The European Parliament committee investigating member nations’ use of surveillance apps on mobile devices proposed a ban on the commercial buying and selling of zero-day exploits in a set of draft recommendations that also called for an immediate moratorium on the sale and use of advanced spyware.
The PEGA Committee last March began investigating the use of advanced spyware on the continent after reports surfaced that authorities in Poland, Greece, Hungary and Spain had deployed it against political opponents and civil society. Use of advanced spyware by the Greek secret services against politicians, journalists and business executives has developed into a national scandal being called the “Greek Watergate.”
The committee convened Wednesday to consider the recommendations in a meeting marked by a repeat of allegations from committee rapporteur and Dutch representative Sophie in ‘t Veld that European leaders would rather bury evidence of human rights abuses by national governments that deploy advanced spyware than grapple with the consequences (see: EU Complicit in Spread of Advanced Spyware, Charges Veld).
“We are being stonewalled, completely, by the member states, the Council and the European Commission,” Veld said. Abuse of spyware by European nations amounts to a “digital attack on democracy, from within,” she added. The committee expects to finalize the recommendations this spring.
Governments across the world, including authoritarian regimes, have been caught deploying spyware such as NSO Group’s Pegasus to snoop on political opponents, real or perceived. Spyware industry defenders say the ability to infiltrate mobile devices has been instrumental in capturing criminals and stopping terrorism.
Initially, only a handful of companies possessed the technical know-how to exploit security flaws in mobile operating systems to infect Android devices and iPhones with spyware capable of recording phone calls and tracking victims’ location. Now that number is closer to three dozen and the line between spyware and financially motivated malware is becoming blurry. The Predator spyware at the heart of the Greek scandal comes from a previously obscure North Macedonian developer called Cytrox.
The root cause of advanced spyware’s infiltration capabilities lies with zero-days – unpatched flaws in the iOS or Android operating systems that attackers exploit to bypass security protections. New discoveries of zero-days can command deals worth millions in the gray market of vulnerability brokers. Governments may hoard them for their own purposes.
An October committee hearing highlighted the role of security vulnerabilities in the spread of spyware and included testimony from Google executive Shane Huntley that decried the stockpiling of vulnerabilities (see: Zero-Day Hoarding Aids Advanced Spyware, PEGA Committee Told).
The draft recommendations call for a ban on public authorities’ ability to hoard vulnerabilities except for limited cases governed by an equities process that weighs the benefits of disclosure against the hacking gains made by the zero-day’s exploitation. The recommendations also call for a ban on the commercial trade in vulnerabilities and easing the concerns that security researchers who disclose zero-days may have about civil or criminal liability.
A European-wide halt on the acquisition and use of spyware should take effect immediately, Veld also proposed. It could be lifted on a country-by-country basis so long as authorities can demonstrate a legal framework in line with European standards for the use of spyware. Governments would also have to run down accusations of spyware abuse and resolve them “without delay.”
The committee will also have to consider the draft’s recommendations that Poland, Hungary, Greece and Spain specifically shore up safeguards against spyware abuse and resolve outstanding investigations. Cyprus should also take steps to tackle its status as an export hub for the surveillance industry, the draft says, proposing the country assess and potentially repeal export licenses issued for spyware.