EU parliament spyware inquiry eyes Italian firms

Its chair, Dutch liberal MEP Jeroen Lenaers and Pega secretariat told EUobserver in an email ahead of the publication of the investigation, that Tykelab and RCS Lab could become a fresh part of the committee's probe.

"The mandate of the Pega committee is not limited to NSO/Pegasus only, but would clearly cover something like Tykelab and RCS Lab that you mention," said the Pega secretariat, in an email, with Lenaers in copy.

The committee's vice chair, German liberal Moritz Körner, made similar comments.

"We look at different firms and software. So I think Tykelab and RCS Lab could definitely become a topic in the committee," he said.

The investigation by Lighthouse Reports along with media partners Der Spiegel, Domani and Irpimedi , found that both Tykelab and RCS Lab were using surreptitious phone network attacks, and sophisticated spyware, against targets in southeast Asia, Africa and Latin America, as well as inside Europe.

EUobserver was given summary conclusions of those findings ahead of publication, including a snap shot of previously unpublished phone signalling datasets.

The phone-signalling data paints a disturbing picture of surveillance practices that are said to be almost on par with Pegasus, the Israeli software used to infiltrate mobile phones and extract data or activate cameras or microphones.

Such signals expose vulnerabilities in phone networks that in turn give up the locations of phone subscribers.

Although not explicitly highlighted in the Pega inquiry, RCS was still briefly mentioned in a 21 June hearing as part of the spyware industry by Privacy International's Edin Omanovic.

Omanovic at the time said a 2016 analysis had found over 500 firms that sell surveillance technology for government end-users for surveillance.

"They sell a full spectrum of tools ranging from spyware to techniques which take advantage of vulnerabilities in telecomms networks, to spy on people anywhere, to huge internet monitoring tools which sweep up internet traffic on a nationwide level," he said.

There is also a massive regulatory gap and lack of legal redress in case of abuse, said professor Ben Wagner, director of the AI Futures Lab at TU Delft, in comments made at the same hearing.

"We've unleashed an industry that we have not been sufficiently willing as Europeans to regulate," he said.

"Sooner or later this will be misused, whether it's in election campaigns, whether it's in so-called corruption cases," he said.

Firms that make such software often claim it is used to track down criminals or terrorists — including Israel's NSO Group that led to the European Parliament inquiry into Pegasus.

The NSO Group reportedly has active contracts with 12 of the 27 members of the European Union and is now seeking to expand its client base to Nato members, the western defensive alliance of some 30 countries.

But some state actors in the EU and elsewhere are also targeting political opponents and journalists.

The latest scandal ensnared Greek prime minister Kyriakos Mitsotakis earlier this month after it was revealed that state intelligence service EYP tapped the mobile phones of a political opposition leader and a financial journalist who works for CNN Greece.

EYP reports directly to Mitsotakis' office, which has denied any involvement.