Written by Adrianna Lisek
Recently, the topic of surveillance has come up in discussion panels. All this is due to the increasingly widespread reports reaching us of the use of the now-famous PEGASUS system. This system was used, for example, in Poland to monitor a prosecutor, a lawyer, and an opposition senator (TVN 24, 2021).
The PEGASUS system has been the subject of extensive discussion at the EU level, among others. The European Data Protection Supervisor has published a report on the use of the system and the need for appropriate legislative steps taken at the European level.
The European Data Protection Supervisor report
The report reveals PEGASUS is a unique device. The European Data Protection Supervisor has noticed that PEGASUS needs regulation, which is similar to a “government Trojan ” and “online searchers”. The functioning of all these operating systems might be a subject of constitutional concern(European Data Protection Supervisor, 2022). A previously similar concern was raised by Privacy International in Germany in front of the German Constitutional Court. During the case, the Court was examined by using spyware in criminal investigations. Concerning the facts presented, it is important to cite the amendment to the Criminal Code that took place in 2017. This amendment provided a wide range of investigative methods including the possibility of integration in technical systems. It was required to be installed and after that activity, authorities could read all data. The system is called “state Trojans”. As a PEGASUS, state Trojans also are a danger for privacy and safety. The most important fact, in this case, is that Trojans are enabled to get all access to mobile phones and to invigilate by using cameras andmicrophones. It also allows deleting all traces of use. In the case of using Trojans by authorities in Germany, the following conclusions were put forward. Firstly, using Trojans interferes with the highest human value, which is the right to privacy. The right to privacy is guaranteed by human rights law. Secondly, it might significantly affect the security of IT systems that are functioning in every state. The last argument cited in the statement was inconsistent with the most important principles like proportionality. The case has shown that the issue of surveillance has been discussed before. The PEGASUS system has already intensified the discussion around privacy and the dangers of government overreach. (Privacy International, 2021.)
As it was mentioned before, the PEGASUS system can bypass all known data communication systems. This is one of the arguments for regulating its access and use. What is worth mentioning is already regulated access to PEGASUS. The NSO Group provides this product only to government customers which are characterized by the rule of law (The Guardian, 2021),
According to NSO Company, spyware like PEGASUS helps the government in the prevention of terrorism including terrorist attacks like bombing. Despite the company’s official statement, another side of this software has been discovered. The report states that citizens of the European Union have been spyed on. It is confirmed by the surveillance carried out in Poland. Through PEGASUS, observation of a lawyer, a prosecutor, and an opposition senator was carried out.
The report said that surveillance legislation is already regulated by almost every member state of the EU. All regulations must comply with the preliminary human rights and European law. Despite that, the cases about surveillance, especially in a digital way, were subject to the European Court of Justice (European Data Protection Supervisor, 2022).
The question which was asked in the report was whether the member’s state can use PEGASUS legally. According to the report, PEGASUS was introduced to the public as a law tool. The second question which was asked in a published report was if the European Union allows using similar techniques even for a fight with criminal issues. History has shown to all European citizens that crimes like terrorism threaten all of Europe. Steps like prevention are necessary. According to the legal regulations cited in the report (Article 52(1) of the EU Charter of Fundamental Rights), fundamental rights and freedoms may be limited if there is an overriding reason of general interest. The prevention of terrorism undoubtedly constitutes such an interest (European Data Protection Supervisor, 2022).
The main object of the analysis provided by the European Data Protection Supervisor was to introduce the possibilities which may be implemented in the future. The report presents eight steps and measures. Firstly, the European Data Protection Supervisor emphasizes the necessity of providing safety for the citizens. This is to be ensured through a promise, not to export cyber-surveillance items to countries that do not obey a law- especially fundamental human rights. The PEGASUS is not only risky for fundamental rights but also the maintenance of democratic and rule of law states.
Some of the proposals will be presented below:
- EU states should reinforce to democratic oversight over surveillance measures. The states should provide more impactful measures which will be taken by protection authorities.
- The implementation of the legal framework on data protection. This proposal is related to enforcing the Law Enforcement Directive.
- Using PEGASUS as a justification for providing security, while in reality concealing political surveillance
- The object of publishing this report was to start a discussion about using spyware tools like PEGASUS across the EU. It raised a question about privacy, how governments and other authorities may interfere in private life. The discussion shows how important are human rights in the ever faster digital world (European Data Protection Supervisor, 2022).
Actions now undertaken by the European Union might be not enough to ensure abide by human rights. Recently in publicity, it was heard about invigilation by using PEGASUS the prime minister of Spain – Pedro Sanchez, and the defense Minister – Margarita Robles. The phone of the prime minister was invigilated in May and June (Guardian, 2022). Still using PEGASUS by different authorities or unknown persons will not provide us as citizens, security, and trust in local and government authorities. Beyond varied statements like the UN human rights chief, every single institution underlines the necessity of legal regulation of using pegasus. Taking legal action will be a very important step in controlling the use of this surveillance, but on the other hand,that legal action may be delayed. According to the Charter of Fundamental Rights of the European Union, everyone is guaranteed the right to the protection of their data. The use of this data shall be subject to the consent of the person concerned or other legitimate grounds. The seriousness of this provision is also demonstrated by its position in the Charter. It appears at the beginning (Article 8) (Charter of Fundamental Rights of the European Union, 2012/C 326/02). The unjustified surveillance of politicians and journalists that has taken place in various EU countries violates not only the right to protection of personal data but also the right of everyone to respect private and family life. When a phone is infected with PEGASUS, the operator of the phone immediately gains access to all the data, including the most sensitive.
The use of modern and at the same time similar surveillance technologies to PEGASUS was also the subject of a case before the European Court of Human Rights. According to the Court’s jurisprudence, the development of new technologies makes States obliged to inform their citizens in the field of surveillance possibilities. The right to privacy is also regulated by the Universal Declaration of Human Rights (UDHR)
The increasing use of this system is undermining public confidence in the state, as well as the fundamental rights that every human being is guaranteed, including the rights I mentioned earlier. It should be noted in these considerations that the lack of trust is compounded by the fact that it is not only politicians who are subject to surveillance. PEGASUS was used to surveillance Ahmed Masoor. He is a human rights activist. What is more, the spyware was used by hacking the mobile phone of a journalist Szabolcs Panyi. He is a very famous investigative journalist in Hungary and repeatedly been rewarded for his work. His phone was infected during his job on a very important article. The spyware was also activated for tracking Arabian journalist – Jamal Khashoggi (Peltola, 2021).
This report is an important element in the process of legally regulating the use of not only PEGASUS but also other similar tools. It is important that the EU has recognized the growing problem and has taken decisions to find a solution. However, EU regulation should concentrate strongly on the control mechanism not only for surveillance systems but also for new tools. It is, therefore, essential to draw up such regulations that they are fairly universal and also guarantee legal certainty and security. This is undoubtedly one of the major challenges facing the EU.
The PEGASUS case has become one of the top priorities of EU policies. Recently the EU parliament has decided to spark an investigation (Killeen, 2022). Next week the EU Parliament will approve the launching committee to use the PEGASUS spyware across the EU. The main aim of the appointed committee is to investigate the purchase of PEGASUS spyware in a member state. In particular, the ‘watching brief’ is intended to cover countries with problems of compliance with the rule of law – Hungary, Poland (De Filippis, 2022) . The investigation will focus, among other things, on the use of spyware in earlier attacks on mobile phones used by politicians, journalists, and government officials (Rueckert, 2021). The group will consist of 38 members. Apart from talking about PEGASUS the committee will be discussing the role of technology in Europe. All this is happening because of an investigation by a consortium of media that disclosed the use of PEGASUS spyware to eavesdrop on politicians like President Emmanuel Macron. However, the inquiry committee is not appointed very often. The PEGASUS case was the subject of discussion in 2021. The Parliament’s Renew group wanted to initiate an investigation but this initiative did not come to fruition (Killeen ,2022) Along with new speculations and discovered facts about illegal use of new software, it began to hold a PEGASUS inquiry. Aside from taking actions by the European Parliament, European Data Protection Supervisor, the European Commission undertakes its investigation relating to the possibility of breach of European law. Undoubtedly, the PEGASUS software is a new kind of danger for breaching fundamental rights and the EU needs proper regulations that ensure security, trust.