
Surveillance: after Pegasus and Predator, the EU is (slowly)…

While the European Parliament’s Commission enquires into the various states where surveillance technologies have been commercialised despite the bans, the emphasis remains on civil society and digital security.

 

Interview with Lorenzo Bagnoli of IrpiMedia by Paola Rosà

The new technological scenarios entail unprecedented challenges, like the Pegasus case with dozens of journalists, activists, and human rights defenders subjected to surveillance and wiretaps. The EU has responded with the Commission of Inquiry of the European Parliament on the amendments and the regulation on the export of civil and military dual-use technologies. The European Data Protection Authority (EDPS) itself was unequivocal in its analysis published on 15 February 2022: it is not just about the right to privacy and the violation of privacy – fundamental freedoms as well as democracy and the rule of law are also at stake. For this reason, the Authority had recalled, “the entire system of safeguarding our fundamental rights and freedoms must be rethought, because they are endangered by these instruments”. The measures suggested by the EDPS include some changes to the export regulation, so as to “condition the export of technologies suitable for digital surveillance on respect for fundamental rights and privacy”.

 

Now that several months have passed since those concerned declarations, now that the regulations and reports have been published, many doubts remain about the actual guarantees and protections, while the intra-European surveillance market, which an investigation by IrpiMedia defines as “a black hole”, appears to thrive.

 

We talk about it with Lorenzo Bagnoli, senior reporter and editor at IrpiMedia.

What is the focus of your research?

The global surveillance industry. One of our objectives is to understand how the relationship between countries producing and importing surveillance technologies works and to analyse money flows, to look for those who finance this world.

 

IrpiMedia is an independent, non-profit transnational investigative journalism outlet that covers organised crime, corruption, environment, migration, and justice. How did surveillance enter into the picture?

It has always been a topic of interest, for me even as a freelancer before the foundation of IrpiMedia. It is a pivotal theme on which in the past the collaborative approach that distinguishes our work has been lacking. Our #Sorveglianze series was born from the collaboration with Privacy International, a British organisation that deals with advocacy on the topic, with which we try to identify the most interesting threads.

 

When looking for a definition of “surveillance system”, what should we think about?

The mass surveillance system is a political and technological infrastructure that a state sets up with the ideal aim of building a safer society through the use of technological tools. In fact, the technological tools used are so invasive that in some cases they damage digital rights, especially among the poorest segments of the population. Those who produce technologies that power surveillance systems have the power to influence the decisions of a nation state.

 

The alarm was also raised at the European Union level, especially for some countries such as Hungary, Poland, and Cyprus.

We must thank the European Parliament and the Commission of Inquiry established in March 2022. Compared to the past, there are parliamentary groups that are more aware of how mass surveillance can arbitrarily target minorities and oppositions. However, I don’t think there is consensus in European fora to consider the spread of these technologies “alarming”. The presence of Cyprus among the problem countries according to the monitoring of the PEGA Committee is not too surprising, for historical and geographical reasons.

 

For this reason, at a certain point IrpiMedia also dealt with Cyprus.

Our interest in Cyprus was only due to the sale of Predator and the role the country played as a broker for Israeli technology in Greece. In general, in terms of public attention, since 2019 the spotlight has certainly been on Cyprus after the founder of Intellexa himself – the company involved in the scandal in Greece – had shown in an interview one of his own vans sold by a company of the group full of surveillance technologies.

 

Business deals passing through Cyprus bypassing the bans have since emerged.

Since at least 2015, around the time of the HackingTeam leak, it has been clear that there is a problem in the functioning of the licensing system for surveillance technologies such as spyware. In the case of Cyprus and the Predator case, the problem is the use of specific technology and the manufacturer NSO. NSO must comply with the export authorisation granted by the Defense Exports Control Agency (DECA) of the Israeli Ministry of Defense, but if the technology is exported by a company owned by NSO but registered in a country like Cyprus then it can create a hole in the control network. Cyprus can apply looser control to exports and, since exports between EU countries are less strictly regulated, at that point the intra-European resale system is the problem. Furthermore, Cyprus is a border country, which manages to use its position to act as a bridge between the EU and the Eastern Mediterranean.

 

Last January, the Commission of Inquiry produced a recommendation in which it condemns any export of these technologies to countries where human rights are violated and, noting that some abuses have been committed by Cyprus, calls on the government to provide a precise list of all export permits, revoking inappropriate ones, and to collaborate with Europol on alleged cases of spyware use against journalists, lawyers, and members of civil society. But Cyprus is not an isolated case, and the Commission reiterates that in other member states too there is “the presence of a thriving spyware industry which takes advantage of the good reputation, the single market and freedom of movement in the EU, allowing states such as Cyprus and Bulgaria to become clearinghouses for spyware to non-democratic regimes around the world”. The reality is therefore known. Are the solutions only legal or can there be other tools?

It is necessary to put in place a strategy to strengthen the cybersecurity of digital devices, providing both economic support to device manufacturing companies and including new obligations, such as extending security updates to older devices that would otherwise remain vulnerable.

Furthermore, a simplification of access to device analysis could be envisaged, in order to collect telemetry information useful for verifying infections. Until now this activity has been carried out almost exclusively by civil society organisations; let’s think about tools like the one developed by Amnesty Tech, which are very useful because they also allow those without high IT knowledge to carry out a preliminary analysis of a device and understand if there is any trace of infection.

Regulation, however, remains an important point: even just thinking about creating a public list of companies that sell surveillance technologies could be a step forward. At this moment journalists and associations are trying to put together a puzzle whose dimensions and number of pieces are unknown: we are walking in the dark, waiting to discover the name of yet another new company.

 

Is there something that public opinion could do at European level?

If we think about the behaviour of some member countries during the PEGA Commission’s investigation into the use of spyware such as Pegasus, we realise how some did not want to cooperate and respond to the Commission’s requests. In some cases they even almost sabotaged the works, like Spain with the case linked to Catalonia or Greece. Public opinion could put pressure to ensure that, in the next European elections in 2024, MEPs are much more aware of the risks of these technologies and have a much more incisive approach, also starting from the results of the report and recommendations of the PEGA Commission. Furthermore, public opinion could also ask for greater transparency from their governments regarding data on exports of these technologies: the European Commission collects data on exports but only publishes aggregate data without detailing the activities of each individual member state. States, in turn, barricade themselves behind this fiction of transparency to deny access to any data.

This statement was coordinated by the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States and candidate countries. 


Greece: MFRR alarmed by latest revelations of spying on journalists

The partners in the Media Freedom Rapid Response (MFRR) are alarmed by the continued lack of transparency of the Greek authorities about the surveillance of journalists.

As reported last week, an audit by the Authority for Communication Security and Privacy (ADAE) at telecom company Cosmote confirmed that the state security services wiretapped investigative journalist Tasos Telloglou for unspecified national security reasons. The ADAE conducted the audit on 15 December, following requests by Telloglou and MEP Giorgos Kyrtsos, who was expelled from the ruling New Democracy party earlier this year. 

 

Cosmote unsuccessfully attempted to interfere with the inspection, as its legal adviser questioned the ADAE’s competence and contacted Supreme Court prosecutor Isidoros Dogiakos. The latter allegedly tried to intervene and stop the audit by stating that there should be an immediate opinion of the Supreme Court Prosecutor’s Office on whether ADAE or interested citizens are allowed to be informed of possible surveillance by the National Intelligence Service (EYP). The ADAE, however, invoked its constitutional authority and insisted on the audit. Dogiakos has meanwhile said that he simply expressed a non-binding view, even though he believes the audit was not legal. He also lashed out against media that have criticised the Greek judicial authorities for their handling of the ongoing investigation into “Greek Watergate”, and called for an extensive tax audit of the outlets.

 

Telloglou, who works for investigative platform Inside Story, leading daily Kathimerini and the ANT1 television news programme “Special Report”, had written in October that he believed he was put under surveillance in connection with his reporting on a spyware scandal. In the article, he said his colleague at Inside Story, Eliza Triantafillou, and journalist Thodoris Chondrogiannos of Reporters United had also been monitored. Both outlets repeatedly published breaking news about the use of spyware and alleged connections between companies that market the technology and Greek government figures.

 

Last week’s revelations are the latest chapter in a sprawling scandal in Greece which has implicated the EYP and the government in the surveillance of journalists. This involves the confirmed hacking of the phone of freelance financial journalist Thanasis Koukakis through the use of Predator spyware by an unknown party and allegations that investigative reporter Stavros Malichudis was secretly monitored by the EYP. In November, newspaper Documento published an article alleging that numerous journalists, editors, media owners and others connected to the industry were targeted with Predator spyware. 

 

These cases are major violations of the affected journalists’ privacy, journalistic source protection, and press freedom in general. Although an investigation into Koukakis’ case has been launched, overall accountability remains wanting, and the Greek authorities have provided no real transparency. Quite the opposite: soon after New Democracy came to power in 2019, it moved to bring the intelligence service under the direct purview of the office of the Prime Minister and amended the requirements for the position of Director of Intelligence so the Prime Minister’s favourite could be appointed. In March 2021, the governing party rushed through a legislative amendment that changed the legal provisions that allowed citizens to be informed by the ADAE about whether they had been under surveillance if it had taken place for national security reasons. The cases at hand, pertaining to journalists who report in the public interest, serve to underscore the problematic nature of this exemption, showcasing the potential for abuse of this clause.

 

Accordingly, the MFRR reiterates its calls on the Greek authorities to provide transparency and accountability for these severe attacks on press freedom and privacy, and to put an immediate halt to the practice. We also renew our calls for action at the EU level, including through the inclusion in the European Media Freedom Act of provisions that effectively protect journalists and media workers against illegal surveillance.

Signed by:

  • ARTICLE 19 Europe
  • European Centre for Press and Media Freedom (ECPMF)
  • European Federation of Journalists (EFJ)
  • Free Press Unlimited (FPU)
  • International Press Institute (IPI)
  • OBC Transeuropa (OBCT)

This statement was coordinated by the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States, Candidate Countries and Ukraine.


Greece: EFJ demands full disclosure on illegal surveillance of journalists

The European Federation of Journalists (EFJ) condemns the legal actions aimed at muzzling and intimidating the press in the context of the scandal of illegal government practices in Greece, in particular the tapping of journalists and politicians.

The EFJ condemns the abusive legal proceedings launched on Friday 5 August by Grigoris Dimitriadis, resigning adviser and nephew of Greek Prime Minister Kyriákos Mitsotákis, against journalists Thanasis Koukakis, Nikolas Leontopoulos and Thodoris Chondrogiannos, as well as against the website Reporters United and the newspaper EfSyn.

 

“We demand the immediate withdrawal of these complaints, which are only intended to intimidate the press and prevent the exposure of the illegal and undemocratic practices of those in power in Greece”, said EFJ President Maja Sever.

 

On 29 July, the Director of the Greek National Intelligence Service (EYP), Panagiotis Kontoleon, who also resigned after the scandal was revealed, admitted to a parliamentary committee that his services had been monitoring journalist Thanasis Koukakis from 15 May to 12 August 2020. It was learned that the journalist had also been monitored by Predator spyware from 12 July to 24 September 2021.

 

“We call on the Greek judicial authorities to activate judicial investigations into private and public actors, including those close to the Prime Minister, who use Predator software to spy on journalists,” said EFJ General Secretary Ricardo Gutiérrez. “We call on them to shed light on the illegal tapping of journalists by the intelligence services and to identify and convict those responsible. Journalism is not a crime, but obstructing the work of journalists is a crime against democracy.”

This statement is part of the Media Freedom Rapid Response (MFRR), a Europe-wide mechanism which tracks, monitors and responds to violations of press and media freedom in EU Member States, Candidate Countries and Ukraine.


Who, and why, is surveilling journalists in Slovakia (SME)

They would go to the bathroom and turn the water tap on, so the water filling the bathtub would make it harder for anyone to hear them talk about serious issues. They knew which rooms to avoid if they wanted to speak of secret meetings and critical texts they were writing. Phone calls were like scenic plays for the state that they knew was listening: Hi, how’s life? Do we need to buy any milk?

In the 1980s, Czechoslovak, Polish, and Hungarian samizdat authors knew the state was actively intercepting them and keeping detailed records of their talks. Civic courage and disobedience were their working methods.

Journalists of the banned publications engaged in their own rituals. They set up meetings in surprising places. They never came to the meetings together, and they left only one by one. Sometimes, before such a meeting, they would buy a train ticket to a small village where they would get off and then secretly return to the city.

They recognised the faces of some of those that followed them. If they met in a café in the suburbs, and noticed anyone suspicious around, they would gesture each other into changing the topics.

The real messages they wanted to exchange they wrote on small bits of paper, only to immediately burn them in the ashtray as soon as they were read. There were ashtrays everywhere; smoking was allowed everywhere back then.

It was clear who listens and why

Editors of the Hungarian samizdat Beszélő protected their sources. They openly published their own names, to make sure the police would focus on them rather than on the people who were helping them, with information or with distribution. The police would regularly raid their homes. They reckoned with that and learned to live with it.

Beszélő was a quarterly publication and the publishers’ main goal was for the state to miss the printing day. And so, not even the editorial team knew where the publication was printed and who the middleman between the editorial and the printing house was.

Some 2,000 pieces of the issue would be divided immediately into packages of 25 and sent around the country. The state always managed to catch at least one or two distributors, but it never managed to dissolve the entire network. The editors never had more than a few copies with them at a time.

In the Gutenberg galaxy

This is how things worked in the world where it was clear who was surveilling journalists and why. Journalists knew exactly what communication channels were connected to the state, they knew the secret service was trying to recruit people from among them, to report on their colleagues.

The snitches continued to act as revolutionaries and criticise the communist state, but in reality they had already crossed over.

This was a system that the communist power openly admitted to on the ideological basis. It was the Gutenberg galaxy with no Googles or Facebooks, where civic courage could weaken the state machinery. Some samizdats managed to remain sustainable for as long as an entire decade.

Too much of a lure?

Today, journalists in working democracies mostly do not expect the state to surveil them. Wiretapping or surveillance without a reason is always the first symptom of the abuse of power and the technological apparatus of the intelligence services. If anything like that comes out, the media ring a loud alarm. And they are right to do so.

Today, the state power no longer requires a snitch, a whisperer or an informant, to be able to find out who thinks what. They no longer need to collect receipts from cashiers to monitor people’s purchases, or secretly sit near their table in a café to hear whether they are badmouthing the government.

They can find out about everything with the potential help of tech companies. They do not boast about it, nor do they cover up these activities with ideology. That is why control mechanisms are necessary to make sure the state does not abuse its technological means against journalists. Because if it dares to do it to the media, then it will easily dare to do it to an ordinary citizen.

The Pegasus scandal has shown how much of a lure a software originally developed for countering terrorism is for governments. For the government of Viktor Orbán in Hungary, among others, which used it to tap into the mobile phones of more than 300 people, including investigative journalists and publishers of independent media.

Does every government tap phones?

In the last 30 years, the Slovak governments followed and wiretapped several journalists.

In the early 1990s, Ivan Lexa led the national intelligence agency, the Slovak Information Service (SIS). Under his lead, the SIS abducted the son of President Michal Kováč. Back then, reasonable people reckoned that the government had all critics of the regime under surveillance. Speaking on landlines, people would greet the undisclosed call participant, imagining them as some rank-and-file state official sitting in a shabby office with his or her headphones on.

With the arrival of mobile phones later on, entrepreneurs would remove batteries from their phones during meetings. Some would go as far as to wrap them in aluminium foil. It was almost like a statement of self-importance, to conspire and to pretend having the phone tapped.

For some, it was more than just a disturbing idea. Under Lexa and the then prime minister Vladimír Mečiar, SIS massively followed and wiretapped journalists.

A change?

Cases of tapping into journalists’ phones appeared also after the fall of Mečiar. For example, the police found in its systems an unauthorised recording of a 2002 conversation between the then economy minister Pavol Rusko and a journalist with daily Sme.

Canadian journalist Tom Nicholson obtained information that the secret services wiretapped his phone calls under the first government of Smer (2006-2010), with Robert Fico as prime minister and Mečiar as one of his two coalition partners. Just because he was a foreigner, the SIS agents wanted to know if Nicholson cooperated with foreign secret services.

The military intelligence service under Ľubomír Galko as defence minister tapped the phones of journalists of the Pravda daily and the head of the private television news channel TA3, with the argument that they wanted to know who leaks classified information to whom.

But the surveillance of journalists only grew into monstrous dimensions with the arrival of the commando that, rather than by the state, was built by Marian Kočner who profited from his relationships with high-ranking public officials and nominees of the then-ruling Smer party.

He had journalists screened through his contacts at the police. Then he hired his friend Peter Tóth to put some of them under illegal surveillance. His commando also followed Ján Kuciak, who later ended up murdered.

What stance will the state eventually take towards such brutal interference with the lives of journalists?

The Pegasus era

There are countries that have leaned away from democracy and that use the “illiberal” label to mask their autocratic traits. They no longer need ideology to justify the surveillance of journalists or opponents.

We are faced with a paradox, when the parliament elected in a relatively free election approves a law for the ruling party to legitimise the use of technology for the surveillance of opponents and government critics. Journalists, too. After all, it has become a routine for government representatives to call journalists the enemies of the nation.

They use technology – mobile phones – that nearly everyone uses in their daily lives.

The existence of critical media and independent institutions plays a crucial role in how such interferences into the lives of journalists or ordinary citizens end. Critical media find out and write about it, while independent institutions then investigate it.

Hungarian government representatives deny the surveillance of journalists. The Hungarian prosecution service announced in July 2021 that they were investigating the use of Pegasus software, but in all likelihood, if Orbán gets re-elected next year, this institution’s investigation will be inconclusive.

If some autocrats manage to grind down the independent institutions in their countries, as is the case in Hungary and in Poland, the effect of the surveillance of journalists and ordinary citizens may be similar to that under communism, but without the state having to build the whole communist-time apparatus anew.

What is worse, traditional tools, like those that the samizdat authors fought with, are not effective in the fight against this new machinery.

This piece is published in collaboration with SME as part of a content series on threats to independent media in Central Europe.
