
Pegasus inquiry committee: Update before the summer break

Who uses the "Pegasus" spy software? Who has control over the data collected and the system itself? Who bears responsibility for human rights violations committed with the help of the software? A questioning of NSO representative Chaim Gelfand in the "Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware" last week provided only inadequate answers to these questions.

The Committee of Inquiry, of which I am a member and shadow rapporteur, is initially limited in time to 12 months – in this short period of time, we as Members of Parliament must compile our findings and recommendations. Here is a first interim report.

At the beginning of our work, we mainly wanted to deepen our knowledge of how spyware works, how it is used and how to control its use. For this purpose, we invited independent experts who could answer many of our questions. Representatives of big tech companies such as Google, Meta and Microsoft then told us how security breaches in their systems can be exploited to obtain the data of the targets – who are sometimes human rights defenders, journalists or opposition representatives. Companies such as NSO, Hacking Team or Candiru, which produce surveillance software, rely on security holes in devices, programmes and systems (so-called "exploits"), which they use to gain access to data. To do this, they either search for these “exploits” themselves, buy the information from third parties, or use publicly known vulnerabilities that have not yet been addressed by big-tech companies. The "exploit" business is still largely uncontrolled and urgently needs to be regulated.

NSO rejects responsibility

In a next step, in May and June, we interviewed experts and representatives of relevant actors in the field of spyware, such as representatives of big tech companies or scientists and journalists who have been dealing with surveillance software and the consequences of its use for years. Topics included the extent of the illegal use of spyware by government agencies and how this abuse can be stopped as soon as possible. However, no one was able to give us an exact answer to the question of how widespread the illegal surveillance of civilians and politicians by means of surveillance software actually is – there is a huge number of unreported cases. Casting some light on this matter is part of our mandate. Hopefully, by the end of its term, the investigative committee will have obtained more information about the extent of the misuse of surveillance software, e.g. regarding the number of people affected, the number of surveillance software products that are misused by government agencies, and the extent to which such software can invade privacy.

The questioning of Chaim Gelfand, who is "General Counsel" and "Chief Compliance Officer" at NSO Group (which produced "Pegasus"), therefore built on our previous findings. However, the NSO representative refused to address many of our questions about specific cases and customers, citing trade secrets and the national security interests of his clients. Thus, he would not comment on the types of cases in which Pegasus is used, nor on who has access to the data collected and the system itself. He also dismissed questions about his company's responsibility for human rights violations committed with the help of the software: in some cases, he even declared that the evidence for such human rights violations was insufficient and insisted that NSO bore no responsibility for the activities of its customers.

He was also unable to provide satisfactory answers to my questions. There were, however, some interesting statements: According to Gelfand, NSO currently has a total of slightly less than 50 customers, which includes more than five EU member states. In the past two years, NSO has terminated the contracts of eight customers, including at least one EU member state.

Gelfand also advocated regulating spyware like weapons. NSO has reiterated several times that it would welcome regulations on the use of spyware. This would relieve companies of the burden of having to come up with such rules on their own and would clearly define who should be held accountable for which type of violations.

Gelfand also stated that it is grounds for termination for NSO if a country does not give the company permission to examine possible violations of the rules. An example of such a violation would be the unauthorized monitoring of telephone numbers using the "Pegasus" software. However, he was unable to tell me with absolute certainty if this had already been the case with an EU country. I told him that the next time he was invited to a committee of the European Parliament, he should be better prepared to answer questions specifically about the EU.

We need rules, transparency and control

Overall, it is clear: NSO's repeated declarations regarding its commitment to human rights turn out to be window dressing when looking at things more closely. There is little sense of responsibility with regard to the possible misuse of the software. For NSO, economic interests are clearly more important; the company even blocks the analysis of cases already proven – and continues selling its products to countries such as Saudi Arabia, Rwanda or Hungary.

Relying on the manufacturers of spy software to prevent abuse would therefore be naive. The recommendations we receive from the (cyber)security community are clear: The use of such systems, which interfere with fundamental rights, must be severely restricted, regulated and placed under democratic control. This requires international rules, transparency and more rights for parliaments – regarding the entire "life cycle" of spy software, including funding, production, sale and use. Until then, there's still a long way to go. That's why we must consistently sanction the misuse of spy software – and temporarily ban its sale.
