This week, Poland’s Supreme Court quashed an ongoing probe into spyware abuses allegedly conducted by its own government – claiming it to be “unconstitutional”. Comprehensive new research, published earlier this month by the Atlantic Council’s Digital Forensic Research (DFR) Labs, also now shows that government abuse of spyware is now widespread across the European Union (EU).
The findings of DFR Labs’ research provide a truly damning description of the widespread abuse of spyware by governments across Europe, accusing the EU of effectively turning a blind eye to the widespread abuse of its citizens’ rights despite being made aware of the widespread abuses at least two years ago. In 2022, the European Parliament (EP), frustrated by the Commission’s reluctance to tackle the growing scandal, established the PEGA Committee to investigate the misuse of surveillance spyware.
The committee concluded that EU governments had extensively abused spyware services. It found, for example, that the Greek government had facilitated the export of Predator spyware which was then used by Sudan’s Rapid Support Forces militias, who are reported to have committed war crimes. But, despite the committee’s recommendations, the EU has so far failed to adopt any legislation as a bloc to curb the development or sale of spyware.
The report adds that: “For years, civil society organizations like AccessNow and Amnesty International have sought to bring attention to these abuses and have reported on spyware’s use on nearly every continent.”
“The Mythical Beasts” project as the spyware investigation is called, pulls back the curtain on the connections between 435 entities across forty-two countries in the global spyware market. According to the Atlantic Council’s findings, at least 80 of 195 countries in the world are known to have procured spyware from commercial vendors. Fourteen of the 27 countries that make up the European Union have purchased spyware from just one vendor, the NSO Group.
States extend surveillance beyond physical borders
“With the proliferation of spyware, from NSO Group’s Pegasus to Intellexa Consortium’s Predator, comes increased attention to its use…by states to extend surveillance power well beyond their physical borders, making it easier to track, arrest, kidnap, and even kill their citizens. In these abuses of spyware, the victims are most often journalists, activists, opposition politicians, and a myriad of other individuals whose activity has attracted hostile interest from their governments,” says the Atlantic Council’s DFR Labs’ “Mythical Beasts” report on the global spyware market.
EU governments must also be acutely aware that they are potentially facilitating criminal behavior when they decide to enter the shady world of spyware, as evidenced by the pains spyware vendors invariably take to cover their tracks.
According to the DFR Labs report: “Spyware vendors will change legal names and even shift entire corporate structures [abroad]. Several of the vendors captured in the dataset appear to have constructed subsidiary, branch, and partner relationships that cross strategic jurisdictional boundaries. These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws.”
There are also several instances where spyware vendors or suppliers have formed partnerships with major technology firms. Russia-based Positive Technologies, for example, was a member of Microsoft’s Active Protections Program (MAPP), publicly advertising its work with Samsung.
