The European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms.

What is Pegasus?

On July 18, 2021, a group of 17 newspaper and media organizations, aided by Amnesty International’s Security Lab and the research group Citizen Lab, revealed that one of the world’s most advanced and viciously invasive spyware tools had been used to hack, or attempt to hack, into 37 mobile phones owned by human rights activists, journalists, political dissidents, and business executives.

This spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents. Pegasus is designed to compromise almost any smartphone running iOS or Android, and an operator needs only very basic targeting information, such as the victim’s telephone number, to attempt an infection. Once installed, Pegasus effectively turns the smartphone into a 24/7 surveillance device by gaining complete access to all sensors and information on it, including messages before they are encrypted for sending, geolocation, the camera, and calls. As Amnesty International’s Security Lab put it:

“Pegasus can do more than what the owner of the device can do.”

For an in-depth look at Pegasus, have a listen to our podcast about the world’s most coveted spyware, Pegasus: Lock and Code S03E04.


What is the EDPS?

The European Data Protection Supervisor (EDPS) is the European Union’s (EU) independent data protection authority. The EDPS is an increasingly influential supervisory authority that aims to provide requested as well as unsolicited advice to EU institutions and bodies on all matters relating to the processing of personal data.

Besides monitoring and ensuring the protection of personal data and privacy when EU institutions and bodies process the personal information of individuals, one of the EDPS missions is to monitor new technology that may affect the protection of personal information.

Level of intrusiveness

The EDPS is convinced that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

The EDPS warns against regarding Pegasus as just another law enforcement interception tool; it is a hacking tool that has to be seen as a government Trojan in the form of a permanent backdoor. Unfortunately, Pegasus is not the only spyware tool of this type that is marketed as a law enforcement tool. However, Pegasus is considered a game-changer that renders existing legal and technical safeguards ineffective and meaningless.

EU law

Targeted surveillance is regulated in the national legislation of virtually every EU member state. But Article 52(1) of the EU Charter of Fundamental Rights requires that any limitations on the exercise of the fundamental rights and freedoms of the individual are proportionate and necessary. Such limitations must in any event be provided for by law and respect the essence of the fundamental rights and freedoms as recognized by the Charter.

The EDPS considers that only in cases of a very exceptional nature could the use of Pegasus meet the requirements of proportionality, and that even in those cases less intrusive surveillance tools would be preferable. Information gathered with the help of Pegasus and similar tools is therefore likely to be considered inadmissible in a court of law. In addition, many forensic experts may not have the knowledge needed to identify and examine such highly advanced technology developed by private companies.

The advice

In its conclusion, the EDPS states that:

“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy. This fact makes its use incompatible with our democratic values.”

The EDPS therefore believes that a ban on the development and deployment in the EU of spyware with the capabilities of Pegasus would be the most effective option to protect our fundamental rights and freedoms.

It goes on to provide a list of steps and measures to block the unlawful use of Pegasus and similar tools:

  • Strengthen democratic oversight of surveillance measures.
  • Strictly implement the EU legal framework on data protection.
  • Ensure that judicial review of surveillance order applications is not a mere formality.
  • Outlaw the use of highly intrusive hacking tools in criminal procedural law.
  • Reduce the risk of data gained by such methods reaching the databases of the European Union (e.g. Europol).
  • Stop (ab)using “national security” purposes to legitimize politically motivated surveillance.
  • Address deficiencies in the rule of law that create grounds for abuse of secret surveillance.
  • Raise awareness and foster public debate to support and empower civil society.

By publishing this document, the EDPS has made its contribution to the public discussion of whether there is a place for spyware tools like Pegasus in a democratic society.

The ban

Given that some EU member states are listed as NSO Group customers, the reason for requesting this ban is clear. It should also be clear by now that the targets of Pegasus are not only terrorist organizations, drug cartels, human traffickers, pedophile rings, or other criminal syndicates, but also reporters, scientists, romantic partners, and potentially even heads of state.

But given how hard it is to detect such tools on affected devices, and, even when they are detected, to find out who is behind the infection, there will be people and organizations willing to take the risk of using them.

Stay safe, everyone!