Multiple European governments are using advanced surveillance tools to spy on their own people, according to a damning new European Parliament report. “EU Member States have been using spyware on their citizens for political purposes and to cover up corruption and criminal activity,” the report reads. “Some went even further and embedded spyware in a system deliberately designed for authoritarian rule.”
The European Parliament launched this inquiry after the 2021 publication of the Pegasus Project, a spyware investigation led by 16 media outlets around the world. Reporters found that governments had targeted more than 50,000 phone numbers worldwide using the surveillance tool Pegasus, made by the Israeli company NSO Group. Individuals on the list included editors and reporters at CNN, the New York Times, Reuters, and France 24 as well as human rights activists, lawyers, and people close to Jamal Khashoggi, the journalist the Saudi Arabian government murdered in 2018. The report makes it clear that though we hear most often about this technology being used by authoritarian governments like China and Iran, democracies engage in spyware abuses, too. Curtailing surveillance harm around the world requires confronting this reality and pushing democracies to uphold a higher standard of behavior.
Spyware makes it possible to secretly track and pull information from a device. Once the software accesses a target’s phone or computer, whoever installed it can pull texts and emails, download every photo on the device, and even track the device’s GPS location. Abusive individuals have used spyware—often dubbed “stalkerware” in this context—to surveil, torment, and even physically harm other people, including their current and former intimate partners. (Disturbingly, 1 in 10 Americans admit to having installed stalkerware on their partner’s or ex’s device, according to a 2020 NortonLifeLock poll.) Governments use spyware, too, silently watching their targets for a range of law enforcement, intelligence, and/or repressive purposes.
Pegasus, the predominant focus of the European report, enables users to quietly siphon passwords, contact lists, calendar events, text messages, live voice calls, and other data from a target’s phone. It even lets the software operator turn on the phone’s camera and microphone to watch the person and their surroundings. And forget tricking a person into clicking on a link; Pegasus can leverage “zero-click” exploits to install the malware with no user interaction at all, which makes it virtually impossible for the average user to know when they are first being watched.
NSO Group, the Israeli company that makes Pegasus, notoriously shows zero regard for human rights. The University of Toronto’s Citizen Lab has published numerous investigations revealing Pegasus’ use by repressive governments all over the world, targeting a UAE human rights defender, a Saudi activist, and more; supporters of Mexico’s soda tax were even targeted by what might have been a commercial actor. Members of European Parliament had plenty of reason, then, for grave concern when the 2021 Pegasus Project spotlighted the targeting of European citizens
While one could imagine legitimate spyware use cases—such as targeting foreign officials for traditional espionage purposes, carefully controlled and overseen—the activities detailed in the European Parliament report highlight undemocratic surveillance designed to repress expression and political competition. It found that Polish officials bought Pegasus in 2017, in part using funds meant for victims of crimes, before targeting numerous opposition figures with the spyware. The Hungarian government bought Pegasus in 2017 after meeting with Polish Prime Minister Mateusz Morawiecki and former Israeli Prime Minister Benjamin Netanyahu. Though they claim it was used for purely national security reasons, Hungarian authorities targeted over 300 people, from lawyers and journalists to high-profile business owners, activists, and an opposition politician, according to the report.
The list goes on: security personnel in Greece bought spyware called Predator, believed to be from North Macedonian company Cytrox, and used it against political figures domestically. Officials in Cyprus acquired surveillance technology from European company Intellexa Alliance, a seeming umbrella organization for Cytrox, and, reportedly, illegally tracked over 9.5 million mobile devices. Spanish authorities appear to have targeted people in Catalonia with NSO Group’s Pegasus.
The governments could have acquired these spyware technologies to investigate threats of violent extremist attacks or prosecute actual criminal offenses. They also could have used it for what looks like traditional, country-on-country espionage: For example, Moroccan authorities supposedly targeted the Spanish prime minister, minister of defense, and interior minister using Pegasus. Instead, the report indicates many of these European governments quietly purchased spyware specifically to target critics and opponents at home.
Investigators didn’t pull any punches: The report authors wrote that the abuse of spyware “mercilessly exposes the immaturity and weakness of the EU as a democratic entity.” The EU’s “internal market and free movement” have benefited the spyware trade, the report says, with some vendors even using the phrase “EU-regulated” to masquerade their unregulated surveillance activities as responsibly controlled—which they are certainly not. Even though some of the report’s findings had already been reported, it still comes as a strong and, for some, shocking reminder. For all that the U.S. and European countries may talk about “techno-democracy” and the importance of privacy, democratic governments abuse spyware, too.
There is a clear and considerable difference between spyware and surveillance abuses in democratic countries and those in many autocracies. Russia’s parliament, essentially a rubberstamp for the Putin regime, would never conduct any real investigation into government surveillance abuses; likewise, there is no world in which this kind of several-hundred-page investigation into state-driven privacy abuses would happen in modern-day China. The rule of law and the existence of relatively independent media, among many other factors, provide much more space for scandal and reform.
But that is exactly why the EU’s report on spyware abuses is a vital reminder. Some nominally democratic governments are using spyware to target opposition politicians, journalists, and others under the false pretense of fighting crime or protecting national security. This undermines privacy and political expression. It also undermines democracies’ messaging on fighting autocratic surveillance. And, in doing so, some of these governments are helping prop up a market for surveillance tools and helping to pay, here, a company widely known to sell the very same technology to despots. The report actually praised the U.S. government for its actions against spyware—though American officials can still do more domestically and should also increase their efforts with partners in Europe and elsewhere to ensure these kinds of activities do not occur.
Controlling this technology is extremely difficult, as the kinds of export controls that governments place on physical goods, like weapons and chemicals, don’t translate in the same way to software. But to truly fight to protect privacy in the modern age, democracies must also get their own houses in order.