EU Privacy Watchdog Calls for Ban of NSO Group's SpywarePegasus the Target of Preliminary Report from European Data Protection Supervisor
In a preliminary report, the European Data Protection Supervisor has urged EU officials to ban the use and deployment of military-grade surveillance products, citing recent findings around the NSO Group's flagship spyware tool, Pegasus. The EU privacy watchdog cites "unprecedented risks and damages" to rights and freedoms of individuals, and to democracy and the rule of law.
In its report, entitled "Preliminary Remarks on Modern Spyware," the EDPS suggests that Pegasus - which according to recent local reports was turned on Israeli citizens by the nation's police force - exceeds the bounds of any legal framework and infringes upon privacy for individuals and those who have been tapped. It also contends that any evidence collected as a result of Pegasus snooping should not be permitted in court.
"We have to rethink the entire existing system of safeguards established to protect our fundamental rights and freedoms, which are endangered by these tools," the EU privacy watchdog writes.
The watchdog says the spyware, which was designed to attack smartphones running either iOS or Android operating systems, can "turn a mobile phone into a 24-hour surveillance device," with complete access to sensors, sent/received messages, stored photos, voice/video calls, the geolocation module and the device camera.
"It grants complete, unrestricted access to the targeted device," the EDPS says. "One cannot exclude the possibility of using Pegasus beyond mere interception of communication. It might allow the attacker to gain access to digital credentials or digital identity apps, which can be used to impersonate the victim and gain access to digital and physical assets."
The supervisory authority also cites Pegasus' "zero-click" ability, meaning no action is required to trigger the surveillance - a state which even cyber-savvy users may not prevent.
Even device vendors such as Apple and Google may not be able to entirely protect individuals from malware such as Pegasus, the EDPS says, adding: "Private hacking companies such as the NSO Group may have the financial power to contract highly capable software engineers with the sole task of seeking ever-existing vulnerabilities and developing powerful exploits, on par with nation-state capabilities."
Intrusions, the report says, are also hard to detect - unless the OS is powered by secure logging mechanisms. And recent versions reportedly only inhabit the device's temporary memory - meaning signs of infection can vanish after a reboot, it says.
A 'Game Changer'?
The EDPS also rejects the notion that Pegasus can be considered a "traditional" law enforcement interception tool, writing: "Spyware tools like Pegasus are actually hacking tools … based on breaching security mechanisms and exploiting unpatched vulnerabilities, and, in this sense, allowing their use even under strict conditions would create a permanent and strong risk of massive security breaches for all users."
Calling Pegasus a "game-changer" for its level of intrusiveness, the EDPS says it renders legal and technical safeguards "ineffective and meaningless."
NSO Group Responds
Responding to the report, a spokesperson for the Israeli firm tells ISMG: "NSO Group is proud to help its customers across the EU to save lives and allow governments and law enforcement agencies to rely on the critical cyber intelligence tools like Pegasus to save thousands of lives from terror attacks, severe crimes, pedophiles, locate kidnapped children, and human trafficking. All this without compromising the public's privacy.
"NSO strongly believes there needs to be an international regulatory structure put in place to oversee issues raised by the misuse of cyber intelligence tools. Without such a framework, the rogue states who use cyber intelligence to suppress human rights and stifle democracy will benefit."
The spokesperson says any misuse of such tools is "a serious matter and all allegations must be investigated." Still, they contend, many of the organizations that have leveled allegations have "relied on 'experts' who claim to be 'familiar' with NSO and Pegasus and are longtime political opponents of cyber intelligence."
They call it an "international effort by these groups to distort a necessary international policy debate over cyber intelligence tools."
The 'Darker Side'
Still, the EU privacy watchdog cautions against the "darker side of the software," in which Pegasus has reportedly been applied to spy on journalists, lawyers, opposition leaders and human rights activists, including individuals in the EU.
The EDPS says EU law permits such surveillance under clear-cut cases of terrorism or preventing organized crime, but that the use must be warranted and proportionate. "Pegasus, which de facto grants full unlimited access to personal data, including sensitive data, [is highly unlikely to] meet the requirements of proportionality [without certain features switched off]. … The level of interference with the right to privacy is so severe that the individual is in fact deprived of it."
Around permissibility in court, EDPS says Pegasus-collected data "could actually encroach on the right to fair trial … which is one of the cornerstones of European legal systems."
Ban on Development?
EDPS officials conclude that Pegasus "constitutes a paradigm shift" regarding access to private communications and devices, "making its use incompatible with democratic values."
They call for a ban on the development and deployment of the spyware across the EU.
Noting the watchdog's findings, some security experts say Pegasus has led to an entirely new wave of "surveillanceware."
"Tactics like mobile phishing and zero-click malware delivery are key capabilities for Pegasus, and we've seen an increase in those two tactics over the last few years," says Hank Schless, senior manager of security solutions at the firm Lookout, noting a trickle-down effect to criminal gangs and lone-wolf actors. "Regardless of what happens with Pegasus, mobile surveillanceware isn't going anywhere anytime soon. It will be interesting to see what takes Pegasus' place as the malware of choice [though]."
For "exceptional" cases demanding such surveillance, the EDPS calls for these safety precautions:
- Strengthening of democratic oversight over the program;
- Strict implementation of the EU legal framework;
- Judicial review over the type of surveillance;
- Criminal procedural laws that outlaw the use of such hacking tools;
- Not using national security as a reason to legitimize extensive use.