PEGA-UntersuchungsausschussStaatstrojaner-Kontrolleure müssen unabhängig sein

Der Staatstrojaner-Untersuchungsausschuss verhandelte Anfang März Änderungsanträge für die beiden Abschlussdokumente. Anschließend diskutierten die Abgeordneten mit Experten, ob es ein europäisches Forschungszentrum zu Staatstrojanern braucht. Wir veröffentlichen ein inoffizielles Wortprotokoll.

Donncha Ó Cearbhaill
Donncha Ó Cearbhaill von Amnesty International. – Alle Rechte vorbehalten Europäisches Parlament

Der Staatstrojaner-Untersuchungsausschuss im Europaparlament soll Ende April seine Arbeit abschließen. Die Abgeordneten wollen in einem Bericht darlegen, wie Staaten und Unternehmen bei Produktion, Handel und Einsatz von Staatstrojanern gegen geltendes Recht verstoßen haben. Dazu kommen politische Empfehlungen für Konsequenzen, die das Parlament dem Rat und der Kommission überreicht. Die Berichterstatterin Sophie in ´t Veld hatte bereits Anfang Januar einen ersten Entwurf vorgelegt, über den wir berichtet haben.

Bei der Ausschuss-Sitzung am 9. März hatten die Abgeordneten die Möglichkeit, Stellung zum Entwurf zu beziehen und Änderungsvorschläge vorzustellen. Sie debattierten vor allem zwei Dinge für Bericht und Empfehlungen: Zum einen ein Moratorium, das den Einsatz, Handel und Export von Staatstrojanern vorerst unterbindet – mindestens bis die EU es schafft, Staatstrojaner gesetzlich zu regulieren und kontrollieren. Zweitens ging es erneut um das Schein- und Totschlagargument „innere Sicherheit“, mit dem viele Staaten das Hacken und Überwachen rechtfertigen.

Im zweiten Teil der Sitzung ging es um die Frage, ob Europa ein eigenes Forschungs-Zentrum braucht, das Wissen rund um den Einsatz von Staatstrojanern bündelt. Im Ausschuss kamen dazu Experten zu Wort, unter anderem auch Donncha Ó Cearbhaill von Amnesty International. Sein Team hatte im „Pegasus-Projekt“ maßgeblich daran mitgewirkt, das Ausmaß des Einsatzes des Pegasus-Trojaners öffentlich bekannt zu machen.

Wir veröffentlichen ein ein inoffizielles Transkript der Anhörung.


  • Date: 2023-03-09
  • Institution: European Parliament
  • Committee: PEGA
  • Chair: Jeroen Lenaers
  • Panel 1: Consideration of the amendments
  • Panel 2: Exchange of views on a European Security Lab / Research centre on spyware
  • Experts Panel 2: Professor Sartor (European Research Council), Professor Pierre Luigi Parcu (Centre for Media Pluralism and Media Freedom in the European University Institute), Donncha Ó Cearbhaill (Amnesty International)
  • Links: Video
  • Note: This transcript is automated and unofficial, it will contain errors.
  • Editor: Jan Lutz

Panel 1: Consideration of the amendments

Jeroen Lenaers (Chair): Okay. Good morning, colleagues. Welcome to our meeting of the PEGA Committee on this Thursday morning. We have interpretation in German, English, French, Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Slovenian, Bulgarian and Romanian.

We have two points on our agenda today. First, the consideration of the amendments and secondly, an exchange of views on a European policy hub. If there are no objections to the agenda, I consider it adopted and I move immediately to point two of our agenda, which is, as I indicated, the consideration of amendments on both the proposal for a recommendation of the European Parliament of the investigation of alleged contraventions and maladministration in the application of union law in relation to the use of Pegasus and equivalence, surveillance, spyware, and also the consideration of amendments on the draft report on the investigation of alleged contravention of ministration in the application of union law in relation to the use of Pegasus and equivalence of alleged spyware.

For both of these reports, our rapporteur is Sophia in ‚t Veld, and all of the shadows are here as well. So I propose that we first pass the floor to our rapporteur and then we hear from the shadows and after the shadows, for all those members who would also like to participate in the in the meeting today. So for those who are not shadows, please indicate by raising your hand if you would like to take part in the debate as well. And having said that, I pass the floor to our rapporteur, Sophia in ‚t Veld.

Sophie in ’t Veld (Renew): Yes, Thank you, Chair, and good morning, everybody. I’ll give you a quick overview of the the state of play and and then in the debate we can go into the substance, I think. So there’s on the table a report and a resolution, and both are set to be voted, as you know, on the 26th of April to the report. A total of 1281 amendments has been tabled, which is an impressive number. But about one third of that are my own amendments, because as you may remember, in November, the very first document I presented exceeded the the limits of the administration in this House. So we’ve removed some parts, which we have then reintroduced by way of amendments.

But I’ve also introduced further amendments because since November there are a lot of new elements and developments and what have you there. Of course, given that the report has a couple of country specific chapters, if you want, there are many amendments covering one country or another. And we can also see that people have strong feelings about one country or another, one government or another. In the meantime, we have travelled to Hungary and we will still travel to Spain. So we are in a somewhat unusual situation that we are, as we are dealing with the amendments and the deadline for amendments has already passed that we still want to integrate new elements, but I’m pretty convinced that we can agree on, let’s say, joint text which can be submitted by by way of oral amendment or something. I’m sure that we’ll find some flexible methods for that.

On the resolution, 805 amendments have been tabled, including, well, 30 amendments by myself. They’re dealing specifically with some of the member specific recommendations with the issue of a conditional moratorium, with the issue of defining or demarcating national security and with common EU standards regulating the use of spyware. There so far, there have been three technical meetings and one shadows meeting, physical shadows meeting. We have three further shadows meetings planned until the vote on the 26th of April, and a series of technical meetings. So far, at the level of shadows, we have concluded compromise amendments dealing with the Poland chapter, with the chapter on other member states and the chapter on European institutions. At technical level, there are some further agreements that have to be tidied up. So on the chapter on the spyware industry and a series of recommendations in the in the resolution, that technical level talks are taking place on the Hungary chapter and the Greece and Cyprus chapters, Spain. We’re still working on draft compromise proposals, but I would like to wait until we have visited Spain so that we can finalise that at the next Shadows meeting.

So at political level, we will talk about the political issues that I just mentioned. So the conditional moratorium, national security and common EU standards for the use of spyware and also some member specific recommendations. So it’s all a bit we’re working in parallel on the reports and on the recommendations and in parallel to talking about compromise amendments. We are also still collecting new material from a number of countries. So it’s a bit a a complex process, but we’re getting there and I think we will be able to have compromises on everything by the 26th of April. And then maybe finally, I would like to make one remark. I mean, I can see that there are quite a few amendments seeking to delete parts of the reports in particular which are critical of of one country or another or uh, also some, some some governments. I find it very important, as we are negotiating, that we look at the principles and not the politics of it. And I also think when it comes to the recommendations that we we should take a very firm stance. Also keeping in mind that a a resolution is just a political recommendation. It’s not legislation. It’s not going to happen tomorrow. So we don’t have to hold back. And I also think looking at some of the amendments, we cannot on the one hand say spyware is a big problem when it comes to the recommendations, we’re not actually willing to propose any measures.

I mean, at some point we also have to be coherent. But again, I’m confident that even on the most contentious parts, we will be able to to come to an agreement and conclude the report at the end of April and then the resolution, I understand, but I’m also looking at the chair in the Secretariat. The resolution must be voted in plenary, but it doesn’t necessarily have to be before the end of the the mandate to figure. I believe it could also be as long as it’s voted in favour, then it can also be voted on another plenary. Yeah. Thank you.

Jeroen Lenaers (Chair): Yes. Thank you very much, Sophie. Just to confirm that last that last part, indeed, we can vote it also after the mandate of Pegasus has ended. And secondly, just to echo the first point that, yes, for me it’s also very important that we have the flexibility to take into consideration all the developments that are still ongoing and the experiences and the information we receive while visiting countries. So just the fact that the the deadline for amendments has officially passed, this should not mean that we cannot include new information. This is also what we said from the very start due to the the limited time that we have as a committee and the amount of activities that we do, it would be unfair both for our interlocutors in hearings and our interlocutors on missions that their views could not be included based on such a technicality. So I, I count on the flexibility of the rapporteur and the shadows too, to also allow for that to happen in practice. Then we move to the EPP, Vladimír Bilčík.

Vladimír Bilčík (European People’s Party): Thank you very much for sharing. Thank you very much to our reporter, Sophie in ‚t Veld. Do I understand this correctly, that we have a basically a joint discussion on both documents? I mean, we we don’t separate it. Okay. Just just to make sure this this is. Okay, good.

Jeroen Lenaers (Chair): We’ll not get the floor again after this lot or so do it.

Vladimír Bilčík (European People’s Party): Thank you very much. All clear. Let me make some general points and then maybe some specific points with respect to each of the documents. First, I really want to thank everybody engaged and especially the rapporteur for the extensive work. I mean, there has been a lot of work which has gone into producing these documents and there are a lot of people also behind the scenes in the Secretariat. And I think we need to acknowledge that this is extremely, extremely complex and I think we need to make sure that we make the best use of it also politically in this House. Now, we already are negotiating at the technical level and negotiations are progressing, but I think there are a number of issues which need to be resolved at the political level, and I think this is where we need to focus and I hope we can focus on on today.

The key issue our committee is dealing with and here I will recall our regional and the standing mandate is that several fundamental rights enshrined in the charter may be affected by the use of spyware. This is why we have our inquiry committee and why we call witnesses and experts to speak to pick up. And we have learned that some EU governments have targeted EU citizens with powerful spyware. And this, of course, does pose a threat to democracy and fundamental rights. But we should also act within the scope of of our competence. And one challenge which we have here, and let me be very clear about this, is that under the EU law, national security does remain the exclusive competence of member states. And of course, we need to reconcile this with the principle of protection of fundamental rights and democratic norms, which are also strongly embedded in the EU law. I see this as the main role of our committee, and the report and recommendations should strike a balance between these two concepts and we have also tabled amendments in this direction.

This is a key issue for us. Let me just underline that the European Commission has no powers to act in the area of national security. So in response to the cyber scandal, it has so far taken a couple of steps which included requesting clarification from various member states. And I think this is one point where we need to persevere and make sure that we ask the commission to really make an assessment of and analysis of the situation and the responses or the lack thereof. We also need to make clear that we offer recourse to victims. This is another important part, and we need to be as clear as we can to have a common also European answer on this issue, because this is what concerns the original mandate and the main focus the protection of fundamental rights of individuals which have been violated.

Now, at the same time, and this is an extremely important point for us, is that we cannot call for a blank moratorium on the use of spyware and under legal circumstances. We must be aware of the fact that the use of spyware is and can be legitimate in investigations, of course, under proper judicial and political oversight. It is equally important that we differentiate between the countries which we mention in both reports most clearly. Some countries have responded and have taken positive steps to address the issue. We have had countless discussions on this, but especially Greece and Cyprus, and some countries have even refused to meet with our respective missions, such as Poland and Hungary. And we should be clear and fair when we make the distinctions. When I say countries, I mean the governments, of course. Let me be clear here. We met, of course, a number of representatives, and in the end we need to seek the widest possible support in this House, especially for the recommendations.

So to focus on couple of specific points with respect to each documents, we need to be clear and fair when it comes to the language which we have, especially in the long report which will vote in the committee and with respect to various countries. There are still issues which have to be rectified and clarified with respect to Greece, Cyprus, but also Spain. It is important that we are clear on redress when it comes to the victims, and the EU should be committed to setting up an independent body that would help victims. We also have to be clear that the issues of national security remain the sole responsibility of each member State, and we should not forget the original intention of spyware, which is to help law enforcement keep up with the criminal world. And finally, let’s keep to the scope of the report. There are some issues such as commenting on Ireland and tax or fiscal laws which really are out of scope of of our mandate. Now, in terms of the shorter document, but politically, the most important among the recommendations and here I’m coming to a closure, let me just say a few major points.

Indeed, the use of spyware can be legitimate and can be used to protect our security. But we have to be very clear about the checks and balances that have to be reinforced and used properly. And that’s why the recommendations do need a more balanced approach. We are dealing with the failures in this respect of the respective governments and governmental authorities when it comes to the unlawful targeting of victims and citizens. And also in terms of the spyware industry, which is very complex with a number of actors and services. We cannot prescribe one size fits all standards.

We have to be aware of this in the final recommendations. Additionally, we also must deal with malign third countries and close loopholes that exist in our legislation. And finally, I would hope that we can refrain from calling for revision of existing and recently adopted legislation, such as in the case of Europol or dual use regulation, and instead let us focus and aim for full use of existing legislation we have at our disposal so we can deal with the problems which we have been tasked to investigate. Thank you very much.

Jeroen Lenaers (Chair): Thank you, Mr. Bilčík. Mr. Heide is unable to come today, but we be represented by Mr. Garcia Del Blanco for the S&D.

Ibán García Del Blanco (Socialists and Democrats): Thank you, Chairman. First of all: I would like to apologise on behalf of our coordinator and the committee. But the shadow rapporteur for the S&D couldn’t come. But I will say a couple of words without going in-depth here, because I’d like to discuss the details elsewhere, because it is a very sensitive subject for a coordinator.

Now, the S&D group doesn’t think that it’s strange that we’ve had over 1200 amendments because the report right from the start is not balanced and there are many gaps, many problems here. But we’re going to balance these elements, especially where we look at we were in a democratic state with rights, but we also have to look at our security. And then as we were saying, we’ve got to respect individual rights and private life. We must not do anything here in an illegal fashion. Now, I think now we have the opportunity. We’re discussing these amendments and yes, indeed, and the S. and D. group submitted about 100, we may be able to solve some of these problems. It may be a look at a public presentation that was made, which was not a right, because it did preclude a lot of the conclusions we’re going to reach now and we’re going to discuss. It seemed as if it were an inquisition against certain governments. As our colleague from the EPP, not everyone had accepted this in the same way, nor has everyone reacted in the same way.

You have something that is similar should be enough to help us to have practical recommendations that will make us improve things. Not when we look at the amendments that we have brought as S&D group. I would like us to clarify the use of Pegasus and similar programs and the negative repercussions on fundamental rights, which it basically is looking at the Charter for Individual Rights that we look at to see what the member states have acquired with their views. Pegasus are the equivalent spyware, and I would like to know what the reaction is of these member states, not only as I was saying at the beginning on how to resolve some of the points when we are looking at the victims here, for instance, of protecting the victims, but how these governments have behaved and interacted with this committee.

As I said earlier, not everyone, we haven’t all reacted to the same words. The big problems in certain countries. And and we need to have the opportunity to submit these cases and where they contested the points that were raised in this case, the same with the Hungarian or the Polish governments and the Spanish government, the way they both behaved the next few days it would be a mission and this would help us to test some of the fundamental questions that have given rise to discussions and interest in this report, but in European society as a whole. And with this, I conclude what we need to do is bear in mind this extremely sensitive topic we are working on, and we must always bear this in mind and be careful, be sensitive ourselves so that we don’t damage further a bad situation, don’t have a lack of in the media so that we can improve the institutional functioning and full respect of human rights. We’ve got to respect human rights and the of all our citizens. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Garcia Del Blanco. We continue with the Greens. Hannah Neumann.

Hannah Neumann (Greens): Thank you. And allow me to say I am not so sure whether that is actually the position of the S&D group as I perceived it in the negotiations.

But now on the Green Party assessment and where we are in negotiations, I mean, first of all, and I can only join EPP here in saying thank you to everyone who manages at the moment in the background and these 1281 amendments of which apparently if one side is tabling what was in the original report, still 900 is stuff that we need to deal with on the political level and to make it even more complicated. We have in some cases and we have just witnessed it right now, even political groups where member table members tabled amendments that go in opposing directions. So it is really not easy to do with all of that. And I’m very thankful for all those who do that in the background. And well, I mean, at least in the first shadow meetings, we also managed together on political level to solve a number of issues.

With the report and the recommendations boasts of of both parts, we address a number of key challenges of modern society, namely the protection of people’s fundamental rights from state interference and potentially unlawful rights violations, but at the same time still being able to keep up with the criminal sector, as Mr. Bilčík said. So with the with the gathering intelligence for legitimate purposes of preventing the most serious crimes, this is a huge challenge and it’s a challenge that is not just therefore spyware, but I think the the the new technologies and the new abusive powers that spyware have makes it especially crucial to look at it when it comes to the use or misuse of spyware and regulating it.

And we have seen many incidents in the past, and a lot of them are also in the report right now where spyware has clearly been abused, abused against colleagues of ours. Abuse against journalists, abuse against lawyers, and that not just somewhere but inside the European Union. And it is very important that we look at it in that broad field. And I think it is also very important that we see ourselves as members of the European Parliament and not as representatives of one member state or one member states government, because this is the added benefit and the potential to really have a bit more unbiased and a bit more rights based approach in this House that we are members of the European Parliament and I really hope that this is the spirit that will guide us through all of it, which means that we look at all EU member states based on the same principles and the same standards and come forward with the same broader, unbiased assessment. And this seems to be one of the key challenges in the report part at the moment, also after having listened to some colleagues here.

When it comes to the recommendations for for further political actions: One thing has become clear over the over over the past months of this inquiry, and it is that the use of spyware at the moment is out of control in the European Union. And it means and I’m quite puzzled to see that we are still not on the same page. It is out of control. It violates very fundamental rights of European citizens. And we may only know the peak of the iceberg that not everyone is on the same page of saying it can’t go on like this. So we have to stop the use of spyware until we come up with new legislations, new operational procedures, new approaches for redress, and and more information for victims and all of that before we even start to try using it again, because at the moment, it undermines the very fundamentals of our European democracy.

If members of the European Parliament are being spied upon while they are in critical negotiations, if lawyers are being spied upon while they prepare for legal proceedings. I mean, this really undermines the separation of power and everything that this union is built upon and that we are proud of. How can we not agree on saying we stop it and we try to fix it and then we assess case by case if we allow member states to use it again. And that is what the moratorium wants. It says we stop it. So there is a moratorium because at the moment it is not working. Then we define what are the minimum criteria to allow member states to use it again.

And then we see case by case if they implement it and if they continue to implement it. And if they do that, they can use this by way again. I mean, it is just the very natural way of approaching a thing that is completely out of control, rather than trusting that now only because we in the European Parliament looked at it whilst none of the EU member States fully cooperated with us, they now all miraculously do it differently. I don’t have that trust and I don’t know where anyone gets that trust from. So yes, we need the moratorium. We can then politically discuss what conditions need to be met to are lifted on a case by case basis. But first of all, we need to stop it because we can’t continue with business as usual and with continuing to basically not regulating it because it hasn’t worked in the past.

The second aspect we need to look at is the intrusiveness of the spyware, because at the moment, technically, a lot of things are possible that, according to my understanding of our legal standards, is not proportionate in terms of when it’s fully use. So to give you one example, and if there is spyware installed on a phone, that phone can send messages to other people without the owner of the phone knowing it. So how all this undermines the whole notion of gathering evidence, for example, in trials and everything, because who has modified this data? Who hasn’t? Was that really send? Was that not sent? So this really goes against the principle of proportionality. And I think we should ban the use of this function of spyware everywhere.

Our understanding of green is we should also stop the functionality of spyware that allows to go back in the data before the date of when a certain court ruling was in place that spyware can be used. But this is also something we should discuss amongst ourselves. What are the functions of spyware that we still think could in a very confined number of of cases, persons and crimes be used? And what is the use of spyware that really the functions that really we want to ban and we don’t want to see them implemented in the European Union and internationally, we really think we have to look into the functionality because there are some functions at the moment being implemented that are really against the very fundamental fundaments of our law, especially the aspect of proper proportionality.

Then there is the issue of national security. Yes, according to the Treaties, Member States have the prerogative over national security, but yes, according to the treaty, fundamental rights are the job of the European Union. And at the moment we see massive infringements in the fundamental rights of European citizens and it is our job to protect them from this. So I think if member states want to invoke this card of national security, they have to justify why now national security is all of a sudden in this specific case and that specific case and that specific case. So they should do it case by case is now more important and why they want to invoke national security. So we just have to basically around that the fundament. It’s infringement on fundamental rights. It’s fundamental rights. It’s our business. And if member states want to play the national security card, they have to justify. Fair enough. But they have to justify. It can’t be the other way round. And at the moment, they just use the national security card to even refuse to cooperate with us. And that I find it unacceptable. And we should not let them get away with that.

Third point of key importance for US security vulnerabilities. We keep fighting for better cybersecurity in the European Union. Yet when it comes to spyware, we basically are totally fine right now with compromising the cybersecurity for everyone to potentially get one or two criminals. Because we allow companies to leave or we allow member states to hoard these security vulnerabilities that put potentially thousands of users into jeopardy, by the way, including the French president or the Spanish minister of defence that have been spied upon because member states and other companies are hoarding security vulnerabilities instead of closing them. And this is something that also we don’t find proportionate and we have to really close it.

The last point for us, it is a priority for our group to also acknowledge that the EU has been complicit in human rights abuses with spyware all around the world, and we have supplied spyware to dictators, to the European providers. We have donated spyware to repressive regimes without putting any checks and balance in place. And we continue to buy spyware from companies that are known to sell their technologies to the bloodiest regimes. So it is a priority for us to also close this loophole of complicity. If the dual regulation, dual use regulations, properly implemented, could do that, we are fine with it. However, we don’t see it is doing it at the moment. So I guess we will have to change something. These are the four key priorities for us, the screens and of all we are looking forward to continue into of constructive negotiations.

Jeroen Lenaers (Chair): Thank you, Miss Neumann and I. Mr. Lebreton is not here, I think. Mr. Tarczyński, I also don’t see. So I move on to Cornelia on behalf of the left.

Cornelia Ernst (Left): Thanks a lot. And let me start this way and tell my group that without journalists having discovered this matter and express themselves on it, we would still be completely in the dark about this. I want to be quite upfront about that. So I don’t think that it’s a question of whether we’re shouting or whispering about this. It’s about the clarity of the message. What it’s really about here is we are protecting fundamental rights. And if we don’t stand up for human rights, who will Who is going to stand up for them If not we? And this is a massive responsibility upon us particularly. This Parliament is expected to fulfil this responsibility. We’ve had a massive corruption scandal, all of that history. People want to have clarity about this. They want to know that we really are standing up for basic rights. That’s what the issues are all about, isn’t it? And I think this is fundamental.

This matter has to do with restoring people’s basic trust. It’s not about national political interests, of course. I know it’s painful if someone you’re allied with in the national government is responsible. It’s not fun, but we’re not here to defend particular member states political interests, but rather to defend democracy. That’s our job. It’s our bread and butter. That’s why we’re here. So we need to take standpoints vis a vis member states. And the member states, their governments have refused to work with us and that is a massive scandal. We can’t let them get away with this. We can’t just look the other way. No, I think this is a matter that we really have to make clear. We have a committee of inquiry. And despite the member States refusal to cooperate with us, we need to carry on with it. And there are other people who are going to help us with our inquiries. So this is the key point. And when there are new developments, I think we need to remain flexible. And thank you very much for the chairs interest in making sure that the new developments in Spain have been put on the table today. We’re going to visit there. And we have already some of us have seen with our own eyes what’s going on. And that is really why we are concerned about this matter here today.

So that was my general remarks as regards the position we take. Of course, amendments have been tabled. I don’t want to fall into repetition, but I want to add something to the resolution. Clear wording on our message, very clear messaging in our conclusion. And I’m keen that we should discuss moratoria or prohibitions of spyware. This is a discussion we need to carry on having, I think. I’m of the opinion that there should be a quite straightforward ban on spyware. And I think that we need this discussion. The report. Rapporteurs have suggested a moratorium. We think that in general, carrying on with this kind of technology, the the sale of it, the provision of surveillance technologies etc. And I think we need an international scope of discussion on forbidding this technology. We need to discuss this further. I think there should be obligations in law, to allow the matters to come to light which have still been hidden.

Now, just a word on national security. National security is a blanket term that’s used as a as a get out clause. People often say it’s not a community law matter and they’re right. But we need to define clearly what we understand by national security and how to treat this matter. You can’t get out of jail just by saying national security. It’s not meant to be a conversation killer. You need to establish the necessity and proportionality when you talk and invoke national security. And I think this discussion needs to continue to be had because otherwise we are going to be hampered from reaching resolutions. Finally, many thanks to our rapporteurs. I must take this opportunity to thank them because they have really fought heroically for this. You have really done your best. We support you in the key points and I just wanted to bring these matters to attention. Thank you.

Jeroen Lenaers (Chair): Thank you, Ms. Ernst. That concludes around of shadow rapporteurs. We have on our list now to speak to Mr. Arłukowicz, Mr. Puigdemont, Mr. Georgiou and Mr. [incomprehensible], and Mr. Garcia Del Blanco has asked the florals to respond. I guess because you were personally addressed, Mr. Cañas personally, just about two other groups. I will also give you the floor. I think that’s only fair, but we’ll take the other first before I hand the floor back to Ms. [incomprehensible]. So Mr. Arłukowicz.

Bartosz Adam Arłukowicz (European People’s Party): Thank you very much, Chairman. I have tabled some amendments which have been included in the compromise amendments, so I won’t mention those, but I feel the duty to inform you publicly about a certain conflict of of dates, of deadlines because we are finishing work on our report while some new information is coming to light, including in Poland. And I know that you have got this information, but I think this should be put into minutes of our work.

Lately in Poland, there has been some information that has come out to the media concerning the spying of another public person with the use of Pegasus. As far as I understand, by government agencies. The name is Jacek Karnowski. He is the mayor of Sopot, which is a Polish city, a big important in Polish politics. Mr. Karnowski has been spied on with the use of the Pegasus. He was one of the leaders of of an electoral campaign. Before the elections, the national elections. And he was one of the lead, one of the leaders of a of a grouping. An opposition grouping. They got the majority. And then it turned out that another leader of this campaign was also spied on. Illegally by means of Pegasus. So I hope that this fact could be mentioned somehow that a way will be found, that the rapporteur will find a way to mention this in this report. It’s very important. Because there was a case involving the leader of a campaign in the elections to the lower chamber, to the same in Poland. Now, this one concerns a person who is the leader of an electoral campaign for the Senate. So I just wanted to inform you about this next stage of the scandal in Poland. Thank you.

Jeroen Lenaers (Chair): Thank you very much, Mr. Arłukowicz. And also, just to repeat what I said, I think it’s very important for the committee to always take into consideration developments that were not yet known by the time that the deadline movements were there. So that flexibility is there. And to add that also there has been a request officially to to have a hearing or a meeting also dedicated to the case of Mr. Karnowski. So we will also deal with that in the coordinators meeting. Thank you, Mr. Puigdemont.

Carles Puigdemont i Casamajó (Non-attached): Thank you. First of all, I’d like to thank the rapporteur for his work. It wasn’t easy. Now, this subject is the centre of the discussion on fundamental rights and democracy in the in Europe and our safety. Now, I think to the victims, but there are also people in the government involved in the illegal use of this software. Now, is it because there is there’s a concern in Europe about what is happening in this, especially in Parliament. Now, this report is gives hope to victims. It’s annoying for certain certain countries, but here we’re not representing countries nor the interest of countries who are representing our citizens and especially the rights of our citizens.

So even though I have submitted amendments, it is still a sign for hope. Now, I have to be clear that this usage of software is a real threat to our democracy. And we’ve also got to denounce these infractions of fundamental rights that member countries have done. We can’t be silent on this. We also have to be clear in stressing that national security can’t be an excuse to facilitate the constant misuse and uncontrolled use of the things. These amendments are in line to stop this type of misuse and the fundamental rights that are at the basis of the difference between the EU and other powers in the world.

And I’m saying this openly. This software is not compatible with the European Union’s Charter of Fundamental Rights, because, yes, we’ve seen this through different states that it can be authorised. However, no country has shown that this can be controlled. The absence of this is the basis of this threat, this severe threat to European democracy. So here we’re dealing with the threat which can become structural, which can become rooted in the heart of our democracy. So this report is a sign of hope, and I’m hoping that the final amendment will represent, yes, something that is irritating for certain countries, but reassuring for our citizens who are concerned for the help of our European institutions. Thank you.

Jeroen Lenaers (Chair): Thank you, Mr. Puigdemont, then, Mr. Georgiou.

Giorgos Georgiou (Left): Thank you, Chairman. I would like to thank sincerely, warmly you, but also our rapporteur, Mrs. in ‚t Veld. And I would like to thank everybody who worked very, very hard during this period to have in our hands these two documents, these reports. The whole issue is extremely serious. It concerns democracy. It concerns the normal functioning of the European Union. It occupied as a topic the societies in Europe. There were shocked the citizens. So they heard, they understood that they could be spied upon during the most private moments.

I was worried by an effort that was made by countries and by governments doomed to lower the value of the German and Mrs. Felt to underestimate them and the committee. Mr. Puigdemont is right. We do not represent countries or government here. We do not represent parties. The European citizens sent us here and the European citizens are very worried about all these things that have been heard. Our coordinator on behalf of good will cooperate in a constructive way in order to have support for the report. Undoubtedly, we have found facts. We’ve seen facts, events. And from these facts we have established, we have recommendations. These recommendations should be submitted. In a clear way, because what’s important in the end is not whether we are going to support our political group or our party. What we are talking about is crucial values, democracy, freedom and truth. Thank you.

Jeroen Lenaers (Chair): Thank you, Mr. Georgiou. Mr. Cañas.

Jordi Cañas (Renew): Thank you, Chairman. As MEPs have got many obligations and some fundamental ones, the first one is to defend the rights of all of our citizens and I think we all agree on this point. It is extremely important to look at the conclusions, the recommendations of this committee in order to avoid the illicit illegal use of this type of programme and any other kind of monitoring, controlling our investigation and our citizens, because it it’s part of their fundamental rights for their privacy. So we agree with all this, but I think that most of the employees of this Parliament are agreed on this, and their central point is to guarantee the fundamental rights of our citizens, no matter what their nationality, their creed or their political affiliation is.

Now, the only difference can be how you know, and what are you willing to give up in order to reach to get this. Now, if we understand that the conclusions on the recommendation will probably be accepted by a great majority, it can be some sort of moratorium or a stop, but there will be a large majority dealing with this regulation which will need to be adopted following negotiations and amendments. But the report is something else. How do you reach that conclusion? And as MEPs, we have the obligation of defending European values and one of the fundamental one is our critical spirit and the wish, the willingness to listen. And it is that you can’t have a decisions before you have the process, the processes necessary to find what´s the truth.

Now, when you confuse truth with what you want or what you deduct or what you imply, it’s something different. In order to have a report which is there to be the basis of recommendations, this this report has to be tied strictly to facts, to truth. And facts and truth are very different to implications, suppositions, etc. When you confuse your position with a fact, there’s a problem. If it’s you doing it by mistake, it’s like a venial sin. If you do it deliberately, it’s very dangerous. An investigative committee is not a court of the Inquisition. It’s an area for discussion and tradition, for raising doubts and for critical spirit to listen to different versions of facts which might even be in conflict, that the the methodology of a scientific spirit leads to a certain conclusion. A hypothesis is not a theory. That’s the first thing. So if you confuse and hypotheses with a theory, you do this deliberately, this implies that the conclusions you obtain can be then called into question.

Now we don’t want the conclusions on the recommendation to be called into question if there is a lack of rigour. Now, what we’re going to try to do with these amendments is try to limit ourselves to what is certain, what is true, what is provable, whatever is inference or deduction as has to be set aside. And that’s what we want as MEPs. And this is what should move us to the discussion of the amendments. And at the end of the day, should invote the report and the recommendations work will derive from it.

Jeroen Lenaers (Chair): Thank you very much, Mr. Cañas. I see. I’m not sure if it’s the translation, but there’s another the second time today that our committee is being compared to Inquisition, and I don’t think that is a appropriate way of of of defining our work, giving the the history of inquisition. So I hope also that colleagues and I don’t know whether it’s a translation issue, but I do hope that colleagues also give this committee the respect that it deserves. Mr. Reuten.

Thijs Reuten (Socialists and Democrats): Thank you chair. And I want to start with thanking in particular Sophia in ‚t Veld and her team for the outstanding work that she did. And I can testify of many occasions also that one mission I participated in, but also on several hearings that we had, how much she tried to go to the bottom of it and to really get out everything that we needed to to get a report, a report that indeed must reflect just the interests of the European citizens and the common European cause.

A few points from my side. National security is an ongoing debate and that is not without reason. I share the point also also made by colleague Norman that the use of this argument almost as a standard excuse, not only not not only for doing things, but also for not doing things, for not sharing, for not cooperating, that must be tackled, in my opinion. So I support that point. We also support a conditional moratorium and not mentioned as not not that much in the time that I was here. Sorry for for being for arriving a bit late. But now we need maybe it has been mentioned a bit. We need better safeguards and remedies for the people targeted illegitimately and also, and that was a point that has come up in several hearings and missions, the right to be notified and the need to be and the need to guarantee that in every European member state and closing thanking again the rapporteur for her for her work. Thank you.

Jeroen Lenaers (Chair): Thank you, Mr. Reuten. Ms. Bricmont.

Saskia Bricmont (Greens): Thank you. Thank you, colleagues. First of all, I’d like to thank the rapporteur for her work. We’ve followed the work of this investigative committee right from the start. I would say that during our audition we found it important to when we established the agendas and organised the mission because, yes, the interference or the involvement of national governments was a constant and it was relayed, repeated to us by the members of this government. Now we’ve got to find a report which is really a balancing act. So how do you manage? So thank you very much.

And that’s why we insist on the fact that we want this report as a common point where the negotiations can start. And this because the origin of this commission was that of organising all guarantee that full respect of the treaties. The commission is supposed to do this. However, the case that concerns us, well, that it doesn’t is that they’re not doing it so with the recommendations of a certain member State so that we can have a common framework no matter what results, there will be within the Member States themselves. And what we haven’t discovered yet, of course, because the situation is evolving daily and there might be further revelations in future. But we’re also aimed at the European institutions themselves. The Commission and the other institutions have to set up.

Now allow me to say that as we’ve followed this work right from the start, we weren’t helped by the member States. Some didn’t want to answer that, too, from a the Democratic Party view, many questions arise. But some of the reports are based on solid facts. What we’ve managed to find, we have observed, was not invented. So first of all, I would like to say that we can’t believe that our work isn´t based on facts, says national security, depends on the member states. That’s true. But we still have to respect the law and individual rights or human rights. So when we look at the documents on the table, this is a moratorium on their set up so that all our member states put together a legal framework and also independent monitoring systems guarantee the rights are protected and all the methods, the necessary means, are set up.

The other point: We also want to say that the origin of our work as started from journalists who are victims of this spyware of these people and all the victims actually expecting the EU to guarantee their freedom to carry out their work in a pure and fully independent fashion. Thank you.

Jeroen Lenaers (Chair): Thank you very much Ms. Bricmont. Than we have still Mr. Garcia Del Blanco and Ms. Neumann is asking for the floor in a second round. So both, please try to be as brief as possible. Mr. Garcia Del Blanco

Ibán García Del Blanco (Socialists and Democrats): Thank you. Now, I must say I was happy, but it seemed to me that there was a very, an intolerable position. Now, here with socialists and Democrats, it’s not another group. I’ve listening with great respect to everything that was said. But I can’t let this just go past. This is a position of the Social Democrats. We are MEPs and we’re not journalists. They are different responsibilities for us.

Jeroen Lenaers (Chair): Thank you, Mr. Garcia Del Blanco, Ms. Neumann.

Hannah Neumann (Greens): Thank you. And I would just like to make one statement regarding facts because it is a recurring topic here and I find it increasingly annoying, I have to say. So let me be very clear. We have an organisation, Citizens Lab, that in a very technologically sophisticated way investigates whether people have been infected, targeted with the spyware, and whether spyware has taken information out of their phones. We have investigative journalists networks that look into this as well. This is the best information we have. And whatever they have done in their research has often been verified by reality, in subsequent hearings, meetings, discussions that we had here. We have at the same time member states, who actually have the knowledge and the information to prove that citizens lab data is maybe wrong, but they refuse to cooperate.

So until proven otherwise by member states who can come here and tell us and justify who has been surveyed by them and not until proven otherwise, I think we should base our work on the research and the works of Citizens Lab and others. And now we have some people here in this committee who, I’m not going to speculate on the reasons, say that the proves that Citizen Lab has; for example, Hungary and Poland, are totally acceptable, whereas for Spain, they are not. And that is shady. And I’m not willing to accept this and I’m not willing to accept this inside our reports. So as long as member states do not cooperate with us, we base our knowledge on the best facts that we have available and the best future research that is being done. And that is, as a matter of fact, that of Citizen Lab and investigative journalists.

Jeroen Lenaers (Chair): Thank you, Ms. Neumann. And to bring all this together in one coherent report, I give the floor back to our rapporteur, Sofia in ‚t Veld.

Sophie in ’t Veld (Renew): Thank you, Chair, and I would like to thank all the colleagues for their comments and contributions. I’m going to try and respond to some of the things that have been said, but I would I would also like to take one step back and remind ourselves what it is that we are doing here and why we are having this inquiry committee. That is because in the European Union, where many people are concerned about threats to democracy in the US or Brazil or Israel, but in this European Union today there are political parties in various governments who are spying on journalists, spying on lawyers, spying on NGOs, spying on the opposition. And it’s not just listening in to their conversations. They are using the material they obtained in order to discredit people, to intimidate them, blackmail them, harass them. This is not fantasy. It is happening today. It’s a threat to our democracy. That’s the reason we are doing this.

Yes, there are some uncomfortable truths about a couple of member states in particular, but actually about quite a lot of member states, including even my own, even included some critical remarks. But this this abuse of spyware, because let’s be very clear, the legitimate use of spyware is not within the scope of this report. We can easily I mean, we can dedicate one sentence to it, you know, if if it’s used in order to fight crime and terrorism find legitimate, we don’t need to say anymore about it, because that’s not within the scope of this inquiry committee. We’re talking about the abuse of spyware and it is being abused and it’s actually very easy for governments to abuse it because everybody is hiding behind the argument of national security. Then, you know, the the shutters closed. We get no more information and governments sort of unilaterally give themselves unlimited powers to use it. That is the problem. It is happening right now. And I think Mr. Arłukowicz, who was left again, he has rightfully indicated that new facts have come to light in Poland and new facts are coming to light in various member states almost on a daily basis. It is a threat to our democracy. That is why we’re doing this. And let’s let’s also not forget the spyware has been used to target members of this House, colleagues belonging to different political groups coming from different countries. Colleagues of this House have been targeted with spyware. Officials of the European Commission have been targeted with spyware. Possibly partially by by third countries, but also by political parties, government parties within the European Union.

Now: If we all agree that this is a disgrace and a threat to our democracy, then we also have to be coherent and consistent and be willing to, first of all, investigate what has happened. And secondly, we have to be willing to propose measures. So, you know, I I’m going to to bend over backwards to get to a compromise amendments that are going to command a broad majority. But I can tell you, not against any price, I’m not going to gut the whole reports into a resolution just to get the signature from everybody. We all know that there is a fairly solid majority that supports the general lines. And I think we have to be you know, we’re all mature people. We’re all grownups. We can we can face some uncomfortable truths even within our own political families and our own countries.

Now: A couple of remarks that were made on the moratorium, which has become a kind of she mirror almost. I have not, and I’m saying this specifically to Mr. Bilčík, I have not proposed a blanket moratorium unconditional. It’s conditional. And I’m also already elaborating ideas that will make it possible to have, on the one hand, a moratorium, but without the interruption of the legitimate use. I think that is possible. There is a landing zone. But to say, you know, oh, we think it is terrible that governments are using or abusing spyware, but they can, as far as we’re concerned, they can continue to do so and we count on them to stop it. No, they won’t stop it because, you know, they benefit from the abuse of spyware. They use it to consolidate their power base. They use it to hide corruption and crime. So they have absolutely no interest. And we should also remember that we can call for a moratorium. It ain’t going to happen just because it’s in a resolution of the European Parliament. So I think we can fairly safely take a very clear position.

Secondly, on national security, national security is a national competence. That means that the member states can organise their national security structures in any way that they please. What it does not mean is that they can unilaterally declare that anything is national security and therefore the normal rules don’t apply anymore that they cannot do. The European Commission, even the European Commission, which has been hiding under the table ever, ever since this scandal erupted. But the one thing they did was write a letter to a couple of member states reminding them, stating very clearly, national security is not a blanket exemption from the normal rules. And there is actually specifically (incomprehensible) on surveillance. There is case law from the European Court of Justice that makes it very clear that surveillance takes place actually within the space created by, I believe, Article 15 of the ePrivacy directive and therefore which is an exemption to the confidentiality of communications and therefore the Charter of Fundamental Rights applies. Member States have to respect that.

And there are a couple of member states like Hungary, which we visited just a couple of weeks ago. They actually have a definition, a legal definition of national security, which is in principle good thing. Problem is, in Hungary, so broad, it could be anything. So we have to make sure that, you know, it’s more limited.

And I would also like to say on national security. Dear colleagues, if you scrutinise closely the text of legislation that we have passed over the last 20, 22 years, since since 911, and check how often that legislation in the, you know, the preamble and the justification, it refers to national security as a kind of quasi legal base. You’d be surprised. It’s being used the whole time by the European Commission to make legislative proposals. And nobody, nobody cares.

So another remark did I underline again, as I’ve done many times before, that no two member states can be compared? There may be big problems in some of the member states, smaller problems in some other member states, but every situation is different. The context is different. So we’re not saying, you know, Member State X is exactly the same as member state Y, while in a member state X is offended because they think in Y is much worse. But let’s just look at the problems that occur in the European Union and, you know, member states as a part of that European Union.

First on third countries. Yes. This is, of course, an important topic. The problem that we have when you’re talking about scope is there’s not a whole lot we can do to regulate third countries. I mean, we can make we can regulate. And this is why I have proposed not to just regulate, but also to align closely with the United States so that we can use our combined power, also our market power to to influence the markets and to trade in and use of of spyware. But we also have to be realistic. It’s not because we we adopt a resolution that certain countries are going to suddenly not target us anymore, but just it’s an important topic.

Mr. Bilčík also said there are certain things out of scope, like remarks about the taxation regime in Ireland. It’s not out of scope. If you’re describing the how the markets are, how the industry functions. This is very, very relevant. As a matter of fact, in Ireland, a committee has actually been set up to deal specifically with the issue of spyware, and they’ve recognised that there is a connection between, you know, spyware companies. I mean, they’re using the internal markets and that’s that’s that’s a factor because one thing that I haven’t mentioned yet is that the abuse of spyware by EU governments is one problem. Another big and growing problem is that the European Union as a whole is becoming a kind of spyware vendors paradise. You know, it’s very, very comfortable to be established in the European Union where we have strict rules, but lax enforcement, to put it mildly. And we are becoming the hub of the trade in spyware. And the stuff is being sold to very dodgy regimes outside the European Union. And it’s being used against, you know, by by those dictatorial regimes against their own citizens. If we are coherent with ourselves and we are going around lecturing the whole world about human rights, that we should also be willing to look at this issue. And as I said, I mean, I’ve mentioned Ireland, and I think the Irish government itself into Parliament are actually you know, they are themselves looking into this issue. So I don’t think that we are finger pointing here, but just underlining a problem.

On redress to victims. Yes, absolutely. But, you know, we cannot on the one hand say, okay, we cannot touch no moratorium, we cannot touch national security. We don’t want to regulate the use. We don’t want to regulate the markets. Member states can pretty much do what they like. How are we going to offer remedy or recourse to victims? Besides, the problem here is not just victims, the individuals. The problem is, is that it’s undermining democracy. That’s the problem. And I think Mr. Arłukowicz, you know, again underlined how how is being used as a as a political tool to manipulate elections, spy on the opposition, to manipulate and intimidate the opposition. So it’s not just the individuals who deserve remedy. It is the our democracy that we have to preserve.

Then finally, I would like to make one remark about how we work here. It was already a challenge to to get an inquiry committee in the first place, because when I first called for an inquiry committee in July 2021, there was no majority. Only when there were new revelations about specific member states, there was a majority. Meanwhile, we started working. We are very diligent. But I also note that… Let’s say there are considerable pressures coming from member states, coming from certain actors. I mean, I have to say that so far I’m not terribly impressed with letters of lawyers threatening with cases. But it is irritating. But I also note inside the inside of this house, if I listen to the tone of the debate.

Look, colleagues, my ego is fairly robust. You know, I can handle it. But there are limits. And we have to be a little bit conscious of the way in which we conduct conduct this debate. I’m getting a little bit tired of all the attempts to discredit me. Question my my intentions. Offend me, you know? Question the method, the procedure. Let’s recognise that this is a very sensitive issue, that we respect each other’s sensitivities, that there are emotions, that their interests and all the rest of it. But let’s keep this factual in a serious and a respectful debate, because then I think we will be able to get to compromises that are going to command broad majority in April and later on for the resolution in June. Thank you.

Jeroen Lenaers (Chair): Thank you very much. Sophie in ‚t Veld. And you know, many of the points that were raised today in your responded to, I’m sure can be addressed in the meetings, the many meetings that you will still will still have. Thank you. Thank you all. That concludes the first point of our agenda. And we immediately continue while we allow our technicians to connect to the remote speakers for the second part. We have, on numerous occasions during our considerations, talked about sort of a European equivalent to Citizens Labs or a European tech centre within the European Union that could do the work for which we now rely on on organisations in third countries.

Panel 2: Exchange of views on a European Security Lab / Research centre on spyware

We had the presentation before of Professor Sartor on his study on Pegasus of fundamental values, and there were many questions formulated by the members two concerning the possibilities to create such a European research centre, and the purpose of the policy hub is to come back with more precise answers to these questions. And this is why Professor Sartor will make a presentation on this topic. And in addition, experts from Amnesty International Security Lab have been invited. Also, Citizen Lab has been invited, by the way, to share their experiences of such a centre and the criteria to take into account when creating such a centre.

So we will have Professor Sartor, who is going to be accompanied also by Professor Pierre Luigi Parcu, who is the Director of the Centre for Media Pluralism Media Freedom in the European University Institute. Professor Rafaela Brigitte, who is Legal Informatics, Forensic Informatics, Cybersecurity and Data Protection at the Law Department of Bologna University. Professor Francesca La Joya, who is a senior Research Fellow at the European University Institute. And Professor Marco Botta, who is also from the European University Institute. And then we will also hear from and I do apologise, but it’s a nightmare for any chair when there’s a original Irish last name. So I will I will try to pronounce Mr. Donncha Ó Cearbhaill, but please correct me if I’m wrong, from Amnesty International tech-lab.

And unfortunately, there was no possibility for our respected friends at Citizen Lab to join at this particular moment. So we will start off by giving the floor to Professor Sartor. It’s good to see you again. This time connected remotely. I’ll pass you the floor to make your presentation. We will then move also to Amnesty International, and then we can have questions and answers by the members. Please, Professor Sartor, you have the floor.

Giovanni Sartor (European Research Council): Thank you very much, Mr. President. I’m very happy to be here with with you, with the committee, and have the opportunity to contribute again. I think that the activity of the committee has played that a fundamental importance in preserving European values against the threats of spyware, spyware. And I think that it would be important to provide a persistent support to the parliament, majority of the European institution, to civil society in addressing this threat, and more generally, the threats pertaining to digital surveillance.

It has emerged that there are many issues that that need to be addressed in order to provide an adequate framework for the use of spyware that in the idea of national security on the legal side, addressing the idea of national security analyses, the remedies that are available or are not available at the national level, the EU level, the international level, and then that are important. The technical aspect, determining what technologies are available for espionage. This is a moving target as technologies are rapidly evolving, what intrusion are taking place with what the facts effects, and then trying to devise what technical solution can be adopted to prevent the intrusions or mitigate their effect.

So to address the spyware issue, a complex combination of the legal, social and technical skills are and the software programs that interfere with the functions of individual devices in particular, so called the device hacking tools are used by all states. So as it was remarked various times during the previous session, it is hard to imagine a blanket moratorium. And we need to find the framework that enables the use of such devices in a way that preserves fundamental rights, democracy and the rule of law. So for this purpose, I think that it would be very useful for the European Parliament and more generally for the European institutions to be able to rely on an impartial centre that can provide adequate legal and technical expertise by tapping on the competence that is available in Europe and and beyond. I think that it is important also to ensure continuity, to have a persistent control over what is happening in order to identify the ways in which spyware is being used, the violations that are happening. And it is also important to have a way of verifying claims and denials concerning what abuses have taking place. And then I think it is important to have the embassy and evolving a comprehensive and updating the matter of existing practices.

And the phenomenon of the use of spyware is an opaque and nebulous. So we don’t know really what is happening. But there are some examples, excellent examples of how some light can be made. So in the Pegasus case, I would like to mention three entities that have played an important and decisive role in making the truth that emerge. So one is that a Toronto Citizen’s Lab and Academic Research lab established at the University of Toronto, which has focussed, which is focussed on the study of digital rights and civil society. The second that is Amnesty International Security Lab, which also has developed the technologically advanced technologies in order to detect the instances in which spyware been abusively deployed. And then we have submitted stories, an initiative involving journalists that has provided widespread awareness on the abuses.

So it has both the Toronto Citizen Lab, the Amnesty International Security Lab, have shown that that relying on appropriate technological skills, it is possible to detect the instances of the use of spyware and identify the technology being used there and evandro maps of the how this phenomenon that is taking place in different parts of the world. So I think that the times are mature to consider a building, also a European centre, a kind of European citizens lab which may exercise this role in particular with regard to what is happening within the European Union, but possibly also beyond any connection, establishing connections with the other centres that worldwide are engaging in this activity.

It seems to me that the centre must have access to top level legal and technical expertise that must be impartial, so that I think it can be a location within the academic communities would be useful, must provide continuity and not so that its activity evolves during during time, must have a networking capacity being a hub that connects the multiple places in Europe where NGOs, academia and other structures are engaging in the deal with not only with spyware or more generally with surveillance and the computer security issues. And I think that one possible setting for such a centre could be represented by the Schuman Centre at the UI and in particular by the Centre for a Digital Society, which is directed by Professor Park, who is also director of the Centre for Media Pluralism and Media Freedom. At the UI there is also the (incomprehensible) of the European Digital Media Observatory, so there is a cluster of initiative in which such a centre could be could be connected.

I must say, however, that the UI and the Schuman Centre at top capacities as far as the legal and the social dimensions are involved, but they lack the technical skills, the technical competence in dealing in computer security and in forensics. Such capacities are, however, available in various places in euros and in particular in nearby at the University of Bologna, that is a centre exist for digital forensics and cybersecurity. And the University of Bologna is also leading the Italian national projects on security and rights and risk management for cyber physical ecosystems.

So I believe that there is the possibility of by in a way, combining these two entities to have the first the nucleus of these set of a centre that a European citizens lab focussed on spyware and more generally on digital threats to democracy and civil society.

Such a centre should be, I think, a kind of harbour as inclusive as possible, so involving adult experiences all over Europe that engage with such such problems. I think that the European Parliament might considering might consider supporting such an initiative maybe through a pilot project as a first experimental attempt. But hopefully this kind of centre could become a permanent asset that would enable the Parliament, the European institutions and more generally the European Member States and civil society to have an awareness of what is happening in the domain of spyware and more generally digital surveillance and an idea of possible abuses, but also of remedies both on the legal and on the technical side. So thank you very much for your attention. I look forward to possible questions. And I really believe that we are at a times of mature for such an initiative and look forward to the continuation of our discussion. Thank you very much.

Jeroen Lenaers (Chair): Now, thank you very much, Mr. Sartor, for your willingness, your renewed willingness to to speak to us is very, very, very helpful for for the work we are undertaking. And we really appreciate it. We move now, and I’ll give the floor to Mr. Donncha Ó Cearbhaill also for your presentation. And please, please correct me if I mispronounced your your name. Thank you.

Donncha Ó Cearbhaill (Amnesty International): Thank you for inviting me here. Now, my name is Donncha Ó Cearbhaill, and I’m happy to be here to discuss the proposal for a European security lab. I lead the security lab of Amnesty International, based here in Germany. And over the past five years, our detailed technical investigations have identified forensic evidence of spyware abuses around the world, including in Hungary and Poland. Amnesty International also led to technical investigations with written stories which exposed the Pegasus project.

I’d like to begin today by contextualising the efforts needed to tackle the spyware crisis. I would also like to frame the vital role that technical research and investigations can serve in achieving transparency, accountability and ultimately remedies for victims of spyware. I would like to conclude my reconditioned contributions today by recommending that the EU is not well-placed to run a security lab as an EU institution. Instead, the EU should finally start using its full force through legislation, political pressure and centre setting to achieve the transparency and accountability we urgently need.

Years of diligent research from civil society, researchers and journalists have exposed numerous cases of human rights abuses enabled by the spyware industry. These investigations have uncovered undoubtedly only the tip of the spyware iceberg. However, these reports are not and cannot be a only solution to the problem. Rights groups cannot be expected to continue playing a metaphorical (incomprehensible), working intently to identify individual cases of abuse. While inaction by EU member states and institutions let the spyware crisis grow larger and more dangerous. Day by day.

Just to be clear, we should not be mistaken here. This is not an external problem where EU institutions are powerless. Spyware is being developed in member states. Spyware is being exported from member states and ultimately it is being abused by member states to target their own citizens. What must put domestically and across Europe the EU’s? Do you really need to start getting its own house in order first? First, you should radically increase transparency on sale, use and transfer of spyware inside and outside the union. The work of civil society researchers would be dramatically improved and eased by meaningful transparency around where spyware is being used by the EU. This includes having meaningful and clear transparency over these export and sale of dual use technologies, including which spyware companies are active in the EU and where the sales are being made.

The EU must also ensure that victims have meaningful revenue avenues of accountability for spyware abusers. And so far we’ve seen this has been severely lacking. We’ve also seen multiple instances, where nominally independent bodies, including data protection authorities and courts in member states, have been obstructed or subverted in attempts to block meaningful accountability into rights violations. We’ve even heard today from other members of the of the committee about the situation they themselves are facing as part of their investigations into these spyware abuses.

To address the specifics of a European security lab. A primary concern of Amnesty International with an EU funded or border security lab would be questions about its independence or its perceived independence as well as its impartiality. As we discussed today, Member States are using these tools, and it’s difficult to imagine how an independent European security lab would not be somehow obstructed or otherwise impinge on its work when member states are carrying out these abuses.

As we’ve seen mentioned earlier, existing European institutions such as the European Commission have themselves not been able to provide meaningful public transparency about spyware attacks, which they themselves were subjected to. It’s really difficult to see how a European security lab would be able to carry out independent and impartial investigations, as well as publicly highlight any abuses on unlawful surveillance tools which are being carried out by member states.

We also see risk that such a European lab could be obstructed or instrumentalized for political purposes. We’ve already seen multiple instances where states and other actors have tried to spread disinformation in attempts to cast doubt on detailed and extensive forensic and technical evidence proving spyware abuses, which has been substantiated by investigations by the committee and by other independent parties. We cannot let these attempts of disinformation distract meaningful accountability and redress for the victims.

The efforts of civil society researchers such as Amnesty International and Citizen Lab are also based on trust that we maintain with the journalists and human rights defenders that we work with. I think it’s difficult to imagine that EU institution which is being supported or potentially interfered with by member states would be able to maintain this trust with the victims and also other partners, which would be necessary to investigate and document abuses which are potentially being carried out by Member States themselves.

If there is a need for greater technical knowledge or advice for the inquiry or for other institutions, there is existing EU institutions that could be drawn on further support, including the European Union Agency for Cybersecurity, as well as the EU CERT, which both have deep technical expertise and could advise on technical areas of legislation or otherwise. On understanding the threats, the threat landscape from spyware and the spyware industry.

To conclude, civil society researchers have done all we can to highlight these abuses. Now it is urgently time for the EU to act until fundamental safeguards are in place. EU member states should focus on immediately putting a moratorium on the sale, use and transfer of spyware and other surveillance technologies until a global human rights compliant regulatory framework is in place.

Thank you. I look forward to taking some of your questions.

Jeroen Lenaers (Chair): Thank you very much, Donncha Ó Cearbhaill. I will open the Q&A session of this point on our agenda. I will start with our rapporteur, Sophie in ‚t Veld, and I would like to invite other members that would like to raise questions to indicate so, so that we can close the speakers. So first, Sophie in ‚t Veld.

Sophie in ’t Veld (Renew): Thank you, chair. But I can be fairly brief. I’m not sure that we we what the purpose or the setup of this particular session is. I thought that we were going to have a debate. But whether we are going to, in addition to what we are going to recommend in a resolution, is setting up a centre of expertise, etc. I thought that we were going to talk about ways in which we can more rapidly, even before, you know, we have to go through the whole legislative process, which is going to take years to take practical steps in order to create a central point where citizens can turn and have their phones checked. But it should also be at the same time centre of expertise and and research and and development. And as my neighbour just rightfully pointed out to me, there are going to be several elections taking place in countries, including in countries where we have concerns about the abuse of spyware. And we know that Citizens Lab is a) overburdened and b) not in Europe and see under attack from some people trying to discredit it and challenge its authority.

So how are we going to set up a kind of hotline quickly where people can turn inside Europe and get gets good support? I think that’s the and then in the longer term, we can we can think about what the exact mission of a centre should be, what its status should be, who should participate and where it’s going to be. But I think we should also talk about how are we going to create a kind of hotline or service desk, maybe rather where people can turn to immediately.

Jeroen Lenaers (Chair): Thank you. Thank you. Fair point. And let me just mention that something I should have said in the beginning. The reason why we decided to do this now is because, of course, everything always takes time. So also setting up something of this scope with this purpose will take time. What we were considering is that March is the month where the Parliament and the committees of the Parliament can table ideas and suggestions for pilot projects. Now the bigger committee has a committee of inquiry, cannot ask for such budgetary implications itself, but through the regular committees, the standing committees of the Parliament, pilot projects can be requested or proposed.

So we thought perhaps if we organise this now we have a little bit of a debate on how such a centre could look to look like, what kind of criteria would be necessary, what kind of ideas we should include there. Then we could perhaps feed this into the requests for proposals for pilot projects of the standing committees to get a budget to get started. And we cannot do this ourselves, but there is deadlines there as well. So we thought we do this today and then we see as a as a conclusion of today’s meeting whether we can as a figure committee, for instance, request the Labour Committee or colleagues in the lead committee to ask for a pilot project with a guaranteed budget so we can get started a little bit quicker instead of going through the whole procedure. So this is what I wanted to to, to underline. Yes, we.

Sophie in ’t Veld (Renew): Just I think that that’s certainly not a bad idea. But I would just like to point out that even because I’ve done some of those pilot projects, even then, it’s going to take several years because it would it would be adopted for next year’s budget. But the commission then has time to to implement, usually also take its time. But I do think I mean, you know, there’s so much money going around for almost everything at the moment for health crises and war crises and inflation crises and all sorts of crises. This is a crisis of democracy. And I think in itself, it doesn’t have to cost a lot of money. But if we want it to be useful for, for example, in the election period and this year, then I think it has to be something slightly more rapid, lean and mean and improvise. But it can be in addition to what you’ve just proposed.

Jeroen Lenaers (Chair): And I’m I’m, I’m always a big fan of of of rapid lean mean to improvise is just that it often shows when we’ve come up with rapidly mean and improvise ideas we run up against the whole well so so very happy to to look at what other ways we could do in order to get this started. Whether we should also perhaps address this to the Bureau of the Parliaments again, where I know that the previous vice chair of the Parliament was looking into, at least in the context of the European Parliament, to set something up. Now she is no longer a vice chair of the parliament, so this could be an option. But I think there was a wide agreement within the bigger committee that such a centre would be a useful addition. So we were just looking for ways to accelerate the establishment of such a centre. But in order to do so, we would also need a little bit more of an in-depth discussion of what what it would look like. What kind of criteria should we be there? And this is why today we also wanted to have that a little bit more in-depth discussion. And I’m always open for any suggestion about how we can do this more, more rapidly. Hanna Neumann, you also wanted to come in on this particular point.

Hannah Neumann (Greens): I was about to make the same statement such as Sophie. So if we run into the pilot project, I mean it’s only going to be decided by the end of the year at best, and then everyone starts implementing it. So it’s not really going to help us. So I was also rather hoping for an exchange, maybe even with people from the commission, that helps us understand how we can speed it up because, I mean, sometimes things are built faster, but we can also discuss, like now on the content of what it’s supposed to be. But on that we all tabled our amendments and very few colleagues are here. So I’m just wondering how we want to use now the time for the discussion.

Jeroen Lenaers (Chair): The the point is, if we want to if we want to have a development with regards to such a centre. We need to also have some sort of a common idea of how it should look like. And the idea was that we need to do to accelerate this. So that means also that we do not want to wait until we have a agreed compromise amendment voted in the Parliament that requests this. So in order to do so, I think it’s helpful to to hear from the experts, from amnesty and also from the professors about what we should look for. And then we can use this information to together accelerate the the procedure within the possibilities that we have, because, of course, we can want as much as we want, but we need the help and the finances of other bodies, whether this is from the European Commission so far in our exchanges with the European Commission, this has not been something that has been very warmly embraced, whether it’s from within the Parliament. We need to look at how we can activate this from from our political groups and from the committee. But we also need a little bit of a more in-depth discussion on what it should look like and what it should do before we go into that. So I’m not sure we’ve heard the presentations of the two speakers If there are any substance questions on the substance of the presentations, then I would suggest we do this. And then afterwards we see how we can accelerate the work that in great majority we want to do on this. So I see there is questions on the substance by Hannah Neumann. One, I’m not sure. And I passed the floor first to Ms. Neumann.

Hannah Neumann (Greens): Thank you. I mean, one of the key problems in all of this financing will be do we get support from EU member states? So our EU member states willing to have an EU body. That helps in terms of investigating people’s phones, that helps in terms of gathering evidence, that helps in terms of collecting evidence, that then could also be used, for example, for legal processes in others. And I’m pretty sure EU member states will not accept this because they may see that as an infringement of whatever. So we will find other ways. We will have to find other ways in terms of the financing.

Yet now on in terms of what should such a lab do, I think we amongst us are pretty clear that it would be useful that such a lab helps people to investigate in their smartphones to screen the the smartphones of people who suspect that they have been targeted by spyware, which is a service that we as members of parliament have right now. And I think it should be extended basically to all EU citizens if they feel they have been spied upon.

I also think it would be important to have such a union tech lab that regularly reports on use and misuse of spyware inside the European Union. At the moment, as I said previously, we rely on Citizens Lab, which is in Canada and on Amnesty Technical Tech Lab, which is an NGO. So I think it would be useful that we actually find something that provides us with these kinds of service, including providing expertise on how to improve legislation and so on. There’s one question I would have to the two speakers, and because as I said, there’s Amnesty tech lab, for example, that does research and also screening of phones. I know that there are a number of universities in the European Union that also do research on the subject matter. For one, I think whenever we build up such an institution, we should make sure that also support to independent university research and others continues because they are much freer in the kind of work they do than, for example, government financed bodies. But how do you think should the integration, cooperation, collaboration with all these independent actors and entities that exists already all over the European Union in such a tech lab look like.

Jeroen Lenaers (Chair): Thank you. Yeah. We’ll ask the the interlocutors to respond. Then we will pass the floor to to you, Mr. (incomprehensible). And so first, Mr. Sartor. Professor Sartor. Sorry.

Giovanni Sartor (European Research Council): The specification of the at tasks of the lab. This will help individuals to determine whether their phones have been hacked, whether an intrusion is taking place, and then provide reports on the use and misuse of of spyware. So mapping what is happening in Europe and then and providing suggestions on the legislative and technical measures that may be useful to prevent or mitigate abuses.

I would add also maybe also to help people also in understanding what kind of remedies are available and legal remedies are available currently and what the progress can be made can be made in this regard. Concerning the way to establish a collaboration, I think that the the centre should be a hub and it should involve all the research centres, both within the academia and outside of it, that are interested to contribute to these to this task. As I said, we have some experience in similar initiatives within the UI. Maybe Professor Parcu who’s here, could give us an idea of the more precise that what they can do on how such a kind of cooperation that can be established.

And then I believe that also the values, the tasks that are that are assigned to the to the centre can then be delegated to the values, academic or non-academic entities that are affiliated. I think that this initiative could be started quite quickly by relying on an existing structure that experiences both, for instance, in the UI and on other and in particular academic institutions in in Europe. So if there is a clear mandate for the Parliament, I think that the progress, the progress can be, it can be quicker.

Jeroen Lenaers (Chair): Thank you. And you suggested to also let Professor Baku take the floor if I’m. Not mistaken. So if we could get him connected.

Parcu Pier Luigi (Centre for Media Pluralism and Freedom): Yes. Good morning. Well, what I can say: We have clearly an experience on relation with the weather, say the centre. So in some of our research activity, like the Centre for Media Pluralism and Media Freedom, in which this centre is based on the European University Institute. But we have local teams in all Member states, plus all the candidate countries. This local teams are very often unique from universities. Sometimes they’re also INGOs. It depends on the country, the situation on this, but those we can reach in there for the media pluralism monitor that we go very very it is despite the. Is used in the exercise of the rule of law. One of the elements that we call it is the issue of the safety of journalists, in particular the digital safety of journalists. This is an element of the evaluation of the risk for the pluralism in Europe.

So, there are clearly expertise in the Centre for Digital Associated that we are now expanding in Florence at the European University Institute. We have now received the new teams. So like I would say, human autonomy, respect to digital development and other kind of things, like social cohesion or political political influence over the Democratic debates. So this kind of issues that we are dealing the two facing here could well be introduced in this kind of activities. So obviously they require an organisational effort and cooperation. We thought that the centres, the universities and the NGOs that are already working on this. But clearly we have a tradition to organise links, so that’s a possibility, but obviously it depends on the mandate. Thank you.

Jeroen Lenaers (Chair): Thank you. Thank you very much. And then also to Ó Cearbhaill for some reflections. If there is something you would like to add to this.

Donncha Ó Cearbhaill (Amnesty International): There is research where such as a lab could be of benefit. And these to our one is strategic research, and it is tactical research and investigations. So I definitely see a role for either academic or an EU body to do broad level research about what are the kind of threats that are out there, where these tools are being used, what are developments, and also investigating the known cases of abuses and trying to raise awareness about how these how these tools are being misused and helping to, you know, do what is necessary in terms of advising on legislation or otherwise regulation to to prevent these abuses.

What I think would be more difficult for this lab would be to work on the tactical research, technical research and investigations. Wanting to be aware of about these kinds of forensic forensic work is that this is is not investigations to measure a fact of nature. This is ongoing investigations to find evidence of abuse, which is, in practice, an arms race. Every time researchers like Amnesty International assistant lab find evidence of spyware abuse. And we publish reports about how this abuse is occurring, the companies and the actors who develop the spyware are making efforts to avoid getting these abuses detected in future.

So they’re changing their indicators of compromise. They’re changing how their spyware works. And so from our point of view, it’s constantly an arms race where we need to always be understanding the next threat, understanding the next matter of attack, and trying to keep this knowledge confidential from the from the attackers and from people who are abusing the spyware to maintain our ability to to find these abuses. So in that sense, I find it difficult. I think it will be difficult to get open transparency and sharing of this kind of tactical information about how attacks are actually happening. I find that very difficult to see how that would be shared with either an EU student body or with member states who they themselves may be parties to the abuse as it states or friends discover how these attacks are being detected, they’ll simply try to change it to avoid the abuses being discovered. And that really makes it difficult to be fully open and fully transparent. And how these attacks are detected as in what other kind of scientific methodologies.

Jeroen Lenaers (Chair): Thank you. Mrs. Thun and Hohenstein.

Róża Thun und Hohenstein (Renew Europe): Thank you, Chair, and thank you for your presentations. I also come to today’s situation and to the fact that we are spied upon and that politicians are spied upon and we have more and more cases, journalists, etc. And we don’t do anything about it in the European Union. Well, I will repeat what Sophie has just said. We have a year with several elections in several countries and the danger is very high that those elections can be through the spyware, manipulated, influenced as they were last times. And there are clear proofs that the result of the elections was different than it would be without without them. The cases of spying on persons who are crucial in the elections, for whom I don’t know the leaders of the electoral campaign, of opposition parties, etc. And there are more and more such cases which we disclose, and we cannot just look at it without doing anything. So here I would reiterate very strongly the fact that we need some solution ad hoc and otherwise the situation will be repeated, I’m afraid, very much.

And of course the idea with the pilot project is very nice, but it will last long. But we have already institutions here, in the member states or in European institutions, that could maybe before we start. I see this as a potential. Three steps: We need a solution for now, immediately. We need the pilot project and we need such a hub or centre as you describe it forever, that will have several functions and also analytical, etc.

But when they see here we have Professor Sartor from the European University Institute in Florence, and this institute, as far as I know, is already financed by European funds and has fulfilled many of our needs. And maybe it could also have an additional function, namely this ad hoc analysis or a checking of the equipment of, I don’t know, politicians, journalists, opinion makers, whoever, I don’t know, I’m thinking loud. Another thing is we already have Europol and they have a unit, cyber crime unit. Why not using them? Amnesty International has also a centre in Berlin, which is already very capable. We have already a lot. Maybe we really should see the responsibilities on us, if the democracy will win this year in Europe or not. Maybe we really should see what solutions we almost have almost on the table and do a special procedure to secure democratic elections at least. To put it bluntly, at least to secure democratic elections this year and continue, of course, elaborating the idea of the pilot project, which seems to me very reasonable. And then, of course, of this hub which you have just presented here. Thank you very much.

Jeroen Lenaers (Chair): Thank you Roza Thun, and thank you for thinking out loud. That is always, always leads to good results. So to to both, the question is basically the idea of what their own organisations like the European Union issued an amnesty could could do more of what they would need from us to do more. And also about the role of Europol in this regard and already the the structures that we have in place. So maybe also I give to the floor firstly and to Professor Sarto.

Giovanni Sartor (European Research Council): Thank you very much. Hmm. I think that I would like first to say that the European University Institute is financed by the by the European Union, and in particular the Schuman Centre has project by the European Union. But this is an independent academic institution. So the kind of worries that were raised the concerning the possible influence by member States and other interests, I think that could be should be overcome by an appropriate design design of the centre. And I think that we should then investigate all options if (incomprehensible) we could consider some more and more quick, quick, quick action that involves the maybe the, the agents that were mentioned by Ms. Thun, that is Amnesty International and, and Europol and also in this case the UI may engage in a kind of coordination role by tapping the resources that are available through these to these entities and maybe also some academic lab which is already active in the domain, in the domain of spyware, of unlawful intrusions. And so whatever I I’m not I don’t have the competence to identify the appropriate administrative arrangement within the European institutions. But then whatever comes out, I’m quite confident that we can develop an appropriate and appropriate solution.

Jeroen Lenaers (Chair): Thank you, Ó Cearbhaill.

Donncha Ó Cearbhaill (Amnesty International): Thank you. Thank you for sharing these points in terms of what support is needed right now. I agree that there’s far too many researchers working in this space, and I know that our team and (incomprehensible), I remember, is overwhelmed with the amount of cases and the other pieces that are coming in day by day. I think what’s really urgent is that civil society partners can identify, you know, the canary in the coal mine. We can show that these abuses are happening, but we cannot solve this problem by. And what’s really crucial is that EU institutions of member states really take dramatic action to stop these abuses and to reign in this industry. There is a lot of tools at the disposal of the EU to prevent this. These tools are being exported and to really push Member States for transparency and accountability on the cases that have already been discovered.

And this is something that we really need to focus on as a priority instead of our and not let that slide in this in scope. Looking for four new cases of abuse. We’ve already seen enough in terms of working in this space. I think it’s also important that existing partners are working with and collaborate with. This is a very niche area of research and it takes a lot of resources and expertise to get an understanding of how this technology is working and how to detect the technology. And so I would hope that if there is an EU institution that would work collaboratively with other bodies, whatever from industry or civil society, who are already trying to tackle this problem.

Jeroen Lenaers (Chair): Thank you. Thank you very much, Ó Cearbhaill. So: I understand also from the European University Institute that short term progress is possible if we get our heads around the administrative procedures, etc. I don’t think that is necessarily the topic to have a fully fledged committee debate on here at the moment, but maybe it could be helpful. Also, together with the policy hub in an informal setting to to have a look at what we can do in the short term, basically based on Roza Thuns three point method saying something for the short term, the pilot project for the mid-term, and then look at how we can develop this into the long term into something structural and sustainable. But the the the overwhelming point made by the colleagues here present today is that we need something that is quicker than just a pilot project or a general procedure in a normal institutional way of doing. So I would maybe together with some actors within the Parliament, have a bit more of an informal debate about this to see how we can channel that into something productive.

If there are no other questions here, for the moment, I just really like to thank Professor Sartor and Ó Cearbhaill for their willingness to be with us today. As you understand, there is this is a very interesting topic for debate for us, but we also will not really have our own heads around how exactly we we can play a role here. So so your input is very valuable and I hope we can also rely on that input for the foreseeable future and then we will be in touch. Also, to reach out to you to see what we can do together.

Thank you very much and thank you to all the colleagues for being with us this morning for the whole session. I would just like to announce that our next meeting is foreseen on Thursday morning in Strasbourg next week, and I look forward to see you all there. Thank you very much.

Deine Spende für digitale Freiheitsrechte

Wir berichten über aktuelle netzpolitische Entwicklungen, decken Skandale auf und stoßen Debatten an. Dabei sind wir vollkommen unabhängig. Denn unser Kampf für digitale Freiheitsrechte finanziert sich zu fast 100 Prozent aus den Spenden unserer Leser:innen.

0 Ergänzungen

Wir freuen uns auf Deine Anmerkungen, Fragen, Korrekturen und inhaltlichen Ergänzungen zum Artikel. Bitte keine reinen Meinungsbeiträge! Unsere Regeln zur Veröffentlichung von Ergänzungen findest Du unter netzpolitik.org/kommentare. Deine E-Mail-Adresse wird nicht veröffentlicht.