{"id":1763,"date":"2024-06-14T21:43:47","date_gmt":"2024-06-14T20:43:47","guid":{"rendered":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/bulk-data-interception-copy\/"},"modified":"2024-06-17T08:42:52","modified_gmt":"2024-06-17T07:42:52","slug":"spyware","status":"publish","type":"publication","link":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/","title":{"rendered":"Spyware"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Targeted surveillance describes surveillance which focusses on obtaining information about the communications of a specific individual, such as a person who is already a suspect in a criminal case.\u201d[footnote]N\u00f3ra N\u00ed Loide\u00e1in, Bulk Surveillance: Europe\u2019s Recent Landmark Judgements (5 July 2021), (accessible at https:\/\/digitalfreedomfund.org\/bulk-surveillance-europes-recent-landmark-judgements\/).[\/footnote] A prominent example is the use of spyware, a malicious type of software which \u201cinterferes with a device\u2019s normal operation to collect information without alerting the user\u201d.[footnote]Amnesty International, What is spyware and what can you do to stay protected? (14 December 2023), (accessible at https:\/\/www.amnesty.org\/en\/latest\/campaigns\/2023\/12\/what-is-spyware-and-what-you-can-do-to-stay-protected\/#:~:text=Spyware is a type of,to a device by default).[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The most intrusive type of spyware currently known to the public is Pegasus spyware, which is manufactured by the Israeli cyber-arms company NSO Group and is exclusively sold to governments. In 2021, the Organised Crime and Corruption Project (OCCPR), released a report which outlined the use of Pegasus spyware on, inter alia, journalists, human rights defenders, activists and political figures worldwide.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pegasus spyware can be installed covertly on an individual\u2019s device, often their mobile phone. Once installed, the spyware turns the device into a full-time surveillance tool, granting unrestricted access to the stored data, as well as the device\u2019s camera, microphone, messages, photos, passwords, calls, and geolocation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Methods of implantation on a device include the clicking on a malicious link by the user or the use of a wireless transmitter in close proximity to the phone. However, one of the most concerning revelations about Pegasus spyware is its capability to infect a device through the so-called \u201czero click\u201d-method, which does not require any act by the user or any \u201cjailbreaking\u201d of the system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once a device is infected, it is extremely difficult to detect the spyware as well as its actions, for instance whether there has been an extraction of data.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"1\">\n<li><strong><em>International standards<\/em><\/strong><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Various international bodies have expressed serious concern over the use of spyware, including the UN Human Rights Committee.[footnote]HRC, <em>Concluding observations on the seventh periodic report of Germany <\/em>(30 November 2021), CCPR\/C\/DEU\/CO\/7, paras 42-43, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G21\/357\/46\/PDF\/G2135746.pdf?OpenElement); HRC, <em>Concluding observations on the fifth periodic report of the Netherlands <\/em>(22 August 2019), CCPR\/C\/NLD\/CO\/5, paras 54-55, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G19\/249\/80\/PDF\/G1924980.pdf?OpenElement); HRC, <em>Concluding observations on the sixth periodic report of Italy<\/em> (1 May 2017), CCPR\/C\/ITA\/CO\/6, paras 36-37.[\/footnote] As pointed out by the UN OHCHR, the development and use of pervasive surveillance tools is \u201cprofoundly alarming\u201d, threatening the rule of law and eroding pluralistic democracies.[footnote]UN Human Rights Council, <em>The right to privacy in the digital age. Report of the Office of the United Nations High Commissioner for Human Rights<\/em> (4 August 2022), A\/HRC\/51\/17, para 54, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G22\/442\/29\/PDF\/G2244229.pdf?OpenElement).[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The targeting of journalists, human rights defenders and others with this spyware tool constitutes a serious interference with the right to privacy (Article 17 ICCPR)[footnote]<em>Ibid<\/em>. paras 4-5 and 9, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G22\/442\/29\/PDF\/G2244229.pdf?OpenElement).[\/footnote]which, in particular when carried out for political reasons, can never be justified.[footnote]<em>Ibid<\/em>. paras 18-19.[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, the use of Pegasus spyware violates freedom of expression, protected on the international level by Article 19 ICCPR. Infecting a personal communication device with spyware permits \u201cinsights into the thinking processes of individuals subject to hacking, as well as their political and religious views and beliefs\u201d.[footnote]Ibid, para 9, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G22\/442\/29\/PDF\/G2244229.pdf?OpenElement); see also Human Rights Council, <em>Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye <\/em>(22 May 2015), A\/HRC\/29\/32, para 20, (accessible at https:\/\/documents-dds-ny.un.org\/doc\/UNDOC\/GEN\/G15\/095\/85\/PDF\/G1509585.pdf?OpenElement\/).[\/footnote] This is especially true in the journalistic context as the protection of journalistic sources is circumvented and the mere existence of spyware creates a chilling effect.[footnote]<em>Ibid<\/em>. para 10.[\/footnote]<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li><strong><em>Regional standards: EU<\/em><\/strong><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">In the EU, targeted surveillance measures \u2013 with the exception of national security measures excluded from its scope by Article 4(2) TEU \u2013 must comply with applicable Union primary and secondary law, in particular the EU Charter, the ePrivacy Directive and the Law Enforcement Directive.[footnote]See: The European Data Protection Supervisor, Preliminary Remarks on Modern Spyware (15 February 2022), p. 6, (accessible at https:\/\/www.edps.europa.eu\/system\/files\/2022-02\/22-02-15_edps_preliminary_remarks_on_modern_spyware_en_0.pdf).[\/footnote] Article 52(1) EU Charter requires all acts limiting fundamental rights to confirm with the requirements of proportionality and necessity. [footnote]Ibid. p. 7.[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Due to the quality and quantity of data stored on smartphones, the EU Data Protection Supervisor, considers it \u201chighly unlikely that spyware such as Pegasus, which de facto grants full unlimited access to personal data, including sensitive data, could meet the requirements of proportionality\u201d as \u201cthe interference with the right to privacy is so severe that the individual is in fact deprived of it\u201d and that the protection of third parties and those who are afforded special protection, such as lawyers, is not guaranteed.[footnote]The European Data Protection Supervisor, Preliminary Remarks on Modern Spyware (15 February 2022), p. 8, (accessible at https:\/\/www.edps.europa.eu\/system\/files\/2022-02\/22-02-15_edps_preliminary_remarks_on_modern_spyware_en_0.pdf).[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In a similar approach, the European Parliament has condemned \u201cthe use of spyware by Member State governments, and members of government authorities or state institutions for the purpose of monitoring, blackmailing, intimidating, manipulating and discrediting opposition members, critics and civil society, eliminating democratic scrutiny and the free press, manipulating elections and undermining the rule of law by targeting judges, prosecutors and lawyers for political purposes.\u201d[footnote]EU Parliament, Investigation of the use of Pegasus and equivalent surveillance spyware (Recommendation) (15 June 2023), no. 3, (accessible at https:\/\/www.europarl.europa.eu\/doceo\/document\/TA-9-2023-0244_EN.html).[\/footnote]<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\">\n<li><strong><em>Regional standards: CoE<\/em><\/strong><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">On 23 October 2023, the CoE\u2019s Parliamentary Assembly issued a resolution expressing its deep worry about \u201cmounting evidence that Pegasus and similar spyware have been used illegally or for illegitimate purposes by several member states, including against journalists, political opponents, human rights defenders and lawyers\u201d and condemned its use for political purposes.[footnote]PACE, <em>Pegasus and similar spyware and secret state surveillance, Resolution 2513 (2023)<\/em> (11 October 2023), (accessible at https:\/\/pace.coe.int\/en\/files\/33116\/html).[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even before the revelations about the intrusiveness of Pegasus spyware, ECtHR\u2019s Grand Chamber has acknowledged that against the backdrop or rapid technical advancement, domestic law must be sufficiently clear \u201cto give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures.\u201d[footnote]<em>Roman Zakharov v Russia<\/em> [GC], App No. 47143\/06, \u00a7229, ECHR 2015.[\/footnote]<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ECtHR has yet to deliver its first judgment on a case concerning the use of Pegasus spyware. However, its caselaw gives some insights into how it approaches such matters.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The use of intrusive spyware against journalists goes to the heart of their right to private and family life (Article 8 ECHR), as well as their freedom of expression (Article 10 ECHR), as it gives access to a range of sensitive information and correspondence and creates a chilling effect for those contributing to public debate. Its use fails to meet the conditions of the so-called three-part test, in particular the requirements of necessity and proportionality. Lastly, Pegasus spyware circumvents the protection of journalistic sources, without which, as stressed by the ECtHR, sources may be deterred from speaking to the press, which in turn cannot fulfil its public watchdog role.[footnote]See for instance ECtHR, Telegraaf Media Nederland Landelijke Media B.V. and Others v. The Netherlands, App No 39315\/06, \u00a7127 22 November 2012;&nbsp; ECtHR, Sedletska v. Ukraine, App No. 42634\/18, \u00a7\u00a754-55, 1 April 2021.[\/footnote]<\/p>\n\n\n\n<div class=\"wp-block-group highlight\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h3 class=\"wp-block-heading has-text-align-center\"><strong>Litigating spyware cases: Victim status<\/strong><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In contrast to cases concerning mass surveillance legislation, individuals targeted with spyware, such as Pegasus spyware, have usually been informed by technical experts, their devices\u2019 manufacturer or civil society organisations that they have been specifically targeted and that their devices have been infected. However, they often face other obstacles in litigating their cases, as the majority of the information about the hacking remains solely in the domain of the attacking state. These difficulties include, but are not limited to the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Meeting the burden of proof required by the court they are accessing;<\/li>\n\n\n\n<li>Difficulties in obtaining detailed technical evidence that the hacking took place;<\/li>\n\n\n\n<li>Submitting details on the date and length of the infection, the data accessed\/extracted and the aim of the measure; <\/li>\n\n\n\n<li>Identifying the attacking state. &nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Targeted surveillance describes surveillance which focusses on obtaining information about the communications of a specific individual, such as a person who is already a suspect in a criminal case.\u201d[footnote]N\u00f3ra N\u00ed Loide\u00e1in, Bulk Surveillance: Europe\u2019s Recent Landmark Judgements (5 July 2021), (accessible at https:\/\/digitalfreedomfund.org\/bulk-surveillance-europes-recent-landmark-judgements\/).[\/footnote] A prominent example is the use of spyware, a malicious type of [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"parent":1760,"menu_order":441,"template":"page-templates\/chapter.php","publication-category":[],"class_list":["post-1763","publication","type-publication","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Spyware | eReader<\/title>\n<meta name=\"description\" content=\"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Spyware | eReader\" \/>\n<meta property=\"og:description\" content=\"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/\" \/>\n<meta property=\"og:site_name\" content=\"eReader\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-17T07:42:52+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/spyware\\\/\",\"url\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/spyware\\\/\",\"name\":\"Spyware | eReader\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/#website\"},\"datePublished\":\"2024-06-14T20:43:47+00:00\",\"dateModified\":\"2024-06-17T07:42:52+00:00\",\"description\":\"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/spyware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/spyware\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/spyware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Publications\",\"item\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Modules on Litigating Digital Rights in Europe\",\"item\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Module 4: Surveillance of Journalists, Searches and Digital Device Seizures\",\"item\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/publications\\\/modules-digital-rights-europe\\\/module-4-surveillance-searches-seizures\\\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Spyware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/#website\",\"url\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/\",\"name\":\"eReader\",\"description\":\"Media Defence\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.mediadefence.org\\\/ereader\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Spyware | eReader","description":"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/","og_locale":"en_US","og_type":"article","og_title":"Spyware | eReader","og_description":"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.","og_url":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/","og_site_name":"eReader","article_modified_time":"2024-06-17T07:42:52+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/","url":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/","name":"Spyware | eReader","isPartOf":{"@id":"https:\/\/www.mediadefence.org\/ereader\/#website"},"datePublished":"2024-06-14T20:43:47+00:00","dateModified":"2024-06-17T07:42:52+00:00","description":"In this module series, Media Defence unpacks digital rights and freedom of expression questions in the context of Europe.","breadcrumb":{"@id":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/spyware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.mediadefence.org\/ereader\/"},{"@type":"ListItem","position":2,"name":"Publications","item":"https:\/\/www.mediadefence.org\/ereader\/publications\/"},{"@type":"ListItem","position":3,"name":"Modules on Litigating Digital Rights in Europe","item":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/"},{"@type":"ListItem","position":4,"name":"Module 4: Surveillance of Journalists, Searches and Digital Device Seizures","item":"https:\/\/www.mediadefence.org\/ereader\/publications\/modules-digital-rights-europe\/module-4-surveillance-searches-seizures\/"},{"@type":"ListItem","position":5,"name":"Spyware"}]},{"@type":"WebSite","@id":"https:\/\/www.mediadefence.org\/ereader\/#website","url":"https:\/\/www.mediadefence.org\/ereader\/","name":"eReader","description":"Media Defence","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mediadefence.org\/ereader\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/publication\/1763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/publication"}],"about":[{"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/types\/publication"}],"author":[{"embeddable":true,"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/users\/6"}],"up":[{"embeddable":true,"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/publication\/1760"}],"wp:attachment":[{"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/media?parent=1763"}],"wp:term":[{"taxonomy":"publication-category","embeddable":true,"href":"https:\/\/www.mediadefence.org\/ereader\/wp-json\/wp\/v2\/publication-category?post=1763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}