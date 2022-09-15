The EU ’s reaction to the Pegasus scandal has largely been shrugging its shoulders. The justice commissioner’s mobile phone was not compromised at all.

The EU Commission washes its hands of the widely criticized attacks with spyware such as Pegasus on members of the opposition, civil rights activists and lawyers in member s. The heads of administration and justice at the Brussels government institution, Johannes Hahn and Didier Reynders, write in a response to 24 questions from the European Parliament’s Pegasus Committee of Inquiry. Everything else is up to the states.

“The use of spyware technologies by national security and law enforcement agencies – when done ethically and in accordance with the law (including EU law) – can be a powerful and necessary law enforcement tool to ensure security and justice in the digital age guarantee,” the commission said in the ten-page letter, the original of which was available to voonze online and Netzpolitik.org has published a text version.

“Law enforcement agencies must use modern digital technologies to investigate in a digital environment and counteract the increasing use of technology by organized crime groups,” the law enforcement body said. However, she has also noticed that there are “repeated reports of abuse and human rights violations due to the illegal use of digital surveillance tools.”

Hahn and Reynders know that the complaints are “violations of data protection and privacy, arbitrary arrests or crackdowns on civil society and citizens”. The investigation of such incidents is initially the responsibility of the individual EU member states, but could also be “the subject of monitoring and control by the Commission”. We are closely following developments here and collecting information “to ensure that national regulations are in line with the EU data protection framework and other relevant EU legislation”.

Responsibility of the EU member states

The national authorities must “thoroughly examine such allegations and restore the trust of the citizens,” emphasize the two commissioners. They are “particularly aware of the particular risks that journalists and human rights defenders are exposed to in this context”. The appeal goes to all member states to “implement legislation and protective measures to protect individuals from unlawful surveillance, including arbitrary or mass surveillance”. Such measures would have to be in full compliance with international human rights law. At the same time, they want to strengthen cyber security.

The Commission cannot yet say much about the recent spyware scandals in Hungary, Poland, Spain and Greece. The first two countries cited national security when deploying Pegasus. Greece also doubts that the EU is responsible. Spain has not yet responded to a request for information.

According to the letter, the contacts with the authorities in Israel, where the Pegasus manufacturer NSO Group is based, have also yielded little so far. The aim was to express to the export control bodies their own concerns about the espionage reports and to obtain information on any related remedial measures. So far, however, the Commission has not received any corresponding commitments.

No answers

According to a memorandum, a delegation from the Pegasus Committee in Israel also encountered a wall of silence: Instead of speaking to officials from the Defense Ministry, the parliamentarians were only allowed to speak to envoys from the Foreign Ministry. These were limited to explaining the export rules in general.

The authors of the letter to the representatives of the people do not confirm reports of an apparently successful spyware attack on Reynders and other Commission employees. “Apple issued an official notice on November 23, 2021 regarding the possible compromise of Commissioner Reynders’ device by state-sponsored attackers,” they explain. “Neither the checks carried out by the investigators before nor after this date confirmed that such software had managed to compromise the commissioner’s personal or professional devices”.

According to the reply, the relevant Commission services also checked the mobile phones of other Commission officials who had received similar notifications from Apple that day. Even with these, Apple’s suspicion was not confirmed. A year ago, a mobile “Endpoint Detection and Response” (EDR) solution was introduced on the smartphones of all employees to combat similar threats.

Criticism of lack of processing

“The Commission is doing far too little and is also not transparent,” commented MEP Cornelia Ernst (left) on the decision. All in all, this feeds the suspicion that “the state use of spy software in Brussels should be boiled down rather than processed”. The Israeli Foreign Ministry’s tip “that we should ask Europol about it is a bad joke.” A hearing has already revealed that the police authority does not want to use any of its new powers to protect democracy and the rule of law in the EU.

“Spying on citizens for political purposes is a crime”, emphasized the Liberal Sophie in’ t Veld on Twitter: “We should be clear about who the perpetrators are: the national governments.” The Commission and Parliament could not rely on the EU Council to protect citizens.