Last week the Hungarian Data Protection Agency finally published its report on the spyware scandal that shook the country last summer and that EU Commission president Ursula von der Leyen has called „totally unacceptable“. Journalists, lawyers and the security detail of the president all showed up on a list of phone numbers that had potentially been targeted with the surveillance tool Pegasus, manufactured by Israeli company NSO group and sold exclusively to governments. Journalists of the non-profit Direkt36, who broke the story in Hungary, were able to prove in some cases that the phones had actually been hacked – giving the government access to everything from phone calls to encrypted messages, locations and calendar entries.
Yet in the over hundred cases the agency claims to have investigated, it couldn’t find a single problem. All surveillance measures were legal according to the report, because they had happened to avert a „threat to national security“.
On an even more surprising note, towards the end of the 55 page report the agency’s director Attila Péterfalvi announced that there might have been a crime committed after all: by those „third parties“ who handled the personal data of Hungarian citizens, aka the database of phone numbers, without a legal basis to do so. It sounded like a threat towards Amnesty International and Forbidden Stories, the international organizations who had analysed the leaked database and passed it on to international journalists.
netzpolitik.org: When the Hungarian data protection authority published their report on the Pegasus scandal last week, they announced that they are planning to sue „the third parties“ handling the list of cellphone numbers with potential spyware targets. What crime did you possibly commit?
Áron Demeter: First of all, we are not sure that the third party the agency mentions in the report is us. But we are mentioned more than 60 times on the 55 pages of the public report. Which is relatively strange because our security lab only carried out the forensic analysis of potentially targeted devices together with Citizen Lab in Canada. This is not an Amnesty research and not an Amnesty investigation.
The report is quite vague, but they could be talking about Amnesty. But then the question arises whether it’s Amnesty International Hungary or the Amnesty International Secretariat based in London. It could also be Direkt 36, the news outlet, which broke the story in Hungary. Or it could be Forbidden Stories, the whole international consortium of investigative journalists. It’s totally unclear what the Data Protection Authority means by third party.
Regarding the crime: I think the Data Protection Authority comes to the conclusion that leaking the so-called Pegasus list to journalists and the journalists writing stories about the leak and the potential targets could be a crime. The report names a lot of crimes, from espionage to breach of personal data to hacking. It’s really weird to talk about it because we didn’t commit a thing. I don’t know. I really don’t know.
netzpolitik.org: Have you been notified of any legal measures taken against you?
Áron Demeter: We didn’t get any notification that we would be under investigation. But according to the Hungarian Criminal Procedure, the criminal authorities, the police or the prosecution service could investigate us without letting us know for six months or until they charge us with something. So technically, it’s possible that the investigation is already ongoing.
netzpolitik.org: According to the investigation published by Direkt36, there were more than 300 Hungarian phone numbers on the list of potential Pegasus targets. Attila Péterfalvi, who heads the agency, claims he asked you to provide a list of these numbers. Why didn’t you hand it over for investigation?
Áron Demeter: Because Amnesty International Hungary has never had this list, we never saw it or had access to it. This is something that we tried to explain to Mr. Péterfalvi three times in three different letters. But he either couldn’t believe it or he just forgot that we already told him.
netzpolitik.org: You referred him to Amnesty’s international headquarters in London. Do you know if he followed your advice and got in touch with the headquarter?
Áron Demeter: He did, at the end of November, I believe. I know that they were in touch and that Amnesty replied to him. But I’m not sure what the reply was.
„No surprise, but still shameful“
netzpolitik.org: The agency says it analyzed hundreds of cases reported in the press where people in Hungary were targeted with Pegasus, among them journalists, lawyers, security staff of the president. They couldn’t find any problem in any of those cases. Did that surprise you?
Áron Demeter: To be honest, not really. It’s a well known fact that the laws in Hungary around secret surveillance are very vague and surveillance measures don’t require any justification. Hungary already has a verdict from Strasbourg from 2016, which said that it’s a huge problem, that the Ministry of Justice can authorize any kind of surveillance measures against anyone without any oversight outside of the executive powers.
So it’s not surprising, but still quite shameful that the whole 55 pages of the official part of the investigation – because there is a huge chunk which has been classified until 2050 – that this public part was basically revolving around how Pegasus works and what Amnesty did wrong. Instead of talking about how it can happen that the Hungarian authorities secretly spied on investigative journalists and opposition leaders. It was quite sad to read it.
„Threat to national security doesn’t mean anything“
netzpolitik.org: According to the report the surveillance in all those cases was legal because those ordering the surveillance claimed it was about a threat to national security. Can you explain what that means and why it makes it legal to spy on journalists and lawyers in Hungary?
Áron Demeter: It doesn’t mean anything, at least not anything concrete. So it’s very convenient for both the Hungarian government and for NSO group, the manufacturer of Pegasus. NSO can say that they only allow customers to use Pegasus in cases of national security threats or organized crime. And for the Hungarian government, it’s basically a blank approval.
The corresponding law is very old, from 1995. It comes very handy in the hands of all kinds of governments who want to do secret surveillance around people they don’t like. Our government approves a government agency to spy on someone without any kind of reason or any external check on the whole procedure. So basically, the Secret Service goes to the minister and there is an automatic approval procedure, which means that the government approves the government to surveil people.
Those journalists that we know were surveyed by Pegasus are investigative journalists and photojournalists who are researching about government politicians or businessmen close to the government, following their trips on private planes and yachts. They were reporting on corruption and where the money is going. Treating this as a national security threat is a bit far fetched, I think.
„The government approves the government to surveil people“
netzpolitik.org: So the surveillance law was not created by Fidesz?
No, but it has a particular responsibility in not amending the law and not changing the system. From 2016 on when the European Court of Human Rights said this system is not okay, Hungary had the legal obligation to amend the laws. But Fidesz said that we cannot trust judges to make these kind of decisions, because they don’t see the big picture, meaning, the national security threat. And according to this reasoning, it should be the Minister of Justice who can see the big picture.
So the biggest problem is definitely the law itself and how the government is abusing this opportunity.
netzpolitik.org: What about the role of the data protection agency?
Áron Demeter: There are serious problems with the National Data Protection Authority and their independence as well. Attila Péterfalvi has been building this narrative in the public for months that Amnesty is somehow responsible for stopping their investigation and not cooperating. For months, he said that it’s our fault that he cannot conclude his investigation. This is quite strange, because the allegation was that the government is unlawfully surveilling people in Hungary.
netzpolitik.org: Would you say the agency is fully independent from the government?
Áron Demeter: Let’s say Péterfalvi has this tactic, he chooses very carefully when to go against the government. So in many cases, he and the whole authority are quite reluctant to act. And in these so-called politically sensitive cases, when there is a huge stake at risk, he’s either trying to prolong the whole decision making or to say something which favours the government.
netzpolitik.org: The Hungarian Civil Liberties Union announced that they’re planning further legal measures to push for an investigation of the Pegasus scandal. Are you involved in that or planning any measures of your own?
Áron Demeter: Not proactively. We give interviews around it, we are in touch with the journalists affected, but we don’t have a dedicated person or program covering this issue right now. We are mainly reacting. That could change in the next year when we have a new strategy or if there is an investigation against us.
„It wasn’t a big shock to Hungarian civil society“
netzpolitik.org: Are you aware of anyone from Amnesty in Hungary that was targeted?
None of our numbers were on the list, we asked to have them checked. But we already operate under the assumption that to some extent we are surveilled by the Hungarian government. The whole civil society assumes that. We all assume our offices and our phones and our computers are monitored, so in that sense, it wasn’t a huge shock to the Hungarian civil society. It was more like: Oh yeah, that could happen.
netzpolitik.org: How does this affect your work?
First and foremost, you invest a lot in digital and physical security outside of your infrastructure, both the office and all the devices that you use and you carefully consider who to talk to and on what kind of platform. I think that’s the most you can do.