Logo Assembly Logo Hemicycle

Pegasus and similar spyware and secret state surveillance

Doc. 15825: compendium of written amendments | Doc. 15825 | 10/10/2023 | Revised version

Contents

A Draft Resolution
B Draft Recommendation

Compendium index

Amendment 1 Amendment 2 Amendment 3 Amendment 4 Amendment 5 Amendment 6 Amendment 7 Amendment 8 Amendment 9 Amendment 10 Amendment 11 Amendment 12 Amendment 13 Amendment 14

Caption: AdoptedRejectedWithdrawnNo electronic votes

ADraft Resolution

1In July 2021, an international coalition of investigative journalists coordinated by Forbidden Stories, with the technical support of Amnesty International’s Security Lab (“the Pegasus Project”), published information about a leaked list of over 50 000 phone numbers identified as potential targets by clients of NSO Group, an Israeli company that developed and globally markets a spyware called Pegasus. This list included human rights defenders, political opponents, lawyers, diplomats, Heads of State and nearly 200 journalists from 24 countries. 11 countries around the world were identified as potential NSO clients, including two Council of Europe member States, Azerbaijan and Hungary.
2Subsequent investigative reports, including by CitizenLab of the University of Toronto, have revealed that governments of several Council of Europe member States have acquired and used Pegasus for targeted surveillance of their own citizens. It is known that Pegasus was sold to at least 14 European Union countries, including Belgium, Germany (in a modified version), Hungary, Luxembourg, the Netherlands, Poland and Spain. There is strong evidence that Azerbaijan has also used it, including during the conflict with Armenia. Other member States have acquired or used similar spyware, such as Candiru and Predator. These tools have not only been used within the jurisdiction of member States but they have also been exported to third countries with authoritarian regimes and a high risk of human rights violations, including Libya (under the Gaddafi regime), Egypt, Madagascar and Sudan. These exports have potentially breached EU export rules.
3The Parliamentary Assembly notes that Pegasus is a highly intrusive surveillance spyware, which grants the user complete and unrestricted access to all sensors and information on the targeted mobile phone. It turns the smartphone into a 24-hour surveillance device, accessing the camera and microphone, geolocation data, e-mails, messages, photos, videos, passwords, and applications. While some spyware require some action on the part of the victim, such as clicking on a link (for instance, Predator) or opening an attachment, Pegasus is installed through a so-called “zero-click attack”. Given its unprecedented level of intrusiveness into the private life of the targeted individual and all their contacts, the Council of Europe Commissioner for Human Rights and the European Data Protection Supervisor have expressed serious doubts as to whether its use could ever meet the proportionality requirement and therefore be human-rights compliant.
4The Assembly shares these concerns and believes that the use of Pegasus-type spyware should be limited to exceptional situations as a measure of last resort, to prevent or investigate a specific act amounting to a genuine and serious threat to national security or a specific and precisely defined serious crime, and only targeting the person suspected of committing or planning to commit those acts. In order to limit such a high level of intrusiveness, States should take into account the proportionality of new spyware before acquiring and using them; they should also consider using spyware without some of the most invasive features of Pegasus or a version that is programmed in such a way that it limits access to what is strictly necessary.

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

In the draft resolution, paragraph 4, at the end of the first sentence, add the following words:

"and always under court supervision"

Explanatory note

One of the key issues of the use of these systems by a member State of the Council of Europe is that they should be used under the oversight of a judicial court or special judge.

5The Assembly is deeply worried about mounting evidence that Pegasus and similar spyware have been used illegally or for illegitimate purposes by several member States, including against journalists, political opponents, human rights defenders and lawyers. Pegasus and other spyware have also been exported from member States to authoritarian regimes outside Europe, potentially in breach of European Union export rules. The Assembly welcomes the thorough investigation carried out by the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) leading to the adoption of a recommendation by the European Parliament on 15 June 2023. It notes in this respect that the PEGA Committee and the European Parliament have found that:
5.1in Poland and Hungary, Pegasus surveillance spyware has been illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors, apparently as part of a system or an integrated strategy;

10 October 2023

Tabled by Mr Constantinos EFSTATHIOU, Mr Paul GAVAN, Mr Stefan SCHENNACH, Mr Simon MOUTQUIN, Mr Max LUCKS

In the draft resolution, paragraph 5.1, replace the words "has been illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors, apparently as part of a system or an integrated strategy" with the following words:

"has been allegedly illegally deployed for political purposes to spy on journalists, opposition politicians, lawyers, prosecutors and civil society actors, apparently as part of a system or an integrated strategy. In parallel with Pegasus, in Poland, traditional surveillance methods have been allegedly unlawfully used to spy on civic activists and opposition politicians within state-owned hotels of the Polish Hotel Holding"

5.2in Greece, it has been confirmed that a member of the European Parliament and a journalist have been wiretapped by the intelligence agency and targeted with Predator spyware, and media reports revealed further possible targets of Predator, including other high-profile politicians. Spyware appears to have been used on an ad hoc basis for political and financial gains;
5.3in Spain, the Prime minister and other ministers’ phones were infected with Pegasus, allegedly by a third country (Morocco). 65 persons related to the Catalan pro-independence movement were allegedly targeted with Pegasus and/or Candiru, 18 of whom have been confirmed as lawful targets by the Spanish authorities;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

Votes: 40 in favor 56 against 10 abstentions

In the draft resolution, paragraph 5.3, second sentence, replace the words "were allegedly targeted" with the following words:

"were alleged by them to have been targeted"

Explanatory note

There have been cases, such as that of Toni Comin, which have been demonstrated to have been false positives.

5.4Cyprus and Bulgaria serve as an export hub for spyware;
5.5spyware companies are or were present in several member States, including Austria, Bulgaria, Cyprus, France, Germany, Greece, Ireland, Italy, Luxembourg, Romania and Switzerland.
6The Assembly further notes that according to the “Pegasus Project” revelations, Azerbaijan has also used Pegasus, including against journalists, independent media owners and civil society activists. Recent reports have disclosed its use in connection with the Armenia-Azerbaijan conflict, against 12 persons working in Armenia, including an Armenian government official, in what appears to be an example of transnational targeted surveillance.
7The Assembly unequivocally condemns the use of spyware by State authorities for political purposes. Secretly surveilling political opponents, public officials, journalists, human rights defenders and civil society actors for purposes other than those exhaustively enumerated in Article 8.2 of the European Convention on Human Rights (ETS No. 5, “the Convention”) (among which the prevention of disorder or crime and the protection of national security and public safety) amounts to a clear violation of the right to respect for private life (Article 8).
8If the authorities invoke national security grounds as a justification for using spyware but their real purpose is to target and discredit an opposition politician or to intimidate and silence a human rights defender, the surveillance will give rise to a violation of Article 8 in conjunction with Article 18 of the Convention, which prohibits States from restricting rights for purposes not prescribed by the Convention itself. Such a misuse of power has a chilling effect on the exercise of other human rights and fundamental freedoms, including the freedom of expression (Article 10), the freedom of assembly and association (Article 11) and the right to free elections (Article 3 of Protocol No. 1 to the Convention (ETS No 009)). It may also undermine the integrity of electoral processes and free public debate, and therefore, the foundations of our democratic societies.

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

Votes: 26 in favor 77 against 8 abstentions

In the draft resolution, paragraph 8, first sentence, after the words "as a justification", add the following words:

"without court supervision"

Explanatory note

Again, the key issue of the use of spyware by a member State of the Council of Europe is when it is used without oversight or supervision by a judge or court.

9The targeting of journalists has an impact on the confidentiality of their sources and in turn on their freedom to impart information. The targeting of lawyer-client communications impairs the exercise of defence rights and the right to a fair trial guaranteed by Article 6 of the Convention, which is a fundamental principle of the rule of law.
10The Assembly underlines that member States have both negative and positive obligations under the Convention. Positive obligations in this area should include the protection of individuals within their jurisdiction from unlawful targeted surveillance by non-State actors and third States (transnational surveillance). This should trigger at the same time a procedural obligation to effectively investigate all cases of alleged unlawful digital surveillance by third actors targeting persons living in the territory of a member State. The Assembly refers in this context to Recommendation CM/Rec(2016)3 of the Committee of Ministers to member States on human rights and business adopted on 2 March 2016, which recalls that member States have a duty to protect individuals against human rights abuses by third parties, including business enterprises.
11The Assembly considers that the national investigative authorities and courts of the member States accused of spyware abuses must fully investigate and determine whether the use of Pegasus and similar spyware was lawful under domestic law and compliant with the Convention and other international standards. This implies assessing in each individual case whether the interference pursued a legitimate aim under Article 8.2 of the Convention and whether it was strictly necessary in a democratic society and proportionate to that aim. It also means ensuring that all victims of spyware-related abuses have access to effective remedies and redress. In this context, the Assembly urges:

10 October 2023

Tabled by Mr Constantinos EFSTATHIOU, Mr Paul GAVAN, Mr Stefan SCHENNACH, Mr Simon MOUTQUIN, Mr Max LUCKS

In the draft resolution, paragraph 11, replace the words "abuses must fully investigate [...] to effective remedies and redress" with the following words:

"and surveillance abuses must fully investigate and determine whether the use of Pegasus, similar spyware or other surveillance methods was lawful under domestic law and compliant with the Convention and other international standards. This implies assessing in each individual case whether the interference pursued a legitimate aim under Article 8.2 of the Convention and whether it was strictly necessary in a democratic society and proportionate to that aim. It also means ensuring that all victims of spyware- and surveillance-related abuses have access to effective remedies and redress."

11.1Poland, to:
11.1.1inform the Assembly and the European Commission for Democracy through Law (Venice Commission) about the use of Pegasus and similar spyware, within three months;
11.1.2conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;

10 October 2023

Tabled by Mr Constantinos EFSTATHIOU, Mr Paul GAVAN, Mr Stefan SCHENNACH, Mr Simon MOUTQUIN, Mr Max LUCKS

In the draft resolution, paragraph 11.1.2, after the words "abuse of spyware" add the following words:

"as well as unlawful surveillance in state-owned hotels,"

11.1.3refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.1.4apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.1.5comply with the opinion of the Venice Commission on the 2016 Police Act;
11.2Hungary, to:
11.2.1inform the Assembly and the Venice Commission about the use of Pegasus and similar spyware, within three months;
11.2.2conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.2.3refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.2.4apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.2.5implement without delay the judgments of Szabó and Vissy and Hüttl, as required by the Committee of Ministers in the exercise of its powers under Article 46.2 of the Convention;
11.3Greece, to:
11.3.1inform the Assembly and the Venice Commission about the use of Predator and similar spyware, within three months;
11.3.2conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.3.3refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;
11.3.4apply adequate sanctions, either criminal or administrative, in cases of abuse;
11.4Spain, to:
11.4.1inform the Assembly and the Venice Commission about the use of Pegasus, Candiru and similar spyware, within three months;
11.4.2conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

Votes: 34 in favor 68 against 7 abstentions

In the draft resolution, at the beginning of paragraph 11.4.2, add the following words:

"after the end of all the judicial proceedings,"

Explanatory note

Spain is a rule of law member State of the Council of Europe; the alleged unlawful spyware is before the courts. Before everything we should wait to see what the different courts and judges decide. In the case of any illegal spying of course there should be a political investigation.

11.4.3refrain from using blanket secrecy rules to deny oversight mechanisms’ and targeted persons’ access to information on the use of spyware;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

Votes: 28 in favor 78 against 4 abstentions

In the draft resolution, delete paragraph 11.4.3.

Explanatory note

Spain is a rule of law country where there are no "blanket secrecy rules to deny oversight mechanisms' and targeted persons' access to information on the use of spyware". The rules are clear and the use of spyware must be under the supervision of a court.

11.4.4apply adequate sanctions, either criminal or administrative, in cases of abuse;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

In the draft resolution, paragraph 11.4.4, replace the words "adequate sanctions" with the following words:

"tough sanctions"

Explanatory note

Any violation of the rule of law for political purposes using spyware without the supervision of a court should receive a tough penalty.

11.5Azerbaijan, to:
11.5.1inform the Assembly and the Venice Commission about the use of Pegasus and similar spyware, within three months;
11.5.2conduct effective, independent and prompt investigations on all confirmed and alleged cases of abuse of spyware and provide sufficient redress to targeted victims in cases of unlawful surveillance;
11.5.3refrain from using blanket secrecy rules to deny access to information on the use of spyware to oversight mechanisms and targeted persons;
11.5.4apply adequate sanctions, either criminal or administrative, in cases of abuse.
12The Assembly considers that the Polish parliamentary election of 2019 was not fair as Pegasus was used against political opponents during the electoral campaign.

10 October 2023

Tabled by Mr Constantinos EFSTATHIOU, Mr Paul GAVAN, Mr Stefan SCHENNACH, Mr Simon MOUTQUIN, Mr Max LUCKS

In the draft resolution, at the end of paragraph 12, add the following sentence:

"The Assembly further worries that illegal surveillance by the State is allegedly conducted in Poland, where opposition politicians, the Open Dialogue Foundation human rights watchdog, and Belarussian leader Sviatlana Tsikhanouskaya have been spied on in state-owned hotels of the Polish Hotel Holding, as reported by a whistle-blower and the media."

13The Assembly calls on member States which seem to have acquired or used Pegasus, including Germany, Belgium, Luxembourg and the Netherlands, to clarify the framework of its use and applicable oversight mechanisms. It invites them to send this information, as well as any statistics on the use of Pegasus, to the Assembly and the Venice Commission within three months.
14In order to prevent future abuses of spyware and human rights violations in Europe and beyond, the Assembly calls on all member States to:

10 October 2023

Tabled by Mr Constantinos EFSTATHIOU, Mr Paul GAVAN, Mr Stefan SCHENNACH, Mr Simon MOUTQUIN, Mr Max LUCKS

In the draft resolution, paragraph 14, after the words "spyware and", add the words:

"other surveillance methods, as well as"

14.1ensure that their national laws on secret surveillance are in full conformity with the requirements of the European Court of Human Rights and the Venice Commission, with regard to quality of the law, authorisation procedures, supervision and oversight mechanisms, notification mechanisms and remedies, and review them if necessary;
14.2ensure that the implementation of their legislative framework is effectively in line with the case-law of the European Court of Human Rights on targeted surveillance, with respect to legality, legitimacy, necessity and proportionality of any surveillance measure;
14.3pending the assessment of their legislative framework and practice by the Venice Commission, refrain from using tools like Pegasus, Candiru, Predator or similar spyware;
14.4in the mid-term, regulate specifically the acquisition and use of spyware by law enforcement and intelligence agencies, limiting the use of Pegasus-type spyware to exceptional situations as a measure of last resort, to prevent or investigate a specific act amounting to a genuine and serious threat to national security or a specific and precisely defined serious crime, and only targeting the person suspected of committing or planning to commit those acts. States should also establish oversight mechanisms, including parliamentary oversight, on the acquisition and use of spyware technologies, and incorporate an obligation to take into account proportionality considerations before acquiring and using new spyware;
14.5criminalise the sale to and use of spyware by non-State actors;
14.6ratify, if they have not yet done so, the Protocol amending the Convention for the protection of individuals with regard to the automatic processing of personal data (CETS No. 223) known as “Convention 108+”, which will apply to the processing of data for national security purposes, and already start implementing its standards in national law;
14.7ratify, if they have not yet done so, the Convention on Cybercrime (ETS No. 185, “Budapest Convention”) and its Additional Protocols;
14.8refrain from granting export licenses in respect of spyware technologies to countries where there is a substantial risk that those technologies could be used for internal or transnational repression and/or to commit human rights violations and revoke those granted in such cases;
14.9join the Wassenaar Arrangement if they have not yet done so, and for States already participating in this arrangement, develop a human rights-based framework for the transfer of spyware technologies, according to which export licenses would require a human rights impact assessment of the recipient State and the companies’ compliance with the United Nations Guiding Principles on Business and Human Rights;
14.10require that all spyware companies domiciled or conducting substantial activities within their jurisdiction apply human rights due diligence throughout their operations or in respect of such activities, in line with the CM/Rec(2016)3 of Committee of Ministers, and implement standards restricting public procurement contracts to only those companies which demonstrate that they apply human rights due diligence.
15The Assembly asks the Venice Commission to assess the legislative framework and practice on targeted surveillance of all member States (in priority Poland, Hungary, Greece, Spain and Azerbaijan; and then Germany, Belgium, Luxembourg, the Netherlands and all the other member States), in order to assess if such framework contains adequate and effective guarantees against any possible abuse of spyware, having regard to the Convention and other Council of Europe standards. Given the level of intrusiveness of Pegasus and similar spyware, clear and precise legislation, robust oversight mechanisms, procedural guarantees and effective remedies must be in place before member States can continue using those tools.

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

Votes: 23 in favor 89 against 2 abstentions

In the draft resolution, paragraph 15, delete the words:

"(in priority Poland, Hungary, Greece, Spain and Azerbaijan; and then Germany, Belgium, Luxembourg, the Netherlands and all the other member States)"

Explanatory note

The Assembly should not single out member States of the Council of Europe before any court decision has been reached.

16The Assembly trusts that the evaluation and review mechanism foreseen in amending Protocol CETS No. 223 will ensure the monitoring of the implementation of the relevant provisions of Convention 108+ in the area of targeted surveillance for national security and law enforcement purposes, including the use of spyware.
17The Assembly calls on:
17.1Israel, which enjoys observer status with the Assembly, to:
17.1.1strengthen its export control mechanisms to ensure that export licenses are denied or revoked with respect to spyware technologies where there is a substantial risk that those technologies could be used for internal or transnational repression and/or to commit human rights violations;
17.1.2fully cooperate with investigations conducted by Council of Europe member States regarding the use of Pegasus and other spyware exported from Israel or sold by Israeli-based companies;
17.1.3publish its framework on export control and inform the Assembly about it within six months;
17.2Morocco, which enjoys partner for democracy status with the Assembly, to:
17.2.1inform the Assembly within three months on whether it has used Pegasus or similar spyware at home and abroad;
17.2.2launch within three months a fully independent investigation into the alleged use of Pegasus by State authorities against targets in Morocco and targets within the jurisdiction of Council of Europe member States;
18The Assembly also calls on spyware and surveillance companies domiciled in Council of Europe member States or conducting substantial activities within their jurisdiction to apply human rights due diligence throughout their operations or in respect of such activities and improve transparency, in line with the CM/Rec(2016)3 of Committee of Ministers and the United Nations Guiding Principles on Business and Human Rights;
19The Assembly invites the European Union to sign and ratify Convention 108+, make use of the Council of Europe’s expertise in this field, and engage with its relevant bodies in areas such as data protection, targeted surveillance and spyware, for the purposes of standard-setting, monitoring and co-operation.

BDraft Recommendation

1The Parliamentary Assembly refers to Resolution … (2023) “Pegasus and similar spyware and secret state surveillance” and recommends that the Committee of Ministers:
1.1adopt a recommendation to member States of the Council of Europe on secret surveillance and human rights, particularly in the light of the threats posed by new surveillance technologies and spyware, taking due account of the highest international standards, the case law of the European Court of Human Rights and Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223, “Convention 108+). The recommendation should focus on:
1.1.1the conditions for the acquisition of spyware by member States’ government bodies and agencies;
1.1.2the conditions for the use of spyware technologies for law enforcement and national security purposes;
1.1.3the conditions for the sale and export of spyware technologies to third countries;
1.1.4authorisation procedures, supervision and oversight mechanisms, notification mechanisms and remedies applicable to the use of spyware by State authorities;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

In the draft recommendation, paragraph 1.1.4, before the word "supervision", add the following word:

"judicial"

Explanatory note

The question of the judicial supervision is a key point, as is the question of whether or not there should be a special judge who should authorise and be the focus point. The judge would also be a focus point for citizens' questions about their rights.

1.1.5accountability mechanisms in cases of unlawful use of spyware;
1.1.6human rights due diligence standards for spyware companies;
1.1.7the transnational aspect of digital surveillance and the use of spyware;

10 October 2023

Tabled by Mr Pablo HISPÁN, Mr Gonzalo ROBLES, Ms Carmen LEYTE, Ms Belén HOYO, Mr Javier MAROTO

In the draft recommendation, after paragraph 1.1.7, insert the following paragraph:

"the role of national parliaments."

Explanatory note

National parliaments should have a role in scrutinising governments' use of these technological mechanisms and in ensuring government accountability.

1.2examine the feasibility of a Council of Europe Convention on the acquisition, use, sale and export of spyware;
1.3coordinate its efforts with other international organisations, including the European Union and the United Nations, in the areas of data protection, targeted surveillance and spyware, for the purposes of standard-setting and co-operation.