Council Of Europe Says Most Use Of NSO’s Pegasus Spyware Is Probably Illegal

by Tim Cushing, from Techdirt (#6EY3G)

I mean, that's what we all were thinking, right? When you carve out a niche selling to outlaws, there's a good chance your product will be used illegally, no matter who's buying it.

That's how it all plays out for NSO Group and its infamous Pegasus zero-click phone exploit - one capable of fully compromising targets' phones. And what a list of targets it is! Journalists, human rights activists, opposition leaders, religious leaders, lawyers, and dissidents were all included on the list of NSO malware targets obtained by journalists in 2021.

Two years of bad news followed. Not just negative press, but investors, founders, and even the Israeli government backing away slowly from this suddenly toxic asset. At its peak, NSO had a long list of customers, most of them doing their own citizens dirty with routine human rights abuses. At its current nadir, NSO limps along, trying to find someone willing to pay it to put itself out of its self-inflicted misery.

This report [PDF], compiled by the Council of Europe and written by the Netherlands' Pieter Omtzigt, says what everyone knows. But it says it for the benefit of those who know, but still refuse to stop engaging in abusive deployments of the Pegasus malware.

Here's the main takeaway, as summarized by Suzanne Smalley for The Record.

The PACE's Committee on Legal Affairs and Human Rights, which produced the report, asked at least 14 European Union countries which have bought or used the tools, including the Netherlands, Germany, Belgium and Luxembourg, to "clarify the framework of its use and applicable oversight mechanisms" within three months.

Additionally, the report singles out Poland, Hungary, Spain, Greece and Azerbaijan, which have already weathered public scandals related to their use of the NSO Group's Pegasus spyware and similar tools, to undertake "effective, independent and prompt investigations" on all confirmed and alleged cases of spyware abuse.

Some things to note before we take a deeper look at the report:

First, it was composed by a representative of a government that has been (at least somewhat) critical of the EU's attempts to undermine encryption with client-side scanning mandates. Second, the countries named as participants in likely illegal surveillance include Greece and Spain. Greece has been dealing with the fallout of illegal spying efforts utilizing other malware created by yet another Israeli-based spyware company. Spain has been engaged in open oppression of Catalan dissidents and wholeheartedly believes the EU should give it even more power to repress those who seek to have this region's independence recognized by the Spanish government.

The other countries on the list have rarely been considered havens of personal freedom, with Poland being a bit more progressive in its protection of human rights than Hungary or Azerbaijan. That being said, Poland hasn't exactly kept its hands entirely clean when it comes to domestic surveillance.

The problem is the malware itself, which is extremely powerful and, for most targets, undetectable. Given these aspects, the Parliamentary Assembly of the Council of Europe (PACE) doubts any use of the spyware could possibly comply with European law.

The Parliamentary Assembly notes that Pegasus is a highly intrusive surveillance spyware, which grants the user complete and unrestricted access to all sensors and information of the targeted mobile phone. It turns the smartphone into a 24-hour surveillance device, accessing the camera and microphone, geolocation data, e-mails, messages, photos, videos, passwords, and applications. While some spyware tools require some action on the part of the victim, such as clicking on a link (for instance, Predator) or opening an attachment, Pegasus is installed through a so-called "zero click attack". Given its unprecedented level of intrusiveness into the private life of the targeted individual and all the target's contacts, the Council of Europe Commissioner for Human Rights and the European Data Protection Supervisor have expressed serious doubts as to whether its use could ever meet the proportionality requirement and therefore be human-rights compliant.

This is followed by the name-and-shame portion of the presentation. The Council notes the malware has been deployed in both Poland and Hungary to spy on journalists, opposition leaders, lawyers, prosecutors, and activists. In Spain, 65 infections of phones possessed by Catalan pro-independence activists have been verified. Azerbaijan has deployed it both against its own people (journalists, activists) and against targets in Armenia.

Since almost any deployment of Pegasus will, at the very least, likely violate European privacy laws, the Council requests that all EU nations inform the Assembly about any past, present, or planned Pegasus use, provide redress to those illegally targeted, apply sanctions (if needed) against the entities deploying the malware, and conduct investigations to determine whether any past deployments have flown under the oversight radar.

The rest of the report delivers more details on potentially illegal Pegasus deployments. Most of these were uncovered by security researchers, like the invaluable Citizen Lab. None of the discovered infections were the result of self-reporting by government agencies that purchased NSO spyware. In a few cases, government investigations have uncovered abusive deployments by government entities, but most of the legwork is still being done by the private sector.

While the Council is entitled to make these demands of EU nations, it doesn't actually have the power to make any of this happen, unfortunately. Back to Suzanne Smalley and The Record:

The Council of Europe was established in the wake of World War II to promote human rights and democracy. While it cannot enact laws, it describes itself as being able to "push for the enforcement of select international agreements reached by member states on various topics."

It's not much, but maybe it will be enough. NSO is on the ropes and very few self-respecting governments want to be caught with Pegasus on their hands. There will always be competitors willing to fill the void created by NSO should it choose to exit the market. But maybe efforts like these will make EU nations think twice before doing business with malware merchants more than happy to get in bed with any autocracy that will have them.
