This call is coming from inside the house.
New revelations about the use of Israeli spyware tool Pegasus against an opposition lawyer and a prosecutor in Poland rocked Brussels and Warsaw this week, adding fuel to their ongoing dispute over the rule of law. European lawmakers are urging the EU to step in to investigate the incident and protect the victims.
Researchers at the Toronto-based Citizen Lab watchdog group said late on Monday that Roman Giertych, a prominent lawyer tied to the country’s political opposition, and prosecutor Ewa Wrzosek had fallen victim to the Pegasus software, detailing how their phones were hacked to surveil their activity.
The Polish government denied it had targeted the two for political purposes. “Any suggestions that the Polish services use operational methods for the sake of political struggle are false,” said Stanisław Żaryn, spokesperson for Poland’s special services ministry.
But critics of Poland’s nationalist government on Tuesday rebuffed that response, accusing the government of being behind the attacks.
“It puts Poland, unfortunately, in the same category as other authoritarian regimes who misuse criminal and technological capabilities for targeting not the bad guys but political rivals,” said Radosław Sikorski, a Polish member of the European Parliament and former national minister, whose center-right Civic Platform party is Poland’s strongest opposition force.
It’s not the first case where Pegasus was found to have been used against opposition figures in Europe. An investigation called Pegasus Project this summer found that the software was used in more than 50 countries on members of civil society, politicians, lawyers, journalists and others.
France, Spain and Hungary were among countries where journalists had been targeted. In the case of Hungary, researchers linked the use of Pegasus to the government of Prime Minister Viktor Orbán. In the wake of the reports, the European Parliament’s civil liberties committee held hearings and called on the Commission to get involved and limit the use of spyware, including by member governments.
Spyware in Europe
The Pegasus software at the heart of the scandal is a powerful piece of malware developed by Israeli firm NSO Group that is sold mainly to government entities.
The malware uses “known or unknown security weaknesses in devices [like smartphones] of targets, to gain access to them. After gaining control of such a device it’s possible to browse the local files, photos, turn on the microphone” and more, said Łukasz Olejnik, a Polish independent cybersecurity researcher.
Concerns around spyware pushed the EU to tighten its rules on exporting such technology to authoritarian regimes.
But the revelations from Poland this week and from Hungary this summer confront the EU with a different, much trickier conundrum: How to prevent spyware being used for political purposes inside the bloc?
“I don’t really have an idea on how to forbid this,” said German MEP Moritz Körner of Renew Europe, who follows digital surveillance issues in the civil liberties committee. He said the EU doesn’t have the authority to decide how member countries handle their internal security, which has impeded action against pervasive surveillance practices in the past.
Europe’s next move
Other countries have taken decisive action.
U.S. officials added NSO Group to their Entity List in November, banning U.S. firms from trading with the group. Tech giant Apple also announced in November it was suing NSO Group “to prevent further abuse and harm.”
Eighty-eight human rights groups and experts earlier this month called on the EU to impose targeted sanctions on the Israeli spyware maker.
But European governments have blown hot and cold when pressed on whether they’ll ban the malware.
Luxembourgish Prime Minister Xavier Bettel in October suggested he’d condone his government’s use of Pegasus for state security purposes. In November the MIT Technology Review reported the French government had been in talks to purchase the software. (Paris denied the allegations.)
Spyware “may be used for legitimate purposes” by governments, said Olejnik, adding this requires “proper oversight.”
But independent oversight is a problem in Poland, critics say, pointing to the government’s effort to bring courts, prosecutors, the media and other aspects of civil society under political control.
“What is happening here [in Poland] is no longer a democracy. It’s no longer a rule of law,” said Dutch liberal MEP Sophie in ‘t Veld. “But it’s part of the EU,” she added. “The Commission and Council can’t continue to brush this off.”
In ‘t Veld and fellow lawmakers want the Commission to investigate whether Poland, Hungary or other member countries violated EU rules on private communications and data protection in their use of Pegasus malware.
Sikorski, meanwhile, said the revelations strengthened the EU’s case to take infringement actions against Poland over the rule of law.
Polish hacking victims could seek legal redress in Poland, but are also considering taking action elsewhere, he said: “It’s impossible to investigate it fairly in Poland. But, you know, we might try civil procedures, and we might try to go to the European Court of Human Rights, or even conceivably to the International Criminal Court.”
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email email@example.com to request a complimentary trial.