The European Parliament committee investigating the abuse of commercial spyware tools such as Pegasus has recommended a slew of new regulatory safeguards, but dropped a preliminary call for a moratorium. Instead of calling for a continental pause on European Union member governments’ deployment of spyware that can surreptitiously infect smartphones to record the location, telephone calls and text messages of victims, the committee said governments should fulfil a string of conditions by the end of this year. Committee members also condemned “major violations of EU law in Poland and Hungary” over those governments’ use of commercial spyware. European Parliament member Sophie in ‘t Veld of the Netherlands said that the European Commission and the Council have a moral duty to citizens and that their failure to prevent the illegitimate use of spyware would mean they were complicit in the destruction of democracy.
The PEGA Committee’s final recommendations call for commercial spyware to be used only in exceptional cases presenting a genuine threat to national security. Governments must also cease exporting commercial spyware unless the exports comply with dual-use controls, fully investigate all alleged abuses of spyware, and prove that their deployment of commercial spyware is in line with European standards. The committee’s report also recommends that governments attach a mandatory signature identifying the authority that authorized the commercial spyware when it is deployed.
Among the conditions that governments should meet by Dec. 31 are to cease exporting commercial spyware unless the exports conform with dual-use controls, fully investigate all alleged abuses of spyware, and prove that their deployment of commercial spyware is in line with European standards. There are more than sufficient indicators for, let’s say, illicit exports taking place from Cyprus, Greece, Bulgaria, and possibly other countries, said in ‘t Veld, who also acknowledged that the committee had not found hard evidence of export control violations. In ‘t Veld said that, although the inquiry has concluded, not one government has been held accountable, and the European Parliament will continue to ask questions and remain on top of this issue.
Reports surfaced in March 2022 that authorities in Poland, Greece, Hungary and Spain had deployed spyware against political opponents and civil society. The European Parliament set up the PEGA Committee in response. On Monday, the committee voted 30-5 to send the recommendations onward to a full session of the European Parliament; two members abstained from the vote.
A preliminary set of recommendations released by in ‘t Veld in October last year called for a ban on government stockpiling of zero-day vulnerabilities except in highly limited cases. The final report instead calls on member states to develop a vulnerability equity process that by default discloses vulnerabilities.