State trojan committee of inquiry: The EU Commission conceals how often it was hacked

The EU Commission was hacked with state trojans such as NSO Pegasus, but will not say how often or by whom. This emerges from a letter from two Commissioners to the committee of inquiry, which we are publishing. The government in Israel also provides little information. Members of the European Parliament sharply criticise this.

EU Commissioner Didier Reynders with a hacked smartphone. (Symbolic image) – All rights reserved IMAGO / Belga, editing: netzpolitik.org

State trojans such as NSO Pegasus are deployed every 40 minutes, even against heads of state and government. The EU Commission, too, was hacked with state trojans. According to information obtained by netzpolitik.org, more than 50 Commission devices were infected or attacked. Yet the EU Commission remains silent on this.

In April, Reuters reported that the devices of Justice Commissioner Didier Reynders and other Commission officials had been attacked with state trojans such as Pegasus. In response, the rapporteur of the committee of inquiry, Sophie in’t Veld, asked on how many devices the Commission's investigation team had found infections. The Commission answered evasively: “Several device checks led to the discovery of technical traces of a compromise.”

The Pegasus committee of inquiry in the European Parliament followed up and put a list of 24 questions to the Commission. Justice Commissioner Reynders and Budget Commissioner Hahn have now replied. We are publishing the answers in full text.

“State trojans destroy democracy”

Unfortunately, the Commission continues to keep a low profile. How many Commission staff were hacked, how long they were intercepted, where the data went, who commissioned the surveillance: the Commission will not answer any of this. The official justification: otherwise it would become known how the Commission examines its devices. (They probably use the Mobile Verification Toolkit anyway, the software developed and published by the Amnesty International Security Lab.)

MEP Sophie in’t Veld criticises the Commission: “The answers are utterly shameful and show that citizens can expect nothing from the Commission when it comes to protecting our European values. The Commission hides behind ‘national security’ and competences. It deliberately avoids making clear statements and taking a position, and instead uses vague and evasive language. The Commission is keeping shamefully silent while national governments destroy democracy.”

On Wednesday, Commission President Ursula von der Leyen will deliver her annual State of the European Union address in the EU Parliament. Against this backdrop, the liberal in’t Veld adds: “I am sure that the day after tomorrow von der Leyen will explain how important our shared values are. But against this background, that rings hollow.”

“Practically no important question answered”

Silence and concealment are systematic when it comes to state trojans. Manufacturers such as NSO only admit what is already known anyway. Customers such as Germany's Federal Criminal Police Office (Bundeskriminalamt) even refuse to provide information that is already publicly known. The German federal government refuses any information about state trojans; the “traffic light” coalition government also remains silent, despite a chapter on transparency in the coalition agreement.

Even a visit to Israel yielded little new insight. In July, the committee of inquiry travelled to the country where many state trojan companies are based. In a press release, the conservative committee chair Jeroen Lenaers describes the visit as “interesting and fruitful”. Internally, however, the committee assessed the trip far less optimistically. This emerges from the report of the meeting, which we are publishing here.

The MEPs had actually wanted to meet officials from the Israeli Ministry of Defense, which decides on the export of state trojans such as NSO Pegasus. But they did not show up. Instead, the MEPs had to make do with two representatives of the Ministry of Foreign Affairs. These explained the export guidelines in rather general terms, but would not say how many export applications Israel rejects.

Left-wing MEP Cornelia Ernst criticises the conduct of the Israeli government: “The meeting at the Foreign Ministry in Israel was slapstick. The two representatives practised denial; practically no important question was answered. So we could not investigate the government's entanglement in the unlawful deployments by EU states.”


Here are the documents in full text:


  • Date: 2022-09-09
  • From: Johannes Hahn, Member of the European Commission, Budget and Administration
  • From: Didier Reynders, Member of the European Commission, Justice
  • To: PEGA Committee
  • Ref: Ares S(2022) 6767177

Honourable Chair of the PEGA Committee, Dear Mr Lenaers,

The Commission has received your letter of 15 July and the accompanying questionnaire regarding the use of Pegasus and equivalent spyware. The President of the Commission asked us to reply on behalf of the Commission.

This is a matter on which the Commission attaches the utmost importance. As you are aware, some aspects linked to national security fall outside the competences of the Commission and consequently access to information in this field is limited.

The Commission continues to follow with great interest the activities of the PEGA Committee of Inquiry on this issue, stands ready to assist in its work and looks forward to its conclusions.

You will find the Commission’s replies to the questionnaire attached. In summary, when dealing with the issues concerned, the Commission as an institution is following established security protocol.

Yours faithfully,

Johannes Hahn
Didier Reynders


Attachment

A) General questions

1. Does the Commission use spyware or has it used any spyware?

The Commission does not use and has never used spyware such as Pegasus or malicious software of any kind.

2. Has the Commission received any information that was attained by way of use of spyware?

As a rule, security and intelligence services never disclose the origin of their information nor the means through which this information was collected. This is also the case for the Commission’s Security Directorate partner services.

3. What safeguards does the Commission put in place to ensure that information received from the Member States or from other sources has not been attained using spyware?

In accordance with Article 3(2) and (3) of the Commission Decision 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72/41 of 17.3.2015) (“Decision 2015/443”), security in the Commission is based on the principles of legality, transparency, proportionality and accountability. The principle of legality indicates the need to stay strictly within the legal framework in implementing Decision 2015/443 and the need to conform to the legal requirements.

The principle of legality is strictly applied to collection of information obtained from Member States and other entities, to the extent possible (see answer to Q2).

Moreover, as laid down in Article 6(1)(a) of Decision 2015/443, when taking security measures, the Commission ensures, so far as reasonably possible, that it only seeks support or assistance from the state concerned, provided that that state either is a Member State of the European Union or, if not, party to the European Convention on Human Rights (“the Convention”), or guarantees rights which are at least equivalent to the rights guaranteed in the Convention.

The above requirement seeks to ensure, in particular, that any action undertaken by the state in question respects EU law and/or the Convention, notably as regards collection of information subsequently shared with the Commission.

4. Which Member States use spyware, and what type of spyware do they use? Please indicate whether the information is confirmed or a suspicion.

The Commission does not collect or have information about different methods deployed as part of each Member State’s national security practices or the kind of products developed on their territory. The Member States’ authorities would be best placed to disclose such information.

The use of spyware technologies by national security and law enforcement authorities, where used ethically and in accordance with law (including EU law), may be effective and necessary law enforcement tools to ensure security and justice in the digital age. Law enforcement agencies need to use modern digital technologies to investigate in a digital environment and to counter the increasing use of technologies by organised criminal groups.

However, there are continuing reports of abuses and human rights violations due to the unlawful use of digital surveillance tools, such as data protection and privacy breaches, arbitrary arrest, or crackdowns on civil society and citizens. The investigation of such issues is the responsibility of each EU Member State. It can also be the object of monitoring and checks by the Commission. The Commission expects national authorities to thoroughly examine any such allegations and to restore citizens’ trust. The Commission closely monitors developments on this issue as reflected in the 2022 Rule of Law Report (COM(2022) 500 final) and it is gathering information to ensure that national rules are in line with the EU data protection framework and other relevant EU law.

We are particularly aware of the specific risks faced by journalists and human rights defenders in this regard, and call on all Member States to implement legislation and safeguards to protect individuals from unlawful surveillance, including any arbitrary or mass surveillance. Any such policies must be fully in line with international human rights law.

We will also support the development of new technologies to ensure internal security and cybersecurity for all.

5. Can the Commission provide an exact timeframe of its contacts with any Member State authority on the use of spyware? Can the Commission indicate per Member State:

  • Which date(s) the Commission received information about the use of spyware, and by whom.
  • Which date the Commission reached out with a request for information to Member States.
  • Which date the Commission received an answer, what the answer was, and how the Commission assessed this answer.
  • Which date the Commission will provide a follow-up, and in which form.

Following press reports and letters received from MEPs, in the case of Poland also from the President of the Supreme Audit Office in Poland (NIK), the Commission services sent letters to Hungary, Poland, Spain and Greece. The letters to Hungary and Poland were sent on 14 February, to Spain on 24 May, to Greece on 29 July 2022.

The Commission sought to gather information on the national legislative framework and on its interplay with Union legislation on the protection of personal data, in particular GDPR and the Law Enforcement Directive, including on the criteria used to define the scope of national security and how this is in compliance with EU law.

Hungary replied on 11 May and Poland replied on 29 March. Spain has not replied yet. Greece replied on 2 August.

The Hungarian authorities considered that the use of Pegasus in Hungary fell under the scope of national security and therefore not under EU law, and provided the provisions of their national legislation which define the scope of “national security”. The Polish authorities replied that they consider that the use of Pegasus by the Anti-Corruption Agency (CBA) falls under national security and that this excludes the application of EU law. The answer from Poland did not specify how national security is defined under the national law. In their answer, Greek authorities considered that the issue of whether the questions raised in the Commission’s letter fall within the scope of competence of the Union would be debatable. The Greek authorities informed that the judicial authorities will further investigate the case of the attempt to spy on the mobile phone of a Member of the European Parliament.

The 2022 Rule of Law Report has also been looking at national checks and balances in relation to the use of spyware.

The Commission will continue to gather factual and legal information, assess the interplay between national legislation and EU data protection acquis and will assess the issue in light of all available information. In particular, the Commission will follow very closely the findings of the PEGA inquiry committee.

6. In which Member States are companies (manufacturers, developers, suppliers, traders, etc) involved in spyware registered or do otherwise perform business?

See reply to Q4.

7. Which Member States have ownership interests in spyware companies?

See reply to Q4.

8. Which Member States have provided financing of spyware companies?

See reply to Q4.

9. Has the Commission or any of the other institutions/EU agencies provided funding to spyware projects?

No such funding has been provided by the Commission for spyware.

The Commission has never funded projects involving the Niv Shalev Omri (NSO) Group.

10. Which Member States have provided research funds to support technologies that are integral to spyware?

At this stage Commission services do not have such an overview of Member States’ funding.

11. What safeguards are in place to ensure that research funds of the Union are not provided to projects involving or supporting the use or development of spyware?

Under Horizon Europe legal framework all research and innovation actions funded under the programme must comply with ethical principles and national, Union and international legislation. Art 19(1) of Horizon Europe regulation explicitly requires that: “Actions carried out under the Programme shall comply with ethical principles and relevant Union, national and international law, including the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms and its Supplementary Protocols”. This includes fundamental rights such as the right to privacy or protection of personal data.

Horizon Europe ethics appraisal scheme ensures a rigorous ethical evaluation and monitoring and compliance is closely checked at project level. All proposals considered for funding will undergo an Ethics Review carried out by independent ethics experts. The ethics review covers issues such as human rights and protection of human beings. Proposals with serious or complex ethics issues must undergo an ethics assessment. Non-compliance with these obligations during project implementation may trigger contractual penalties such as reduction of the EU funding or termination of participation.

B) Commission actions

12. What measures have the Commission taken to ensure that devices used by its officials/civil servants/agents are not infected by spyware?

To mitigate the threat emanating from Pegasus and similar spyware, the Commission cooperates continuously with CERT-EU, the Computer Emergency Response Team of the Union’s institutions, bodies, and agencies, and issues recommendations and guidance to CERT-EU’s constituents. The Commission has deployed an EDR solution (mobile Endpoint Detection and Response) on all corporate phones in September 2021 to tackle similar threats.

As an example of a more physical and visible nature, the Commission offers ‘CART Kiosks’, which are stand-alone systems allowing anyone to safely check USB sticks, CDs, DVDs and media cards for malicious content. These Kiosks are located in the main buildings of the Commission in Brussels and Luxembourg. In addition, the Commission includes advice on how to deal with similar threats in a number of awareness-raising briefings to staff.

13. What software is the Commission using to scan a phone for spyware?

The Commission has a dedicated team to perform security reviews on mobile phones with specialised hardware and software. The present letter’s public character does not allow further elaboration on the point, as this would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

14. Does the Commission have an organised programme for scanning of phones?

The Endpoint Detection and Response solution helps the competent Commission’s services to identify potentially infected corporate mobile devices. Whenever there are indications of infections, a security review of the device is organised.

15. Does the Commission foresee to task an EU body /agency such as ENISA or the European Cybersecurity Competence Network (ECCC) to work on a common European approach to help detect the use of spyware targeting Europeans?

With the forthcoming proposal for a Cyber Resilience Act, the Commission will propose horizontal cybersecurity requirements for products with a digital element. Whereas this proposal is not suited to help detect the use of spyware targeting Europeans, it will help reduce and mitigate the presence of vulnerabilities in digital products, which are typically exploited by spyware. The Commission therefore considers that the Cyber Resilience Act has the potential to significantly reduce the overall attack surface and subsequently increase the protection of devices from spyware attacks.

16. It is known that a number of Commission officials/agents/civil servants have received messages from Apple indicating that their phones may have been targeted or hacked.

  • How many Commission staff have been targeted? Can the Commission provide an overview of which DGs or which cabinets these staff are working in, while respecting Regulation (EU) 2018/1725? If not, which function/position did these staff hold?

The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • How and when exactly has the Commission become aware of targeting of devices held by Commission staff?

Following the Amnesty International and Forbidden Stories revelations, the Commission opened an internal investigation on 19 July 2021. On 23 November 2021, Apple sent official notifications to certain members of staff regarding their devices’ possible compromise by State-sponsored attackers. The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • For which period were the devices of Commission staff spied upon and where (in which countries) were they during this time?

The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • Has the Commission started an investigation into the targeting of devices held by staff?

All Pegasus-related information and findings are part of the investigation opened on 19 July 2021.

  • Has the Commission started an investigation into whether or not other staff in the Commission have also been targeted? If not, why not?

All Pegasus-related information and findings are part of the investigation opened on 19 July 2021.

  • Which actions have been undertaken by the Commission IT services and what are their conclusions?

To mitigate the threat emanating from Pegasus and similar spyware, the Commission cooperates continuously with CERT-EU, the Computer Emergency Response Team of the Union’s institutions, bodies, and agencies, and issues recommendations and guidance to CERT-EU’s constituents. DG DIGIT deployed an EDR solution (mobile Endpoint Detection and Response) on all corporate phones in September 2021 to tackle similar threats.

  • If any hacks were successful, does the Commission know where the collected data are stored?

The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • Does the Commission know anything about possible clients of the accessed data?

The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • Has the Commission initiated an investigation into possible clients who ordered the deployment of spyware?

The Commission does not have the competence to investigate possible clients of such products.

17. In an answer to a written parliamentary question by MEP Eva Kaili, the Commission states that it has “raised the issue with the export control authorities of the Member States and with Israel, with a view to mitigating the risks associated with trade in these sensitive products.”:

  • What has been the aim of the Commission in this contact?

In its contacts with export control authorities from Member States, the aim of the Commission was to exchange views on the reports of misuse of NSO’s Pegasus spyware in violation of human rights and examine the scope for developing a possible common approach with respect to export from the EU of cybersurveillance items relating to Pegasus-type spyware.

In its contacts with Israeli authorities in the framework of the EU-Israel Subcommittee on Industry, Trade and Services of the Association Agreement between the EU and Israel, the aim of the Commission was to raise with the competent export control authorities concerns about these reports and seek indications on any related mitigating measures that competent Israeli export control authorities could consider taking in the future. To date, the Commission has not yet received any such indications from the competent Israeli export control authorities.

  • What has it discussed with the Member States?

The Commission exchanged views with Member States’ export control authorities on the reports of misuse of NSO’s Pegasus spyware in violation of human rights and on the scope for developing a possible common approach with respect to export from the EU of cyber-surveillance items relating to Pegasus-type spyware.

This discussion took place on two occasions; first, at a meeting of the Council’s Dual Use Working Party on 25 October 2021 and, secondly, the issue was raised a second time on 12 July 2022 in a short discussion at a meeting of the Surveillance Technology Expert Group.

  • What has it discussed with Israel?

In its contacts with export control authorities from Israel in the above-mentioned framework, the Commission raised concerns about these reports and sought indications on any related mitigating measures that competent Israeli export control authorities could consider taking in the future. To date, the Commission has not yet received any such indications from the competent Israeli export control authorities.

  • What were the responses by the Member States and the Israeli government?

Some Member States shared their views on the prospects for developing a common approach with regard to the control of export from the EU of such technologies, e.g. regarding the technical assessment of items exported to third countries, such as Israel, as well as regarding the assessment of related risks. The discussions with export control authorities of Member States did not address the import of such technologies, which falls outside their area of responsibility and outside the competence of the abovementioned groups.

The Israeli authorities shared general information on the procedure and identification of the competent national authorities for controlling exports from Israel of sensitive cyber-surveillance technologies, such as the Pegasus software, and preventing their misuse in violation of human rights. To date, the Commission has not yet received any indication from competent Israeli export control authorities about mitigating measures taken or planned in relation to NSO and Pegasus.

  • Is any follow-up planned to this contact?

Further to the two earlier discussions so far, there is no follow-up planned to the contacts with Member States export control authorities. With regards to the Israeli export control authorities, the Commission intends to return to the issue of possible mitigating measures at the next meeting of the EU-Israel Subcommittee on Industry, Trade and Services of the Association Agreement.

  • Can the Commission release the agenda and minutes of the meeting(s) with the Member States and Israel?

Any request to release the agenda of the meeting with Member States export control authorities in the context of the Dual-Use Working Party (DUWP) on 25 October 2021 should be addressed directly to the Council. The Commission’s current view is that releasing those minutes would threaten the protection of information provided on a confidential basis and hence undermine the security of the EU and of Member States because it would reveal Member States export control authorities’ assessment of export controls related to sensitive items, which are subject to foreign and security policy considerations, including human rights.

As regards the agenda and minutes of the meeting with Member States cyber-technology experts in the context of the Surveillance Technology Expert Group meeting of 12 July 2022, set up under the framework of the Dual-Use Regulation, the Commission considers that releasing such documents would also threaten the protection of information provided on a confidential basis by Member States’ export control authorities and, hence, undermine the security of the EU and of Member States by revealing assessments related to sensitive items and linked risks, which are subject to foreign and security policy considerations, including human rights.

The Commission cannot release the minutes of the meeting with Israel of 6-7 December 2021 in the abovementioned framework, which are still pending finalisation with the Israeli authorities. Any future release of these minutes will have to be agreed with Israel, and subject to a further assessment regarding any impact that such release could have on the international relations of the EU as there remains a clear interest for the EU in ensuring that third countries do not release reports of meeting with the EU without our prior agreement.

C) Commissioner Reynders

18. Can the Commission confirm that terminal equipment belonging to Commissioner Reynders or to other Commissioners or Commission officials were infected with Pegasus?

Following the Forbidden Stories and Amnesty International revelations, a dedicated Commission team of in-house experts launched on 19 July 2021 an internal investigation, as in any suspected case of spyware infection. The investigation’s aim was to verify whether Pegasus had targeted devices of Commission staff and members of the College. As part of the investigation, the devices of the College members and some of their closest collaborators were checked.

Apple sent an official notification about Commissioner Reynders’ device’s possible compromise by State-sponsored attackers on 23 November 2021. Neither the checks done by the investigators before or after this date confirmed that such a software had succeeded in compromising the Commissioner’s personal or professional devices. Moreover, the Commission’s competent services inspected devices of additional Commission staff, who received similar notifications from Apple on that day; none of the inspected devices confirmed Apple’s suspicions either.

The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

19. Regarding the notification from Apple received by Commissioner Reynders:

  • Can the Commission provide an overview of the exact dates of specific actions the Commission has undertaken following the notification of targeting by the Pegasus software on his phone?
    • Which date in November and where did he receive a notification by Apple on his phone?

Apple sent an official notification on 23 November 2021.

    • Which date was the IT department notified, and by whom?

Commissioner Reynders’ Cabinet informed immediately the competent Commission services.

    • Which date(s) did the IT department start and finish the investigation into the device, and what were the conclusions?

Following the Amnesty International and Forbidden Stories revelations, the Commission opened an internal investigation on 19 July 2021, which is still ongoing. The checks performed by Commission’s investigators before and after 23 November 2021 Apple’s notification did not confirm that Pegasus had succeeded in compromising Commissioner Reynders’ personal or professional devices.

    • Which date and why was the decision taken not to report this notification to relevant law enforcement bodies?

Notifications of this kind are received multiple times on any given day by the Commission’s relevant IT departments. Much like other notifications, this particular one from Apple did not signal a definitive infection, but the possibility of an attempt by the malware to target the corresponding device. In addition, none of the checks performed before or after the notification on Commissioner Reynders’ devices proved that an infection had indeed occurred.

    • Does the Commission not consider the (attempted) illegal hacking of devices and illegal spying a crime?

The Commission strongly condemns any illegal access to systems or any form of illegal interception of users’ communications.

  • Has the Commission undertaken efforts to trace back and find out from where the attempt/hacking was released?

The device checks led to the discovery of indicators of compromise. It is impossible to attribute these indicators to a specific perpetrator with full certainty. The present letter’s public character does not allow further elaboration on the investigation’s present-day findings, as they would reveal the Commission’s investigation methods and capabilities, thus seriously jeopardizing the institution’s security.

  • What is the Commission assessment of the fact that Commissioner Reynders visited Hungary and Poland in November, the month when he received the notification by Apple?

The Commission services do not have enough information at its disposal allowing us to draw definitive conclusions about a link between geolocation and a possible device infection attempt via Pegasus.

  • Will the Commission check the notification on Commissioner Reynders’s phone with Citizens Lab or other experts? If not, why?

The information made publicly available by Citizens Lab and Amnesty International did not allow to confirm that Commissioner Reynders’ devices were infected by Pegasus.

20. Has the Commission had any contacts with NSO before the revelation about the targeting of Commission officials or the use of spyware in Member States? If so, what exactly has been discussed, and when? If not, why not?

No.

21. Has the Commission had any contacts with NSO since the revelation about the targeting of Commission officials or the use of spyware in Member States? If so, what exactly has been discussed, and when? If not, why not?

No.

22. Has the Commission had any contacts with NSO in general? If so, what exactly has been discussed, and when? If not, why not?

No.

23. During the plenary debate on 4 May, Commissioner Hahn said that the Commission “is collecting information on the use of Pegasus”. Can the Commission explain exactly what it is collecting, and from whom/which sources? Can the Commission explain with which objective it is collecting this information?

As clarified above (cf. Q5), the Commission has already sent letters to some Member States following reports on the use of spyware. The objective of gathering factual and legal information is in particular to assess the interplay between national legislation on national security and EU data protection acquis.

24. The Commission has stated that it is “analysing the European Data Protection Supervisor’s ‘Preliminary Remarks on Modern Spyware’”. What is the Commission’s analysis or assessment of these remarks? What measures/actions could the Commission take to hold those responsible for marketing the spyware accountable and to protect the EU’s public freedoms and its tenets of democracy?

The Commission considers that it is paramount that fundamental rights, in particular the rights to privacy and data protection, as enshrined in the EU Charter of Fundamental Rights and in EU law, are fully respected all over the Union. Some of the elements in the EDPS document correspond to points made by Commissioner Reynders at the PEGA Committee. The Commission will take into account the EDPS analysis in its on-going reflection on spyware.




  • Date: 2022-07-20
  • From: PEGA Committee, Secretariat
  • To: PEGA Committee
  • Subject: Delegation to Israel, 18-20 July 2022

Meeting with Ministry of Foreign Affairs

The EP delegation was received by the following representatives of the Israeli Ministry of Foreign Affairs (MFA):

  • Ms Michal Weiler-Tal, Director for export control matters
  • Mr Assaf Moran, Director for the Department for European Multilateral Organisations and NATO

The meeting was held under the Chatham House Rules and consequently speakers are not set out below.

The PEGA Committee raised the concern that no representative of the Ministry of Defence was present, as they were principally responsible for defence export control. MFA stated that they would give a full and complete picture of the Israeli export.

MFA continued by describing the Israeli export control system for cyber capabilities, such as spyware. The first regulation that applies to such capabilities came into force in 2010 and, though Israel is not a party, it largely follows the Wassenaar Arrangement. It is a two-phase system, where a company would first need a marketing license to start negotiations for a sale and subsequently an export license if a deal is made. The total amount of licences per year is 30-40 000 for all defence products (no specific figure for cyber capabilities was given); however, as not all negotiations lead to a deal, the number of marketing licenses is much higher than the final number of export licenses. The MFA has to approve every marketing and export license. In the MFA, there are five persons working on defence export control. Requests for a license are assessed on the basis of a number of criteria, including human rights. Cyber capabilities may only be exported to government, and only for the purpose of crime and terrorism prevention. The MFA declined to answer how many requests were refused per year and said that they had no knowledge about any Pegasus licenses being terminated.

If a defence company acts in contravention of any license given, it may be given a fine. The use of commercial intermediaries, such as brokers, is standard practice and would not violate the terms of the export license as long as the party to the end-user agreement is a state entity.

MFA further stated that a process to make the rules for export of cyber capabilities stricter was initiated in the autumn of 2021. As a first step, the End-User Declaration that client countries have to sign was redefined. The new rules apply to new export licenses while existing licenses are subject to the old rules. The End-User Declaration sets out definitions of serious crimes and terrorism. The MFA did not specify what further steps this process would lead to.

MFA also stated that the EU Member States are viewed as countries with the highest respect for human rights and that no differentiation is made between EU MS with respect to defence export control. Israel is aware of discussions of whether all MS uphold human rights to the necessary degree but views that as an internal matter for the EU. Nevertheless, the assessment of a specific request is done upon the information available regarding the specific country.

As regards systems such as Pegasus, the Israeli government has no access to any data collected. The MFA does not have the technical capabilities to assess cyber systems from a technical point of view.

As regards abuse of exported systems, MFA said that indications of such abuse would be taken into account in subsequent requests for export licenses but that it would not lead to any revocation of a given license. The MFA presupposes in their assessment of an application for an export license that cyber capabilities will be used in accordance with the undertaking in the End-User Declaration while no active follow-up whether this is the case is carried out. The sale of cyber capabilities is based on trust between countries, and Israeli authorities would only act upon ‘official’ proof of abuse.

As regards statistics on how many terrorist events or serious crimes the use of cyber capabilities had helped to prevent, MFA stated that they did not have such statistics, but that they thought that Europol should have it as regards the EU.

An addition

  1. German security agencies love the NSO Group, and they love the CIA-linked US company Palantir, which a few years ago supplied the dragnet-investigation software “Hessendata” (based on “Gotham”) to the Hessian police; similar police software from Palantir is now also used in NRW (“DAR”, said to have cost the state of NRW approx. €14 million). In Bavaria, people are considerably more critical and are now examining the police Palantir software (“VeRA”) more closely.

    PALANTIR TECHNOLOGIES/ Research and analysis system of the Bavarian police comes under criticism (stern.de, 8.7.22)

    https://www.stern.de/politik/bayern–polizei-software-von-palantir-technologies-steht-in-der-kritik-32522368.html

    Gotham on the Main (Süddeutsche Zeitung, 18.10.18)

    https://www.sueddeutsche.de/wirtschaft/innere-sicherheit-gotham-am-main-1.4175521

    Bavaria’s police will soon use software from Palantir (netzpolitik.org, 9.3.22)

    https://netzpolitik.org/2022/umstrittener-ueberwachungskonzern-bayerns-polizei-setzt-bald-software-von-palantir-ein/

    Data protection/ Fear of the data kraken – police software under scrutiny (idowa.de, 8.7.22)

    https://www.idowa.de/inhalt.neue-software-angst-vor-datenkrake-polizei-software-auf-dem-pruefstand.078a73fd-386c-4595-bbb0-d070d3ae1319.html

    Both spying companies were represented this year at the GPEC (gpec.de) in Frankfurt/Main:

    NSO Group
    Luxembourg
    Hall: Hall 3, ground floor
    Stand number: D45

    https://exhibitorlist-2-0.fairdesigner.de/catalog/?tenantnr=10169&tenant=EMW&eventid=GPEC2022&language=de&page=33&entries_per_page=10

    Palantir Technologies GmbH
    Germany
    Hall: Hall 3, ground floor
    Stand number: D80

    https://exhibitorlist-2-0.fairdesigner.de/catalog/?tenantnr=10169&tenant=EMW&eventid=GPEC2022&language=de&page=34&entries_per_page=10
