By Anne-Marie Brennan
Journalist Galina Timchenko and cybersecurity expert Donncha Ó Cearbhaill spoke at a meeting of the Committee on Civil Liberties, Justice and Home Affairs in October, calling for stronger action against the illegal use of spyware in the European Union.
MEPs also condemned the inaction of the European Commission in regulating spyware – which poses a key threat to investigative journalists and puts at risk its sources.
Russian journalist Galina Timchenko, from the independent Russian news outlet Meduza, spoke to the committee about her experience of being spied on.
Warning of how detrimental this practice is against the work of journalists, she said: “All EU journalists are under threat.”
Timchenko discovered the spyware Pegasus had infected her iPhone following a notification of suspicious activity from Apple.
She stressed how vital initiatives like this are in combating illegal spyware use and expressed concern that Google hasn’t followed suit.
The Russian journalist first brought her case to the tech department at Meduza, who then contacted the digital rights organisation Access Now. The surveillance was active for three weeks, only ending when her phone battery died.
Even once the spyware was removed from her phone, Timchenko experienced fallout in her work as colleagues and sources displayed hesitation in connecting with her.
Now, she routinely buys new iPhones and follows strict safety protocols to prevent further surveillance.
The journalist described the effects this experience had on her personal life, recalling the “disgusting” violation of her privacy which allowed authorities to “see private messages [she sent] to [her] grandson and daughter”.
Pegasus Project
The committee also heard from hacker and cybersecurity expert, Donncha Ó Cearbhaill, from NGO Amnesty International, who stressed the need for stronger regulations by EU institutions which he branded a “total inadequacy”.
Ó Cearbhaill carried out The Predator Files investigation into the use and development of the spyware Predator.
Through his work, he discovered that the program had been used in an attempt to surveil, not only journalists but also European officials – one being the European Parliament president Roberta Matsola.
The threat Predator displays against these European officials carries a certain irony as Ó Cearbhaill revealed the spyware was both developed and sold in the European Union.
Intellexa, the company behind the software, also facilitated the sale of Predator to the Vietnamese Ministry of Public Security.
Ó Cearbhaill identified an X (formerly Twitter) account under the name @Joseph_Gordon16 which spread links used to infect users’ devices with the Predator software.
Berlin-based journalist Khao Lê Trung, originally from Vietnam, was targeted with this method. It is suspected that the account was working on behalf of Vietnamese authorities or associated groups.
The cybersecurity expert joined MEPs in voicing his disappointment in the shortcomings of the Commission as he said: “Nothing meaningful seems to have been done to stop the use of spyware by member states.”
Ó Cearbhaill recommended that EU member states revoke all licensing agreements they currently hold with Intellexa and its associate companies.
He called for a complete ban on highly invasive spyware such as Pegasus, declaring it as “fundamentally incompatible with a right to privacy”.
“[Companies like Intellexa] are not just tech companies… they pose a severe risk to human rights violations.”
He linked the passiveness of many EU states to their inability to investigate the claims transparently and hypothesised that the desire for spyware overshadows the threat it carries in some governments.
Dutch MEP from Renew Europe, Sophia In ‘T Veld, branded the EU as the “spyware paradise of the world”, given the “guaranteed impunity to abuse spyware”.
In ‘T Veld recommended contacting Israeli authorities and tech company NSO Group to hear their justifications for the development of the infamous spyware Pegasus.
For her part, Belgian MEP Saska Bricmont from the Greens said it was now a “necessity to fully implement the European Media Freedom Act” given that the illegal use of spyware in the EU is “obviously a matter of European security”.