The EU Parliament’s committee of enquiry into Pegasus and other spy software is calling for Europol to investigate the scandal. However, there are reasons why the police agency’s powers are limited.
While the EU Parliament is looking into the spyware scandal in a committee of enquiry, the role of the police agency Europol is also being discussed anew in the EU. The mandate of the committee on the use of Pegasus and equivalent spy software (PEGA) was recently extended until 10 June. This was decided by the Conference of Presidents of the EU Parliament last week. This also gives a little more time to present the final report on the European spying scandal, which rapporteur Sophie in´t Veld called “Europe’s Watergate” in a preliminary version in November.
In it, the Dutch-born, left-liberal politician in´t Veld demanded that Europol investigate the apparent misuse of the spy programmes. The police agency could be entrusted with investigations if two or more member states are involved and the crime being prosecuted has a cross-border character. This would be conceivable in the countries Poland, Hungary, Spain, Greece and Cyprus, which are mentioned first in the PEGA report. There, governments have used the Pegasus and Predator software to spy on opposition members, critical journalists, lawyers and activists.
Act of cybercrime
“Europol’s mandate tends to be neutral as regards the crime perpetrator when determining which crimes fall within its scope,” explains Chloé Berthélémy, senior policy advisor at the Brussels-based civil rights organisation European Digital Rights (EDRi), when asked by netzpolitik.org. This means that the Hague-based agency could also investigate governments. Europol could also alert member states to a cross-border crime that was not on their radar, Berthélémy said. “However, it is highly unlikely that one Member State would use Europol as a means to investigate another’s use of spyware.”
The use of Pegasus and Predator could in many cases constitute the offence of cybercrime, which, like corruption and extortion, falls within Europol’s remit, in´t Veld’s interim report says. In it, the rapporteur vehemently emphasises the demand for Europol investigations against the governments mentioned.
Last year, the EU Parliament approved a new regulation that gives Europol even more powers. Article 6, for example, allows the executive director to “proactively” propose investigations, even if the crime is committed in only one member state. However, Europol refused to make use of the new powers in the case of “Europe’s Watergate” and to open an investigation, criticises in´t Veld. On 28 September 2022, the PEGA Committee therefore sent a letter to Europol Director Catherine de Boelle demanding that the agency finally take action.
Letter to five EU member states
In fact, Europol wrote to five EU member states shortly afterwards, but they remain unnamed. Considering the countries affected by the spying scandal, these are probably the governments in Warsaw, Budapest, Madrid, Athens and Nicosia. In the letter, de Boelle asked whether “relevant information” was available to Europol at national level and whether there were ongoing or planned criminal investigations.
In her letter, Europol only asked whether the agency could help the member states, says the rapporteur in´t Veld when asked. There is, however, “ample evidence, and indeed very alarming evidence, of criminal activity” in the countries. So Europol is allowing crimes not to be investigated, according to in´t Veld.
However, Europol is not allowed to “initiate” investigations. This would also contradict the spirit of the EU treaties, according to which the European Union may not carry out police operations on the territory of a member state unless the latter expressly invites it to do so. The politician in´t Veld, who is experienced and respected in the EU Parliament, also knows this.
Europol request could be rejected without comment
Like in´t Veld, the head of PEGA, Jeroen Lenaers, comes from the Netherlands. When asked, the Christian Democrat confirmed that a proposal by Europol to initiate, conduct or coordinate criminal investigations was not binding and could be rejected by the member states concerned without giving reasons. However, the PEGA Committee has “confidence that Europol will do the utmost within the remits of its new powers to support the Member States, in the interest of the citizens of Europe and public security within the EU”, says Lenaers.
After an initial response in October, Europol reported again on 20 December to the EU Parliament on its activities in relation to the use of spyware. Four of the five member states replied that they had at some point “initiated a criminal or judicial investigation procedure in connection with the suspected unlawful use of surveillance and interception software software in their country”, but that some of these investigations had already been discontinued. Lenaers now intends to ask Europol for “additional clarifications”.
As far as is known, Europol has so far only been asked by one of the states concerned to check whether relevant information in the case is available in Europol’s data repositories. Europol is also said to have assisted the police in Cyprus with investigations. This involved forensic examinations of the confiscated equipment of an ex-intelligence agent from Israel.
Europol lacks accountability and transparency
In´t Veld, this clearly does not go far enough. “Paradoxally, contrary to Europol, the US is actively investigating the use of spyware in the EU,” writes the left-liberal politician in her PEGA interim report. In November, the US FBI is also said to have visited the government in Athens for this purpose. These powers are also demanded in´t Veld: “In addition, the Europol Regulation should be adapted, so that in exceptional cases Europol can also start a criminal investigation without the approval of the Member State.,” the report states in paragraph 610.
The demand for such a kind of European FBI is not new and has been raised in Germany by politicians from the Social Democrats, the Greens, Liberals and Christian Democrats. However, this would not be legally possible, the EU Commission confirmed in its answer to a parliamentary question. Therefore, MEPs have put a stop to the extension of powers to coercive measures in the negotiations on the new Europol Regulation.
“We, as civil society, do not believe that bolstering policing infrastructures at European level will solve the political issues raised by the spyware scandals,” says Europol expert Chloé Berthélémy. EDRi had therefore spoken out against the expansion of Europol’s powers because the agency already lacks accountability and transparency. The demand would strengthen police systems “that overly target and discriminate against marginalised communities”.
Proposal: Europol database for the use of spyware
So how could Europol continue to act in “Europe’s Watergate”, even without being given FBI-like powers to do so? “Europol can only use this provision [of Article 6] to exert political pressure on Member States to initiate investigations into the use of Pegasus,” says Berthélémy.
This is also the view of Patrick Breyer, who sits in the EU Parliament for the Pirate Party Germany: “In order to exert political pressure against the abuse of power and spying on political opponents and critics, Europol, as an independent European authority, should definitely demand the initiation of investigations in all countries where there is a suspicion of a criminal offence.”
A database could also be set up at Europol in which the 27 member states should note every use of a state Trojan, suggests in´t Veld. Europol should also include “spyware abuse by governments” in its annual Internet Organised Crime Threat Assessment (IOCTA) report. Europol currently has no knowledge of which EU member states are currently using spyware, the agency’s vice-chairman recently explained in response to a parliamentary question.
Whether Europol is the right address for more transparency in matters of spyware also remains questionable. For according to another answer, the agency itself has sounded out the “products available on the market” for spyware programmes. Europol also offers numerous measures for leveraging or circumventing encrypted communication. However, Europol is not allowed to use own spyware in the EU member states, as this is also a sovereign coercive measure that is only permitted to authorities of the respective country.