NSO says its software is used by vetted government clients to combat crime and terrorism but an investigation has shown it used against opposition politicians, journalists and activists  Photo: Shutterstock

NSO says its software is used by vetted government clients to combat crime and terrorism but an investigation has shown it used against opposition politicians, journalists and activists  Photo: Shutterstock

The European Data Protection Supervisor has suggested a ban of Pegasus in the EU, a spyware software linked to abuses around the world sold by a company with back-office entities in Luxembourg.

An investigation in July last year revealed more than 50,000 potential targets of the Pegasus spyware commercialised by Israeli firm NSO. This included world leaders as well as opposition politicians, human rights activists and journalists.

“Highly advanced military-grade spyware like Pegasus has the potential to cause unprecedented risks and damages not only to the fundamental rights and freedoms of the individual but also to democracy and the rule of law,” the privacy watchdog (EDPS) said in a published on Tuesday.

NSO has denied wrongdoing, saying it sells the software only to vetted clients with the aim to fight crime and terrorism. But the company faces rising pressure. The Biden administration on 3 November said it had put NSO on a commerce department blacklist for engaging in activities contrary to US foreign policy and national security.

The company’s incoming CEO after the announcement stepped down before even having taken office. NSO also from WhatsApp after a court in California threw out a claim of immunity from the company last year. A group of 86 non-governmental organisations in December called on the .

“The EDPS believes a ban on the development and the deployment of spyware with the capability of Pegasus in the EU would be the most effective option to protect our fundamental rights and freedoms,” the report published on 15 February said further.

Governments in at least two EU countries--Hungary and Poland--have purchased the spyware, prompting calls for an inquiry into abuses in member states by members of the European Parliament.

Entities in Luxembourg

Luxembourg’s prime minister in October that the state had bought the controversial spyware. During an event he had said that “when we bought it, it was for reasons of state security.”

Xavier Bettel (DP) later said that he had spoken about this type of technology in general and not about Pegasus specifically. “For reasons of security and in order to protect investigations, it’s not possible to publish the details concerning technical equipment,” he said in answer to an urgent parliamentary question submitted after the event.

“Pegasus is probably the most powerful hacking tool--or spyware--to date,” the EDPS report said. “The Pegasus spyware constitutes a ‘game-changer’, combining a level of intrusiveness that is incomparable with what we have seen before, with features capable to render many of the existing legal and technical safeguards ineffective and meaningless.”

The NSO spyware was previously linked to the murder of journalist Jamal Khashoggi. The case prompted a national review of human rights due diligence legislation as Luxembourg hosts affiliated with NSO.

None of them is authorised to export cyber-surveillance products from Luxembourg and foreign minister Jean Asselborn (LSAP) previously said they host back-office activities.

The government has set up a working group to analyse the potential for introducing national due diligence laws but it is hoping for an EU-wide directive, which the commission has promised but is late to deliver on.

“We have indeed called consistently on the European Commission to present draft legislation on this important issue, and I very much hope to see a first draft soon,” Asselborn told Delano in an published in the February edition of the magazine.

Related articles