Pegasus: Europe’s deepening spyware scandal

The EU data protection authority wants the powerful surveillance program to be banned, calling it a threat to democracy after claims of misuse in member states

A cellphone near the headquarters of NSO Group, the creators of Pegasus. JACK GUEZ (AFP)

Concern over the use of a powerful spyware called Pegasus is growing in intensity in the European Union. An investigation committee launched by the European Parliament is preparing its first operational work meeting, which could be held this Thursday. The provisional agenda shows the presence of members of the Senate of Poland, one of the countries where there are suspicions about the use of Pegasus to spy on the government’s political rivals. The European Data Protection Supervisor has already called for programs like Pegasus to be banned on the grounds that they are very difficult to control and endanger fundamental rights and freedoms.

The investigative group (whose formal name is Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware) was requested after the governments of Poland and Hungary admitted to having the program, very powerful spying software that was developed by the Israeli company NSO Group and is only available to government agencies. Pegasus can take control of a cellphone without its owner noticing and, in addition to accessing all its contents, it can also turn it into a listening and image capture terminal.

The committee’s initial session in April, to deal with preparatory work, coincided with revelations about the so-called CatalanGate, an investigation into espionage of separatist leaders with ties to Catalonia’s failed unilateral breakaway attempt from Spain in 2017. And its next session will take place right after Spain’s prime minister, Pedro Sánchez, on Monday said that his own phone was hacked by Pegasus. Other senior members of the Spanish government have apparently been targeted by the spyware, including Defense Minister Margarita Robles and former foreign minister Arancha González-Laya, whose cellphone communications were spied on during a diplomatic crisis between Spain and Morocco in May 2021, government sources said.

Spain's PM Pedro Sánchez (c) and Defense Minister Margarita Robles (to his right) receiving Afghan evacuees at the Torrejón military base in Madrid on August 27, 2021. Paul White (AP)

For the space of a year, the 38 members of the investigation committee (including Carles Puigdemont, who led the Catalan secession attempt, fled to Belgium to avoid arrest and was later elected to a seat in the European Parliament) will try to collect testimony and documents that prove the use of the program in the EU, where there have been accusations of spying in Greece, Poland and Hungary besides Spain. In France, President Emmanuel Macron is believed to have been on a list of potential Pegasus targets, according to media reports from July 2021 based on a collaborative journalism investigation known as the Pegasus Project. And last month, UK Prime Minister Boris Johnson was informed by Citizen Lab, a digital security research department of the University of Toronto, that his office may have been targeted in 2020 and 2021.

If the committee’s conclusions confirm the apparent danger, “the European Parliament will ask the EU Commission to legislate on its use,” says Juan Fernando López Aguilar, a member of the investigation committee and chair of the Committee on Civil Liberties, Justice and Home Affairs.

López Aguilar is convinced that “the response provided by the European Parliament will mark the attitude of national parliaments on this matter.” And he believes that, at a minimum, Pegasus “will have to be regulated, because it affects fundamental rights that are highly protected in the Charter [of fundamental rights of the EU].”

The European Data Protection Supervisor (EDPS), the European authority on data protection, is already advocating for prohibiting the development and deployment of espionage programs with capabilities such as Pegasus in order to protect “fundamental freedoms but also democracy and the rule of law.” In a preliminary report published in mid-February, the Supervisor considered that “the use of Pegasus might lead to an unprecedented level of intrusiveness, which threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives.”

NSO Group claims that it only sells its software to government agencies. “That information is yet to be verified,” notes López Aguilar. “The truth is that the program is very expensive and each intervention costs a fortune, so in principle it is not within the reach of amateurs.”
