. And because oversight is only from a judicial standpoint, these are being ignored. So I would say there is a minimum of safeguards in place. However, this can be improved and needs to be evaluated. The problem is, and this is another thing I was trying to highlight, is that because everything is so secretive, it’s very hard as an academic researcher, but also civil society to actually find out what is going on. And so if we want to have a good democratic society with good safeguards, there needs to be much more public scrutiny. Of course, I understand that we cannot disclose all information about what is going on, but there should at least be some rethinking of current practises to make sure that a bit more public scrutiny can happen, at least for certain scientists to do an evaluation, for instance, because this is already not possible. Okay. Effectiveness. So if this if I’m aware of that, there is some kind of correlation between the use of spyware and successfully fighting crime. I have no idea. There is no scientific research that is looking at this. There is no funding for scientific research to look at this. So these are issues. I don’t know how you can do a proper proportionality test if you don’t even know if the technology works. Then experiments we use. Yes. Lack of knowledge of the legal framework. That’s a very good point. So it’s not only bad will from law enforcement, what you see is that a lot of law enforcement representatives have insufficient knowledge of data protection, regulation of the law of national legislation, but also of technology. So in the case of procurement decisions and technology companies coming to sell the products. Law enforcement often does not have the technological expertise to make an informed decision. Finally, revelations like NPR do people know? I would say until recently. Most citizens are not were not aware. So let’s say ten years ago, people were not aware what was going on. But I think now there has been more awareness in the newspapers by new civil society organisations in Belgium and a more lively privacy community in Belgium. I do think people are becoming more aware of what’s going on. However, these revelations, like NPR cameras, they often are. The information is in a newspaper article which is behind a paywall. So who is reading this? So this could also be research. You know, how aware are citizens about what’s going on? And then the second question about the grim picture and the French system and learning from good practises from other countries. I think what we see in Belgium and that’s not specifically in this context, but in general with general policy in Belgium, is that a lot of the policy structures are still very old fashioned and it’s very slow with changing policy structures that have been there since the 1970s. As I said before, I do think there is there is some good practise to be found in the system of having an investigative judge in place. But as I also indicated, I do not feel that with all new technological developments and all these new surveillance technologies that these invest in, these judges have the right expertise to make good assessments in this case. And then when I hear the committees judging this in France to have different expertise, as this could at least already be a step. Would I wonder with the French system you say it is a good practise is I would wonder is there evidence that it is a good practise? Is there an evaluation of that policy? Is it also only focussing on legal compliance or are ethical questions also addressed? So there. But in general, I feel. But that’s an impression that learning from good practises, even good practises from the Belgian government themselves is not happening much. So.
Jeroen Lenaers (Chair): Thank you. Thank you very much. We move to Dr. Portela for the last contribution. It is 1230, so officially our meeting has ended. But I’m happy to give you another 5 minutes to answer the questions that were raised to you as well. Please. You have the floor.
Dr. Clara Portela (Professor, University of Valencia):Well, thank you very much. In particular, me. Thank you for giving me the extra 5 minutes, but I don’t think I will. I will make use of them. Basically, in a nutshell, I will basically I will reiterate what my suggestion is. And there are so many drawbacks to a full prohibition of this spyware. First of all, the fact that the boundaries between internal and external cannot be surmounted. And secondly, the fact that there are also beneficial uses of this spyware from the point of view of protect the physical beauty of our citizens, that it would be best to adopt a conditional approach that does not completely ban the spyware, but that it make sure that it is exported only to countries which have an effective interest in solid legislation protecting citizens rights, and also that within the European one, the EU space, these citizens rights against the use of spyware for political reasons basically, or for reasons other than a prosecuting or even treating a serious crime or terrorist activities is in place. So that’s basically what my message would be in. Thank you very much.
Jeroen Lenaers (Chair): Our thanks goes out to you and to Ms. Van Brakel for your contributions here today. Also, thanks to all the members. We will close this morning’s hearing and will reconvene at 3:00 this afternoon with a hearing on victims and remedies in the same meeting room. And I would love to see you all there again. Thank you once again to our speakers and also here. I hope you’ll stay involved in our work for the upcoming year. Thank you.