January 25, 2023
Authored by Spencer Levitt

UCI Law’s International Justice Clinic has been investigating the use and abuse of spyware technologies as part of the clinic’s private surveillance project. Proliferating in recent years, hundreds of vendors across the globe buy and sell software exploits, build surveillance tools around those exploits, and sell the tools to the highest bidder (often states or state-sponsored actors). Pegasus, developed by the Israeli company NSO Group, is the most infamous of these spyware tools. The software has been deployed by states against journalists, politicians, and human rights defenders in violation of the human rights to privacy and to freedom of expression and opinion. Our clinic has conducted research on the impact of surveillance technologies, examined how these tools infringe upon human rights, and explored potential redress for victims of surveillance. Our clinic is also actively engaged in coalition building among digital rights organizations: we hosted workshops on possible avenues to restrain state-sponsored digital surveillance in March 2022 and November 2022. You can find our other publications here.

On November 8, 2022, the European Parliament’s PEGA Committee rapporteur Sophie in ‘t Veld released a draft report presenting the committee’s findings in response to the ongoing inquiry into spyware use by EU member states and institutions. After highlighting a myriad of examples of spyware use across member states and institutions, the report also analyzes the legal aspects of the use of spyware in the EU and concludes with courses of action for the EU.

The report was released soon after two days of hearings at the European Parliament in Brussels, Belgium, which themselves followed several months of hearings on the subject. As part of these hearings, UCI Law’s International Justice Clinic Director Professor David Kaye testified about the human rights implicated by the use of spyware technology, with the support of Digital Rights Fellow Hinako Sugiyama and the Clinic’s students. He urged the PEGA Committee to consider a ban on the use and trade of Pegasus-like spyware. Two clinical students joined Professor Kaye for the hearings.

In this post, we provide an overview of the role of the PEGA Committee, highlight key points from the testimony, and discuss the recent draft report circulated by Sophie in ‘t Veld.

What’s the role of the PEGA Committee? 

PEGA, or the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware, was formed on March 10, 2022 with a twelve-month mandate to investigate alleged infringements of EU law in relation to spyware technology. The committee’s explicit role is to “gather information on the extent to which Member States or third countries are using intrusive surveillance to the extent that it violates the rights and freedoms enshrined in the Charter of Fundamental Rights of the EU.” Inquiry efforts include relevant studies and briefings on the topic, fact-finding missions, and, most recently, hearings with experts, victims, and other relevant parties. The Committee consists of 38 members of parliament and 38 substitute members. Highlights of the committee’s work, meeting minutes, workshops, and other research can be accessed on the PEGA Committee website.

Previous PEGA Committee Hearings:

Prior to the Committee’s hearings in late October, a total of 11 other hearings had been conducted, dating back to May 2022. Panels included country-specific experts testifying about the trade and use of spyware within their state, testimony from parliamentarians who had been targeted with spyware, and a discussion of the harms suffered by victims of spyware and the potential remedies available. On June 21, 2022 the PEGA Committee invited Chaim Gelfand, General Counsel and Chief Compliance Officer of NSO Group, to testify before the committee. Testimony directly from an NSO Group representative was much anticipated. Mr. Gelfand testified that at least five EU countries had used NSO Group tools.

October 26th & 27th Hearings:

Big tech, regulation, and cybersecurity

The first hearing of the two days in Brussels was presented by a panel of four experts. Shane Huntley, the director of Google’s Threat Analysis Group (TAG), spoke about the emergence of the commercial spyware industry. Huntley described the evolution of vulnerabilities in Google products as a game of whack-a-mole: each reactive fix implemented by TAG is met with new and evolving exploits from spyware vendors, most prominently NSO Group. The next presenter was Jo De Muynck, head of the operational cooperation unit at the European Union Agency for Cybersecurity (ENISA). As of June 2022, ENISA had identified over 10 million mobile trojan attacks. De Muynck noted that any effective vulnerability management and disclosure program needs to be paired with proactive investment in systems designed to withstand external attack. The panel also included Saad Kadhi, head of CERT-EU, which acts as the cyber defense body for all EU institutions, bodies, and agencies, but not for the member states directly. Last, Rosanna Kurrer of CyberWayFinder testified about dire staffing needs across the cybersecurity industry.

Spyware and the right to privacy

Ángel Vallejo, Jesper Lund, and Wojciech Klicki comprised the second panel of the day, where all three speakers focused on regulatory and jurisprudential challenges to constraining surveillance. A crucial barrier within the European Union lies in Article 4(2) of the Treaty on European Union, which states that “national security remains the sole responsibility of each Member State.” States have argued, and will continue to argue, that any use of surveillance technology is justified under national security. Vallejo argued that the EU should implement a necessity and proportionality test to constrain the use of spyware, such that any state deployment of the technology has an explicit target and duration. Lund pushed for a specific collection limit that should apply to states to ensure that any information extracted is “narrowly relevant to the investigation at hand,” avoiding indiscriminate data gathering. One key issue in legal proceedings, Klicki testified, is that evidence collected using spyware like Pegasus is used in court without any determination of its admissibility. Moving forward, it is crucial for courts to develop restrictions on the use of evidence collected by these sorts of technologies so that the right to privacy is meaningfully protected.

The Impact of Spying on Fundamental Rights

UCI Law International Justice Clinic Director Professor David Kaye was invited to testify about the impact of spyware technology on fundamental rights. Professor Kaye’s testimony focused on the human rights of privacy and freedom of expression and opinion, and the state obligations to protect the human rights affected by spyware. In response to questions raised by the committee’s rapporteur, Professor Kaye noted the lack of robust regulation around spyware. Without a strong legal framework to assess the use of spyware, it cannot be effectively regulated. However, with spyware like Pegasus in particular, no legal framework can justify its use. The indiscriminate data collection enabled by Pegasus makes it illegitimate on its face. As Professor Kaye put it, “this is the conundrum of how you regulate a tool that is unregulable.” 

Professor Kaye also testified about the difficulty of providing redress to victims when the perpetrators are state actors. This implicates the law of sovereign immunity, which needs to be restricted to provide an effective remedy for the victims of spyware. Professor Kaye concluded by testifying that “the use and trade of Pegasus-like spyware should be banned.”

Joining Professor Kaye on the first panel on October 27th was Professor Ot van Daalen of the Institute for Information Law at the University of Amsterdam. Professor van Daalen testified about the human rights obligations of states to regulate the disclosure of vulnerabilities. Because any effective spyware needs both access to and control over devices, and obtains both through such vulnerabilities, Professor van Daalen argued that states should introduce a “duty to disclose” them. Advocating a two-step approach to accomplish this goal, he testified that: (1) the European Union should clarify that researchers have a right to research vulnerabilities and share their findings without facing liability; and (2) by imposing a duty to disclose findings, states would close the loophole in which vulnerabilities are discovered but remain unpatched and exploitable.

Spyware, Democracy, and Electoral Processes

The last panel of the week consisted of three experts on the intersection of spyware and democracy. Krzysztof Brejza, a Polish politician, testified that he was targeted with Pegasus by his political opponents. Brejza’s testimony served as a powerful reminder of the invasiveness of this spyware: his personal data was extracted, doctored, and broadcast on national television. Giovanni Sartor, Professor of Law at the University of Bologna, spoke to the indirect harms caused by the proliferation of spyware. With its rampant use by states against journalists and other activists, spyware has created a chilling effect of self-censorship that pushes people out of the public sphere. Rounding out the two days of hearings was testimony from Iverna McGowan, the director of the European office of the Center for Democracy and Technology. McGowan highlighted how “hack-and-leak operations” and the “micro-targeting” of user data have affected electoral processes by exploiting political candidates; an example of the latter was the Cambridge Analytica scandal. She concluded her testimony by calling for an EU moratorium on the sale and transfer of spyware technology until more robust regulations are put in place.

Draft Report Commentary

On November 8, 2022, the European Parliament’s PEGA Committee rapporteur Sophie in ‘t Veld released a draft report presenting the committee’s findings in response to the ongoing inquiry into spyware use by EU member states and institutions. It’s worth emphasizing the Committee’s effort to comprehensively compile known information concerning spyware across the EU, including the purchase and use of spyware by member states, applicable domestic legal frameworks and oversight mechanisms currently in place, ongoing initiatives of seeking redress and public scrutiny, and active spyware vendors. This background information is crucial for future advocacy and litigation.

Nonetheless, we highlight at least four areas that should receive further consideration.

First, regarding the EU’s capacity, the draft accepts an overly broad legal limitation, or self-limitation, by saying “[w]hen member states…invoke ‘national security,’ the EU is basically out of the game,” and “[m]ember States define national security unilaterally, and can shut the door at any time” (page 144). While the report itself criticizes the EU’s reticent attitude toward member states’ conduct, the PEGA Committee does not have to accept such a premise. Article 4(2) of the Treaty on European Union provides that “national security remains the sole responsibility of each Member State,” but this does not mean that EU member states enjoy carte blanche in conduct aimed at national security. To this end, the draft report does recommend prior judicial authorisation for spyware, a right to notification for targeted citizens, and limits on the duration of surveillance (para. 588). However, merely recommending the circumstances under which surveillance is acceptable obscures the human rights requirements imposed on state surveillance. Under the ICCPR, as well as the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union, restricting freedom of expression and other fundamental human rights for “national security” purposes can still violate human rights by failing the legality, necessity, or proportionality requirements (para. 430). The EU can and should intervene in a member state’s decision-making when it comes to conduct that violates human rights, regardless of whether it is aimed at national security.

Second, although the draft report acknowledges that the European Court of Human Rights has instituted a legality, necessity, and proportionality framework for assessing the use of spyware, the report evades any application of that framework to actual instances of surveillance (para. 442). This is likely because, as Prof. Kaye reiterated in his testimony, there is serious doubt that surveillance technologies with the characteristics of Pegasus can ever meet the tests of international human rights law. Pegasus indiscriminately accesses, or has the capability to access, all information on a device, which is likely never proportionate to the state interest being pursued. Data-minimization efforts intended to satisfy the proportionality requirement would likely fail as well. Conventional surveillance methods like wiretapping capture a single channel, so minimization at the point of collection by law enforcement or intelligence agencies can make the surveillance more targeted; the scope of information accessed by technologies like Pegasus is far more expansive, as the tool takes control of the whole device rather than one communication channel. The indiscriminate nature of Pegasus-like tools makes data minimization for this type of spyware practically impossible. Because regulation would not be effective, the PEGA Committee should pursue, or at least study the feasibility and efficacy of, a ban on the use, trade, export, and import of Pegasus-like spyware by EU member states.

Third, we echo the PEGA Committee’s call for the immediate adoption of a moratorium on the “sale, acquisition, transfer, and use of spyware” (para. 586). Under the report’s scheme, exceptions to the moratorium would be granted only where the European Commission determines that a member state applying for an exception meets all the required conditions. Key among these requirements are the completion of a thorough investigation of alleged spyware use that violated human rights and a demonstration of effective safeguards against future abuse of spyware. However, the success or failure of this scheme depends largely on the actual investigative tools at the Commission’s disposal. For example, what metrics are available for the Commission to greenlight the effectiveness of the applicant state’s regulation and legal framework, and how will the Commission’s independence and impartiality be guaranteed in the assessment? These questions are difficult, given the demonstrated incentives for states to abuse spyware, and we suspect that, for Pegasus-type spyware, the former question cannot be answered. We nonetheless hope the final report grapples with these questions.

Fourth, the PEGA Committee’s recent invitation of José Javier Olivas and Gregorio Martín, two individuals accused of trying to discredit surveillance allegations against the Spanish government, to the country hearing on Spain raises concern about political influence on the Committee, which would hinder it from achieving its purpose. We hope that the Committee will improve its procedural rules to insulate itself from political influence and bring more transparency to the selection of speakers.

What’s next? 

The PEGA Committee will continue to hold hearings with experts, host presentations of relevant studies, and engage in other fact-finding endeavors leading up to the publication of the final report by rapporteur Sophie in ‘t Veld. The final report is scheduled to be published in March 2023. Following the conclusion of the PEGA Committee’s mandate, the committee should: (1) request that the parliaments of the member states concerned cooperate with the findings by implementing the recommended regulations; (2) urge the European Parliament and Commission to codify the recommendations into EU law; and (3) monitor the action taken on the results of the published report and continue to report on implementation progress (Rule 208(13) of the European Parliament’s Rules of Procedure).

Given the impact of the PEGA Committee’s findings on states’ use of spyware, civil society should carefully monitor the Committee’s work and report on compliance with its findings, so as to effectively restrain the private surveillance industry in service of human rights.

The European Parliament’s PEGA Committee: A Regional Effort to Constrain Spyware Technology