Over 18 months have passed since an international coalition of brave investigative journalists released the Pegasus Project. The disclosure of the leak of over 50,000 phone numbers, including those of many human rights defenders, journalists, academics, and opposition leaders, that had been identified as potential targets for surveillance through the Pegasus spyware, shocked the world. Long-standing partners of my Office, such as the Azerbaijani human rights defender Khadija Ismayilova, were among those whose phones were infected.
Pegasus is a sophisticated and highly intrusive surveillance software, earlier versions of which have been known for some years. It allows the user to access the target’s entire device and all data connected to it without them doing anything or ever even realising they are under attack. The infected smartphone can be turned into a remote microphone and camera to spy on its owner or the owner’s surroundings, and it can even access the owner’s cloud accounts. There are few, if any, actions available to users to protect themselves from such zero-click exploits.
Governments have a duty to ensure security within their borders and the use of sophisticated surveillance technology may be necessary in a democratic society for the protection of national security or to safeguard the rights and freedoms of others. The case-law of the European Court of Human Rights establishes, however, that all surveillance must occur in accordance with the law, serve a legitimate aim, and be necessary and proportionate. What is more, the legal framework must provide precise, effective, and comprehensive safeguards on the ordering, execution and potential redress opportunities against surveillance measures, which must be subject to adequate judicial review and effective oversight.
Yet, ample evidence exists that Pegasus spyware has been used illegally and for purposes of domestic and international espionage rather than legitimate public safety concerns. Multiple inquiries initiated at national and regional level, most of them still ongoing, have gathered testimony on the illegal use, purchase, sale, and export of commercial spyware by Council of Europe member states. In the meantime, there continue to be new revelations about the targeting of journalists with spyware, suggesting that what we know so far is only the tip of the iceberg.
As Council of Europe Commissioner for Human Rights, I am alarmed about the impact of powerful hacking tools that grant complete and unrestricted access to someone’s private life. It is not only the right to privacy and personal data protection guarantees, as enshrined in Article 8 of the European Convention on Human Rights and protected by the modernised Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, that is at stake. The use of spyware has a chilling effect on other human rights and fundamental freedoms, including freedom of expression and public participation. It creates a climate of self-censorship and fear where all individuals can be treated as suspects and where human rights defenders and active members of political life are particularly threatened. The targeting of journalists with spyware endangers the confidentiality of their sources and, with that, the functioning and credibility of one of the most crucial pillars of our democratic societies: free access to information for all and the promotion of a pluralist media environment.
To prevent grave human rights violations stemming from the use of commercial spyware like Pegasus, Council of Europe member states must comply with their obligations under the European Convention as interpreted by the Court and ensure the legality, legitimacy, and necessity and proportionality of each such use.
Unfulfilled legality requirements
Any law authorising surveillance activities must be precise and clear as to the offences, activities and people subjected to surveillance. In addition, it must set out strict limits on the duration, as well as rules on the disclosure and destruction of the data obtained through the surveillance. Rigorous procedures should also be in place to order the examination, use and storage of the obtained information, and targets should be given a chance to exercise their right to an effective remedy. Finally, the bodies supervising the surveillance should be independent and accountable to parliament, rather than the executive.
With spyware as powerful and intrusive as Pegasus, the question remains of whether its use can ever be clear as to the targets, offences, and activities that are to be surveilled. As the European Data Protection Supervisor has pointed out, spyware tools like Pegasus constitute a game-changer in digital surveillance. These are hacking tools intended to breach security mechanisms and exploit existing vulnerabilities. As such, they affect the target’s entire surroundings and reach a level of intrusiveness that can never be precise or restricted to a specific person or timespan. This renders meaningful ex-ante and ex-post facto supervision practically impossible, even if existing legal frameworks are precise and comprehensive enough to meet the Court’s strict conditions. In addition, as infection with such sophisticated spyware is very hard to detect and prove, the victim’s right to an effective remedy may become elusive.
As a result, it is virtually unimaginable that the use of Pegasus or equivalent spyware could ever be considered in accordance with the law and the necessary safeguards as outlined by the Court.
Uncertainty regarding the legitimacy of the aim
What is more, information gathered so far suggests that commercial spyware is frequently used outside the remit of court orders and democratic scrutiny, and not to avert a serious and imminent threat to national security or for the protection of the rights and freedoms of others. With little evidence of the crimes that were prevented but numerous signs of spying on ordinary citizens for political purposes, spyware appears to have become an integral tool of state repression against human rights work, in most cases using national security considerations as a pretext. The fact that the inquiries into the circumstances surrounding the use of Pegasus and other spyware have been hampered by the lack of transparency and cooperation from the side of the governments involved does not help to dispel this claim, particularly in view of the long list of human rights defenders, journalists, and opposition leaders whom we know to have been targeted.
Unlimited secret surveillance neither necessary nor proportionate in a democratic society
While the Court grants contracting states certain discretion in terms of the conditions under which the system of surveillance is to be operated, this does not mean that they enjoy unlimited authorisation to subject persons within their jurisdiction to secret surveillance. They may not, in the name of the fight against espionage and terrorism, adopt whatever measures they deem appropriate. Rather, the Court has highlighted the paramount importance of ensuring that secret intelligence devices are used only in case of an aggravated threat and when traditional investigative means and devices have proven to be inefficient in the specific case.
There has been insufficient information shared about the specific dangers that Pegasus was intended to avert. However, given the massive interference with the rights to privacy of both the target and an unspecified number of persons in the target’s surroundings, it is difficult to imagine a scenario in which the use of such powerful and invasive spyware would ever be proportionate to the aim and thus human rights compliant.
An exponential market for the spyware industry
Serious concerns for human rights in Europe do not only stem from government agencies’ use of spyware. The spyware industry has been flourishing unabated for decades. Pegasus, Candiru, Predator and equivalent hacking tools have been exported and sold to the highest bidder, often without proper export license or other screening processes. The recent revelation of the European Predator spyware having been delivered to a Sudanese militia is therefore not only shocking but, unfortunately, also unsurprising.
The former UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, warned in 2019 that surveillance through mobile device hacking, which was then already used in at least 45 countries, was thriving amid weak controls on exports and transfers of such technology. He stressed that states’ human rights obligations also included the duty to prevent, investigate, punish, and redress human rights abuses by third parties and referred to the UN Guiding Principles on Business and Human Rights. They urge states to exercise adequate oversight when contracting companies to provide services that may impact on human rights and are thus very relevant to state relations with the private surveillance industry.
Yet, oversight over the dealings of private companies remains inadequate and sporadic in an environment that has been called a wide-ranging culture of non-compliance with existing privacy protection safeguards in Europe. Spyware tools are essentially free for purchase, while their use on individual phone numbers is facilitated by the fact that personal data (including phone numbers, biometric and location data) continue to be collected, processed, and sold on an unprecedented scale to companies across the globe, often without the user’s consent. In such an environment, the protection and enforcement of the fundamental right to privacy faces tremendous challenges indeed, to the point that it risks obliteration.
The need for updated and stronger regulatory frameworks
As I have said before, no single country exists with a fully satisfactory legal framework regarding the operation of its national security services. In 2015, following the Snowden revelations, my Office provided guidance to Council of Europe member states on how to make national oversight systems more effective and the security services more accountable and compliant with human rights standards. Since then, the spyware industry has developed faster than the legal frameworks applicable to surveillance technology. Even where they exist, they are often vague in terms of the specific investigative techniques that can be applied, leave too much discretion to the executive, or provide insufficient levels of judicial control. In addition, the procurement, sale, and export of spyware tools usually take place in such conditions of opacity that oversight is rendered extremely difficult.
It is high time for Council of Europe member states to recognise that the Pegasus spyware scandal is more than just an embarrassing episode. The lack of updated and adequate regulatory frameworks combined with often weak oversight structures has paved the way for grave privacy invasions that challenge the very concept of individual rights and endanger the essence of democratic societies, including the integrity of elections. Without constraints, surveillance becomes ubiquitous and increasingly intrusive, to the point that every actor is a potential target of surveillance and citizens curb their behaviour in that very knowledge.
While the ongoing inquiries to investigate the use of Pegasus and equivalent spyware are laudable and will undoubtedly contribute to a better understanding of what happened, why, and how, human rights activists, journalists, and opposition politicians continue to be targeted. Action must be taken now to prevent further abuse and restore public trust in security services. Given the complexity and extent of the challenge, comprehensive and strict regulation and scrupulous enforcement are indispensable.
The way ahead
I call on Council of Europe member states to impose a strict moratorium on the export, sale, transfer, and use of highly intrusive zero-click spyware tools such as Pegasus, and to put in place a precise, human rights compliant legislative framework for the use of modern surveillance technology. This framework should provide for meaningful procedural guarantees, robust systems of ex-ante and ex-post oversight through judicial review and parliamentary scrutiny, and effective redress mechanisms for victims. Once in place, this framework should be rigorously enforced.
Member states should further pay enhanced attention to the fact that the spyware industry is continuously developing new tools that, without safeguards and oversight, can be weaponised for nefarious purposes and facilitate human rights abuses. It is also imperative that governments are transparent about their efforts to guarantee the human rights compliant operation of their national security services and that they cooperate fully with all relevant inquiries. Finally, we must continue to raise public awareness about the rampant threat to the rights to privacy, freedom of expression and public participation stemming from an uncontrolled spyware industry and the opaque operations of national security services. We depended on the courage and determination of journalists and civil society groups to learn about the danger we are in. We now depend on the political will and resolve of governments to return to us a life in dignity and security.