
After 6 years in power, the Polish government led by the nationalist Law and Justice (PiS) party has introduced Polish civil society to Eurosceptic politics and antidemocratic reforms, interspersed with small and large political scandals. However, when last December the Toronto-based NGO Citizen Lab revealed that the Polish government had spied on opposition politicians, members of the judiciary and a famous opposition lawyer, public opinion turned sharply. Despite creating their own narrative, the state-owned media were not able to fully convince their supporters, and even PiS MPs started to openly criticise their party. The issue reached the European Parliament, which in March voted to create a Committee of Inquiry that will investigate the use of Pegasus and equivalent surveillance spyware within the next 12 months.

The government at first ignored the accusations. When asked about the spyware, a PiS spokesman laughed it off, suggesting that perhaps his colleagues from the opposition party had found an old Pegasus game console in the attic. Later the party changed its strategy, saying that the government had bought Pegasus spyware from the Israel-based NSO Group, but that it was used only in cases of serious suspicion of criminal activity. For now, it seems that the Polish Watergate, as the scandal has already been labelled, is the tip of the iceberg. More victims of illegal cyber-attacks have been reported in Poland, and the case is not limited to one member state. Last year it was revealed that the Hungarian government also spied on opposition politicians and government critics.

Pegasus is software developed by the Israel-based NSO Group. It infects mobile phones and can turn on the camera and voice recorder to spy on victims. One of the most dangerous features of the malware is that it downloads the victim’s passwords to make spying possible after the initial attack is over. On its website, NSO Group states that its products support government intelligence and law enforcement in meeting the modern challenges of cyber security and investigating terror and crime. Pegasus is claimed to have been used as early as 2016 to hack into the phone of the human rights lawyer Ahmed Mansoor, when he received a message with a link to allegedly confidential information about torture taking place in United Arab Emirates prisons.

Pegasus returned to the European agenda in December 2021, when Krzysztof Brejza, an opposition member of the Senate (the upper chamber of the Polish parliament), received information from Citizen Lab that his phone had been hacked 33 times in 2019. Among nearly 40 victims were the prominent opposition lawyer Roman Giertych, prosecutor Ewa Wrzosek and, (un)surprisingly, individuals from the ruling political camp.

Mr Brejza states that there was a higher political significance behind the attack on him, as in 2019 he was the head of the Civic Platform (PO) campaign for the parliamentary elections (won by PiS, with PO coming second). During the campaign, Polish state-owned media published Brejza’s allegedly leaked text messages, which suggested that he might be engaged in criminal activities. Brejza began legal proceedings against the state-owned media in 2019, but it is now known that the published information was fabricated and might have been acquired with the help of Pegasus spyware. Senator Brejza, quoted by Politico, said: “This operation destroyed the work of the headquarters and destabilised my campaign […] I don’t know how many votes it took from me and the entire coalition.”

The Senate, where the opposition holds the majority of seats, established a Special Committee on the issue of illegal tapping and its influence on the elections. John Scott-Railton, Senior Analyst at Citizen Lab, whose team has been investigating Pegasus since 2016, said during the hearing in January that what drew his team’s attention was that all previous cases of spying with Pegasus had been reported in dictatorships and authoritarian regimes, not democratic states such as Poland. Mr Scott-Railton commented that this was one of the most aggressive attacks using Pegasus malware he had ever encountered. It seems that the aggressor wanted to know what the Head of the Campaign had been doing on a regular basis.

The Polish government is not the only EU member that has used spyware against its own citizens. According to an article published by the Guardian in 2021, the Hungarian government used the spyware to infect phones of at least ten lawyers, five journalists and an opposition politician. In November 2021, Poland and Hungary were excluded by Israel from the list of potential clients of cyber-security products as they were labelled as not fully democratic states.

The Pegasus scandal did not go unnoticed by the EU and the European Parliament. The debate on the surveillance of politicians, prosecutors, lawyers, and other persons and entities in the EU took place during the plenary on February 15 in Strasbourg. The Commission was represented by Didier Reynders, Commissioner for Justice, with Clément Beaune, the French Minister of State for European Affairs, also participating in the debate.

The voice of the European Parliament (EP) was united. MEPs from the largest political groups called for tighter EU regulation of spyware programs and of the privacy of European citizens. Jeroen Lenaers from the European People’s Party quoted the words of Roman Giertych, saying: “the victims, in his [Giertych] words, are the canary in the coalmine. They are the first symptom. They are the warning of a much wider problem. They are an alarm that rings loudly for everyone to hear, and the EU must now show that we have heard this alarm. We must act upon the warning we have received and defend democracy and the rule of law whenever and wherever necessary”. Juan Fernando López Aguilar from the S&D called on the EP to establish a special committee of enquiry to ensure that the Commission exercises its role as guarantor of the Treaties and of European law, including European privacy law. Sophia in ‘t Veld from the Renew group said that the Council and Commission have not done enough to prevent such situations in the future. “When no one can be sure anymore that he is not being spied upon, more and more people will start practising self-censorship,” the MEP warned. “We have already gone through that in Europe. Never again. We will also need to have a very close look at the possible impact that these practices may have had on the integrity of elections in Europe, and notably the 2019 European elections in Poland”.

During the plenary session in March, the European Parliament voted in favour of establishing a special Committee of Inquiry, which for the next 12 months will investigate the use of Pegasus and equivalent surveillance spyware. In February, MEPs stressed the need to defend the rule of law whenever and wherever necessary and that the EP, even if it does not hold the same inquiry powers as national parliaments, should play a lead role in this process. Civil society in Poland, Hungary and the EU will closely examine the workings of the Committee in the hope that, along with the Commission’s Digital Services Act, it will prove decisive for the cyber-security of the EU and its citizens.