Logo Assembly Logo Hemicycle

Pegasus and similar spyware and secret state surveillance

Report | Doc. 15825 | 20 September 2023

Committee
Committee on Legal Affairs and Human Rights
Rapporteur :
Mr Pieter OMTZIGT, Netherlands, EPP/CD
Origin
Reference to committee: Doc. 15373, Reference 4608 of 27 September 2021. 2023 - Fourth part-session

Summary

Since 2021, different investigative reports have revealed that governments of several Council of Europe member States have acquired and used a spyware called Pegasus. This spyware is a highly intrusive surveillance tool since it grants the user complete and unrestricted access to all data of the targeted mobile phone. There is mounting evidence that Pegasus or similar spyware have been used for illegitimate purposes by several member States, including against journalists, political opponents, human rights defenders. Some States have also exported it to authoritarian regimes outside Europe.

The Assembly should condemn the use of spyware by State authorities for political purposes, which amounts to a violation of the right to respect for private life and other rights guaranteed by the European Convention of Human Rights. The use of Pegasus-type spyware should be limited to exceptional situations as a measure of last resort, for genuine and serious threats to national security or specific and defined serious crimes.

States that have reportedly used Pegasus for illegitimate purposes should inform the Assembly and the Venice Commission about its use, conduct effective investigations and provide redress to victims. All member States should refrain from using this type of spyware until their legislative framework on secret surveillance is fully in line with the requirements of the Convention, as assessed by the Venice Commission.

A Draft resolutionNote

1. In July 2021, an international coalition of investigative journalists coordinated by Forbidden Stories, with the technical support of Amnesty International’s Security Lab (“the Pegasus Project”), published information about a leaked list of over 50 000 phone numbers identified as potential targets by clients of NSO Group, an Israeli company that developed and globally markets a spyware called Pegasus. This list included human rights defenders, political opponents, lawyers, diplomats, Heads of State and nearly 200 journalists from 24 countries. 11 countries around the world were identified as potential NSO clients, including two Council of Europe member States, Azerbaijan and Hungary.
2. Subsequent investigative reports, including by CitizenLab of the University of Toronto, have revealed that governments of several Council of Europe member States have acquired and used Pegasus for targeted surveillance of their own citizens. It is known that Pegasus was sold to at least 14 European Union countries, including Belgium, Germany (in a modified version), Hungary, Luxembourg, the Netherlands, Poland and Spain. There is strong evidence that Azerbaijan has also used it, including during the conflict with Armenia. Other member States have acquired or used similar spyware, such as Candiru and Predator. These tools have not only been used within the jurisdiction of member States but they have also been exported to third countries with authoritarian regimes and a high risk of human rights violations, including Libya (under the Gaddafi regime), Egypt, Madagascar and Sudan. These exports have potentially breached EU export rules.
3. The Parliamentary Assembly notes that Pegasus is a highly intrusive surveillance spyware, which grants the user complete and unrestricted access to all sensors and information on the targeted mobile phone. It turns the smartphone into a 24-hour surveillance device, accessing the camera and microphone, geolocation data, e-mails, messages, photos, videos, passwords, and applications. While some spyware require some action on the part of the victim, such as clicking on a link (for instance, Predator) or opening an attachment, Pegasus is installed through a so-called “zero-click attack”. Given its unprecedented level of intrusiveness into the private life of the targeted individual and all their contacts, the Council of Europe Commissioner for Human Rights and the European Data Protection Supervisor have expressed serious doubts as to whether its use could ever meet the proportionality requirement and therefore be human-rights compliant.
4. The Assembly shares these concerns and believes that the use of Pegasus-type spyware should be limited to exceptional situations as a measure of last resort, to prevent or investigate a specific act amounting to a genuine and serious threat to national security or a specific and precisely defined serious crime, and only targeting the person suspected of committing or planning to commit those acts. In order to limit such a high level of intrusiveness, States should take into account the proportionality of new spyware before acquiring and using them; they should also consider using spyware without some of the most invasive features of Pegasus or a version that is programmed in such a way that it limits access to what is strictly necessary.
5. The Assembly is deeply worried about mounting evidence that Pegasus and similar spyware have been used illegally or for illegitimate purposes by several member States, including against journalists, political opponents, human rights defenders and lawyers. Pegasus and other spyware have also been exported from member States to authoritarian regimes outside Europe, potentially in breach of European Union export rules. The Assembly welcomes the thorough investigation carried out by the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) leading to the adoption of a recommendation by the European Parliament on 15 June 2023. It notes in this respect that the PEGA Committee and the European Parliament have found that:
5.1 in Poland and Hungary, Pegasus surveillance spyware has been illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors, apparently as part of a system or an integrated strategy;
5.2 in Greece, it has been confirmed that a member of the European Parliament and a journalist have been wiretapped by the intelligence agency and targeted with Predator spyware, and media reports revealed further possible targets of Predator, including other high-profile politicians. Spyware appears to have been used on an ad hoc basis for political and financial gains;
5.3 in Spain, the Prime minister and other ministers’ phones were infected with Pegasus, allegedly by a third country (Morocco). 65 persons related to the Catalan pro-independence movement were allegedly targeted with Pegasus and/or Candiru, 18 of whom have been confirmed as lawful targets by the Spanish authorities;
5.4 Cyprus and Bulgaria serve as an export hub for spyware;
5.5 spyware companies are or were present in several member States, including Austria, Bulgaria, Cyprus, France, Germany, Greece, Ireland, Italy, Luxembourg, Romania and Switzerland.
6. The Assembly further notes that according to the “Pegasus Project” revelations, Azerbaijan has also used Pegasus, including against journalists, independent media owners and civil society activists. Recent reports have disclosed its use in connection with the Armenia-Azerbaijan conflict, against 12 persons working in Armenia, including an Armenian government official, in what appears to be an example of transnational targeted surveillance.
7. The Assembly unequivocally condemns the use of spyware by State authorities for political purposes. Secretly surveilling political opponents, public officials, journalists, human rights defenders and civil society actors for purposes other than those exhaustively enumerated in Article 8.2 of the European Convention on Human Rights (ETS No. 5, “the Convention”) (among which the prevention of disorder or crime and the protection of national security and public safety) amounts to a clear violation of the right to respect for private life (Article 8).
8. If the authorities invoke national security grounds as a justification for using spyware but their real purpose is to target and discredit an opposition politician or to intimidate and silence a human rights defender, the surveillance will give rise to a violation of Article 8 in conjunction with Article 18 of the Convention, which prohibits States from restricting rights for purposes not prescribed by the Convention itself. Such a misuse of power has a chilling effect on the exercise of other human rights and fundamental freedoms, including the freedom of expression (Article 10), the freedom of assembly and association (Article 11) and the right to free elections (Article 3 of Protocol No. 1 to the Convention (ETS No 009)). It may also undermine the integrity of electoral processes and free public debate, and therefore, the foundations of our democratic societies.
9. The targeting of journalists has an impact on the confidentiality of their sources and in turn on their freedom to impart information. The targeting of lawyer-client communications impairs the exercise of defence rights and the right to a fair trial guaranteed by Article 6 of the Convention, which is a fundamental principle of the rule of law.
10. The Assembly underlines that member States have both negative and positive obligations under the Convention. Positive obligations in this area should include the protection of individuals within their jurisdiction from unlawful targeted surveillance by non-State actors and third States (transnational surveillance). This should trigger at the same time a procedural obligation to effectively investigate all cases of alleged unlawful digital surveillance by third actors targeting persons living in the territory of a member State. The Assembly refers in this context to Recommendation CM/Rec(2016)3 of the Committee of Ministers to member States on human rights and business adopted on 2 March 2016, which recalls that member States have a duty to protect individuals against human rights abuses by third parties, including business enterprises.
11. The Assembly considers that the national investigative authorities and courts of the member States accused of spyware abuses must fully investigate and determine whether the use of Pegasus and similar spyware was lawful under domestic law and compliant with the Convention and other international standards. This implies assessing in each individual case whether the interference pursued a legitimate aim under Article 8.2 of the Convention and whether it was strictly necessary in a democratic society and proportionate to that aim. It also means ensuring that all victims of spyware-related abuses have access to effective remedies and redress. In this context, the Assembly urges:
11.1 Poland, to:
11.1.1 inform the Assembly and the European Commission for Democracy through Law (Venice Commission) about the use of Pegasus and similar spyware, within three months;
11.1.2 conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.1.3 refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.1.4 apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.1.5 comply with the opinion of the Venice Commission on the 2016 Police Act;
11.2 Hungary, to:
11.2.1 inform the Assembly and the Venice Commission about the use of Pegasus and similar spyware, within three months;
11.2.2 conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.2.3 refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.2.4 apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.2.5 implement without delay the judgments of Szabó and Vissy and Hüttl, as required by the Committee of Ministers in the exercise of its powers under Article 46.2 of the Convention;
11.3 Greece, to:
11.3.1 inform the Assembly and the Venice Commission about the use of Predator and similar spyware, within three months;
11.3.2 conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.3.3 refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.3.4 apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.4 Spain, to:
11.4.1 inform the Assembly and the Venice Commission about the use of Pegasus, Candiru and similar spyware, within three months;
11.4.2 conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.4.3 refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.4.4 apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.5 Azerbaijan, to:
11.5.1 inform the Assembly and the Venice Commission about the use of Pegasus and similar spyware, within three months;
11.5.2 conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.5.3 refrain from using blanket secrecy rules to deny access to information on the use of spyware to oversight mechanisms and targeted persons;
11.5.4 apply adequate sanctions, either criminal or administrative, in cases of abuse.
12. The Assembly considers that the Polish parliamentary election of 2019 was not fair as Pegasus was used against political opponents during the electoral campaign.
13. The Assembly calls on member States which seem to have acquired or used Pegasus, including Germany, Belgium, Luxembourg and the Netherlands, to clarify the framework of its use and applicable oversight mechanisms. It invites them to send this information, as well as any statistics on the use of Pegasus, to the Assembly and the Venice Commission within three months.
14. In order to prevent future abuses of spyware and human rights violations in Europe and beyond, the Assembly calls on all member States to:
14.1 ensure that their national laws on secret surveillance are in full conformity with the requirements of the European Court of Human Rights and the Venice Commission, with regard to quality of the law, authorisation procedures, supervision and oversight mechanisms, notification mechanisms and remedies, and review them if necessary;
14.2 ensure that the implementation of their legislative framework is effectively in line with the case-law of the European Court of Human Rights on targeted surveillance, with respect to legality, legitimacy, necessity and proportionality of any surveillance measure;
14.3 pending the assessment of their legislative framework and practice by the Venice Commission, refrain from using tools like Pegasus, Candiru, Predator or similar spyware;
14.4 in the mid-term, regulate specifically the acquisition and use of spyware by law enforcement and intelligence agencies, limiting the use of Pegasus-type spyware to exceptional situations as a measure of last resort, to prevent or investigate a specific act amounting to a genuine and serious threat to national security or a specific and precisely defined serious crime, and only targeting the person suspected of committing or planning to commit those acts. States should also establish oversight mechanisms, including parliamentary oversight, on the acquisition and use of spyware technologies, and incorporate an obligation to take into account proportionality considerations before acquiring and using new spyware;
14.5 criminalise the sale to and use of spyware by non-State actors;
14.6 ratify, if they have not yet done so, the Protocol amending the Convention for the protection of individuals with regard to the automatic processing of personal data (CETS No. 223) known as “Convention 108+”, which will apply to the processing of data for national security purposes, and already start implementing its standards in national law;
14.7 ratify, if they have not yet done so, the Convention on Cybercrime (ETS No. 185, “Budapest Convention”) and its Additional Protocols;
14.8 refrain from granting export licenses in respect of spyware technologies to countries where there is a substantial risk that those technologies could be used for internal or transnational repression and/or to commit human rights violations and revoke those granted in such cases;
14.9 join the Wassenaar Arrangement if they have not yet done so, and for States already participating in this arrangement, develop a human rights-based framework for the transfer of spyware technologies, according to which export licenses would require a human rights impact assessment of the recipient State and the companies’ compliance with the United Nations Guiding Principles on Business and Human Rights;
14.10 require that all spyware companies domiciled or conducting substantial activities within their jurisdiction apply human rights due diligence throughout their operations or in respect of such activities, in line with the CM/Rec(2016)3 of Committee of Ministers, and implement standards restricting public procurement contracts to only those companies which demonstrate that they apply human rights due diligence.
15. The Assembly asks the Venice Commission to assess the legislative framework and practice on targeted surveillance of all member States (in priority Poland, Hungary, Greece, Spain and Azerbaijan; and then Germany, Belgium, Luxembourg, the Netherlands and all the other member States), in order to assess if such framework contains adequate and effective guarantees against any possible abuse of spyware, having regard to the Convention and other Council of Europe standards. Given the level of intrusiveness of Pegasus and similar spyware, clear and precise legislation, robust oversight mechanisms, procedural guarantees and effective remedies must be in place before member States can continue using those tools.
16. The Assembly trusts that the evaluation and review mechanism foreseen in amending Protocol CETS No. 223 will ensure the monitoring of the implementation of the relevant provisions of Convention 108+ in the area of targeted surveillance for national security and law enforcement purposes, including the use of spyware.
17. The Assembly calls on:
17.1 Israel, which enjoys observer status with the Assembly, to:
17.1.1 strengthen its export control mechanisms to ensure that export licenses are denied or revoked with respect to spyware technologies where there is a substantial risk that those technologies could be used for internal or transnational repression and/or to commit human rights violations;
17.1.2 fully cooperate with investigations conducted by Council of Europe member States regarding the use of Pegasus and other spyware exported from Israel or sold by Israeli-based companies;
17.1.3 publish its framework on export control and inform the Assembly about it within six months;
17.2 Morocco, which enjoys partner for democracy status with the Assembly, to:
17.2.1 inform the Assembly within three months on whether it has used Pegasus or similar spyware at home and abroad;
17.2.2 launch within three months a fully independent investigation into the alleged use of Pegasus by State authorities against targets in Morocco and targets within the jurisdiction of Council of Europe member States;
18. The Assembly also calls on spyware and surveillance companies domiciled in Council of Europe member States or conducting substantial activities within their jurisdiction to apply human rights due diligence throughout their operations or in respect of such activities and improve transparency, in line with the CM/Rec(2016)3 of Committee of Ministers and the United Nations Guiding Principles on Business and Human Rights;
19. The Assembly invites the European Union to sign and ratify Convention 108+, make use of the Council of Europe’s expertise in this field, and engage with its relevant bodies in areas such as data protection, targeted surveillance and spyware, for the purposes of standard-setting, monitoring and co-operation.

B Draft recommendationNote

1. The Parliamentary Assembly refers to Resolution … (2023) “Pegasus and similar spyware and secret state surveillance” and recommends that the Committee of Ministers:
1.1 adopt a recommendation to member States of the Council of Europe on secret surveillance and human rights, particularly in the light of the threats posed by new surveillance technologies and spyware, taking due account of the highest international standards, the case law of the European Court of Human Rights and Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223, “Convention 108+). The recommendation should focus on:
1.1.1 the conditions for the acquisition of spyware by member States’ government bodies and agencies;
1.1.2 the conditions for the use of spyware technologies for law enforcement and national security purposes;
1.1.3 the conditions for the sale and export of spyware technologies to third countries;
1.1.4 authorisation procedures, supervision and oversight mechanisms, notification mechanisms and remedies applicable to the use of spyware by State authorities;
1.1.5 accountability mechanisms in cases of unlawful use of spyware;
1.1.6 human rights due diligence standards for spyware companies;
1.1.7 the transnational aspect of digital surveillance and the use of spyware;
1.2 examine the feasibility of a Council of Europe Convention on the acquisition, use, sale and export of spyware;
1.3 coordinate its efforts with other international organisations, including the European Union and the United Nations, in the areas of data protection, targeted surveillance and spyware, for the purposes of standard-setting and co-operation.

C Explanatory memorandum by Mr Pieter Omtzigt, rapporteur

1 Introduction

1. The present report is based on a motion for a recommendation tabled on 21 September 2021, which the Bureau referred to the Committee on Legal Affairs and Human Rights (the Commitee) for report on 24 September 2021.Note On 27 September 2021, the committee appointed me rapporteur.
2. The motion for a recommendation recalls that in mid-July 2021, the Forbidden Stories consortium and its international partners reported on a leaked list of 50 000 phone numbers that had been proposed by clients of the NSO Group as potential targets for NSO’s spyware product, Pegasus. “Many of the phones in question belonged to journalists, human rights defenders, opposition politicians, and foreign politicians. [...] Whilst the existence of Pegasus had already been known, the apparent scale and manner of its use by governments from around the world are shocking. Its potential impact on media freedom and democratic institutions is of profound concern”. The Pegasus revelations show that stricter safeguards against misuse of such technology by public authorities, especially those of oppressive and authoritarian regimes, are needed. The motion calls on the Assembly to prepare a report on the Pegasus revelations, with a view to making policy proposals to Council of Europe member States and other relevant actors.
3. In George Orwell’s dystopic novel 1984, all citizens’ houses and apartments are equipped with telescreens so that they may be watched or listened to at any time. Each person know they are being observed and it is a stark warning. The present spyware is far more intrusive: the citizen does not know if and when it is used and who uses it. Not only information which is present is transferred, but all data on the phone can be transferred. It is so intrusive that even Orwell did not go this far. Yet, this is the reality of our modern world and is part of the tools used against political opponents today.
4. During the preparation of this report, the committee held two hearings. The first one was held in September 2022 in Bern, with the participation of Tim Engelhardt, human rights officer at the Office of the United Nations High Commissioner for Human Rights, and Lars Patrick Berg, member of the European Parliament and its Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee). The second one was held in December 2022, when we had the opportunity to hear the testimony of three victims targeted with Pegasus or similar spyware: Krzysztof Brejza, member of the Polish Sejm for the opposition Civic Platform party, Diana Riba, a Spanish MEP from Esquerra Republicana de Catalunya party and Vice-Chair of the PEGA Committee, and Thanasis Koukakis, an investigative journalist from Greece. I have also met with other victims in my capacity as rapporteur. I have also taken into account the motion “Investigation into the illegal surveillance of foreign leaders, political opponents and activists in Poland” of 26 April 2023.Note
5. In this report, I will start by setting out the factual background concerning the reported allegations of misuse of Pegasus and similar spyware by Council of Europe member States, on the basis of different sources, including the findings of the PEGA Committee. I will then refer to the Council of Europe and other international legal standards that States may have breached as a consequence of the use of commercial spyware like Pegasus. I will finally present the proposals made by different international actors to prevent further abuse of Pegasus-type spyware and better address their impact on human rights.

2 The use of Pegasus and similar spyware by Council of Europe member States

2.1 The Pegasus spyware

6. Pegasus is a spyware developed and marketed by the Israeli company NSO Group. It can be covertly installed on mobile phones running most versions of iOS and Android. The earliest version of Pegasus, which was discovered by researchers in 2016, infected phones through what is called spear-phishing, text messages or emails that trick a target into clicking on a malicious link.Note Since then, Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. For instance, in 2019, WhatsApp revealed that Pegasus had employed a vulnerability in its app to launch zero-click attacks; the spyware would be installed onto a target’s phone by calling their phone, and the spyware would be installed even if the call was not answered. More recently, NSO has begun exploiting vulnerabilities in Apple’s IMessage software. Where neither spear-phishing nor zero-attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target device, or by gaining physical access to the device.Note
7. Once installed on a phone, Pegasus has been reported to be able to run arbitrary code, to extract contacts, call logs, messages, photos, web browsing history, settings,Note as well as to gather information from apps including but not limited to communication apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram and Skype.Note It can secretly turn a mobile phone into a 24-hour surveillance device, as it gains complete access to all sensors and information on the phone. It can read, send or receive messages that are supposed to be end-to-end encrypted, download stored photos, and hear and record voice/video calls. It has full access to the phone’s camera, microphone and geolocation module.Note In a way, the eavesdropping party can know more than the owner of the phone.
8. According to the European Data Protection Supervisor, Pegasus belongs to a new category of spyware tools that differ from “traditional” interception tools used by law enforcement authorities, in three aspects: it grants complete and unrestricted access to the targeted device; it is able to carry out a “zero-click” attack, not requiring any action by the user to be triggered; and it is very difficult to detect.Note Contrary to conventional wiretapping, which only allows for real-time monitoring of communications, this type of spyware can provide full, retroactive access to files and messages created in the past, passwords, and metadata about past communications.
9. NSO Group claims that Pegasus only collects data from the mobile devices of specific pre-identified individuals, suspected to be involved in serious crime and terrorism. In this respect, it is (according to NSO) similar in concept to a traditional wiretap and has helped to prevent terrorist attacks, break up paedophilia, sex- and drug-trafficking rings, or find and rescue kidnapped children. NSO licenses Pegasus to law enforcement and intelligence agencies of sovereign States and has no visibility into its usage and its customers’ targets.Note According to NSO, Pegasus is not able to delete or alter data on a mobile device. The company states that it requires human rights compliance clauses in all customer agreements, and that customers must commit to use NSO’s systems exclusively for legitimate and lawful prevention and investigation of serious crimes and terrorism. Once the company has completed its internal human rights due diligence procedure for the approval of customer engagements, the applications for export licenses must be approved by the Defence Export Controls Agency of the Israeli Ministry of Defence, who strictly limits the licensing of Pegasus, conducting its own analysis of potential customers from a human rights perspective.Note Moreover, NSO claims that it tailors the configuration of the Pegasus system with specific settings for each end user. These customised specifications reflect the limitations of use as outlined in the company’s internal human rights policies, and as determined by the terms of the export license issued by the Israeli Ministry of Defence. Any allegation that Pegasus has been misused by a State triggers a thorough review process and investigation into the reported claims. It can lead to the termination of the contract with a customer, when necessary. In fact, NSO claims that it launched investigations following the 2021 “Pegasus Project” allegations, including by reviewing domestic legal frameworks, interviewing end users and verifying facts from objective sources.Note
10. On 3 November 2021, the United States government (Department of Commerce - Bureau of Industry and Security) added NSO Group to the Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the US. This was done on the basis of evidence that this company developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers, even outside their borders. U.S. Secretary of Commerce Gina M. Raimondo stated: “The United States is committed to aggressively using export controls to hold companies accountable that develop, traffic, or use technologies to conduct malicious activities that threaten the cybersecurity of members of civil society, dissidents, government officials, and organizations here and abroad”.Note The export of technology to the NSO Group and its subsidiaries is therefore prohibited.
11. Companies such as Meta and Apple have filed lawsuits against NSO Group for using the Pegasus spyware against their users.Note A US appeals court has rejected the Israeli company’s claim that it should be protected under sovereign immunity laws.
12. Following the “Pegasus Project” revelations and the blacklisting of NSO in the United States, it appears that the Israeli Ministry of Defence reduced the list of eligible export countries from 102 to 37.Note

2.2 Early allegations concerning the misuse of Pegasus

13. Pegasus’ iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising “secrets” about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab of the University of Toronto, which investigated, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it.Note Pegasus had previously come to light in a leak of records from Hacking Team, which indicated that the software had been supplied to the government of Panama in 2015. Some media have also reported that the United Arab Emirates was using this spyware as early as 2013.Note
14. Two months after the murder of the Saudi journalist Jamal Khashoggi in Istanbul, Saudi dissident Omar Abdulaziz filed a lawsuit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.Note This is disputed by NSO.
15. Allegations concerning the use of Pegasus against targeted individuals in certain Council of Europe member States were also reported before 2021. For instance, according to the The Guardian and El País, Pegasus software was used to compromise the phones of several politicians in Spain, including the former President of the Parliament of Catalonia, Roger Torrent.Note

2.3 “The Pegasus Project” revelations in 2021

16. In 2020, a list of over 50 000 phone numbers believed to belong to individuals considered as “people of interest” by clients of the NSO Group was leaked to Amnesty International and Forbidden Stories, a media non-profit organisation based in Paris. This information was shared with 17 news media organisations in 11 countries in what has been called “The Pegasus Project”. Over several months, more than 80 journalists from these media organisations, including The Guardian, Le Monde and Radio France, Die Zeit, The Washington Post, Le Soir and Direkt36, carried out a joint investigation into the possible misuse of Pegasus against targeted individuals. Amnesty International’s Security Lab carried out forensic analyses of mobile phones of some of the potential targets.Note
17. On 18 July 2021, reports started to be published, revealing that Pegasus had been potentially used against human rights defenders, political opponents, lawyers, diplomats, Heads of State and nearly 200 journalists from 24 countries.Note Forbidden Stories and its partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates. According to The Washington Post, 14 former or current Heads of State and government, including French President Emmanuel Macron and former Prime Minister of Belgium Charles Michel (current President of the European Council), appeared on the list of potential targets.Note

2.4 Findings on the use of Pegasus and similar spyware by Council of Europe member States

18. Subsequent investigative reports and other sources have demonstrated that Pegasus and similar spyware have been bought and used by Council of Europe member States against their own citizens. From information provided by the NSO Group, it is known that Pegasus was sold in at least 14 EU countries until the contracts with two countries were terminated. It is not known which countries these are, but there is a general assumption that they are Poland and Hungary.Note There is also evidence that Council of Europe member States have exported Pegasus or similar spyware to third countries with authoritarian regimes and a high risk of human rights violations. The following paragraphs summarise some of the findings and conclusions by the PEGA Committee and other sources country by country.

2.4.1 Poland

19. In December 2021, Citizen Lab at the University of Toronto announced that Pegasus had been used in Poland against Roman Giertych, a lawyer representing top opposition politicians including Donald Tusk, and Ewa Wrzosek, a prosecutor involved in a case against the ruling government.Note Senator Krzystof Brejza’s phone had also been compromised numerous times when he was running the Civic Platform electoral campaign in 2019.Note Other reported victims include Michal Kolodziejczak, leader of the agrarian movement Agrounia; Tomasz Swejgiert, journalist and alleged former associate of the Central Anticorruption BureauNote; Andrzej Malinowski, former President of the Employers of Poland; as well as former Law and Justice (PiS) politicians.Note On 7 February 2022, the Supreme Audit Office revealed that between 2020-2021, 544 of its employees’ devices were under surveillance in over 7 300 attacks, and that three could have been infected with Pegasus.Note The Supreme Audit Office had been investigating the cancellation of the presidential elections in 2020 at the time.
20. The case of Senator Brejza who was serving as the head of the election campaign of the Civic Platform during the European and national elections when he was targeted is illustrative of the alleged links between the surveillance and the electoral process. There were 33 attacks on Brejza’s phone from April to October 2019, just days after the end of the electoral cycle. As a result of these attacks, text messages and correspondence from his phone were stolen and aired on the state-controlled television network in an allegedly orchestrated smear campaign against him. No charges were ever brought against Brejza, but his surveillance was allegedly linked to the criminal investigation against his father (mayor of Inowroclaw) started five years before, where Mr Brejza had not even been questioned as a witness. Mr Brejza Sr had himself received 10 text messages in 2019 which Amnesty International’s security lab deemed suspicious and which matched the hallmarks of Pegasus. In addition, according to Mr Brejza, the court which authorised the surveillance against him during the electoral campaign was not informed about the use of Pegasus.Note
21. While the Polish government had initially denied the acquisition of the spyware, it confirmed in early 2022 that it was in possession of Pegasus. Jarosław Kaczyński, the chairperson of the ruling PiS party, admitted that Poland had acquired the Pegasus spyware but dismissed any allegations about its misuse for political purposes, for instance against opposition politicians in the 2019 parliamentary election campaign. The Minister of Justice, Mr Ziobro stated that any use of Pegasus was done “according to the law”.Note In this connection, a committee set up by the Polish Senate to investigate the use of Pegasus (Senate Extraordinary Committee on Investigation of Cases of Illegal Surveillance, their Impact on the Electoral Process in the Republic of Poland and the Reform of the Special Services) heard different witnesses and experts, among them cybersecurity experts (from Citizen Lab) and the former president of the Supreme Audit Office and subsequently, independent Senator, Krzysztof Kwiatkowski. In January 2022, he presented two invoices to the committee confirming the purchase of spyware for the Central Anti-Corruption Bureau for PLN 25 million from a Ministry of Justice fund earmarked for victims of crime. Since according to Polish law the operations of the Central Anti-Corruption Bureau can only be financed from the state budget (the above-mentioned fund not being part of it), it appears that the purchase of Pegasus breached Polish law. As regards the use of Pegasus, it has not been made explicitly clear whether any, let alone all, of the persons targeted by this spyware to date were spied on with judicial authorisation, as required by law. It seems that only the case of prosecutor Ewa Wrzosek and Krzysztof Brejza have been taken up by the courts following their complaints and appeals.Note
22. In February 2022, I wrote to the Polish authorities, through the Chairperson of the Polish delegation to the Assembly, asking them to provide me with some explanations. On 22 April 2022, Stanislaw Zaryn, Director of the National Security Department, replied that there was no evidence of illegal surveillance against anyone and that every case of operational control by the Polish special services had obtained judicial authorisation.
23. During my fact-finding visit to Warsaw (13-15 March 2023) in the context of the monitoring procedure in respect of Poland (Committee on the Honouring of Obligations and Commitments by Member States of the Council of Europe (Monitoring Committee)), I met with members of the Senate Committee to clarify cases of illegal surveillance and other relevant authorities. I was informed that the number of secret services and law enforcement agencies that are legally allowed to conduct surveillance has proliferated in Poland. As a result, judicial and parliamentary oversight is fragmented and clearly no longer adequate. I regret that besides the Senate Extraordinary Committee, no attempts have been made by the Sejm to investigate the allegations of illegal surveillance, including of prominent political personalities.Note It must be noted that the Senate committee lacks the investigative powers of the Sejm.
24. The PEGA Committee concluded that “the use of Pegasus [in Poland] is an integral and vital component of a system for the surveillance of the opposition and critics of the government for political gain (…). The scope for surveillance in Poland has been expanded vastly over the past few years, weakening or removing safeguards and oversight provisions. In the course of systematic and targeted legislative changes brought about by the ruling majority, the rights of victims have been minimised and legal remedy and redress have been rendered meaningless in practice. Effective ex ante and ex post scrutiny, as well as independent oversight, have been de facto eliminated.”Note The European Parliament, in its Recommendation of 15 June 2023 on the Investigation of the use of Pegasus and equivalent surveillance spyware, noted that “Pegasus surveillance spyware has been illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors”.

2.4.2 Hungary

25. In 2021, it was revealed by the Pegasus Project and confirmed by Amnesty International that over 300 Hungarians had potentially been targeted with Pegasus. The phone numbers of at least 10 lawyers and 5 journalists, an opposition politician, as well as activists and high-profile entrepreneurs were included in the leaked list of potential Pegasus targets.Note Since then, a number of targets have been confirmed as having been successfully hacked. The phone of Szabolcs Pany, an investigative journalist for Direkt36, was infected with the spyware, according to the forensic analysis by Amnesty International. Mr Pany’s phone had been repeatedly compromised by Pegasus during a seven-month period in 2019, with the infection coming soon after he requested comments from government officials (including on an article he had written concerning the move of a Russian bank to Budapest). Other persons identified as targets include journalist Dávid Dercsény; Central Media Group owner Zoltán Varga; professor Attila Chikán (former minister in Viktor Orbán’s first government and currently a critic); the son and lawyer of one of Viktor Orbán’s former friends (now opponent), Lajos Simicska; János Bánáti, president of the Hungarian Bar Association; Adrien Beauduin, a Belgian-Canadian PhD student of the Central European University who was arrested after attending a protest in Budapest; lawyer Ilona Patócs; the mayor of Gödöllö György Gémesi; Brigitta Csikász, one of Hungary’s most experienced crime reporters; as well as persons inside the Fidesz inner circle.Note
26. In early 2022, a group of six journalists and activists initiated legal actions before the Hungarian authorities and the European Commission. The Hungarian Civil Liberties Union (HCLU) is representing them.Note At the time of writing, both the Supreme Court and the Constitutional Court had rejected the HCLU’s requests.
27. Hungarian authorities initially neither commented nor denied the use of Pegasus. In November 2021, Lajos Kósa, Chair of the Committee on Defence and Law Enforcement of the Parliament, admitted that the Ministry of Interior had purchased Pegasus but said that it had never been used against Hungarian citizens.Note The Ministry of the Interior bought Pegasus for EUR 6 million indirectly through Communication Technologies Ltd from NSO Group’s company registered in Luxembourg in 2017. On 31 January 2022, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) presented the conclusions of an investigation launched ex officio into the use of Pegasus by the Hungarian authorities. NAIH concluded that Pegasus was used by the National Security Service on several persons whose names had appeared in the press, but always in compliance with the legal framework (with a Ministry of Justice or court authorisation) and on grounds of national security. Not all 300 Hungarian citizens whose phones appeared on the leaked list were investigated by NAIH, since according to its president, Amnesty International did not provide them with such a list.Note The investigation’s reasoning will remain classified until 2050.
28. In February 2022, I wrote to the Hungarian authorities, through the Chairperson of the Hungarian delegation to the Assembly, to provide me with some explanations. Unfortunately, I received no reply.
29. Other spyware companies such as Black Cube and Cytrox also appear to have connections with Hungary. Black Cube became involved in Hungary during the 2018 elections, when they spied on various NGOs and persons who had connection to George Soros.Note In 2015, files leaked from the Hacking Team revealed that the Hungarian government was a client.
30. The PEGA Committee concluded that “the use of Pegasus in Hungary appears to be a part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government. The government has utilised this spyware in order to usher in a regime of harassment, blackmail, threats and pressure against independent journalists, media, political opponents and civil society organisations with ease and without fear of recourse.”Note The European Parliament, in its Recommendation of 15 June 2023, reached the same conclusion as with Poland, namely that “the Pegasus surveillance spyware has been illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors”.

2.4.3 Greece

31. In March 2022, Citizen Lab revealed that investigative journalist Thanasis Koukakis’ phone had been infected with the Predator spyware in 2021.Note Unlike Pegasus, predator is a one-click exploit that requires the target to click on a link in order for the spyware to infect the phone. Predator was developed by Cytrox, a firm based at the time in North Macedonia. Cytrox was subsequently acquired by Tal Dilian (former member of the Israeli Defence Force with Maltese citizenship) and became part of the Intellexa alliance, a consortium of spyware vendors with representations in Cyprus, France, Greece and Ireland. In July 2022, the leader of the Greek opposition PASOK party and MEP Nikos Androulakis announced that he was filing a complaint against attempts to infect his phone with Predator. The attempted infection with spyware was discovered during a check of the phone by the European Parliament’s IT service. These attempts took place when Mr Androulakis was a candidate for the leadership of PASOK. In November 2022, the Greek media revealed a list of 33 targets of Predator, all of whom were high-profile personalities, including members of the government, former Prime Minister Antonis Samaras and former EU Commissioner Dimitris Avramopoulos. In February 2023, the President of the Hellenic Data Protection Authority (HDPA) confirmed that 300 text messages related to Predator spyware had been sent to approximately 100 devices.Note Some confirmed targets of Predator are Christos Spiritzis, former Minister of Infrastructure and member of parliament for the Syriza party, and Artemis Seaford, a Greek-American former employee at Meta who had written about a case of sexual harassment by a politician.
32. Both Mr Koukakis and Mr Androulakis tried to obtain information or redress from the competent national authorities, including through the Hellenic Authority for Communication Security and Privacy (ADAE) and by lodging criminal complaints. They have also lodged applications with the European Court of Human Rights.
33. In August 2022, the Greek Government admitted that the National Intelligence Service (EYP)Note had been monitoring (through conventional wiretapping) Mr Koukakis and Mr Androulakis, but it denied having ever purchased Predator or used it against them. On 8 August, Prime Minister Kyriakos Mitsotakis stated that the surveillance of Mr Androulakis had been ‘legal’ but ‘politically unacceptable’. He made no reference to the case of Mr Koukakis or other alleged cases. After the initial revelations, the Director of the EYP and Grigoris Dimitriadis, the government’s Secretary-General, resigned. The former Director of the EYP stated that the wiretapping of Mr Androulakis had been launched at the request of the intelligence agencies of Armenia and Ukraine, in the light of his participation in the European Parliament’s Committee on International Trade, which deals with trade relations between the EU and China. It is possible that Predator was not directly purchased by the State, but through other channels.Note
34. It has also been confirmed that the Greek Government has granted export licences to Intellexa for the sale of the Predator spyware to governments such as Madagascar and Sudan. This could have been a violation of the EU Dual Use Regulation. Note
35. The PEGA Committee concluded that “there are patterns suggesting that the Greek government enables the use of spyware against journalists, politicians and businesspersons. It also allows the export of spyware to countries with poor human rights records (…) Although the use of spyware is illegal in Greece, the investigation into origins of the spyware attacks only gained momentum in Summer 2022 (…) The highest political leadership in the country use spyware as a tool for political power and control, in some cases in parallel or after legal interception (…) Unlike other cases, such as Poland, the abuse of spyware does not seem to be part of an integrated authoritarian strategy, but rather as a tool used on an ad hoc basis for political and financial gain.” The European Parliament, in its Recommendation of 15 June 2023, added that “it is highly probable that Predator has been used by or on behalf of persons very close to the Prime Minister’s office.”

2.4.4 Spain

36. In April 2022, Citizen Lab published a report (CatalanGate Report) according to which 65 persons had been targeted or infected with Pegasus or similar spyware between 2017 and 2020: 63 with Pegasus, four with Candiru (another spyware sold by the Israeli-registered firm Candiru) and at least two persons with both. At least 51 individuals’ devices were infected. All these were members of the Catalan pro-independence movement (MEPs, Catalan Presidents, legislators, lawyers and members of civil society) or family and staff linked to them. Citizen Lab did not attribute the attacks to a specific entity but suggested that evidence pointed to “a strong nexus with one or more entities within the Spanish government”. In May 2022, the Spanish authorities admitted having targeted, with the authorisation of a Supreme Court’s judge, 18 individuals out of the 65 alleged cases. The former director of the Spanish National Intelligence Centre (CNI) Paz Esteban appeared before the Official Secrets Committee of the Congress of Deputies at a meeting held in camera to provide justification for the surveillance of these 18 persons, but the judicial warrants have never been made public. Among the confirmed targets are the current President of Catalonia Pere Aragonès, former President and current MEP Carles Puigdemont (relational targeting), former Presidents of the ANC (Catalan civil society organisation supporting independence) Jordi Sanchez and Elisenda Paluzie, and former Vice-President of the NGO Omnium Cultural Marcel Mauri. Some of the confirmed targets have faced criminal charges related to the 2017 independence referendum and follow-up events. Others were allegedly targeted at the time of the public protests and blockages organised by the Committees for the defence of Republic (CDR) as a reaction to the criminal conviction of the Catalan leaders involved in the illegal referendum. The authorities have invoked reasons of secrecy and national security for not expanding on the reasons for the surveillance. The government has not commented on the 47 remaining persons and it remains unclear whether these individuals were indeed legally targeted with a court order. Some of the targets were outside Spain when the infection took place, among other places in Belgium and Switzerland.Note According to some sources, the Spanish government purchased Pegasus in the first half of the 2010s for an estimated EUR 6 million.Note
37. One of the targeted groups are the pro-independence Catalan MEPs. We heard about the case of Diana Riba at the committee hearing on 12 December 2022. According to her, her phone was infected with Pegasus on two occasions. The first one was in June 2019, after she had just taken her seat as an MEP and during political discussions on the vacant seat of Oriol Junqueras, who could not take up his position as an MEP while in pre-trial detention for his involvement in the 2017 illegal Catalan referendum. The second infection was in October 2019, after the Supreme Court’s judgment against pro-independence leaders, including her own partner and former Catalan Minister Raül Romeva. The majority of her phone calls related to that case, including conversations with his lawyers.Note
38. Other persons among the 65 alleged targets include Marta Rovira, Secretary General of the ERC party living in Switzerland; Elena Jiménez, International Representative of Omnium Cultural serving on the legal team of Jordi Cuixart (former President of Omnium Cultural); and lawyers representing some of the then imprisoned pro-independence Catalan politicians.
39. At the same time, in May 2022, shortly after the CatalanGate revelations, the Spanish Government disclosed that the phones of Prime Minister Pedro Sánchez, Minister of Defence Margarita Robles and Minister of the Interior Fernando Grande-Marlaska had been infected with Pegasus spyware in 2020-2021. Minister for Agriculture Luis Planas, who had previously served as a diplomat in Morocco, was also targeted but no infection was achieved. While no confirmation of the source of these attacks has been given, there are suspicions that the Moroccan authorities (also suspected of having used Pegasus against targets in France) are behind them, given the diplomatic crisis between the two countries at the time.
40. As a result of the CatalanGate revelations, the Spanish Ombudsman carried out an ex officio investigation. On 18 May 2022, he concluded that the 18 confirmed targets had been surveilled in accordance with the law as the interceptions had been approved by a Supreme Court judge and the authorisation was accompanied by the required justification. He had had access to the classified documents but did not comment on the substance of the justification contained in the judicial warrants or the proportionality of the surveillance.Note Although the Spanish Congress voted against a proposal to establish a committee of inquiry on the use of Pegasus in 2022, the recent elections held in July 2023 have led to a change of position of the ruling Socialist party (PSOE), which has ultimately agreed to create a committee of inquiry on Pegasus in exchange of the support of the Catalan pro-independence parties to the newly elected Speaker of the Congress.Note The Catalan Parliament had already established a committee of inquiry in 2022.Note
41. Different criminal complaints have been filed with investigative courts in Barcelona by some of the individuals concerned, civil society organisations and even the Catalan Parliament.Note However, investigations are not advancing as quickly as expected, and there are difficulties in proving the infections. It appears that investigating judges do not always accept the expert evidence presented by the plaintiffs and the public prosecutors ask for the infected mobile phones to be checked by the police. The Supreme Court rejected the complaints by some of the confirmed targeted individuals seeking access to the judicial warrants and documents related to their surveillance. Note Under Spanish law, information related to intelligence services and their activities is classified. Note The case of the surveillance of Prime Minister Pedro Sánchez and other ministers also reached the Audiencia Nacional in Madrid. The investigating judge of this court sent a formal request for international judicial assistance (letter rogatory) to the Israeli Government asking for information on different aspects of the Pegasus software. However, the judge has recently decided to provisionally close this case “due to the complete lack of cooperation from Israel”.Note
42. The PEGA Committee concluded that the 47 targeted persons mentioned in the CatalanGate report should have access to justice and an investigation should be launched. With regard to the 18 cases with judicial authorisation, their proportionality and necessity remain to be checked by a court, given that the Ombudsman only verified their (formal) legality. The European Parliament in its Recommendation of 15 June 2023 called on Spain to invite Europol, which could contribute with technical expertise, to join the investigations.

2.4.5 Azerbaijan

43. According to the 2021 “Pegasus Project” revelations, Azerbaijan is among the countries that uses Pegasus. At least 48 journalists were potentially selected for Pegasus targeting.Note These included Sevinc Vaqifqizi, a freelance journalist for the independent media outlet Meydan TV, whose phone was infected over a two-year period (2019-2020) and Khadija Ismayilova, an investigative journalist at the Organized Crime and Corruption Reporting Project (OCCRP), whose phone was regularly infected for nearly three years (2018-2021).Note Reports also referred to civil society activists, such as Fatima Movlamli, a female activist whose intimate photographs had been leaked on Facebook in 2019.Note In this connection, the publication of private and intimate photos and conversations of women raises particular concerns and illustrates the specific gender-related dangers of targeted surveillance of female journalists and human rights defenders.
44. The investigation conducted by the OCCRP revealed that there were more than 1 000 Azerbaijani numbers in the Pegasus Project list. 245 phone numbers were identified. Out of this list, a fifth belonged to reporters, editors, or media company owners.Note Around 62 individuals brought complaints before the Prosecutor General’s Office, claiming that their phones had been illegally infiltrated by Pegasus spyware and that this amounted to a violation of their right to private life guaranteed by the European Convention on Human Rights (ETS No. 5). The Prosecutor General’s Office replied that their complaints had to be sent to the Investigative Directorate of the State Security Service (SSS). The SSS refused to give an official written answer and officials orally informed the lawyers of the individual applicants that they had not used such spyware against them. The applicants have filed lawsuits against the General Prosecutor’s Office and the SSS for inaction and refusal to launch a criminal investigation. While some complaints are still pending before domestic courts at different instances, some have already reached the European Court of Human Rights.Note
45. Recent reports have revealed that Pegasus has been used during the Armenia-Azerbaijan conflict. The phones of 12 people working in Armenia, including the spokesperson of the Armenian Foreign Ministry, a UN official and several Armenian civil society activists and journalists (most of whom had reported on the conflict), were allegedly infected with Pegasus between October 2020 and December 2022.Note There is no evidence suggesting that Armenia has ever been a Pegasus user (see below, concerning the possible purchase of Cytrox’s Predator). CitizenLab has identified a suspected Pegasus operator in Azerbaijan that could have reached targets in Armenia.

2.4.6 Cyprus

46. According to the European Parliament, “Cyprus is an important European export hub for the surveillance industry and an attractive location for companies selling surveillance technologies”. Tal Dilian, former member of the Israeli Defence Force, started a career as intelligence expert in Cyprus, where he launched Aveledo Ltd., later to be known as WS WiSpear Systems Ltd. He also launched Intellexa Alliance, a consortium of vendors of surveillance equipment. In 2019, Tal Dilian reportedly entered into a non-contractual arrangement with Hermes Airports to use his WiSpear equipment for the purpose of enhancing the Wi-Fi signal for passengers at Larnaca Airtport. It appears that the true reason for the agreement was to test WiSpear’s interception technology. WiSpear was fined EUR 76 000 by the Assize Court on 22 February 2022 for illegal surveillance of private communications and data protection violations. The criminal charges against Tal Dilian and other WiSpear employees were dropped. Following this case, Mr Dilian moved Intellexa’s operations to Greece, although he never left Cyprus.Note
47. Although the Cypriot Government denies the export of Pegasus and the register of any NSO Group entity in Cyprus, NSO Group reports indicate that Cyprus had granted export licenses for its technology.Note According to a document shared with the European Parliament by the opposition party AKEL, the NSO Group has reportedly exported Pegasus through one if its subsidiaries in Cyprus to a company in the United Arab Emirates. In 2017, a meeting with NSO officials and Saudi Arabian customers took place in the Four Seasons Hotel in Limassol to present them with the latest capabilities of Pegasus. The Saudi Arabian clients immediately purchased it, one year before the killing of Jamal Khashoggi in the Saudi consulate in Istanbul and the alleged surveillance of persons close to him with Pegasus.Note
48. According to the PEGA Committee, “in practice it would seem that rules are easy to circumvent and there are close ties between politicians, the security agencies and the surveillance industry. It seems to be the lax application of the rules that makes Cyprus such an attractive place for trade in spyware.”Note

2.4.7 Other member StatesNote

49. The Austrian Government stated that Austria has not been a client of NSO. However, its former Chancellor Sebastien Kurz has close ties to the founder of NSO Group, Shalev Hulio. In October 2022, they launched a cybersecurity firm called Dream Security. Moreover, a spyware company, Decision Supporting Information Research and Forensic (DSIRF) is based in Austria. In July 2022, Microsoft found that a software tool from DSIRF (called Subzero) was used to attack law firms, banks and strategic consultancies in Austria, the United Kingdom and Panama. Given the absence of an export licence for DSIRF, the Vienna Public Prosecutor’s Office initiated a preliminary investigation. The software could have been used by a foreign actor, which would mean that export restrictions would have been violated by DSIRF. Note
50. Belgium appears to be one of the 14 EU States which purchased Pegasus. A former Israeli intelligence official revealed that the Belgian police uses Pegasus in its operations. In September 2021, the Minister of Justice mentioned that Pegasus could be used in a legal way, bud did not confirm whether the Belgian services were a client of NSO. Persons targeted by Pegasus on Belgian territory (most likely by third countries) include former Prime Minister and current President of the European Council Charles Michel as well as his father Louis Michel; El Mahjoub Maliha, human rights defender from the Western Sahara; Carine Kanimba, daughter of a Rwandan political activist; current EU Commissioner for Justice Didier Reynders as well as EU Commission staff members.Note
51. In Bulgaria, national authorities deny having granted export licenses to the NSO Group or its subsidiaries. However, NSO Group reports indicate that its products are or have been exported from both Cyprus and Bulgaria.Note According to media reports, some of the servers of the network structure through which Pegasus attacks are conducted are located in a Bulgarian data centre owned by a Bulgarian company, Circle Bulgaria, in turn owned by the NSO Group. From Bulgaria, this company provides the Cypriot subsidiaries with research and development services and exports products to governments. The Sofia City Prosecutor’s Office is investigating whether State services have illegally used Pegasus against Bulgarian citizens.Note
52. In France, the Pegasus Project revealed several cases of attempted hacks by Pegasus, including of President Macron. Traces of Pegasus infections were confirmed on the phones of five ministers and one member of Parliament, the director of Parisian radio station TSF Jazz Bruno Delport, investigative journalists Edwy Plenel and Lénaïg Bredoux, as well as lawyers and relatives of Saharawi activists. In most cases, Morocco seems to be behind the attacks.
53. At the same time, France is home to different spyware companies, such as Nexa Technologies (part of Tal Dilian’s Intellexa Alliance) and Amesys. In July 2021, following several complaints by human rights organisations, four executives of Amesys and Nexa Technologies were indicted over the sale of surveillance technology to the governments of Libya (under the Gaddafi regime) and Egypt. It is unknown if export licences were granted for the export of spyware to these countries.Note
54. In Germany, media reported that the Federal Criminal Police Office (BKA) had acquired a modified version of Pegasus (with access only to live communications, for it to be compliant with German law) in late 2020. According to media, the Vice-President of the BKA confirmed the purchase during an in camera meeting of the Interior Committee of the Bundestag and that it had been used since March 2021. The German foreign intelligence service also bought a modified version of Pegasus. The information regarding these operations remains classified. Before the Pegasus revelations, both the BKA and Berlin Police LKA purchased FinSpy from FinFisher (based in Munich) in 2012 and 2013, also in a modified version with access only to live communications. Former FinFisher executives have been charged by the public prosecutor’s office in Munich for exporting surveillance technology to Türkiye without an export licence. FinFisher has declared insolvency and its operations have now ceased. More recently, it has been reported that the Government (through the Central Office for Information Technology in the Security Sector: ZITiS) had been in contact with other spyware companies (Italian RCS Lab, Austrian DSIRF, Candiru, Intellexa or Cytrox), although it has not been confirmed whether any additional spyware was actually acquired.
55. With regard to Italy, no reports on the possible purchase or use of spyware by the authorities have been published. However, spyware companies such as Tykelab and RCS Lab are based in Italy. Hacking Team, now called Memento Labs, exported RCS spyware to authoritarian countries.Note
56. In the Netherlands, the media reported in June 2022 that the Dutch intelligence service used Pegasus when it assisted the police in tracking down, Ridouan Tagh, a prime suspect for multiple murders related to organised crime. The Dutch Government refused to comment. Other media reports have revealed that in 2019 the Dutch Ministry of Defence was about to sign an agreement with WiSpear, the company owned by Tal Dilian. But it has not been confirmed whether the contract was signed or if any spyware was acquired.Note
57. Relevant connections with the spyware industry exist in Luxembourg, Ireland, Malta and the Czech Republic. Luxembourg hosts nine entities directly related to NSO Group, although the Foreign Minister confirmed that none of them had been authorised to export surveillance products from Luxembourg. In October 2021, Prime Minister Xavier Bettel confirmed however that Luxembourg bought and used Pegasus “for reasons of State security”. Ireland hosts some of the spyware companies mentioned (Intellexa and Thalestris Limited, its parent company), allegedly due to its favourable fiscal laws. Several figures from the spyware trade, including Tal Dilian, have acquired Maltese passports. And the home of the annual European fair of the spyware industry, the ISS World “Wiretappers Ball”, is in Prague.Note
58. According to CitizenLab report, likely Predator customers were found in Armenia. It appears that Government-backed actors purchased Cytrox products.Note
59. Romania purchased FinFisher spyware, like other EU countries (Belgium, the Czech Republic, Estonia, Germany, Hungary, Italy, the Netherlands, Slovakia, Slovenia and Spain). Black Cube was involved in a hacking scandal: the Heads of the company admitted to spying on the former chief prosecutor of Romania’s National Anti-Corruption Directorate Laura Kövesi; former Romanian agent Daniel Dragomir was allegedly the person who commissioned the job. Some other spyware companies (Cognyte, QuaDream) reportedly operate from Romania.Note
60. According to some reports, Serbia has been a client of Circles Technologies (owned by the NSO Group), Predator, Cognyte and FinFisher.Note
61. Subsidiaries of the company Thalestris, parent company of Intellexa Alliance, are located in Switzerland. DigiTask (Germany) sold spyware to Swiss authorities, according to information disclosed in 2011.Note
62. Türkiye used FinSpy from FinFisher in 2017. The software was disguised as a downloadable app recommended to participants in anti-government demonstrations.Note German prosecutors have charged four former company executives with illegally selling software to Türkiye’s secret services.
63. According to CitizenLab, phones of United Kingdom Government officials, including from the Prime Minister’s Office and the Foreign and Commonwealth Office, were infected with Pegasus in 2020-2021. The suspected infections relating to the Foreign Office were associated with Pegasus operators linked to third countries, including the United Arab Emirates, India, Cyprus and Jordan.Note

3 Relevant legal standards

3.1 The European Convention on Human Rights

64. Targeted secret surveillance, including intercepting mobile-telephone communications, is an interference with the right to respect for private life and correspondence enshrined in Article 8.1 of the European Convention on Human Rights (ETS No.5, “The Convention”).Note According to the case-law of the European Court of Human Rights (“the Court”), secret surveillance of an individual can only be justified under Article 8.2 if it is “in accordance with the law”, pursues one or more of the “legitimate aims” to which this paragraph refers (among which the prevention of disorder or crime and the protection of national security and public safety), and is “necessary in a democratic society” in order to achieve such aims.Note
65. As to the first requirement, this means that the surveillance must have some basis in domestic law and that the law must be accessible to the person concerned and foreseeable as to its effects. The law must be sufficiently clear to give citizens an adequate indication as to the circumstances and conditions where public authorities are empowered to resort to secret measures of surveillance. In its case-law on such measures, the Court has developed the following minimum safeguards that should be set out in law in order to avoid abuses of power: the nature of offences which may give rise to an interception order; a definition of the categories of people liable to have their telephones tapped; a limit on the duration of the measure; the procedure to be followed for examining, using and storing the data obtained; the precautions to be taken when communicating the data to other parties; and the circumstances in which recordings may or must be erased or destroyed.Note The Court has confirmed that these minimum safeguards apply in cases where the interception was for the purposes of preventing or detecting criminal offences, but also where the measure was ordered on national security grounds.Note It has however admitted that the requirement of “foreseeability” of the law does not go so far as to compel States to enact legal provisions listing in detail all conduct that may prompt a decision to subject an individual to secret surveillance on “national security” grounds. By their very nature, threats to national security may vary in character and may be unanticipated or difficult to define in advance. The law must at least indicate the scope of any discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity.Note
66. The second condition for an interference to be justified under Article 8.2 is that the measure shall be “necessary in a democratic society” in the interest of one of the stated goals in this paragraph (national security, public safety, the prevention of disorder or crime, etc.). The powers to instruct secret surveillance of citizens are only tolerated under Article 8 to the extent that they are strictly necessary for safeguarding democratic institutions.Note Moreover, the measure must be strictly necessary for the obtaining of vital intelligence in an individual operation. In order to ensure that secret surveillance measures are applied only when “necessary in a democratic society”, the Court must also be satisfied that there are adequate and effective guarantees against abuse. This implies assessing inter alia the authorisation procedures, the arrangements for supervising the implementation of secret surveillance measures, as well as any notification mechanisms and remedies provided for by national law.Note
67. As regards authorisation procedures, although prior judicial authorisation may be an important safeguard against indiscriminate surveillance, the Court also scrutinises its scope of review (whether the judge applies a “necessity” or “proportionality” test) and the content of the interception authorisation (namely mentioning specific persons or premises). The authorisation authority must indeed be capable of verifying the existence of a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance, such as, for example, acts endangering national security.Note It is in principle desirable to entrust supervisory control to a judge, as judicial control offers the best guarantees of independence and impartiality as well as a proper procedure. However, supervision by non-judicial bodies may also be considered Convention-compliant if the supervisory body is independent of the authorities carrying out the operation and is vested with sufficient powers to exercise an effective and continuous control.Note Applying these principles, the Court found in Szabó and Vissy v. HungaryNote that the authorisation and supervision of secret surveillance measures by the Minister of Justice (without prior judicial authorisation) were inherently incapable of ensuring the requisite assessment of strict necessity. For the Court, supervision by a politically responsible member of the executive did not provide the necessary guarantees. Moreover, where a supervising judge or court adopts a passive attitude and merely endorses, without genuinely checking the facts, the actions of security services, such supervision is not compatible with Article 8.Note
68. After the surveillance has been terminated, the question of subsequent notification of surveillance measures is inextricably linked to the effectiveness of remedies before the courts. There is in principle little scope for recourse to the courts by the individual concerned unless the latter is advised of the measures taken without his or her knowledge and is able to challenge their legality retrospectively, or unless any person who suspects that his or her communications are being or have been intercepted can apply to courts, so that the court’s jurisdiction does not depend on notification to the interception subject. Information should however be provided in principle to the subject after the termination of the surveillance measures “as soon as notification can be carried out without jeopardising the purpose of the restriction”.Note
69. The Court has found violations of Article 8 in cases concerning secret surveillance of human rights activists,Note members of non-governmental organisations,Note lawyers,Note and journalists,Note among others.
70. With regard to journalists, targeted surveillance measures with a view to discovering their journalistic sources may also infringe their right to freedom of expression, as guaranteed by Article 10 of the Convention, in the absence of adequate safeguards in the lawNote or any overriding requirement in the public interest justifying such measures in the concrete case.Note The Court has constantly held that the right of journalists to protect their sources is part of the freedom to “receive and impart information and ideas without interference by public authorities” protected by Article 10 and serves as one of its important safeguards. It is a cornerstone of freedom of the press, without which sources may be deterred from assisting the press in informing the public on matters of public interest. An interference potentially leading to disclosure of a source cannot therefore be considered “necessary” under Article 10 unless it is justified by an overriding requirement in the public interest.Note
71. Lawyer-client communication is especially protected under Article 8 of the Convention. In principle, oral communication as well as correspondence between a lawyer and his or her client are privileged and must remain confidential. It is also an important safeguard of the right to defence and the right to a fair trial guaranteed by Article 6.Note The use of spyware also has adverse consequences on the exercise of other Convention rights, particularly by human rights defenders and political activists, including the right to freedom of assembly and association (Article 11), the right to free elections (Article 3 of Protocol No. 1 to the Convention (ETS No 009)), and in the most extreme cases, the right to physical and mental integrity and the right to life (Articles 2 and 3).
72. Whether the reported cases of Pegasus infections described in the section above breached the Convention rights and in particular the right to respect for private life will have to be determined by the different national courts seized and ultimately by the Court. Some individual applications have already been lodged with the Court. Although there has not yet been any decision or case-law on the use of Pegasus, the use of this or similar spyware by State authorities raises new issues in terms of human rights implications. Giving access to all the contents and features of a smartphone (location, phone calls, text and voice messages, emails, photos, videos, passwords, web browsing history, or the possibility to remotely use the camera and microphone in real time) leads to an unprecedented level of intrusiveness. It reveals the most sensitive information (including health, sexual life, political opinions, religious or other beliefs) not only about the targeted individuals but also their family, colleagues, friends, clients, etc. In this connection, the European Data Protection Supervisor, in his preliminary remarks published on 15 February 2022, stated that given the level of interference with the right to privacy and the difficulty in meeting the requirements of proportionality, the regular deployment of Pegasus or similar highly intrusive spyware technology would not be compatible with the EU legal order. He therefore proposed a ban on the development and the deployment of such spyware in the European Union and, in the alternative (if such tools are nevertheless applied in exceptional situations), some measures to prevent unlawful use (strengthening the oversight of surveillance measures, full implementation of EU privacy and data protection law, judicial review, no politically-motivated abuse of the national security exception, etc.).Note The Council of Europe Commissioner for Human Rights also expressed serious doubts as to the compatibility of the use of Pegasus or similar spyware with the case-law of the Court, given its level of intrusiveness.Note In any event, and irrespective of the proportionality assessment on the use of such spyware in each individual case, the Court will first have to examine the quality of the legislative framework concerned, as it often does in surveillance cases under Article 8. According to different studies, the legislative framework of some of the countries that have used Pegasus is weak or inefficient, particularly with regard to ex ante and ex post oversight mechanisms, as well as remedies.Note In some cases, the shortcomings have already been identified by the Court in previous cases of surveillance unrelated to Pegasus (Hungary, e.g. lack of notification requirement after the termination of the surveillanceNote and limited oversight powers of the Data Protection AuthorityNote). In others (Poland, Greece), these studies have led the PEGA Committee and the European Parliament to identify gaps that appear to raise concerns with regard to Convention standards. For instance, in Greece, a legislative amendment in 2021 abolished the ability of the ADAE to notify citizens of the lifting of the confidentiality of communications. As for Poland, the European Commission for Democracy through Law (Venice Commission) found that the 2016 Police Act regulating the surveillance of citizens (still in force) did not contain sufficient safeguards to prevent abuse.Note

3.2 Other Council of Europe standards

73. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, 1981), the only legally binding international instrument in the data protection field with global relevance (ratified by 55 Parties, including 9 non-Council of Europe members), grants additional protection for any data processing carried out by the private and public sector, including data processing by judicial and other enforcement authorities. However, States may make declarations aimed at excluding from the scope of the Convention certain types of data processing (for example for national security and defence purposes).Note As recalled by Ms Kaldani, Vice-chairperson of the Consultative Committee of the Convention, during the hearing of 14 September 2021, the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223, Convention 108+, opened for signature on 10 October 2018 and not yet entered into forceNote) removes this possibility. The modernised Convention also establishes stronger requirements regarding the lawfulness of the processing, proportionality, and data minimisation, recalling that data processed should be adequate, relevant and not excessive in relation to the purposes for which they are processed.Note It provides individuals with stronger rights and imposes greater transparency requirements,Note which may however be restricted when this is prescribed by law, respects the essence of the fundamental rights and freedoms, and constitutes a necessary and proportionate measure in a democratic society for “essential objectives of general public interest”, including the protection of national security, defence, public safety or the prevention, investigation and prosecution of criminal offences.Note Convention 108+ also reinforces investigative and corrective powers and the independence of data protection authorities. It does however allow for a limited number of exceptions in the area of national security and defence, as long as they are provided by law and necessary in a democratic society.Note In any event, the processing activities for national security and defence purposes must be subject to independent and effective review and supervision under domestic law.Note
74. Since its opening for signature in 2001, the Convention on Cybercrime (ETS No. 185, also known as ″Budapest Convention″ or ″Cybercrime Convention″) has attracted membership from all regions of the world. It contains provisions on substantive criminal law and procedural law, as well as on international co-operation, in relation to computer-related crime. The notion of “computer system” defined in Article 1.a covers modern mobile telephones, smart phones, tablets or similar devices, which have the capacity to produce, process and transmit “computer data”.Note Among the abuses that the Convention requires States Parties to criminalise, those relevant for the present topic are “illegal access” (Article 2), “illegal interception” (Article 3) and “misuse of devices” (article 6). “Illegal interception” applies to all forms of electronic data transfer (e.g. by telephone), but the interception must be committed “intentionally” and “without a right”. In this respect, the interception is justified if it is “lawfully authorised in the interests of national security or the detection of offences by investigating authorities”.Note The “misuse of devices” refers to the production, sale, procurement for use, import, distribution or otherwise making available of a device, including a computer program, designed or adapted primarily for the purpose of committing any of the other offences; or of a computer password, access code or similar data by which the computer system can be accessed. The Cybercrime Convention Committee (T-CY) has clarified that all forms of malware are covered by these provisions, depending on what the malware actually does.Note The Budapest Convention could come to play in those cases where the interception using spyware was clearly not lawful under domestic law, in which case it could amount to “illegal interception” and should be criminalised.Note Furthermore, the Budapest Convention contains specific provisions on interception of content data of communications (“in relation to a range of serious offences to be determined by domestic law”) and related mutual assistance between States (Articles 21 and 34). The interception should in any case be subject to human rights safeguards, including those arising under the Convention and other international treaties, and in particular to the principle of proportionality, judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such procedure/power (Article 15).
75. The Assembly’s previous work on this topic shows that it has always been in favour of maintaining the highest possible level of protection for privacy rights, both against targeted and mass surveillance. In this context, reference must be made to Resolution 1843 (paragraph 18) and Recommendation 1984 (2011) “The protection of privacy and personal data on the Internet and online media”; Resolution 1986 (paragraph 6.1) and Recommendation 2041 (2014) ″Improving user protection and security in cyberspace” (paragraphs 2.1 and 2.9),Note and Resolution 2256 (2019) “Internet governance and human rights” (paragraph 7).
76. In Resolution 2045 (2015) “Mass surveillance”, adopted following the disclosures by Mr Edward Snowden about mass surveillance practices by the United States and certain Council of Europe member States, the Assembly urged member and observer States to: “ensure that national law allows the collection and analysis of personal data (…) only with the consent of the person concerned or following a court order granted on the basis of reasonable suspicion of the target being involved in criminal activity; unlawful data collection and treatment should be penalised in the same way as the violation of the traditional confidentiality of correspondence (…)”; “ensure, in order to enforce such a legal framework, that their intelligence services are subject to adequate judicial and/or parliamentary control mechanisms (…)”; “agree on a multilateral ‘intelligence codex” for their intelligence services, which lays down rules governing co-operation for the purposes of the fight against terrorism and organised crime (…); and “refrain from exporting advanced surveillance technology to authoritarian regimes” (paragraph 19). In its Recommendation 2067 (2015) “Mass surveillance”, the Assembly invited the Committee of Ministers to consider addressing a recommendation to member States on ensuring the protection of privacy in the digital age and Internet safety in the light of the threats posed by the newly disclosed mass surveillance techniques, and further exploring Internet security issues related to mass surveillance and intrusion practices, with regard to the human rights of Internet users (paragraphs 2.1 and 2.2).
77. The Committee of Ministers has also adopted important texts in this field: the 2013 Declaration on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies; Recommendation No. R(87)15 regulating the use of personal data in the police sector; Recommendation CM/Rec(2014)6 on a Guide to human rights for Internet users (Appendix, paragraphs 65-85), and Recommendation CM/Rec(2016)5 on Internet freedom (Appendix, paragraph 4.2).The Committee of Ministers has recalled that any measures in the interest of national security should rigorously meet the requirements set out in the Convention, in particular regarding Articles 8, 10 and 11. It has also underlined that member States have both negative obligations and positive obligations, which include the protection from arbitrary restrictions by non-State actors.Note
78. Finally, the Venice Commission has established relevant standards with respect to security services. Its main focus has been on accountability, namely parliamentary and judicial accountability.Note

3.3 Other international standards

79. On 28 May 2019, the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression published a report on surveillance and human rights, which referred to the Pegasus spyware as an example of mobile device hacking used as a targeted surveillance tool in 45 countries. The report gives a general overview of States’ human rights obligations at the UN level that protect against targeted surveillance, among which Articles 12 (right to privacy) and 19 (freedom of expression) of the Universal Declaration of Human Rights, Articles 17(1) (right to privacy) and 19 (freedom of expression) of the International Covenant on Civil and Political Rights. In addition to the primary obligations not to interfere with these rights, States have positive duties to protect individuals against third-party interference, including with regard to transnational surveillance committed by foreign entities against their own citizens. The report also refers to the Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework adopted by the Human Rights Council in 2011, which are relevant both for States and for the private surveillance industry (human rights due diligence processes, remediation, etc.). In terms of export control, reference is made to the non-binding Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Participating States to this arrangement are expected to apply export controls to all items on the list of dual-use goods and technologies, which includes items related to “intrusion software” and Internet Protocol network communications surveillance systems since 2013. The UN Special Rapporteur regrets however that the arrangement lacks guidelines or enforcement measures that would directly address human rights violations caused by surveillance tools.Note
80. With respect to European Union legislation, apart from the Charter of Fundamental Rights (Articles 7, 8, 11, 41, 42, 47 and 52(1)Note) the e-Privacy Directive,Note and the Law Enforcement Directive,Note it is worth mentioning the EU Dual-Use Regulation (recast), which has introduced new export controls for “cyber-surveillance items”, where there is a risk of them being used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.Note The European Parliament, in its 15 June 2023 Recommendation on the Pegasus inquiry, concluded for instance that there was evidence of “maladministration in the implementation of the EU Dual-Use Regulation in Cyprus”, on the basis of reports that showed that Cyprus had become an export hub for spyware to repressive third countries.

4 The way ahead: proposals to prevent the abuse of spyware and better address its impact on human rights

81. Following the Pegasus revelations, different international actors have made proposals to prevent the abuse of spyware and better address the human rights risks that it poses.
82. On 27 January 2023, on the occasion of European Data Protection Day, the Council of Europe Commissioner for Human Rights published a Human Rights Comment entitled “Highly intrusive spyware threatens the essence of human rights”. The Commissioner observed that 18 months after the disclosure of the leak of over 50 000 phone numbers that had been identified as potential targets for surveillance through the Pegasus spyware, human rights activists, journalists, and opposition politicians continued to be targeted with powerful zero-click hacking tools that procured complete and unrestricted access to their private lives, putting their personal safety and access to basic human rights at risk. While welcoming the ongoing inquiries into the export, sale, transfer, and use of highly intrusive spyware such as Pegasus, the Commissioner called on member States to take action to prevent further abuse, to impose a strict moratorium on the export, sale, transfer and use of zero-click spyware tools such as Pegasus, and to put in place a comprehensive and human rights compliant legislative framework for the use of modern surveillance technology. This should provide for meaningful procedural guarantees, robust systems of ex-ante and ex-post oversight, and effective redress mechanisms for victims. The Commissioner further reflected on the need for more public awareness of the rampant threat to human rights, including the rights to privacy, freedom of expression and public participation, stemming from an uncontrolled spyware industry and the opaque operations of national security services.
83. The UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression proposed (in 2019) a legal and policy framework for regulation, accountability and transparency within the private surveillance industry, in order to improve compliance with international standards and address the gaps in their implementation. He called for tighter regulation of exports of surveillance equipment and regulations on their use, as well as for an immediate moratorium on the export, sale, transfer, use or servicing of surveillance tools until the use of those technologies could be technically restricted to lawful purposes that are consistent with human rights, or until it could be ensured that those technologies will only be exported to countries in which their use is subject to authorisation granted in accordance with due process and the standards of legality, necessity and legitimacy by an independent and impartial judicial body. States participating in the Wassenaar Arrangement should develop a framework by which the licensing of any technology would be conditional upon a national human rights review and companies’ compliance with the UN Guiding Principles on Business and Human Rights.Note
84. The former United Nations High Commissioner for Human Rights, Ms Bachelet, expressed the view that until compliance with human rights standards can be guaranteed, governments should implement a moratorium on the sale and transfer of surveillance technology.Note A recent report prepared by the Office of the UN High Commissioner for Human Rights, apart from reiterating previous calls to implement a moratorium on the (domestic and transnational) sale and use of surveillance systems, recommends that hacking of personal devices be employed only as a measure of last resort, to prevent or investigate a specific act amounting to a serious threat to national security or a specific serious crime, and narrowly targeting the suspect; such measures should also be subject to strict independent oversight and should require prior approval by a judicial body.Note
85. The European Parliament, in its June 2023 Recommendation following its inquiry into the use of Pegasus, has made important recommendations to EU member States, EU institutions and other relevant actors. Apart from addressing specific recommendations to the main EU member States concerned (Poland, Hungary, Greece, Spain and Cyprus), particularly with regard to their legislative framework and investigations, it calls for the “adoption of conditions for the legal use, sale, acquisition and transfer of spyware” and sets a deadline for all member States (end of 2023) to fulfil four conditions in order to be allowed to continue using spyware. These conditions are the following: a) investigation and resolution of spyware abuse cases without delay; b) alignment of the national legal framework with the standards of the Venice Commission, and the case law of the Court of Justice of the European Union and the European Court of Human Rights; c) explicit commitment to involve Europol in their investigations; and d) repeal of export licenses that are not compliant with the Dual-Use Regulation. The fulfilment of these conditions should be assessed by the EU Commission by 30 November 2023. Regarding long-term action, the European Parliament considered that owing to the EU dimension of the use of spyware (judicial cooperation in criminal matters and internal market), there is a need for common EU standards that should regulate and limit the use of spyware. For instance, the authorisation for the use of spyware should only be granted in exceptional cases with respect to investigations into a “limited and closed list of clearly and precisely defined serous crimes that represent a genuine threat to national security”. Other recommendations by the European Parliament include, inter alia:
  • Ratification of the Council of Europe Convention 108+ by all member States and immediate application of its standards in national law, and accession by the European Union itself;
  • Additional European legislation that would require corporate actors producing and/or exporting surveillance technologies to include human rights and due diligence frameworks, in line with the UN Guiding Principles on Business and Human Rights;
  • Involvement of Europol in investigations into allegations of spyware abuses, including by proposing to the national authorities to initiate, conduct or co-ordinate an investigation;
  • Better implementation and enforcement of EU export rules to avoid “export regime shopping”;
  • Better management of EU development aid to prevent potential abuse of surveillance technology by third countries;
  • Creation of a EU Tech Lab that would be tasked with discovering and exposing the unlawful use of software for illicit surveillance purposes, and providing technical support to individuals by detecting spyware traces in their devices;
  • Integration of EU member States’ unlawful use of spyware in the EU Commission’s rule of law reports.
86. NGOs and civil society have also made proposals for further regulation in this area, calling for an immediate moratorium on the sale, transfer and use of spyware until such a regulatory framework is put in place.Note Some have criticised that the EP recommendations did not go far enough. Noting that there are still doubts as to whether the legal use, sale, acquisition and transfer of spyware will effectively continue while the evaluation of the four conditions is carried out by the EU Commission, that there is no enforcement action foreseen in case of non-compliance with these conditions, or simply that that the EP has not called for a total ban on the use of this intrusive form of spyware.Note

5 Conclusions

87. The Pegasus revelations and subsequent investigations have provided evidence that Pegasus and similar spyware (e.g. Candiru, Predator) have been used as a hacking and surveillance tool against journalists, lawyers, politicians and human rights activists in several Council of Europe member States and beyond. Given the unprecedented level of intrusion of this software, which grants unauthorised (“zero-click”) and unrestricted remote access to the mobile phone and all its personal and private data, its use has serious implications for fundamental human rights of the persons targeted and all their contacts, including their right to privacy and their right to freedom of expression, as well as more generally for media freedom and democratic institutions. It has been argued that its very use could hardly ever meet the requirements of proportionality that any interference with those rights should fulfil, having regard precisely to its level of intrusiveness and stealth. I tend to agree with those who have voiced these concerns, including the Council of Europe Commissioner for Human Rights and the European Data Protection Supervisor. In any event, national investigative authorities and courts of the countries concerned must still shed more light on whether these highly intrusive interferences with the rights of the individuals concerned pursued a legitimate aim (national security, prevention of crime) or were mainly based on political considerations, and on whether they were necessary and proportionate to achieve that aim in the specific case, as required by Convention and other international standards. Spying on politicians, journalists and human rights defenders for purely political purposes clearly does not comply with Council of Europe values, human rights, rule of law and democratic principles. It not only has a chilling effect on the exercise of fundamental rights by civil society actors, politicians and journalists, but it also affects the essence and integrity of electoral processes and public debate. Victims should have access to effective remedies in all cases of unlawful targeted surveillance, which presumes having access to the relevant information once the surveillance measure has been terminated. However, in many of the countries concerned, victims have faced obstacles in proving that their devices were infected or targeted, partly because of the lack of transparency and cooperation from national authorities, which invoke reasons of secrecy and national security. The legislative frameworks and oversight systems on surveillance activities in some member States are weak or inefficient, and there is a clear need for stronger regulation and safeguards and better implementation and monitoring.
88. The Assembly should address specific recommendations to the member States that have acquired and used Pegasus or equivalent spyware, including Poland, Hungary, Greece and Spain. It should also address general recommendations to all member States, many of which have used or still use similar spyware, drawing from standards laid down by the European Court of Human Rights in this area. States should refrain from using spyware unless their legislative framework, oversight mechanisms and system of remedies are fully in line with those standards. In this respect, the Assembly should invite all member States to report to the relevant Council of Europe bodies (be it the Consultative Committee of Convention 108+ once the amending protocol enters into force, or the Venice Commission) on whether their regulatory frameworks and implementation are in line with the Council of Europe standards and to share their best practices. Until such an assessment is made, member States should apply an immediate moratorium on the acquisition and use of highly intrusive spyware tools such as Pegasus. The Committee of Ministers should also be invited to draft a recommendation to member States on surveillance and human rights, with a specific focus on the acquisition, use, export and transfer of spyware, taking due account of all Council of Europe and international legal standards. All these standards would benefit from being brought together in a consolidated form for clarity purposes. This recommendation would also codify the highest standards in this field, drawing for instance from existing UN and Council of Europe texts on human rights and business (Recommendation CM/Rec(2016)3) and adapting them to the context of the spyware industry. At a later stage, the Committee of Ministers could examine the feasibility of drafting a new Council of Europe Convention on the acquisition, use, export and transfer of spyware, with a monitoring mechanism.