The European Union Data Protection Supervisor (EDPS) has called for the EU to ban Pegasus, the controversial mobile spyware made by NSO Group, and similarly capable surveillance tools.
NSO Group has sold the Pegasus spyware for years, and Citizen Lab reported in 2018 that it was being used to spy on smartphones in the US and Canada. But criticism mounted in 2021 after Forbidden Stories and Amnesty International formed The Pegasus Project to reveal the extent of the tool’s usage.
The Pegasus Project said it had evidence that Pegasus was used to target devices owned by journalists, activists, and political leaders despite NSO Group’s claims to the contrary. WhatsApp CEO Brian Acton—whose company has sued NSO Group because one version of Pegasus exploited a flaw in the WhatsApp client—then said the spyware also targeted US allies.
These revelations led Apple to sue NSO Group, prompted the US government to add the company to the Entity List in a bid to prevent it from using American technologies, and pushed Israel to restrict the export of hacking tools like Pegasus. Now the EDPS has joined the chorus of complaints in the Preliminary Remarks on Modern Spyware report (PDF) published today.
“The mounting evidence shows that highly advanced military-grade spyware like Pegasus has the potential to cause unprecedented risks and damages not only to the fundamental rights and freedoms of the individuals but also to democracy and the rule of law,” EDPS says. “Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy. This fact makes its use incompatible with our democratic values.” (Emphasis theirs.)
EDPS advocates for “a ban on the development and the deployment of spyware with the capability of Pegasus” in the EU. (Note that it doesn’t simply want Pegasus itself banned; it wants anything with similar capabilities to be banned as well.) Barring that, EDPS offers eight “steps and measures as a guarantee against the unlawful use” of surveillance tools:
- Strengthening of democratic oversight over surveillance measures.
- The strict implementation of the EU legal framework on data protection.
- Judicial review, both ex-ante and ex-post, should be real; it cannot be a mere formality.
- Strengthening of the protections offered by the criminal procedure.
- Reducing the risk that data originating from such undemocratic and abusive surveillance practices reaches the database of the Union.
- Stop (ab)using national security purposes for legitimising politically motivated surveillance.
- Addressing the rule of law problems.
- Empowering civil society to bring awareness and public debate forward.
Those are just the headlines; EDPS has more details about each measure in the full report. “With this document, the EDPS would like to contribute to the discussion on whether spyware tools like Pegasus should have any place in a democratic society,” the watchdog says. “At the centre of any such discussion, should not only be the use of the technology itself, but the importance we attribute, as a society, to the right to privacy as a core element of human dignity.”
