The spyware industry has found a cozy home in the EU

In a press conference on Tuesday, PEGA, an EU committee set up to investigate the abusive use of spyware across Europe, presented the initial results of an extensive investigation it started back in April this year.

While there have been reports of spyware abuse across several EU member states—which led to PEGA’s creation in the first place—in a 159-page draft report shared with Risky Business, the committee said it found that spyware use and the surveillance industry are prevalent across EU member states.

“All member states have spyware at their disposal. All of them, even if they don’t admit it. They do!” PEGA Committee rapporteur Sophie In ‘t Veld said yesterday.

She added that while some countries use it responsibly, others have abused it to spy on political rivals, journalists, and government critics, but all use the cloak of “national security” to create an “area of lawlessness” where they operate without any accountability.

Unmatched in spyware abuse in the UE are Hungary and Poland, according to the PEGA Committee rapporteur.

“[In] Poland and Hungary, […] spyware is an integral element of a system; a system which is designed to control and even oppress the citizens—that is the critics of the government, the opposition, journalists, whistleblowers—and the whole system is very methodically set up. It’s not by accident. It’s not a random tool they are using,” In ‘t Veld said.

In other countries like Spain and Greece, In ‘t Veld said spyware was deployed “with no evident, imminent, immediate threat to national security” and that there are also reports of similar abuses in Cyprus.

But In ‘t Veld said that while some EU member states are consumers, others are guilty of providing a legal framework for surveillance companies to operate unhindered and sell their software all across the globe. According to the draft report, some vendors advertise themselves as “EU regulated,” using the term as a form of “quality label.”

“Certain EU countries are attractive as an export hub, as—despite the EU’s reputation of being a tough regulator—enforcement of export regulations is weak,” the draft report concluded. More below:

“Two Member States, Cyprus and Bulgaria, serve as the export hub for spyware. One Member State, Ireland, offers favourable fiscal arrangements to a large spyware vendor, and one Member State, Luxemburg, is a banking hub for many players in the spyware industry. The home of the annual European fair of the spyware industry, the ISS World’ Wiretappers Ball,’ is Prague in The Czech Republic. Malta seems to be a popular destination for some protagonists of the trade. A few random examples of the industry making use of Europe without borders: Intellexa has a presence in Greece, Cyprus, Ireland, France and Hungary, and its CEO has a Maltese passport and (letterbox) company. NSO has a presence in Cyprus and Bulgaria and it conducts its financial business via Luxemburg. DSIRF is selling its products from Austria, Tykelab from Italy, FinFisher from Germany (before it closed down).”

PEGA’s draft report proposes a series of measures the EU should take to address its spyware problem. The first one that the EU should apply, according to In ‘t Veld, would be an immediate moratorium on the sale and use of such tools.

The second would be to “enforce the [EU] export rules vigorously because that, frankly, friends, is a joke. We have Dual Use regulation but the enforcement is really not serious”—as In ‘t Veld eloquently put it yesterday.

Other proposals include states defining what “national security” is, the creation of a dedicated European Export Control Agency, a joint initiative with the US to create common standards and a blacklist of spyware vendors, the involvement of Europol in the investigation of abusive spyware use, and granting PEGA and other EU bodies actual powers to investigate spyware cases.