Greek Government Responds To Domestic Surveillance Controversy By Making Things Worse

by Tim Cushing, from Techdirt (#66WEV)

Malware and exploit developers are generating a seemingly endless number of headlines, thanks to misuse of their products by government entities. Israel's NSO Group has made the most headlines, but other Israel-located malware purveyors have made the news as well. Candiru, another Israeli exploit developer, was hit with the same sanctions the US Commerce Department leveled against NSO Group.

Another surveillance tech firm with ties to Israeli intelligence services, Cytrox, was at the center of another scandal, this one involving the government of Greece. According to Citizen Lab researchers, Cytrox has become the go-to malware purveyor for those who have been denied by the recently recalcitrant NSO Group. In addition to Cytrox phone infections suspected to be originating from Saudi Arabia, Greek citizens were finding themselves targeted by this company's exploits.

Thomas Koukakis, an investigative reporter covering financial issues, found out his phone had been infected for at least 10 weeks by Cytrox's "Predator." The infection was traced back to a Greek phone number, which sent a malicious link to the journalist.

A few months later, opposition leader Nikos Androulakis was notified that his phone had been infected with Cytrox malware shortly before he declared himself a candidate for the country's third-largest political party.

Following these reports, the head of Greece's intelligence service resigned, as did the general secretary of the prime minister's office. These are not admissions of guilt, but they do appear to be high-ranking government officials pressing the eject button before anyone else (the rest of the government/citizens of Greece) did it for them.

So, the Greek government is facing a domestic surveillance scandal - one that involves journalists and political leaders. And it has made an attempt to address this issue through legislation. The problem is that it's terrible legislation. The proposal appears to do little more than allow the government to say it's taking things seriously while simultaneously codifying some very helpful opacity.

Here's what Human Rights Watch has to say about the proposed legislation:

The draft law fails to take into account objections from two constitutionally entrenched independent public bodies: the Hellenic Authority for Communication Security and Privacy (ADAE), which oversees surveillance powers, and the Data Protection Authority, which oversees the use of personal data. ADAE is tasked with monitoring compliance with the terms and the procedures of legally permitted interception of communications, but lacks the power of review that competent judicial authorities have.

Both of these bodies have been bypassed. It appears the government would rather sweep its surveillance of journalists (there's another target listed in HRW's report) and opposition leaders under an extremely dark rug while pretending to expand options for those who suspect they've been illegally surveilled.

What the law is supposed to fix has instead created a parallel route for indefinite opacity. While it does introduce time limits on disclosure, it severely restricts what surveilled citizens can learn about government spying.

Until March 2021, a person under government surveillance for national security reasons had the right to file a request with ADAE for information about themselves. But ADAE would only provide that information once those measures were no longer in effect and, notably, only if disclosure would not compromise the purpose of the investigation. An amendment adopted at the end of March 2021 made it impossible for someone under government surveillance for national security reasons to ever get information about it or to seek a remedy.

The draft law reintroduces access to such information, but only three years after the end of the monitoring. The affected person can be informed of the fact of the surveillance and of its duration but not of the content, significantly hampering a potential victim from collecting evidence about their surveillance and challenging it in court on the basis that it is illegal, abusive, or disproportionate.

On the plus side, the government would be required to turn over information three years after the period of monitoring. On the negative side, the information allowed to be released would be mostly useless, only allowing domestic surveillance targets to be apprised, years after the fact, that they were surveilled. It won't tell them why they were targeted. It won't tell them what was targeted. Instead, they'll only be informed that it happened. And they'll only know to ask if they can show (without access to evidence) that they were targeted.

What should be done instead is a wholesale reform of surveillance powers, starting with a moratorium on the use of powerful phone exploits to target citizens of Greece. No doubt the government has an interest in securing the nation and fighting crime, but when it's compromising the phones of journalists and political opponents, it cannot be considered trustworthy enough to wield these powers. This legislation doesn't make the government more accountable. All it does is codify its refusal to be honest with surveillance targets about its actions.
