A special commission within Poland’s Senate concluded that the government's use of spyware, like the one made by NSO Group, is illegal.
The commission announced on Thursday the conclusion of its 18-month investigation into allegations that the Polish government used NSO’s spyware, known as Pegasus, to spy on an opposition politician and other politicians around the time of the country’s 2019 elections.
“Pegasus cannot be used under Polish law,” the report read, according to a machine translation. “This is because the Polish legal system does not allow the use of programs in which acquired operational data is transferred through transmission channels uncontrolled by the relevant services, as this creates the risk of violating its integrity and does not ensure its confidentiality, as required by law.”
In other words, NSO’s spyware is not designed in a way that respects Polish law, collects too much information and cannot guarantee that that information is secured properly, according to the report.
The commission also concluded that the Polish government used Pegasus to retaliate against opposition figures, and that these surveillance operations negatively influenced the 2019 elections in the country. The commission compared these abuses with Russian government hacker activities in the 2016 elections in the United States.
Deputy Speaker of the Senate Michał Kamiński is quoted in a press release as saying that Pegasus was used to spy on politicians in the opposition, including Polish senator Krzysztof Brejza, and to influence the political process.
“It turns out that huge amounts of money,” Kamiński said, according to a machine translation, “are not spent in order to catch Russian agents, but in order to be interested in the life and views of Polish opposition politicians and influence the political process in Poland. This monstrous weapon was not used to protect citizens, but as our committee proved, it was used to persecute people who did not like the authorities.”
John Scott-Railton, a senior researcher at the internet watchdog Citizen Lab who has been investigating NSO and its customers’ abuses for years, said the fact that a European country’s government body reached these conclusions is significant because it shows there are serious problems with the use of government spyware in democratic countries too, and not just repressive regimes.
“A lot of people when they think about Pegasus they think about dictators using spyware. And of course, it's true. But what this report basically says is, look, when Pegasus is sold to democracies, it can cause great harm to core democratic processes like elections,” Scott-Railton told TechCrunch.
Since 2016, Citizen Lab and Amnesty International have published multiple reports highlighting the abuse of NSO’s hacking tools in countries such as the United Arab Emirates, Saudi Arabia and Mexico, among many others. In the last few years, however, researchers have also found cases of abuse in European Union countries such as Poland, Hungary and Spain.
From NSO’s perspective, according to Scott-Railton, Europe has always been a good market because the company could point to it and say their tools are not abused there, given those countries' reputations. But, as evidenced by the Polish investigation, that hasn’t always been the case. Scott-Railton said the report puts pressure on other countries in Europe and elsewhere in the West that can’t justify the use of tools like NSO’s anymore.
“It raises all these questions about countries like Germany, that are apparently continued users, and think that their use is not going to be harmful elsewhere,” Scott-Railton said. “No, their use is harmful because it legitimizes NSO and keeps them buoyed with revenue. You can't do business with NSO and not contribute to the harm that it causes.”
A spokesperson for NSO did not respond to a request for comment Thursday.
Lukasz Olejnik, a Polish independent researcher and consultant, told TechCrunch that regulations on the use of surveillance technologies in Poland are “rather generic, if non-existent, according to some.” Olejnik also highlighted that the report considers all kinds of spyware like Pegasus to be illegal in Poland.
“The report adopts an interesting line of argumentation, claiming that it would be illegal to use any system that would operate in ways so the collected data (or the target details) left Polish jurisdiction (i.e. border), as well as any systems whose design or source code cannot be inspected and ‘accredited’,” Olejnik said.
That means, according to Olejnik, this conclusion could extend to Poland’s use of spyware made by other companies such as Hacking Team, a now-defunct spyware maker that sold its wares to the country from 2012 to 2015.
Dział Prasowy, a spokesperson for the Polish Senate, confirmed in a statement that "all spyware like Pegasus is illegal in Poland unless it has been accredited" by the country's Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW).
Do you have more information about NSO Group or another surveillance tech provider? Or information about similar hacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.
Updated on September 11 with comment from Poland's Senate.