Tired of working for an egomaniacal startup boss or dull enterprise biz? A new org has been proposed called the Tech Lab, where you’d investigate the worst kinds of surveillance by governments on their citizens. In which despotic state, you ask? Surprise! You could base yourself in any European city.
EU MEPs want to start the public body – along with a host of other recommendations contained in a report that landed last night – after the so-called PEGA committee spent over a year looking into the use of Pegasus and equivalent spyware.
IT folks employed by the proposed EU Tech Lab will be tasked with device screening and performing forensic research – probably including testing vulnerability exploits. There will also be lawyers and tech support on payroll. The committee said it wants new laws to regulate the discovery, sharing, resolution and exploitation of vulnerabilities – referring to the “commercial trade” of system flaws. The report [PDF] calls for a ban on the sale of vulnerabilities in a system for any other purpose than strengthening the security of that system. We can only presume this regulation happens on the buy side, when practiced by one of the spyware makers – though how it intends to regulate this is unclear. We have asked but to us it seems like a tricky proposition.
It also asks that organizations both “public and private” should create a publicly available contact point where vulnerabilities can be disclosed in a standardized way and for organizations that receive information about vulnerabilities in their system to act immediately to fix it. Not, say, use it to place your spyware on a device. Right?
In April, Citizen Lab and Microsoft both reported that a zero-click exploit allegedly developed by Israeli spyware company QuaDream – called “Reign” – was used to deliver spyware on devices running Apple’s iOS 14 on victims’ phones. The exploit abused the iOS calendar app, leading to the spyware compromising the devices and stealing data, the researchers said.
A year in the making
The report follows a year-long investigation that kicked off after member states were suspected of using spyware to intimidate political opposition, silence critical media, and manipulate elections. Alleged targets of NSO’s Pegasus surveillance spyware include businesspeople, politicians, law enforcement, diplomats, lawyers, civil society actors and more. The report says reforms are needed because EU governance structures “cannot effectively deal with such attacks.”
The document and its recommendations still have to pass parliament’s beady eye in June; the committee vote was non-binding. The executive has so far stayed well out of it and it is clear that the use of spyware will still be very much in national intel agencies’ toolkits, whether the report is adopted or not. The draft resolution attempts to impose some rules around this. The proposed regulations will allow spyware to be used only in EU states “where allegations of spyware abuse have been thoroughly investigated, national legislation is in line with recommendations of the Venice Commission and EU Court of Justice and European Court of Human Rights case law, Europol is involved in investigations, and export licences not in line with export control rules have been repealed.”
They paid special attention to Hungary and Poland, whose governments have “dismantled independent oversight mechanisms.” MEPs also had “concerns” over spyware use in Spain and Greece – noting that Cyprus had played “a major role as an export hub for spyware.” The MEPs called on Cyprus to repeal all export licences it has issued that were not in line with EU legislation.
Speaking of exports, the UK has become an offshore haven for the private intelligence industry, according to a report released by Privacy International late last week [PDF], although the document also encompasses corporate intel agencies and those in the so-called “reputation management” game, rather than singling out makers of IMSI-catchers and purveyors of spyware, for example.
‘Not one government has really been held accountable’
Rapporteur Sophie in ‘t Veld said of EU committee’s report: “The member states and the European Commission should not sleep easy, because I intend to keep on this case until justice is being done.”
She added: “Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable.
“The unimpeded use of commercial spyware without proper judicial oversight poses a threat to European democracy, as long as there is no accountability. Digital tools have empowered us all in various ways, but they have made governments far more powerful. We have to close that gap.”
Committee chair Jeroen Lenaers noted that the report still allowed for the use of spyware by member states, saying: “Stricter EU-level scrutiny is needed to ensure that spyware use is the exception, to investigate serious crimes, and not the norm. Because we acknowledge that it can – when used in a controlled manner – be an important tool to combat crimes like terrorism.” He added: “Our committee has formulated a wide range of proposals to regulate the use of spyware, while respecting national security competences.”
According to data collected by Carnegie’s global inventory of commercial spyware and digital forensics between 2011 and 2023, at least 74 of the world’s governments contracted with commercial firms to obtain either spyware or digital forensics technology.
The move by the EU has been a long time coming, a full eight years after Middle Eastern governments fell in the Arab Spring uprisings and certain practices by commercial spyware vendors came to light. That same year, former European Data Protection Supervisor (EDPS) Giovanni Buttarelli warned that if the member states didn’t regulate, the trade in commercial spyware could hurt both Europeans’ privacy and data protection rights. But even if these controls are adopted, they will be non-binding.
You might think regulation is being done better stateside, where President Joe Biden signed an executive order in March prohibiting the use “by the United States government of commercial spyware that poses risks to national security.” But re-read that title and the qualifier. The accompanying legislation is likely as full of holes as it looks, as we reported at the time.
How the Arab Spring blew the lid off the commercial spyware
Although the committee appears to have worked hard on the resolutions, it seems exceedingly unlikely that any of the European governments, and certainly not those already breaking the rules, would fully comply. This is especially so, as some have pointed out, because such are the dealings of security agencies that even funding for such tools is not mentioned explicitly in national budgets, let alone the fact of their deployment. Remember when the NSA was said to have bugged Angela Merkel’s phone and how Germany quickly dropped its inquiry into this? How do you fight what you cannot see?
When it comes to spyware abuse, the committee said, not only should spyware be allowed solely when strict conditions are fulfilled, but a uniform definition of national security is needed. Quite. ®