The inquiry committee to investigate the use of the Pegasus spyware questioned a representative of the Israeli company behind the technology, the NSO Group, with questions but still many remain unanswered.
The European Parliament set up the committee to look into the purchase and deployment of the controversial technology.
On Tuesday (21 June), the committee scrutinised the NSO Group by questioning Chaim Gelfand, the tech firm’s General Counsel and Chief Compliance Officer.
The MEP and rapporteur Sophie in ‘t Veld said the way Gelfand responded to or declined to answer several questions was “an insult to our intelligence” and that there was a “complete disconnect between reality and what you are saying”.
“I would like to understand which cases of terrorism and serious crime were at stake when you sold Pegasus, for example, to the Hungarian and Polish governments,” Sophie in ‘t Veld said.
According to Gelfand, through the use of Pegasus, state authorities thwart numerous terrorist attacks, and it has been instrumental in apprehending paedophiles and other serious criminals.
While the tangible impact of the technology is difficult to measure, Gelfand estimated that “probably many thousands of lives have been saved”.
However, as has been revealed by a consortium of media outlets last year, the spyware has been used to hack the phones of critics, journalists and politicians, thus raising concerns about the mechanisms to control who can get hold of such technology.
NSO software was used to spy on prominent European leaders such as Spanish Prime Minister Pedro Sánchez and French President Emmanuel Macron, as well as political groups in Poland, Hungary and Spain.
Control mechanism
Gelfand emphasised that only governments can be the end-users of the Pegasus spyware, and they must pass a “due diligence review” to acquire it.
This review is based on openly available information on a country’s respect for human rights and the rule of law as well as the national laws and is reviewed annually, according to Gelfand.
Referring to the clearly problematic situations regarding the rule of law in certain European member states, the Polish MEP Róza Thun und Hohenstein asked: “who and how was checking the governments of Hungary and Poland? How on earth could they be verified by you?”
The question was not directly answered as no information about specific clients could be disclosed, Gelfand reiterated.
Data access
Besides enabling countries – that many MEPs expressed should not pass such a review – to use the spyware, another question that kept coming up in the debate was how the NSO Group could ensure that countries were using their technology to fight against terrorism and crime.
While a former employee said that the NSO Group had access to all the data, Gelfand said that data was not stored in any cloud and there was no backdoor access.
“But if you have no access to this information, how do you know this is not being abused? Or if it is used correctly? Do you have any information on how this intelligence is being used,” Polish lawmaker Bartosz Arłukowicz asked.
In response, Gelfand explained that since they do not have access to the intelligence, suspicion comes up through whistleblowing, which results in the NSO Group investigating certain cases.
Responding to breach of use
Thus, according to Gelfand, the NSO Group only reacts to breaches of use after these are reported. Following “credible” reports, the NSO Group initiates an investigation that can lead to an automatic suspension or the termination of contracts.
In eight cases, investigations have led to terminations of contracts, Gelfand said.
How many and which countries were affected by such terminations were not divulged. While admitting at least five EU countries used Pegasus, Gelfand did not name them but said he would hand in this information at a later stage.
The NSO Group representative repeatedly stated that international regulation would be the best way to deal with this issue in the future, rather than leaving it up to private companies. “Countries would have to agree how they are using the system and would have to sign up. There would be international ability to oversee this,” he said.
The MEPs expressed their hope that many of the unanswered questions would be followed up in writing. The chair of the debate, Jeroen Lenaers, announced that a mission to Israel would also take place to get further information from the NSO Group.
[Edited by Luca Bertuzzi/Alice Taylor]