The European Union’s data protection authority on Tuesday called for a ban on the development and the use of Pegasus-like commercial spyware in the region, calling out the technology’s “unprecedented level of intrusiveness” that could endanger users’ right to privacy.
“Pegasus constitutes a paradigm shift in terms of access to private communications and devices, which is able to affect the very essence of our fundamental rights, in particular the right to privacy,” the European Data Protection Supervisor (EDPS) said in its preliminary remarks. “This fact makes its use incompatible with our democratic values.”
Pegasus, a highly sophisticated military-grade intrusion tool, was developed by NSO Group in Israel. It can break into Android or iOS smartphones and turn them into remote monitoring tools capable of extracting sensitive data, recording conversations and tracking users’ movements.
Pegasus not only grants unrestricted device access, but also installs itself stealthily on targeted devices using zero-click exploits such as FORCEDENTRY and KISMET that do not require interaction by the user.
While NSO Group repeatedly claims that the software is sold to governments only for fighting crime and terrorist acts, and that it is on a “life-saving mission,” there has been growing evidence of widespread misuse of Pegasus to hack the phones of dissidents and journalists in many countries, including Israel.
According to a series of disclosures by the business publication Calcalist in recent weeks, dozens of citizens in the country were targeted by Israel Police with the NSO Group’s spyware to gather intelligence without a search warrant authorizing the surveillance.
Stating that Pegasus should be compared not so much with law enforcement interception instruments as with government trojans and police officers, the EDPS stated that “national security” cannot be used to justify the extensive use of these technologies or to argue against the European Union’s involvement.
Furthermore, the watchdog has proposed better supervision over the use of surveillance measures, a stricter implementation of data protection regulations, and strengthening legislation outlawing the use of sophisticated hacking tools such as Pegasus to safeguard against unlawful use.