The European Commission has decided to launch an investigation on the surveillance of EU journalists as the bloc reels from the Pegasus Project revelations released over the weekend that governments had used military spyware to intercept communications.
“We are starting to collect information to see what are the possible uses of such a kind of application in one of those member states. We have seen the comments in the press about that,” said Commissioner for Justice Didier Reynders on Tuesday (20 July).
An investigative consortium formed by Forbidden Stories, Amnesty International and 17 media organisations revealed on Sunday that at least 10 governments had allegedly employed military spyware for illegal surveillance of journalists, lawyers, businessmen and members of civil society.
The Hungarian government is the only one in Europe to be accused of having illegitimately used the Pegasus hacking software from Israeli tech company NSO, which had originally been developed to target criminal and terrorist networks.
Reynders added that the Directorate‑General for Communications Networks, Content and Technology (DG CNECT) will coordinate the work, which will also be informed by investigations from judicial authorities and data protection watchdogs.
Rule of law
The Commission’s rule of law country report released on Tuesday notes that “media pluralism remains at risk.” Similarly, a report of the European University Institute’s Centre for Media Pluralism and Media Freedom published on the same day assesses that media pluralism in Hungary continued to deteriorate in 2020.
The spyware allegations come at a time when Budapest is already on a collision course with Brussels on the rule of law, as the Commission has already initiated several infringement proceedings against Hungary and might start a new one for a controversial law targeting LGBTIQ references.
Hungarian authorities, however, lament an ideological bias against their government. Asked by EURACTIV if the Hungarian government denies ever using the NSO spyware, a Hungarian official replied “what would be the answer of the governments of the United States of America, the United Kingdom, Germany or France to the same question?”
In presenting the rule of law report, Commission Vice-President Věra Jourová noted that surveillance falls within the scope of national security laws, but it will also be included in the upcoming recommendation on the safety of journalists.
Pegasus spyware allows the hacking of mobile devices, accessing all sorts of information, including messages, emails, calendars and phone records. The phone’s microphone and camera could also be activated without the owner knowing.
The investigative consortium is in possession of 50,000 mobile numbers that were potentially targeted, which however does not automatically indicate the phones were hacked. Only a forensic analysis can confirm if the device was compromised. The consortium tested a sample of leaked phone numbers and found traces of the spyware in more than half of them.
European Commission President Ursula von der Leyen has said that if the allegations were verified, it would be “completely unacceptable.”
However, Budapest denied any wrongdoing. “Hungary is a democratic state governed by the rule of law, and as such, when it comes to any individual it has always acted and continues to act in accordance with the law in force,” a representative of Hungarian Prime Minister Viktor Orban’s office told the Washington Post.
The leaked list contains the names of 180 journalists, including two journalists from Hungary’s opposition newspaper Direkt36. Amnesty International stated they have conclusive evidence the phone of Szabolcs Panyi, a Direkt36 reporter, was hacked for several months in 2019.
The consortium found a positive correlation between the hacks and Panyi’s official requests for comments to the Hungarian government, which would suggest the authorities tried to anticipate the story and identify the relevant sources, something Budapest has denied.
“Although governments all over the world will dismiss these allegations, what the Pegasus investigation uncovered is an awfully serious issue that shows us the extent to which governments break the law and interfere with journalists’ work,” said Marius Dragomir, director of the Centre for Media, Data and Society (CMDS) at CEU Democracy Institute.
Although national security remains a strictly national competence, EU member states are bound to comply with human rights standards and privacy rules. However, there is currently no judicial assessment of surveillance practices, as legal compliance is merely verified with the signature of the minister of justice.
The European Court of Human Rights ruled in 2016 against Hungarian legislation, for failing to provide sufficient safeguards against abuse and privacy violations. According to the Guardian, Justice Minister Judit Varga signed 1,285 such authorisations only last year.
“Although I don’t expect that to happen right now, I hope that this scandal will be added to the list of wrongdoing and illegalities that these people will be charged with once they lose power,” Dragomir added.
The Hungarian Data Protection Authority will be responsible for verifying the privacy breaches. At one point during the pandemic, the Hungarian government applied a state of emergency, effectively suspending certain data protection rights.
[Edited by Josie Le Blond]