EU action needed to tackle spyware abuses after Pegasus revelations
As the European Parliament today debates the Pegasus spyware scandal, the undersigned partners of the Media Freedom Rapid Response (MFRR) call for an immediate investigation into the alleged use of the spyware against journalists by Hungarian authorities and urge the strong implementation of new EU rules on the export of cyber-surveillance technology around the world.
Revelations by the Pegasus Project that at least 180 journalists in 20 countries had their phones infected by the NSO Group’s spyware underscored the need for urgent action by the international community to tackle the unregulated spread of such technology and to create safeguards for the protection of human rights, including the freedom of the press.
Within the European Union, credible allegations indicate that Pegasus was illegally deployed by Hungarian intelligence or national security services in 2018 and 2019 against at least five journalists, including András Szabó and Szabolcs Panyi from Direkt36, one of Hungary’s last remaining independent media outlets. Fresh revelations surfaced last week when Hungarian media reported that Zoltán Páva, the publisher of the news portal Ezalenyeg.hu and former Member of the European Parliament, had been surveilled using Pegasus as recently as May this year.
Last week it was also revealed that the German Federal Criminal Police Office (BKA) secretly purchased the technology from NSO in 2019. In France, prosecutors are probing allegations that journalists from media outlets including Le Monde, Agence France-Presse and FRANCE 24 were surveilled by Moroccan intelligence services using Pegasus.
The failure to control the acquisition, trade and use of such intrusive technology inside the bloc means that the number of EU member states to have bought Pegasus or other similar cyber-surveillance technology remains unknown. Current estimations may represent the tip of the iceberg. This opacity poses significant threats to journalistic sources, privacy and safety, undermines media freedom and constitutes a clear failure by the EU to close the gaps in its regulatory framework.
As Parliament debates the matter, our organisations again urge the European Commission to conduct an independent and impartial investigation into alleged abuses by the Hungarian authorities against journalists and others. The Commission must establish the extent of Hungary’s use of Pegasus, identify what safeguards have been implemented and react to any abuses. Until such an investigation is carried out, the Pegasus revelations will continue to undermine journalists’ safety and have a chilling effect on what remains of independent media within the country. Robust and effective legal protection must be guaranteed within EU member states against unlawful surveillance by domestic intelligence, national security and law enforcement agencies to guard against human rights violations, including the right to freedom of expression and the right to privacy as protected under domestic, European and international law.
At the same time, the EU needs to protect journalists from illegal surveillance outside as well as inside its borders. Reports by NSO that suggest that EU member states Cyprus and Bulgaria granted export licenses for its technology are also deeply disturbing. While Cypriot authorities have denied to the Commission that it has any export links with NSO, the assurances remain unsatisfying. Meanwhile, the response from the Bulgarian authorities has yet to be disclosed. The Commission must renew its engagement with the relevant authorities in Sofia to seek immediate clarity. If confirmed, immediate action must be taken to revoke the export license and establish how and when it was granted.
EU member states themselves have a role to play. On September 9, after a decade of negotiation, new EU export controls came into force with the Recast Dual-Use Regulation, which among other things aims to strengthen controls on the international trade of so-called “dual-use” cyber-surveillance tools. The MFRR urges all 27 member states to swiftly implement this landmark regulation and to collaborate in a transparent manner with the Commission on the sharing of information involving the export of such surveillance tools from the customs union.
The subsequent annual report prepared by the Commission under this regulation should act as a much-needed tool for holding the national authorities authorising the sale of this technology to account. It will also lift the veil on the potential sale of spyware tools by commercial actors based in EU member states to authoritarian regimes around the world. For too long the industry has been able to escape proper oversight and regulation. The Commission should closely monitor and enforce states’ adherence to the new rules. Moving forward, more frequent compilation of information and updates about the buying and selling of advanced surveillance tools may be required to address a fast-changing market.
Despite the modest advances in rights protection in relation to the licensing of these technologies for export from the EU subsequent to the entry into force of the recast dual-use regulation, there evidently remains the need for an internationally applicable regulatory framework that can prevent, mitigate and redress the negative human rights impact of surveillance technology. Until this is in place, we continue to call for a global moratorium on the sale and transfer of spyware technology. The European Union should lead the way on pushing for international agreements on the freeze of sales of these cyberweapons around the world.