    Spyware

    Module 4: Surveillance of Journalists, Searches and Digital Device Seizures

    Targeted surveillance describes surveillance which focusses on obtaining information about the communications of a specific individual, such as a person who is already a suspect in a criminal case.(1) A prominent example is the use of spyware, a malicious type of software which “interferes with a device’s normal operation to collect information without alerting the user”.(2)

    The most intrusive type of spyware currently known to the public is Pegasus spyware, which is manufactured by the Israeli cyber-arms company NSO Group and is exclusively sold to governments. In 2021, the Organised Crime and Corruption Project (OCCRP) released a report which outlined the use of Pegasus spyware on, inter alia, journalists, human rights defenders, activists and political figures worldwide.

    Pegasus spyware can be installed covertly on an individual’s device, often their mobile phone. Once installed, the spyware turns the device into a full-time surveillance tool, granting unrestricted access to the stored data, as well as the device’s camera, microphone, messages, photos, passwords, calls, and geolocation.

    Methods of implantation include the user clicking on a malicious link or the use of a wireless transmitter in close proximity to the phone. However, one of the most concerning revelations about Pegasus spyware is its capability to infect a device through the so-called “zero-click” method, which does not require any act by the user or any “jailbreaking” of the system.

    Once a device is infected, it is extremely difficult to detect the spyware or its actions, for instance whether data has been extracted.

    1. International standards

    Various international bodies have expressed serious concern over the use of spyware, including the UN Human Rights Committee.(3) As pointed out by the UN OHCHR, the development and use of pervasive surveillance tools is “profoundly alarming”, threatening the rule of law and eroding pluralistic democracies.(4)

    The targeting of journalists, human rights defenders and others with this spyware tool constitutes a serious interference with the right to privacy (Article 17 ICCPR)(5) which, in particular when carried out for political reasons, can never be justified.(6)

    In addition, the use of Pegasus spyware violates freedom of expression, protected on the international level by Article 19 ICCPR. Infecting a personal communication device with spyware permits “insights into the thinking processes of individuals subject to hacking, as well as their political and religious views and beliefs”.(7) This is especially true in the journalistic context as the protection of journalistic sources is circumvented and the mere existence of spyware creates a chilling effect.(8)

    2. Regional standards: EU

    In the EU, targeted surveillance measures – with the exception of national security measures excluded from its scope by Article 4(2) TEU – must comply with applicable Union primary and secondary law, in particular the EU Charter, the ePrivacy Directive and the Law Enforcement Directive.(9) Article 52(1) EU Charter requires all acts limiting fundamental rights to conform with the requirements of proportionality and necessity.(10)

    Due to the quality and quantity of data stored on smartphones, the EU Data Protection Supervisor considers it “highly unlikely that spyware such as Pegasus, which de facto grants full unlimited access to personal data, including sensitive data, could meet the requirements of proportionality” as “the interference with the right to privacy is so severe that the individual is in fact deprived of it” and that the protection of third parties and those who are afforded special protection, such as lawyers, is not guaranteed.(11)

    In a similar approach, the European Parliament has condemned “the use of spyware by Member State governments, and members of government authorities or state institutions for the purpose of monitoring, blackmailing, intimidating, manipulating and discrediting opposition members, critics and civil society, eliminating democratic scrutiny and the free press, manipulating elections and undermining the rule of law by targeting judges, prosecutors and lawyers for political purposes.”(12)

    3. Regional standards: CoE

    On 23 October 2023, the CoE’s Parliamentary Assembly issued a resolution expressing its deep worry about “mounting evidence that Pegasus and similar spyware have been used illegally or for illegitimate purposes by several member states, including against journalists, political opponents, human rights defenders and lawyers” and condemned its use for political purposes.(13)

    Even before the revelations about the intrusiveness of Pegasus spyware, the ECtHR’s Grand Chamber acknowledged that, against the backdrop of rapid technical advancement, domestic law must be sufficiently clear “to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.”(14)

    The ECtHR has yet to deliver its first judgment on a case concerning the use of Pegasus spyware. However, its case law gives some insights into how it approaches such matters.

    The use of intrusive spyware against journalists goes to the heart of their right to private and family life (Article 8 ECHR), as well as their freedom of expression (Article 10 ECHR), as it gives access to a range of sensitive information and correspondence and creates a chilling effect for those contributing to public debate. Its use fails to meet the conditions of the so-called three-part test, in particular the requirements of necessity and proportionality. Lastly, Pegasus spyware circumvents the protection of journalistic sources, without which, as stressed by the ECtHR, sources may be deterred from speaking to the press, which in turn cannot fulfil its public watchdog role.(15)

    Litigating spyware cases: Victim status

    In contrast to cases concerning mass surveillance legislation, individuals targeted with spyware, such as Pegasus spyware, have usually been informed by technical experts, their devices’ manufacturer or civil society organisations that they have been specifically targeted and that their devices have been infected. However, they often face other obstacles in litigating their cases, as the majority of the information about the hacking remains solely in the domain of the attacking state. These difficulties include, but are not limited to, the following:

    • Meeting the burden of proof required by the court they are accessing;
    • Difficulties in obtaining detailed technical evidence that the hacking took place;
    • Submitting details on the date and length of the infection, the data accessed/extracted and the aim of the measure;
    • Identifying the attacking state.  

    Footnotes

    1. Nóra Ní Loideáin, Bulk Surveillance: Europe’s Recent Landmark Judgements (5 July 2021), (accessible at https://digitalfreedomfund.org/bulk-surveillance-europes-recent-landmark-judgements/).
    2. Amnesty International, What is spyware and what can you do to stay protected? (14 December 2023), (accessible at https://www.amnesty.org/en/latest/campaigns/2023/12/what-is-spyware-and-what-you-can-do-to-stay-protected/#:~:text=Spyware is a type of,to a device by default).
    3. HRC, Concluding observations on the seventh periodic report of Germany (30 November 2021), CCPR/C/DEU/CO/7, paras 42-43, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G21/357/46/PDF/G2135746.pdf?OpenElement); HRC, Concluding observations on the fifth periodic report of the Netherlands (22 August 2019), CCPR/C/NLD/CO/5, paras 54-55, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G19/249/80/PDF/G1924980.pdf?OpenElement); HRC, Concluding observations on the sixth periodic report of Italy (1 May 2017), CCPR/C/ITA/CO/6, paras 36-37.
    4. UN Human Rights Council, The right to privacy in the digital age. Report of the Office of the United Nations High Commissioner for Human Rights (4 August 2022), A/HRC/51/17, para 54, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G22/442/29/PDF/G2244229.pdf?OpenElement).
    5. Ibid. paras 4-5 and 9, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G22/442/29/PDF/G2244229.pdf?OpenElement).
    6. Ibid. paras 18-19.
    7. Ibid. para 9, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G22/442/29/PDF/G2244229.pdf?OpenElement); see also Human Rights Council, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye (22 May 2015), A/HRC/29/32, para 20, (accessible at https://documents-dds-ny.un.org/doc/UNDOC/GEN/G15/095/85/PDF/G1509585.pdf?OpenElement/).
    8. Ibid. para 10.
    9. See: The European Data Protection Supervisor, Preliminary Remarks on Modern Spyware (15 February 2022), p. 6, (accessible at https://www.edps.europa.eu/system/files/2022-02/22-02-15_edps_preliminary_remarks_on_modern_spyware_en_0.pdf).
    10. Ibid. p. 7.
    11. The European Data Protection Supervisor, Preliminary Remarks on Modern Spyware (15 February 2022), p. 8, (accessible at https://www.edps.europa.eu/system/files/2022-02/22-02-15_edps_preliminary_remarks_on_modern_spyware_en_0.pdf).
    12. EU Parliament, Investigation of the use of Pegasus and equivalent surveillance spyware (Recommendation) (15 June 2023), no. 3, (accessible at https://www.europarl.europa.eu/doceo/document/TA-9-2023-0244_EN.html).
    13. PACE, Pegasus and similar spyware and secret state surveillance, Resolution 2513 (2023) (11 October 2023), (accessible at https://pace.coe.int/en/files/33116/html).
    14. Roman Zakharov v Russia [GC], App No. 47143/06, §229, ECHR 2015.
    15. See for instance ECtHR, Telegraaf Media Nederland Landelijke Media B.V. and Others v. The Netherlands, App No 39315/06, §127, 22 November 2012; ECtHR, Sedletska v. Ukraine, App No. 42634/18, §§54-55, 1 April 2021.