In a preliminary report, the European Data Protection Supervisor has urged EU officials to ban the use and deployment of military-grade surveillance products, citing recent findings around the NSO Group's flagship spyware tool, Pegasus. The EU privacy watchdog cites "unprecedented risks and damages" to rights and freedoms of individuals, and to democracy and the rule of law.
In its report, entitled "Preliminary Remarks on Modern Spyware," the EDPS suggests that Pegasus - which according to recent local reports was turned on Israeli citizens by the nation's police force - exceeds the bounds of any legal framework and infringes upon privacy for individuals and those who have been tapped. It also contends that any evidence collected as a result of Pegasus snooping should not be permitted in court.
"We have to rethink the entire existing system of safeguards established to protect our fundamental rights and freedoms, which are endangered by these tools," the EU privacy watchdog writes.
The watchdog says the spyware, which was designed to attack smartphones running either iOS or Android operating systems, can "turn a mobile phone into a 24-hour surveillance device," with complete access to sensors, sent/received messages, stored photos, voice/video calls, the geolocation module and the device camera.
"It grants complete, unrestricted access to the targeted device," the EDPS says.
"One cannot exclude the possibility of using Pegasus beyond mere interception of communication. It might allow the attacker to gain access to digital credentials or digital identity apps, which can be used to impersonate the victim and gain access to digital and physical assets."
The supervisory authority also cites Pegasus' "zero-click" capability, meaning no action by the victim is required to trigger the surveillance - an attack that even cyber-savvy users may be unable to prevent.
Even device vendors such as Apple and Google may not be able to entirely protect individuals from malware such as Pegasus, the EDPS says, adding:
"Private hacking companies such as the NSO Group may have the financial power to contract highly capable software engineers with the sole task of seeking ever-existing vulnerabilities and developing powerful exploits, on par with nation-state capabilities."
Intrusions, the report says, are also hard to detect unless the OS provides secure logging mechanisms. Recent versions reportedly reside only in the device's temporary memory, meaning signs of infection can vanish after a reboot, it says.
A 'Game Changer'?
The EDPS also rejects the notion that Pegasus can be considered a "traditional" law enforcement interception tool, writing:
"Spyware tools like Pegasus are actually hacking tools … based on breaching security mechanisms and exploiting unpatched vulnerabilities, and, in this sense, allowing their use even under strict conditions would create a permanent and strong risk of massive security breaches for all users."
Calling Pegasus a "game-changer" for its level of intrusiveness, the EDPS says it renders legal and technical safeguards "ineffective and meaningless."
NSO Group Responds
Responding to the report, a spokesperson for the Israeli firm tells ISMG:
"NSO Group is proud to help its customers across the EU to save lives and allow governments and law enforcement agencies to rely on the critical cyber intelligence tools like Pegasus to save thousands of lives from terror attacks, severe crimes, pedophiles, locate kidnapped children, and human trafficking. All this without compromising the public's privacy.
"NSO strongly believes there needs to be an international regulatory structure put in place to oversee issues raised by the misuse of cyber intelligence tools. Without such a framework, the rogue states who use cyber intelligence to suppress human rights and stifle democracy will benefit."
The spokesperson says any misuse of such tools is "a serious matter and all allegations must be investigated."
Still, they contend, many of the organizations that have leveled allegations have "relied on 'experts' who claim to be 'familiar' with NSO and Pegasus and are longtime political opponents of cyber intelligence."
They call it an "international effort by these groups to distort a necessary international policy debate over cyber intelligence tools."