On January 11, 2022, a little-known subgroup of the European Commission, the Surveillance Technology and Expert Group (STEG), convened at the Albert Borschette Conference Center in Brussels. Since its reactivation in June 2021, 6 meetings had taken place. One of the items on the agenda for that day was a discussion on the Pegasus spyware developed by Israel’s NSO Group. In July 2021, the international Pegasus Project investigation had exposed that at least 180 journalists had been selected as targets in countries across the globe. In parallel to STEG, the PEGA Inquiry Committee was only announced by the European Parliament in March 2022. STEG, in particular, analyzes surveillance technologies and played an active role in drafting the guidelines published by the Commission on October 11, 2024, aimed at clarifying the export management of cyber-surveillance technologies. These technologies, not explicitly regulated, are assessed on a case-by-case basis based on their potential risks. Yet the whole process seems to be conducted entirely in secret, without any transparency or oversight.
Documents summarizing the January meeting, obtained by IrpiMedia through an access to documents request, are entirely redacted; even the home countries of the experts representing EU member states are erased. Pegasus spyware was discussed again in a July 2022 meeting, but once more, all information about the 15 member state experts and two representatives from the Commission’s Directorate-General for Trade was omitted. The Expert Group’s web page listed the following participating countries: Denmark, Finland, France, Germany, Hungary, Italy, Latvia, the Netherlands, Poland, and Sweden. However, in the documents IrpiMedia received, the initials of Ireland and Portugal appear in the January meeting documents – they probably escaped the Commission’s censorship. These countries were not listed on the webpage and no details about recent meetings are available.
The spyware market
According to a recent report by the Atlantic Council, Italy is the third-largest hub for spyware development globally. Germany purchased Pegasus in 2019, while Hungary and Poland are at the center of European scandals involving the abuse of NSO’s spyware against journalists and politicians. And this is just one product from one company; revelations of purchases of other spyware and of abuses in their use keep surfacing. The latest and most striking case involves Graphite, software developed by another Israeli company, Paragon Solutions, used to spy on 90 people worldwide. Among the targets were nine Italians, not all of whom have been identified yet, but including the editor-in-chief of the news outlet Fanpage, Francesco Cancellato, and the head of mission for the NGO Mediterranea Saving Humans, Luca Casarini. Another scandal under scrutiny by the PEGA Committee in 2022 involved Greece, which had purchased the Predator software developed by Intellexa and used it to spy on politicians and journalists.
In short, it appears that the very same countries that have been investigated for secretly acquiring spyware and targeting civil society, journalists, and politicians are also participating in the regulatory processes for these technologies, as in the case of STEG. At the very least, the participation of those countries directly involved in the use of these technologies should be made public.
Transparency and redactions
The European Commission’s obstructionism in granting access to documents is not an isolated case but seems to be part of a broader strategy to keep surveillance-related matters out of public scrutiny. Spyware is just one of the cyber-surveillance products under STEG’s mandate. Both the regulation of dual-use exports and the expert groups appointed by the Commission to draft export guidelines act as barriers to transparency. The regulation, in fact, prevents detailed reporting on dual-use goods exports by each country, as demonstrated by the latest EU Commission report, where data on cyber-surveillance tools are only provided in aggregated form. Meanwhile, the political and economic influence of member states through their experts remains opaque, obscuring the decisions that shape these guidelines.
The export regulation requires the submission of a report to the European Parliament, detailing the number of licenses issued for exporting surveillance-related dual-use goods. To compile this report, a questionnaire was sent to member states. The questionnaire seems to include only overall figures by category and value, without details on destination countries or licensed companies. But even this aggregate information gets censored. In a previous, separate access to documents request filed by IrpiMedia, Italy’s responses were entirely redacted by the European Commission after consultation with the Italian Ministry of Foreign Affairs, citing risks to public interest, exporters’ commercial interests, and potentially significant negative impacts on international relations with affected third countries.

Privacy International recently highlighted how “exemptions to freedom of information (FOI) laws are widely used by public authorities to prevent disclosure of information and documentation concerning details of procurement, deployment, use and evaluation of arms transfers and other transfers of equipment and capabilities to other countries. They are difficult and onerous to challenge.”
The July 2022 meeting report also highlights requests made by the Commission to group experts regarding the management of specific technologies. However, key information has been redacted. “COM [the European Commission] noted that REDACTED are used for cyber-surveillance purposes and are deployed […] without the consent or awareness of the device owner, and observed that the Regulation’s provisions must be interpreted in light of its goal to strengthen the EU’s ability to prevent the use of cyber tools for human rights abuses.”
Examples included in the new guidelines mention location-tracking devices used by law enforcement and intelligence agencies, such as GPS tracking devices or systems that use data from the advertising industry to locate a suspect. However, it is unclear if these were the products discussed in STEG meetings, as experts’ analyses remain entirely redacted. A recent analysis by SIPRI, a Swedish institute monitoring arms and dual-use goods markets, notes that phone network hacking services used to locate devices might also fall under export-controlled technologies.
IrpiMedia has previously reported on this technology, which is also offered by Italian companies like RCS and GWSim, whose products covertly track people all over the world on a massive scale by abusing phone networks. It is a technology whose export is not properly regulated and that routinely abuses telecommunication providers’ infrastructure.
Discussions such as STEG’s shouldn’t be happening behind closed doors. More transparency is necessary to ensure that blanket exemptions for security-related bodies and national security matters are not abused in violation of human rights standards. More broadly, the European Commission as well as EU member states should make available disaggregated and identifiable information on approved licences, rejected licence requests, actual exports, the authorized end user and authorized end use in order to ensure that surveillance technologies are not used in secret and exempted from public scrutiny.
Meanwhile, during the European Parliament confirmation hearing on November 5, 2024, the new EU Commissioner for Home Affairs and Migration, Magnus Brunner, was questioned twice about spyware but avoided answering, ignoring the inquiries. This suggests that the new European Commission is following the same line as the previous one: stifling public scrutiny over surveillance technologies while their abuses continue to escalate.