Export permits and connections between companies and persons in Cyprus and Greece on the agenda of PEGA committee visit, its president tells CNA

Practices regarding the possible export of surveillance technologies from Cyprus, as well as the connections between companies and persons in Greece and Cyprus will be among the issues that are expected to be raised by MEPs in their contacts in Nicosia on Tuesday and Wednesday, MEP Jeroen Lenaers, the president of the European Parliament’s committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA), told the Cyprus News Agency in an interview.


The visit, which is carried out in the context of an inquiry on the use of spyware in Greece, will continue from Wednesday through Friday with a series of meetings in Athens.


Lenaers told CNA that during its visit in Cyprus PEGA will focus particularly on the legal framework for the exporting of spyware and relevant technologies and software, and will seek clarifications on whether NSO Group has exported products from the country.


He also said that the spy van case is not directly related with PEGA’s investigation since it precedes the accusations on the use of Pegasus, but that he expects MEPs to pose questions regarding the way issues of surveillance are dealt in Cyprus.


Lenaers also said that he does not have additional information to that reported in Greece regarding connections between spyware companies that are or were active in the two countries, but that PEGA will ask for clarifications.


The president of PEGA also told CNA that he is glad to see the European Commission begins to tackle the issue of surveillance on an EU level, and called for minimum standards for electronic security across the EU, pointing also to the need that the EU becomes a leader in global efforts to regulate this sector.


Focus on export permits and links with Greece, Israel


Asked about the agenda of the delegation’s meetings in Cyprus, Lenaers pointed out that the visit combines contacts in both Cyprus and Greece and is longer than usual with permission by the European Parliament. He noted that there is different context in each country, as in Greece there are media reports “about the use of spyware against journalists and politicians” while in Cyprus the issue concerns more the issuing of “export permits, how that works”.


“There are some companies that have come up in the investigation that have links to Cyprus” he added, referring to NSO Group and the question of export permits.


In this context, Lenaers, said, the MEPs will meet Minister for Commerce Natasa Pilides and Deputy Minister for Digital Policy Kyriakos Kokkinos on Wednesday, as they are “responsible for parts of this legislation”, and added that he thinks that will be the “most important, most impactful part of the visit.”


When asked to comment on the conflicting claims by NSO Group and the Cypriot government regarding the issue of export permits, the head of the delegation said that during PEGA’s visit to Israel, the MEPs posed a question to the company about their claims of exports from Cyprus and Bulgaria. Their response, he continued was that “Pegasus is not the only product they sell” and that “they have a range of products.”


The way he understood the response, Lenaers added, for some products the company “might restrict themselves to the Israeli export license scheme, but it could be that for other products that are not Pegasus they could have also used Bulgaria or Cyprus.”


“If the Cypriot government says that there were absolutely no products by NSO Group licensed for export from Cyprus, then I think there is an incoherence between what NSO group says and what the Cypriot government says. If they say they never had a license for export for something like Pegasus, then that could be in line with what NSO group has been telling us” he added.


On surveillance in Cyprus and the spy van case


Regarding accusations of surveillance in Cyprus itself and whether those have been brought to the attention of the committee, the PEGA president said that as far as he knows those are definitely questions that will be asked. He added though that to his knowledge, these accusations are in a different context than in countries like Greece or Spain or Poland or Hungary.


He said that the committee has received information also through MEPs from different political parties about the potential use of spyware in prisons, and said that the government has “publicly already provided a lot information on that” and added that he is sure this issue will be posed to government representatives by members of the committee. He also pointed out that the delegation is due to meet the Attorney General on Wednesday and that he expects some questions on this to be posed.


Asked specifically to comment on whether the delegation will focus on the 2019 spy van case, Leaners pointed out that the spy van case “very much precedes the Pegasus mandate that we are investigating” and that “it doesn’t have direct relevance for our committee”.


However, he continued, he is certain there will be MEPs that will pose this issue “also from the historical perspective” regarding “the way that these issues are dealt with in Cyprus.”


In a wider sense, he continued, since PEGA investigates the use of spyware in the whole of the EU, not only in countries that are being visited, that also means that it could be of interest to look what has happened in the past, such as the case regarding the use of FinFisher in Germany, and other spying incidents in other countries.


Called to comment on reports on connections between the activities of companies providing spyware in Greece and Cyprus, Lenaers pointed out that there is a reason why the committee visits both countries, since it is well known that there are links between companies like Intellexa and people like Tal Dilian with both Cyprus and Greece as well as Israel.


“There will be questions raised, information requested on these companies and these individuals that are or have been active in both countries” he added.


Lenaers stressed that PEGA has so far conducted visits to Israel and Poland, and added that “the cooperation that we are receiving both from the Cypriot and also from the Greek government, for organising our mission and speaking to representatives of the member states at the level of ministers is really in stark contrast with the way we were received in Poland and even Israel”, adding that of course “we will have to see the atmosphere in which the meetings take place, the questions asked and answers given and the willingness to have a proper democratic dialogue”.


On the possible connections of political actors to the companies involved in surveillance which have been reported in the Greek media, Lenaers said that he can only read the same news reports and pose questions about them and that he doesn’t have additional evidence.


“We will ask questions about this. We will invite of course journalists in Greece that have been writing about certain stories, we will ask them for further clarifications, we will ask government representatives to respond” he stressed, adding that it is impossible for him to give an ultimate judgement from Brussels over these reports.


Commenting on the delegation’s upcoming visit to Athens, the president of PEGA said that the committee has added journalists that wrote recent stories to its agenda of meetings, and that he believes that they will have an interesting exchange of view with the Greek Minister of State, as well as with the MPs from the Hellenic Parliament’s special investigative committee regarding its modus operandi and the results of its investigation.


Need to look into the European framework on surveillance


On the subject of the what gaps the committee has discovered when it comes to the regulation of surveillance across the EU, Lenaers said that the first draft report by MEP Sophie in ‘t Veld is expected to be published next week and that he expects it to focus “on these import – export regulations, dual use regulations, whether they need updating to also provide for spyware like Pegasus”.


“We need to have a look at the European framework which allows for this kind of spyware to be used” he added, pointing to the case of Hungary, where PEGA will travel in February, where “the data protection authority of the Hungarian government has investigated more than 200 of these cases and came to the conclusion that everything was done according to law.”


“If you in Hungary can, according to the law, spy on 200 journalists, activists et cetera then something is not completely efficient about the law” he added.


On the European level, he pointed to concerns raised by experts during hearings of the committee on “zero day vulnerabilities, loopholes in software and hardware of our devices” and the “thriving market” which also exists in Europe making money from these vulnerabilities. He added that member states are known not to share these vulnerabilities when they are detected so that they can be patched, and that “instead they stockpile them, in wanting to use them themselves when it is convenient.”


On the side of the victims, he continued, there needs to be transparency as well as measures to address the need for them to have access to justice.


He also pointed out that even though the competence of the European Parliament lies only in the EU, the wider picture needs to be considered because “if we start really tightly regulating in the EU but these companies move abroad and continue providing the same services to the rest of the world and to many undemocratic regimes outside the EU, then in the end we haven’t won much.”


For this reason, he continued, the MEPs also look into whether the EU “can be a leading actor in a global agreement on regulating this spyware.”


Responding to a question what journalists, politicians and private citizens that could be affected can do, Lenaers said that “as sad as it sounds, if we talk about spyware at the level of Pegasus, all the digital savviness in the world will not save you” because it is such an advanced and expensive piece of technology that there is not much that a consumer can do.


“At the same time we know there are many other kind of spyware, ranging from very sophisticated to very basic” he added, pointing to issues regarding mandatory updates for mobile devices, apps or software for longer periods of time, especially in cheaper android phones which are no longer updated when new models enter the market. He pointed to the need for promoting awareness among citizens and developing minimum standards for developers.


He also expressed his satisfaction that the European Commission has realised that this issue is not important only for the member states but there is reason to get involved on the EU level as well. Pointing to the Commission’s new European Media Freedom Act he said that there “the use of spyware against journalists is not being prohibited yet because there are some exceptions, but very much clamped down upon”.


He stressed that this is the right approach that needs to be built upon, to protect not only journalists but also other groups like lawyers and private citizens.


Source: Cyprus News Agency