On 10 March 2022, the European Parliament set up the special PEGA Committee to investigate abuses by some Member States that used the Pegasus spyware, produced by Israel’s NSO, against journalists and political opponents. Widely considered among the most effective in surveillance, this technology has proven capable of revealing the contents and activities of smartphones without their owners’ knowledge or consent. However, the structural lack of control over who acquires it has often resulted in spyware being used by repressive governments or police forces, if not outright criminal organisations.

But the activities of the PEGA committee, focused exclusively on NSO products, risks leaving the field open to other European firms. EU Member States can count on a wide range of companies, mainly Italian ones. As computer security expert and member of Amnesty International’s Security Lab, Claudio Guarnieri, remarked during his PEGA hearing in August 2022: there are at least nine known spyware producers in Europe, and six of them are based in Italy.

Italy’s past and present show clear signs of a thriving market fuelled by public money, now saturated and seeking to find ventures abroad. Prominent buyers include illiberal regimes that can use spyware against human rights activists, journalists and political dissidents. There are precedents in Italian history, as in the case of the Milan-based company Hacking Team, whose products have been shown to have been used in Mexico and against political dissidents in the United Arab Emirates; more recently, there were reports of RCS’s technologies in Kazakhstan. Almost eight years have passed since Hacking Team imploded under the weight of a leak that revealed its dealings and clients worldwide. Today, Italy is ready to re-enter the international market.

Public money for state malware

Since smartphones have become central to nearly every aspect of our daily lives, the surveillance market has increasingly focused on tools that can break through security protections and capture information from digital devices. The result of this research is spyware, software that can infect a smartphone and steal any type of information: from the contents of private chats with family members to photos and files stored in the device’s memory. But it can also activate the smartphone’s camera and microphone remotely in order to monitor its location, or see and hear everything that happens nearby.

Over time, in Italy, the driving force behind these technologies has been considerable expenditure by national authorities. At the moment, there are at least a dozen known entities selling wiretapping tools, many of which are also supplying prosecutors’ offices with captatori informatici (as spyware is known in legal terms). There are the four usual suspects: AREA, RCS, SIO, and INNOVA, plus those that survived scandals, such as Hacking Team, now operating under the name Memento Labs. Then there are smaller firms such as Raxir and Negg, known only thanks to the researchers who have analysed their spyware, and the big ones such as Cy4gate. Having achieved impressive business results over the last eight years, these giants are now seeking to challenge NSO, drawing the attention of the PEGA Committee.

The Italian group also includes small companies that have been involved in scandals, such as eSurv and its spyware Exodus, which ended up on Google’s PlayStore and was used indiscriminately against unsuspecting victims. Others have specialised in certain sectors, such as IPS, based in the province of Latina, which has developed products for monitoring Internet traffic and social media.

These are only the tip of the iceberg, as a number of semi-unknown retailers often come knocking on prosecutors’ doors to offer their products.

According to someone with direct experience in the wiretapping sector, who spoke on condition of anonymity, the Italian market is divided up like a pie, due to the way the public prosecutors’ offices work: «The big prosecutors have more than one accredited company and all of them, for better or worse, have business», the source explained.

Each prosecutor’s office can rely on more than one firm, so that different investigations can rely on several suppliers. According to official statistics from a survey in Italy, the average length of a wiretapping operation, which includes the use of spyware, is 73,87 days. A recent bill by the Ministry of Justice included a price list with the daily cost of spyware set at 150€. Each spyware operation will therefore cost an average of 11,000€. In 2021, 2896 operations were carried out; the number of wiretaps quadrupled in the years between 2010 and 2020 and may continue to increase.

By comparison, Germany only authorised 48 spyware operations in 2020, whereas in 2019 there were 33 authorisations.

These data confirm what was told to IrpiMedia by a source who has been in the industry for years: internet-based wiretaps are the most lucrative.

At the same time, however, expenditure on wiretapping has fallen from 230 million in 2016 to 213 million in 2022. The sharpest decline has been in the price of phone call wiretapping since the early 2000s. According to another source familiar with the Italian sector, firms that were established 20 years ago raked in higher profits on wiretaps, but now their price has dropped dramatically. In the new price list they cost 3 euros, but in previous bids the cost had fallen to around 2 euros per day. Trade associations are complaining about the drop in prices.

The huge investment in surveillance that has taken place over the years has created a multitude of companies that are now facing not only competition, but also a reduction in the bugdet made available by the government. The result, as another source with direct experience in the wiretapping sector explained to IrpiMedia, is that a saturated market is driving Italian companies abroad.

Italian firms on the foreign market

Hacking Team was the pioneer in the sector. According to computer security researchers at the Citizen Lab, an interdisciplinary lab at the University of Toronto, the company had a presence in countries such as Mexico, Azerbaijan, Egypt, Sudan and Turkey between 2011 and 2014. Hacking Team had managed to sell its spyware even in the US to the FBI and the Drug Enforcement Administration (DEA), the US federal agency tasked with combating drug trafficking. Area is another Italian company that first ventured abroad, but its 2011 exports to Syria led to an investigation that was dismissed in 2018.

Despite scandals and investigations, made-in-Italy surveillance technology is still in demand abroad. In early December 2022, Cy4gate, a surveillance giant that already has customers on several continents, signed a number of contracts for a total amount €6,000,000, 85% of which were international clients. Nowadays, more Italian companies seem to be expanding further out of the country.

Among these is Innova, based in Trieste and a frequent supplier of Italian prosecutor’s offices. It was the only Italian firm at the International Exhibition for National Security and Resilience (ISNR), which was held in Abu Dhabi in October 2022. The exhibition connects regional government agencies with manufacturers from around the world, and was organised in cooperation with the Ministry of the Interior and in strategic partnership with Abu Dhabi Police GHQ. The United Arab Emirates, however, is known for human rights violations, some of which facilitated by the use of digital surveillance technology, as in the case of an iPhone spyware that was used against hundreds of activists, foreign leaders and suspected terrorists, according to Reuters.

Innova’s foreign presence did not stop at ISNR. The company was also at ISS World Latin America, which took place in Panama in October 2022, and was among the sponsors of the September event of ISS World Asia Pacific 2022 in Singapore. These trade shows are not mere opportunities for display, but allow direct contact with members of intelligence agencies from various countries, law enforcement officials and government leaders or ministers.

In the past, journalistic investigations have tried to shed light on the darker side of such events. As Al Jazeera revealed in a 2017 investigation, negotiations involve not only million-dollar deals, but also illegal plans to supply embargoed countries, circumventing sanctions and export rules.

One of the participants at the Singapore event was another Italian firm that now seems determined to expand into the foreign market: Negg.

Headquartered in Rome and with a sister company registered in Amsterdam, Negg first came into the spotlight in 2018, thanks to a report by the cybersecurity firm Kaspersky, which discovered and analysed a malware for Android that Negg had developed. Subsequently, a version of the same malware was also found for Apple devices. The spyware was linked to a number of bogus domains, some of them designed to simulate the web pages of Italian mobile phone operators such as Vodafone, tricking users into infecting their devices through a simple click.

Participating in the Singapore fair was a significant event, as Negg explained in a post on its website: «It is the first time that negg® decides to participate to [sic] such an important international event». One key motivator was to cultivate «the relationship with the Asian market», the company added.

Italy has certainly been present in the Asian Market for some time, as well as in the Arab world, a source with experience in the sector confirmed to IrpiMedia. This presence appears very solid, considering that Area SpA started a company in Oman in order to work with institutional clients in the country, as IrpiMedia reported in a previous article,

The dangers of spyware geopolitics

For the past few years, Israel’s NSO has been under scrutiny not only by European authorities, but also by US authorities: in November 2021, Washington sanctioned NSO by adding it to the Entity List, banning the export of any kind of hardware or software from the US to NSO. And in December 2022, the US Congress approved measures to mitigate threats related to the proliferation and use of foreign commercial spyware. The measures include a classified watchlist identifying foreign spyware companies that pose a risk to the US intelligence community.

The risks connected with the invasiveness of spyware are well understood by the United States, one of the countries at the forefront of online surveillance technology. This has been the case at least since 2013, when NSA whistleblower Edward Snowden revealed US surveillance programmes capable of monitoring the online activities of anyone, including European government leaders. The United States even purchased and tested Pegasus in 2019, but fears of abuse prompted a decision that went against the interests of their historical ally, Israel. This triggered a reaction from the Israeli government, which immediately started lobbying Washington to backtrack.

For Israel, the export of surveillance technology is a geopolitical tool, as a New York Times investigation revealed, and is used to make political deals, build new business relationships, and gain international support. And now that the surveillance giant has been sidelined, Italy seems to have glimpsed an opportunity for further expansion. However, the export of these technologies remains a thorn in the side for the European Union: the existing regulations are insufficient, and Italy has already demonstrated a lack of transparency on these sales in the past.

Moreover, Italy already struggles to control these companies and their technologies when they are used in investigations, as recent scandals have shown.

There is a risk that data from wiretaps might end up in the hands of third parties without the knowledge of the authorities. This happened with Area SpA, which was prosecuted because wiretapping data were found on the computers of some employees. By law, this data should only be kept on the servers of the Public Prosecutor’s Office, in vaults specifically created to protect sensitive information in investigations.

Moreover, instances of abuse raise doubts on the Italian authorities’ ability to monitor the activities of spy tech companies: one emblematic case from 2019 involved the Exodus spyware, produced by eSurv. Confidential wiretap data was stored on a server in Oregon, despite laws stipulating that it cannot be stored outside the country. Exodus was available on Google’s Play Store for about two years, hidden inside more than twenty seemingly harmless apps, such as those for marketing from Italian mobile carriers. Anyone could download it. Once installed, the software began stealing data, without properly checking whether the phone was intended to be targeted. The company was aware of what was happening, but used the unsuspecting victims as guinea pigs.

Italy’s inability to govern spyware adds to the risks it poses to human rights and has prompted UN Special Rapporteurs and experts to call on all states to impose a global moratorium on its sale and transfer to other countries. In the face of Italy’s difficulties in controlling spyware, the UN warning should weigh even more.

The PEGA Committee itself has recommended the adoption of a moratorium on spyware, and the European Data Protection Supervisor (EDPS) has called for a blanket ban on its use, citing «a level of intrusiveness that is incomparable with what we have seen before». The moratorium would suspend the sale and transfer of surveillance technology until a solid legal framework including human rights safeguards is put into place. A blanket ban, on the other hand, would make all use of these technologies illegal, as they present irreconcilable threats to democratic principles.

While the West is increasingly concerned about the abuse of spyware, Western countries themselves seem unwilling to face reality and admit that they are part of that problem. The Italian case is an emblematic one: excessive use of these technologies, combined with a constant injection of public money, leads to a domestic market that becomes the springboard towards foreign countries. Out there, among buyers awaiting new surveillance tools, lurk unscrupulous authoritarian governments and unstable countries where these technologies become an essential tool for repressing all forms of dissent.