Members of the European parliament are to urge that Brussels be given “federal-style” powers to enforce laws aimed at curbing improper use of spyware, following concerns that member states often have little incentive to follow the rules.
Sophie in ’t Veld, a Dutch MEP overseeing a report to be published on November 8 into how the technology is used, also wants more powers given to Europol, the EU’s law enforcement agency. It currently can only operate with the consent of member states.
In March, MEPs set up a committee to investigate the use in the bloc of Israeli spyware company NSO’s Pegasus and other surveillance technology. Two months later, it emerged that Pegasus spyware was used to hack the mobile phones of senior officials, including that of Spanish prime minister Pedro Sánchez — the first confirmed use against a serving head of government.
The software is able to penetrate a mobile phone and copy its encrypted content. Pegasus was used to target smartphones belonging to 37 journalists, human rights activists and other prominent figures last year. NSO has denied the claims.
The report will face intense pushback, particularly from EU states spying on citizens for political reasons, according to those with direct knowledge of the process. Hacking software has reportedly been used in Greece, Spain, Hungary and Poland against members of the opposition and journalists.
It is up to the European Commission, the EU’s executive body, to propose new legislation that will have to be negotiated between the commission, the parliament and member states.
In ’t Veld is hoping the report will show the scale of the issue and that it will generate the political momentum needed to ensure new laws are drafted.
She told the Financial Times that the scale of the problem was much more severe than previously thought.
“This is not about a handful of governments spying on their citizens, it is all over Europe. All governments are using this stuff, some governments are abusing it,” she said.
“Different EU member states play different roles in a scheme that spans the whole of Europe. One country is the preferred destination for the financial operations. Another is the hub for international trade. A third one provides golden passports to the executives behind the spyware companies,” in ’t Veld said, referring to Luxembourg, Cyprus and Malta respectively. “The whole business is intertwined with governments and government funding.”
She added that the authorities’ attitudes towards the enforcement of rules on the use of spyware had gone from “the presumption of compliance [by member states] to the pretence of compliance”.
As a result, in ’t Veld is calling for Brussels to have enhanced powers akin to those enjoyed by the US federal government.
“There have been these two big attacks on democracy in the United States — Watergate and January 6. But at least they have the federal institutions that are able to deal with this,” she said. “They have the FBI, they have Congress, which has full powers of inquiry, they have a federal Department of Justice that can investigate and intervene.”
“We cannot have an open European Union if we do not have all these super supranational instruments for the enforcement of the rules,” she added.
The report will also call for the blacklisting of companies that do not abide by the bloc’s rules but will stop short of demanding an outright ban on Pegasus. In ’t Veld said the use of spyware to threaten people’s privacy and to blackmail politicians had become “a real poison for our democracy”, adding that there was a trace of Russian infiltration everywhere you turned.
“On the one hand, we’re all saying that our democracy and our free society are being attacked from the outside by the Russians, but they’re also under attack from the inside. We are completely defenceless,” she said.
“This is not just threatening the privacy of individuals. This is threatening democracy because they’re using it against journalists, politicians, lawyers, activists. This is a real poison for our democracy.”
