The European Parliament in March last year set up an inquiry committee to investigate the use of Pegasus and other spyware in the EU after a 2021 investigation named the Pegasus Files revealed a list of 50,000 potential targets for hacking with its spyware, including world leaders as well as opposition politicians, human rights activists and journalists.
“Opaque business structures in Luxembourg allow companies to operate completely out of the public view,” a report adopted by the so-called Pega committee on Monday said.
Luxembourg hosts nine entities affiliated with NSO, foreign minister (LSAP) confirmed in July 2021. These include OSY Technologies, Q Cyber Technologies, Triangle Holdings, Square 2, Novalpina Capital Partners, Novalpina Capital Group, Northpole Holdco, NorthPole Bidco and NorthPole Newco.
NSO also has a corporate presence in Cyprus, the Netherlands and Bulgaria. The company has been linked to the murder of Saudi journalist Jamal Khashoggi but has denied any wrongdoing, saying it sells its software only to vetted clients with the aim to fight crime and terrorism.
None of the entities based in Luxembourg is authorised to export cybersurveillance products but they perform important back-office activities, including handling invoices, contracts and payments.
The Israeli firm “booked more than half of its sales over the two previous years in Luxembourg, making clear that Luxembourg functions as an important business hub for NSO Group,” the European Parliament committee’s report said, referencing reporting by the Luxembourg Times.
Hungary and Poland called out
Hungary’s ministry of the interior bought the Pegasus spyware for €6m from an NSO company in Luxembourg, the report said further.
An investigative journalist from Hungary whose phone had been hacked with Pegasus after the story broke that countries like Luxembourg are complicit in the surveillance of reporters and human rights activists.
“When it comes to the role of those countries that are hosting the legal entities, they are also profiting from the profit that was made spying on journalists, political opponents, human rights defenders,” Szabolcs Panyi said.
“It's not just about the damage done to individuals. It's about the damage done to democracy and to the rule of law. Because let's face it, if there is no more public scrutiny, if there is no dissent, opposition criticism, then there's no democracy. It's that simple,” Sophie in ‘t Veld (Renew), the committee’s rapporteur, said during a press conference on 9 May.
Members of the European Parliament in a press release published the same day said that Hungary’s use of the spyware has been “part of a calculated and strategic campaign to destroy media freedom and freedom of expression by the government.”
The Pega committee also called out Poland for its use of the spyware and urged both countries to ensure independent and judicial authorization before using spyware and judicial review after its use. The committee also said Poland and Hungary should launch credible investigations into abuse cases and ensure citizens have access to legal redress.
MEPs in a press release on 9 May said that “EU governance structures cannot effectively deal with such attacks,” calling for reform, such as bloc-wide rules on the use of spyware by law enforcement and a common legal definition of the use of national security as grounds for surveillance.
Luxembourg’s prime minister in October 2021 that the state had bought the controversial spyware. During an event he had said that “when we bought it, it was for reasons of state security.”
(DP) later said that he had spoken about this type of technology in general and not about Pegasus specifically. “For reasons of security and in order to protect investigations, it’s not possible to publish the details concerning technical equipment,” he said in answer to an urgent parliamentary question submitted after the event.
The report adopted by the Pega inquiry committee will be up for a vote in the plenary of the European Parliament on 12 June.
The European Data Protection Supervisor already in February last year suggested in the EU.