The Pega Committee began investigating last March the use of advanced spyware on the continent after reports surfaced that authorities in Poland, Greece, Hungary and Spain deployed it against political opponents and civil society. Use by the Greek secret services of advanced spyware against politicians, journalists and business executives has developed into a national scandal being called the 'Greek Watergate.' The committee convened Wednesday to consider the recommendations in a meeting marked by a repeat of allegations from committee rapporteur and Dutch representative Sophie in 't Veld that European leaders would rather bury evidence of human rights abuses by national governments that deploy advanced spyware than grapple with the consequences (see: EU Complicit in Spread of Advanced Spyware, Charges Veld). "We are being stonewalled, completely, by the member states, the Council and the European Commission," Veld said.
Abuse of spyware by European nations amounts to a "digital attack on democracy, from within," she added. The committee expects to finalize the recommendations this spring. Governments across the world including authoritarian regimes have been caught deploying spyware such as NSO Group's Pegasus to snoop on political opponents, real or perceived.
Spyware industry defenders say the ability to infiltrate mobile devices has been instrumental in capturing criminals and stopping terrorism. Initially only a handful of companies possessed the technical know-how to exploit security flaws in mobile operating systems to infect Android devices and iPhones with spyware capable of recording phone calls and tracking victims' location. Now that number is closer to three dozen and the line between spyware and financially-motivated malware is becoming blurry.
The Predator spyware at the heart of the Greek scandal comes from a previously obscure North Macedonian company called Cytrox. The root cause of advanced spyware's infiltration capabilities lies with zero-days - unpatched flaws in the iOS or Android operating systems that attackers exploit to bypass security protections. New discoveries of zero-days can command deals worth millions in the gray market of vulnerability brokers.
Governments may hoard them for their own purposes. An October committee hearing highlighted the role of security vulnerabilities in the spread of spyware and included testimony from Google executive Shane Huntley that decried the stockpiling of vulnerabilities (see: Zero-Day Hoarding Aids Advanced Spyware, PEGA Committee Told). The draft recommendations call for a ban on public authorities' ability to hoard vulnerabilities except for limited cases governed by an equities process that weighs the benefits of disclosure against the hacking gains made by zero-days' exploitation.
The recommendations also call for a ban on the commercial trade in vulnerabilities and easing criminal liability concerns of security researchers who disclose zero-days. A European-wide halt on the acquisition and use of spyware should take effect immediately, Veld also proposed. It could be lifted on a country-by-country basis so long as authorities can demonstrate a legal framework in line with European standards for the use of spyware.
Governments would also have to run down accusations of spyware abuse and have them "resolved without delay." The committee will also have to consider the draft's recommendations that Poland, Hungary, Greece and Spain specifically shore up safeguards against spyware abuse and resolve outstanding investigations. Cyprus should also take steps to tackle its status as an export hub for the surveillance industry, the draft says, proposing the country assess and potentially repeal export licenses issued for spyware.