PEGA Committee Calls for Limits on Commercial Spyware

A European Parliament committee investigating the abuse of commercial spyware tools such as Pegasus recommended a slew of new regulatory safeguards but dropped a preliminary call for a moratorium.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

In place of a continental pause on European Union member governments’ deployment of spyware that can surreptitiously infect smartphones to record the location, telephone calls and text messages of victims, the committee said governments should fulfil a string of conditions by the end of this year.

Committee members also condemned “major violations of EU law in Poland and Hungary” for those governments’ use of commercial spyware. In Hungary, spyware has been “part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government.” In Poland, the use of Pegasus has been part of “a system for the surveillance of the opposition and critics of the government – designed to keep the ruling majority and the government in power.”

“The European Commission and the Council have a moral duty to the citizens. If they continue to allow the illegitimate use of spyware in the European Union, then they are complicit to the destruction of democracy,” Sophie in ‘t Veld, a Dutch member of the European Parliament and rapporteur of the PEGA Committee, said during a Tuesday press conference.

The final recommendations of the committee also call for commercial spyware’s use only in exceptional cases that “present a genuine threat to national security.”

Among the conditions that governments should meet by Dec. 31 are to cease exporting commercial spyware unless the exports confirm with dual-use controls, fully investigate all alleged abuses of spyware, and prove that their deployment of commercial spyware is in line with European standards.

“There are more than sufficient indicators for, let’s say, illicit exports taking place from Cyprus, from Greece, from Bulgaria and possibly also from other countries,” in ‘t Veld said while also acknowledging that the committee had not found hard evidence of export control violations. “Do we have evidence? No, because none of the authorities are cooperating,” she said.

The European Parliament set up the PEGA Committee in March 2022 after reports surfaced that authorities in Poland, Greece, Hungary and Spain had deployed spyware against political opponents and civil society. The committee on Monday voted 30-5 to send the recommendations onward to a full session of the European Parliament. Two members abstained from the vote.

The committee also recommended that when governments deploy commercial spyware, they should attach a mandatory signature that identifies the authority that authorized it.

A preliminary set of recommendations released by in ‘t Veld in October called for a ban on government stockpiling of zero-day vulnerabilities except in highly limited cases (see: Zero-Day Hoarding Aids Advanced Spyware, PEGA Committee Told).

The final report instead calls on member states to develop a vulnerability equity process that by default discloses vulnerabilities.

In ‘t Veld said the conclusion of the probe does not mean that European Parliament’s work has been achieved. “Not one government has really been held accountable. Even if the inquiry has been concluded, we will ask questions and remain on top of this issue.”