A Struggle for Fundamental Rights

Europe vs. Spyware

February 28, 2023
Romain Bosc
Charles Martinet
8 min read
Photo credit: jivacore / Shutterstock.com

The alleged abuse of spyware by European government agencies constitutes a threat to civil and political rights. The extensive use of these intrusive technologies is blurring the line between legitimate hacking to combat crime and terrorism, and the possible arbitrary surveillance of journalists, activists, and political opponents.

The European Parliament’s PEGA Committee was established in March 2022 to investigate the use of surveillance spyware. It is already looking into reported cases of human rights violations in at least four EU member states and shedding light on the spyware industry’s wide-ranging ramifications. While some EU countries serve as export platforms or offer spyware vendors advantageous fiscal and banking conditions, other member states act as commercial hubs. Prague’s "Wiretappers Ball" trade fair gathers vendors and buyers, most of which are government agencies.

The committee’s first draft report, released in November 2022, states that national governments are “deliberately ignoring and violating EU laws” and emphasizes a general lack of transparency, redress, and oversight mechanisms to ensure a proportionate use of spyware by national intelligence and law enforcement agencies. Among the committee’s draft recommendations, published in January 2023, are an immediate moratorium on the use and sale of spyware, clear limits to “national security” exemptions under EU law, and reviews of national surveillance practices.

However, the oversight of intelligence services in the EU is most likely to remain a primarily national competence since member states will not surrender such authority to Brussels or any international entity. EU lawmakers should consequently focus on trade and internal market legislation, both of which are within their mandate to regulate the spyware industry. Any initiatives that yield more transparency on government development, purchase, and use of spyware would be welcome and set an important precedent. Such efforts should also include boosting EU cooperation with the technology industry and international democratic partners.

Everyone Wants to Watch

Existing EU laws tend to protect user privacy from indiscriminate surveillance, but spyware can squeeze through many legal loopholes. Government agencies regularly invoke “national security” exemptions to justify the deployment of spyware and dismiss any allegations of abuse. But this only reignites the debate about what constitutes legitimate restrictions of fundamental rights under EU law. The EU Agency for Fundamental Rights warned in 2015 that the unclear delineation of “national security” had repercussions for the applicability of EU law and noted shortcomings related to the oversight of surveillance practices across the EU. Recent scandals have heightened these concerns and put the legality of powerful device-hacking tools, such as Pegasus, into question. Such tools can remotely extract all data from a targeted mobile phone without the user even clicking on a malicious link or attachment.

Experts have argued that any restrictions on fundamental rights must fully align with the principles of legality, necessity, and proportionality established by the European Court of Human Rights, the Court of Justice of the European Union, and the Venice Commission. Similarly, civil society representatives have called for clear and strict legal standards. European Digital Rights, an NGO, has also called for an EU-wide ban on spyware technologies that “excessively interfere with fundamental rights”. Such an outright ban, however, may be politically difficult to impose and even more difficult to enforce unless the European Commission ensures that no member states circumvent the rules.

PEGA’s draft recommendations include a common legal definition of national security at the EU level, alongside an immediate “moratorium on the sale, acquisition, transfer, and use of spyware” that only the Commission could lift for a member state that has demonstrated responsible and legitimate use of spyware. PEGA also recommends that surveillance activities should be subject to prior judicial authorization, clear limitations, and independent oversight. Targeted citizens should also have access to legal redress and be notified after the surveillance period, while certain professionals including lawyers, journalists, politicians, and doctors should be subject to additional protections.

The main hurdle is that any initiatives related to national security, if they are to succeed, must be coupled with a broader discussion on the division of authority between EU institutions and member states. Granting the European Union Agency for Law Enforcement Cooperation (Europol) more investigative powers would likely be perceived by national agencies as encroaching on a crucial area of their sovereignty. Such a proposal would require profound reform of Europol’s legal basis and relevant EU treaties. With several national authorities already refusing to participate in PEGA’s activities, European officials should prioritize more pragmatic ways to tackle spyware proliferation.

Keeping an Eye on Spyware

The spyware industry’s presence in Europe is growing. PEGA’s initial draft report notes some spyware industry players moved part of their operations to the continent from Israel after the country, well known for its booming surveillance technology sector, tightened its export rules. These vendors engaged in “license shopping”, or selecting the jurisdiction most conducive to their businesses. Their choice in this case allowed continued access to the EU internal market. Some vendors now even label their products as “EU-regulated”. Cyprus and Bulgaria are among member states that host subsidiaries of major vendors, such as the Israeli NSO Group, that benefits from export licenses in possible violation of EU law.

Restricting exports, however, is just one dimension of a much broader issue. Member states should also closely monitor their domestic markets and imports. The European Data Protection Supervisor (EDPS), in fact, suggested strengthening the EU Dual Use Regulation to condition exports and imports on fundamental rights in the country of destination or origin. PEGA draft recommendations support including a broader interpretation of the definition of cyber surveillance items to capture different types of spyware technologies and to ensure that the Commission has the resources to enforce a recast Dual Use Regulation.

Another method for curbing spyware proliferation involves policymakers’ examining the technology’s deployment and use. This entails improving overall digital security and, in particular, the way government agencies handle software vulnerabilities. EU cybersecurity agency ENISA defines spyware as “a type of malware that spies on a [user’s] activities without their knowledge or consent”, adding that “spyware is usually spread as a Trojan, or by exploiting software vulnerabilities”. PEGA recommends more stringent regulation of the discovery, sharing, patching, and exploitation of software vulnerabilities, and banning commercial trade in security vulnerabilities. This, too, would require subjecting government agencies to more transparency and independent oversight of their use and exploitation of digital vulnerabilities for surveillance purposes. Civil society organizations are also calling for more action in this area, such as ensuring that national legislation protects security researchers from criminal and civil liabilities for finding and reporting vulnerabilities. More public funding would also help these researchers, or “ethical hackers”, to patch vulnerabilities before spyware operators exploit them.

The tools and methods used to intrude into people’s digital lives are constantly evolving and are in increasing demand. Unsurprisingly, the number of companies operating in this market is booming. The EU should respond to this by imposing due diligence operations, or “know your client (KYC)” reporting obligations, on vendors. This would allow systematic tracking of commercial spyware relations and government purchases of spyware products and services.

A Multistakeholder and Transatlantic Effort

Civil society and industry have been at the forefront of alerting public opinion and policymakers to spyware proliferation. They have urged responsible state behavior and regulation, filed lawsuits against spyware vendors, and provided assistance to victims. These actions reflect the importance of multistakeholder cooperation, especially since most advanced skills and expertise reside within technology companies. Enhancing cooperation between governments and industry in cyber threat intelligence would also help better track nefarious actors.

All the aforementioned issues must be part of a broader debate about EU measures to enforce rule-of-law principles and reconcile privacy and security in a digital society. And since such measures have implications for internal and external policy, the EU and its allies, especially the United States, should collaborate more closely on setting higher standards for national surveillance practices while keeping the spyware market in check. One first step would be for the EU and the United States to develop a common approach to spyware export licenses and due diligence. This would set an important precedent and help exert more pressure on other trading partners, such as Israel, to follow suit.

Several US government departments have reportedly purchased Pegasus, yet Washington has announced measures to limit official access to the software and better monitor spyware proliferation. The Commerce Department’s Entity List, which governs export controls, has been expanded to include spyware vendors, and President Joe Biden is said to be preparing an executive order that bars the American government from using “commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly”. A bipartisan bill recently introduced in Congress also mandates the director of national intelligence to provide a clear assessment of the risks posed by foreign commercial spyware and potentially ban US intelligence services from using it.

To tackle these challenges, Brussels and Washington should work together to create a whitelist and blacklist of spyware vendors. Both capitals should also consult industry and civil society organizations in this process, especially while the EU-US Trade and Technology Council is expected to issue guidelines for export controls for dual-use items.

The PEGA Committee will conclude its activities in June 2023, following a plenary vote on its draft policy recommendations. Although the vote is nonbinding, approval will send a strong signal to the European Commission and EU governments to act. In the meantime, the PEGA Committee has already scored a victory. The impressive array of materials it has gathered can only contribute to raising public awareness and pressure for greater protection of users’ fundamental rights and from cyber mercenary activities.

Charles Martinet is a research assistant at the Center for European Policy Analysis.

The views and opinions expressed in the preceding text are those of the author(s) and do not necessarily reflect the positions of the German Marshall Fund of the United States.