Project: Secrecy

Close
Mercenary spyware

Europe’s Watergate

As Putin is waging war on the free world, our democracy is under attack from the inside as well.

In summer 2021, the Pegasus Project, a collective of investigative journalists, NGOs and researchers, revealed the large scale abuse of mercenary spyware against a range of political targets. The list of victims included some 50.000 names, among them politicians, even heads of state, journalists, lawyers, prosecutors and activists. The most dramatic case may well be that of Jamal Khashoggi, the Saudi journalist, who was savagely murdered for his criticism of the Saudi regime.

However, after a short wave of outrage over the spyware scandal, the focus quickly returned to the summer holidays. It was not until fresh revelations in autumn about the use of Pegasus spyware by the Polish government against government critics, that our call for an inquiry got a majority in the European Parliament. The inquiry committee by the name of “PEGA” started its work in March 2022, and is expected to conclude within twelve months.1

Halfway through PEGA’s term, it has become clear that the use of mercenary spyware in the European Union can easily be labelled Europe’s Watergate. Indeed, the image that emerges bit by bit, far exceeds the original Watergate. It goes way beyond the simple eavesdropping by governments on the occasional political opponent.

Mercenary spyware is a key tool in the toolkit of governments for monitoring, gathering compromising information, blackmailing, discrediting, intimidating, manipulating, and even planting fabricated evidence, against opponents, critics, or persons who aim to expose corruption and crime.

Spyware may even be used to collect “Kompromat” on members and allies of the government party, just to secure their loyalty.

The use of mercenary spyware may be combined with “official” surveillance by public authorities, mainly secret services, and legitimised with flimsy or phoney judicial authorisation procedures, invoking “national security”, mainly as a fig leaf for refusing transparency and accountability. Legal remedy does not exist in practice. Governments may also use proxies to do the spying on their behalf, so it will not leave any government fingerprints.

In addition to spyware, various other spying services are on offer in this obscure market, involving both traditional and technological surveillance methods, promoted with smooth names like “Creative intelligence”, “Cutting edge analysis and research”, “Tailored solutions for governments”, etc. Spying is a booming business, but the sector is opaque and elusive, and largely escaping scrutiny and control.

So far we have a learned about several EU member states where citizens have been targeted with spyware by their governments. In Poland, Hungary and Spain, victims had been targeted with Pegasus spyware. In Greece, Predator was used against journalists and opposition politicians, though the government vehemently denies the purchase and use of spyware. We know that fourteen EU member states had bought Pegasus, and it is likely all member states are using one or another brand of commercial spyware. They may acquire it via proxies and middlemen, or through personal contacts, so to avoid leaving any government fingerprints.

Moreover, many EU countries are central to the global trade in mercenary spyware. Cyprus and Bulgaria are export hubs. Prague hosted the largest spyware vendors gathering ISS World (also dubbed “The wiretappers ball”). Spyware manufacturers and vendors are established in several member states (Italy, France, Austria), some with opaque connections to non EU countries like Russia. Ireland and Luxemburg are the preferred locations for the fiscal and banking side of business. Spyware vendors based in the EU benefit from the internal market, free movement, and the reputation of respectability and reliability of the EU.

The use of mercenary spyware within the EU is a profoundly European issue for other reasons as well. It affects directly the main EU institutions, and thus risks compromising the democratic decision making process. Several members of the European Parliament were targeted directly, and the “by-catch” consists of all their contacts in the European Parliament and beyond. Members and officials of the European Commission have also been targeted with spyware. And many of the likely perpetrators (and a few targets) are members of the Council and the European Council.

If the use of spyware has influenced the outcome of national elections, it means even the composition of the Council is impacted. In addition, EU law is affected, not least the General Data protection Regulation, but also the Charter of Fundamental Rights, the e-Privacy Directive, the Dual Use Regulation on exports, as well as rules on cybercrime, corruption and extortion, and more.

Does this sound like far-fetched fiction that even Orwell would have dismissed as too implausible a plot? That may be because most Europeans only have the keyhole perspective of the national media. It is perceived mostly as a national political scandal. But the narrow prism of national politics prevents a proper understanding of the dimensions and impact of this truly European Watergate scandal.

When the US found that Pegasus had been used against US citizens, they were not amused and they took swift and determined action. The NSO Group was blacklisted, the FBI started an investigation and a legal ban on commercial spyware is in the pipeline. In several EU member states parliamentary or judicial inquiries have been launched (though they are generally being stonewalled by the governments).

Meanwhile, tech giants like Apple and Microsoft have launched legal challenges against spyware manufacturers, and victims are suing as well. The European Parliament has set up the PEGA inquiry committee. In stark contrast to all this activity, there is a deafening silence from the European Council of government leaders, and the European Commission is desperately trying to downplay the whole thing, whereas Europol has so far failed to act and claims this is a national responsibility.

This shows the Achilles heel of the European Union: its intergovernmental institutional architecture is totally not designed for this kind of situation. Whereas the US was able to tackle the Watergate scandal within its federal structures, the EU lacks the powers to investigate or prosecute or indeed impose rules and standards. And national governments like to keep it that way. They deliberately keep Europe weak and powerless. In the European Parliament there are calls for strict regulation of the use of spyware. However, the other EU legislator, the Council, is made up of representatives of the national governments. It is not very likely they will be very keen to impose European rules on themselves.

And yet it is essential that they do. Europe is no less immune to authoritarian or kleptocratic tendencies than any other part of the world. Under pressure of various crises, European integration has accelerated and Europe is rapidly evolving as a geopolitical power, taking decisions on our security, health, heating and eating, livelihood and survival of the planet. These are fundamentally political, not technocratic issues. Europe as a political union needs very solid democratic foundations, or it will disintegrate. The spyware scandal is an attack on European democracy, not a mere national issue.

This is our Watergate moment.


Footnotes

  1. Text of the mandate of PEGA[]

See also