Tamping down demand for spyware in Europe is an uphill battle
Greek authorities closed out 2022 with a bang by raiding six surveillance-for-hire companies. A key target of the crackdown was Intellexa, an Israeli cyber intelligence firm operating in Greece through its subsidiary, Cytrox. Known for its Predator software — which collects mobile phone data after user interaction with a malicious link — Intellexa has become a major spyware exporter, which some governments use for repression of their people. However, Greece’s Intellexa clampdown is not a success story against a notoriously under-regulated industry. Instead, it is a reminder of authoritarian appetites for surveillance and regulatory irresponsibility across Europe.
The raids occurred amidst a domestic spying scandal, in which the Greek National Intelligence Service (EYP) allegedly illegally monitored journalists, government officials and politicians with Predator. Prime Minister Kyriakos Mitsotakis initially denied the surveillance accusations, and the government claimed no connections to Predator and declared the product was illegal. However, forensics from journalists Stavros Malichudis and Thanasis Koukakis and even former Minister of Energy Kostis Hatzidakis have published reports indicating otherwise.
The Greek case represents a wider trend in the demand for spyware among European democracies. In a report released last summer, the European Parliament found at least 11 European Union (EU) members used or pursued digital spying capabilities. For Europe’s democratic backsliders, this may not be surprising. As democratic checks and balances erode, authoritarian behaviors such as targeted domestic surveillance are more likely to emerge. For example, leaders in Poland and Hungary reportedly have used spyware to monitor journalists, academics, activists and opposition. The Orban government reportedly has surveilled over 300 individuals in the past few years, according to a leaked list.
More troubling, however, is the appetite for spyware from Europe’s more consolidated democracies. For example, Spain apparently has utilized spyware since 2001 and spurred numerous domestic spying scandals over the past two decades. Madrid is reported to have often pursued multiple products at once. From 2010 to 2016, Spain’s National Intelligence Center reportedly paid 3.4 million euros to the Italy-based Hacking Team for its Galileo software. In the same period, the Spanish government is said to have deployed Finfisher, spyware sold by Anglo-German Gamma Group. More recently, the controversy over surveilling prominent Catalonians between 2017 and 2020 has revealed Madrid as an alleged longtime user of Pegasus.
But European democracies aren’t just buying spyware. They evidently export these tools to repressive authoritarian regimes, with regulatory action occurring only after public and diplomatic backlash. For example, despite disavowing any links to the spyware, the Greek government confirmed it granted Intellexa licenses to export Predator to Madagascar. Since 2021, the government reportedly has approved at least 12 other sales to foreign countries. Accordingly, Intellexa continued pedaling its software, including a reported sales pitch to Ukraine. Only after domestic turmoil and bad press over Intellexa’s reported unauthorized export of Predator to Sudan did Athens take action against the firm.
A similar scene played out in Italy with Hacking Team. From 2008 to 2014, the Italian government reportedly authorized the company to export its Galileo spyware globally. Hacking Team subsequently developed an expansive customer list. In Latin America alone, the firm reportedly held active contracts in seven countries and had negotiations with five others. Yet, lax government oversight meant Hacking Team could ignore its reported role in supporting repressive regimes. Italy revoked the universal export license in 2016 apparently only after the murder of Giulio Regeni in Egypt created tension between Rome and Cairo. But this move appears to have been more about punishing a longtime Hacking Team client in Egypt than about regulating spyware exports.
Curbing Europe’s spyware problem requires addressing both supply and demand. The former is likely easier than the latter. Adhering to common export controls across the EU is an important step in overcoming inconsistent or nonexistent oversight of spyware sales to non-European countries. But implementation power ultimately rests with national governments, meaning that driving consensus around spyware regulation will require sustained diplomacy and pressure from partners. This is an area where the Biden administration must take a more proactive leadership role in shaping the international spyware agenda and response.
Tamping down the demand for spyware within Europe is going to be harder, though, particularly when democratic governments acquire capabilities from their own private sectors. In this sense, the Greek Parliament’s recent vote to ban spyware in the country and impose a two-year minimum prison sentence on violators can serve as a test case for deterring spyware abuses. However, the slim margin upon which the legislation passed — all opposition lawmakers opposed the bill — shows that democratic governments have an uphill climb to regain political trust after illegal surveillance. Greater transparency and accountability are certainly required for European democracies to live up to their rhetoric on privacy and other civil rights.
Jason Blessing, Ph.D., is a Jeane Kirkpatrick Visiting Research Fellow with the foreign and defense policy department at the American Enterprise Institute. His research focuses on cybersecurity as well as transatlantic relations. Follow him on twitter @JasonABlessing.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.