EU democracy is under attack by the increasing use of mercenary spyware that violates privacy rights, silences opposition and the free press, and shields governments from public scrutiny, a new report by a committee of the European Parliament has said.
Once installed in a device, spyware allows the invader to conduct real-time surveillance, find passwords and sensitive files, track locations and plant fabricated evidence. It is usually installed through a malicious app or website link and leaves very few traces for its detection.
Pegasus, developed by the Israeli-based company NSO Group, and Predator, a less sophisticated version, are the most well known brands across Europe.
The report, presented as a draft version on Tuesday, accuses EU countries of practising "omertà," the code of silence originally linked to the Italian mafia, and covering each other's backs to stonewall the investigation.
"The spyware scandal is not a series of isolated national cases of abuse, but a full-blown European affair," the report says.
Sophie in 't Veld, the Dutch MEP who acted as rapporteur, said her team was forced to rely on publicly available information due to the continued refusal to cooperate by EU governments.
The report is "not complete (but) a puzzle," in 't Veld said, blasting member states for creating an "area of lawlessness" and sweeping the issue "under the carpet."
"I understand the frustration," the lawmaker said. "But if you connect the dots, it does show a picture that is very difficult to deny."
'Ill-equipped' to protect institutions
The report paints a grim picture of a continent that has become an "attractive place" for mercenary spyware but remains "ill-equipped" to protect its democratic institutions from internal threats.
Spyware is described as an "integral part" of a broader system that, in some cases, leads to illegitimate surveillance based on vague justifications and ineffective oversights, leaving victims unable to obtain answers. The exemption of national security is repeatedly invoked to avoid accountability and maintain secrecy.
"The rule of law turns into the law of the ruler," it reads.
The document names four EU countries in which spyware has been illegally used against citizens – Poland, Hungary, Greece and Spain – and a fifth one under suspicion – Cyprus.
Poland and Hungary have seen dozens of cases of political opponents and media professionals claiming to have been illegally targeted with Pegasus spyware by the state.
Greece has been rocked by an escalating espionage scandal that indicates the country's intelligence services infected the phones of journalists, business people and politicians with Predator software, forcing Prime Minister Kyriakos Mitsotakis to apologise.
In Spain, spyware was detected in the phones of Prime Minister Pedro Sánchez and several national ministers, as well as Catalan lawmakers, lawyers and civil society organisations.
'A very shady industry'
But the report goes beyond concrete cases of illegal activity and points the finger at other member states for being complicit in building a broader environment that facilities and promotes the use of spyware.
The document accuses Cyprus and Bulgaria of acting as export hubs for spyware, Ireland of offering favourable fiscal conditions, Luxembourg of providing banking services to developers, France of hosting manufacturers, Malta of being a popular destination for industry leaders and even the Czech Republic of celebrating an annual fair dubbed the "Wiretappers Ball."
Sophie in 't Veld claimed that all 27 EU countries have spyware at their disposal – "all of them," she insisted – even if they refuse to admit it. Contracts between state actors and companies like the NSO Group are extremely hard to access, making it impossible to draft an accurate list of clients.
"The spyware industry a very shady industry, opaque and elusive and with very low ethical standards," in 't Veld told reporters. "The term 'mercenary spyware' sums it up nicely."
The Dutch lawmaker said spyware developers take advantage of the passport-free Schengen area and the good reputation of the "EU-regulated" label to easily move their products across the bloc and beyond.
In 't Veld blamed the worsening trend on the European Commission for its "weak" and "superficial" enforcement of EU law and on the European Council for shielding member states from scrutiny.
"When it comes to defending the most important thing, democracy and freedom, Europe is weak and impotent," she said. "The EU is still immature as a democracy."
Reacting to the criticism, a Commission spokesperson rejected accusations of weak enforcement and said that any attempt by national authorities to illegally access the data of private citizens was "unacceptable."
"National security is a member state competence, but when guaranteeing national security, member states must apply relevant EU law," the spokesperson said, responding to a question from Euronews.
The EU Council did not immediately reply to a request for comment.
Among its recommendations, the report calls for an EU-wide moratorium on the sale and use of spyware, more stringent export rules, a new legal framework to unify the different standards between countries, and a common definition of national security that clarifies its practical limitations.
It also demands that Europol, the EU's law enforcement agency, make greater use of its powers to investigate spyware cases that national authorities are unwilling to probe.
The draft report unveiled on Tuesday was the result of months of research and trips to Poland, Cyprus and Greece, with a visit to Hungary scheduled to take place in the near future.
The document will be discussed by the MEPs who sit on the special PEGA committee, which was set up earlier this year to examine spyware cases and is due to expire in March 2023, unless its mandate is extended.
Given the sensibility of the topic at hand, the report is expected to be subjected to multiple amendments.
"This committee is extremely politicised," in 't Veld said. "On occasion, you can feel the presence of national governments in our debates."