Inleiding en context

Goede morgen allemaal op deze dinsdag 10 januari 2023, de kop van het nieuwe jaar is er weer vanaf. Ook nu begin ik de dag weer met een klassiek liedje: https://www.youtube.com/watch?v=gSWInYFVksg Lekker wild ging het er aan toe in 1966, prachtig. Maar nu naar de ´kennisparel´ van deze dag. Dat is er één over zogenaamde Spywaresystemen die het mobiel hacken van apparaten mogelijk maken. De meest bekende is die van Pegasus, ontwikkeld door de Israëlische NSO Group. Pegasus heeft volledige en onbeperkte toegang tot het doelapparaat: het kan alle gegevens erop extraheren, geeft inzicht in alle activiteiten die ermee worden uitgevoerd (passieve monitoring), activeert de apparaten om verdere gegevens te verzamelen (actieve monitoring). Het kan worden geïnstalleerd zonder dat de betrokken personen iets merken en laat nauwelijks sporen achter. Een dergelijk gebruik van technologische hulpmiddelen baart terecht zorgen vanwege de diepgang ervan aangezien het kan zich uitstrekken over alle aspecten van het persoonlijke leven van de beoogde individuen.

Bijgesloten ´kennisparel´ heeft als doel om (a) de belangrijkste kwesties te identificeren met betrekking tot de manieren waarop Pegasus en andere spyware kan interfereren met individuele rechten en democratische processen en instellingen, (b) een beschrijving te geven van de relevante wettelijke kaders, (c) bepalen in welke mate en onder welke voorwaarden spyware rechtmatig mag en kan worden gebruikt en ten slotte (d) het presenteren van een overzicht van aanbevelingen om dergelijke voorwaarden te implementeren.

Bron

Sartor, Giovanni & Andrea Loreggia (December 2022). The impact of Pegasus on fundamental rights and democratic processes. Brussels: European Parliament, Policy Department for Citizens’ Rights and Constitutional Affairs,67 pp. https://www.europarl.europa.eu/RegData/etudes/STUD/2022/740514/IPOL_STU(2022)740514_EN.pdf

Samenvatting

The use of spyware is usually justified by invoking national security. However, it appears that in many cases spyware is used for other purposes, often pertaining to partisan political objectives or to the repression of social and political dissent. It has been recognised that many states have used national security as a cynical legal pretext to curtail freedom of expression, legitimise torture and other ill-treatment, and exert a chilling effect on minorities, activists, and political opposition. In particular, extensive evidence exists on Pegasus being used to target individuals not having any connection to serious crimes or national security threats, such as political opponents, human rights activists, lawyers, and journalists. To prevent an expansive use of the notion of national security, this notion should be understood restrictively and distinguished from the concept of internal security, the latter having a broader scope, including the prevention of risks to individual citizens, and in particular the enforcement of criminal law.

In the UN framework, surveillance activities are to be assessed according to human rights treaties such as the International Covenant on Civil and Political Rights. Abusive surveillance affects not only the right to privacy but also freedom of expression and other rights in the Covenant. Both privacy and freedom of expression can only be limited through the law and as necessary for legitimate purposes. National security may justify limitation, but in the case of Pegasus, the legality and necessity requirements are likely not satisfied. According to the European Convention on Human Rights, the requirements of legitimacy, legality, necessity, and proportionality, in the context of a democratic society, apply to targeted surveillance. An extensive case law of the European Court of Human Rights (ECtHR) has set conditions for covert surveillance to be consistent with human rights, particularly with regard to legality (accessibility of the laws authorising surveillance and foreseeability of their consequences) and notification. The Court has also granted standing to individuals even only potentially affected by covert surveillance.

In the context of EU law, targeted surveillance is relevant to the rights contained in the Charter of Fundamental Rights of the European Union, the principles contained in the Treaties (such as democracy and the rule of law), and various instruments of EU secondary law, such as those pertaining to data protection. According to the Treaty on European Union (TEU), national security is the sole responsibility of each Member State, but this does not in principle exclude that national security activities are subject to EU law, which indeed is the case when they interfere with activities regulated by EU law. The application of EU law to the use of spyware for national security purposes is, however, hindered by the exclusion of national security from the scope of two fundamental instruments: the GDPR and the ePrivacy Directive. This can hardly be justified with regard to the rights enshrined in the Charter and the principles contained in the Treaties. Because this exclusion may be used too broadly, it must be pointed out that it only concerns cases in which the spyware is genuinely used to protect national security properly understood. EU law fully applies to the use of covert investigations for law enforcement purposes. However, even in this domain, there is evidence of abuse.

The use of spyware poses a threat to the fundamental rights and basic principles of EU law, such as (representative-deliberative) democracy and the rule of law. It risks undercutting the very principles on which the EU legal system is based. In the international and European legal systems, national security activities can justify restrictions on fundamental rights, but if such restrictions are to be lawful, they need to satisfy the conditions of legitimacy, legality, necessity, balancing, and consistency with democracy. In many instances of its deployment, Pegasus has so far failed to meet these requirements, given that it has been used for non-legitimate purposes, without an adequate legal framework, in the absence of real necessity, and causing disproportionate harm to individual rights and democracy. We suggest various strategies that may help prevent abuses:

A politically feasible moratorium on the use of device-hacking tools could consist in a strong presumption against the lawfulness of their use, a presumption grounded in extensive evidence of their abusive deployment. This presumption could only be overcome when a state convincingly shows a willingness and capacity to prevent all abuses. Moreover, all Member States should be urged to ban the use of specific spyware tools where, as with Pegasus, there is strong evidence of their deployment in unlawful activities, especially within the EU. Until there is clear evidence that such unacceptable practices no longer take place, continuing to deploy Pegasus, even in the framework of lawful activities, amounts to supporting its producers and developers and thus implies a political (even if not a legal) complicity with such practices.

Afsluitend

Het mobiel hacken via Pegasus tast de privacy van mensen, gegevensbescherming en andere individuele rechten aan, zoals het recht op vrijheid van meningsuiting, vereniging van vergadering, evenals de democratische uitgangspunten van een samenleving. Politieke participatie wordt beïnvloed door spyware in de zin dat bespioneerde burgers zich daartoe gedwongen kunnen voelen door zich te onthouden van meningen met een politieke inhoud, van het uiten van hun mening en van de omgang andere activiteiten voor politieke doeleinden.

Dit doet afbreuk aan de kwaliteit van een democratie, die uiteindelijk afhangt van de inbreng en reacties van burgers. Meer specifiek beïnvloedt spyware individuen (zoals journalisten, politici en activisten) die een speciale rol spelen in de publieke discussie. Surveillance van dergelijke individuen opent ruimte voor repressie, manipulatie, chantage, vervalsing, en laster. Het verkiezingsproces zelf kan zo worden beïnvloed wanneer de verzamelde informatie, mogelijk gemanipuleerd, wordt gebruikt om lastercampagnes tegen gerichte kandidaten uit te voeren of om zich in te zetten bij andere acties die hun kansen op succes bij de verkiezingen beïnvloeden. Alleen al de angst om bespioneerd te worden kan mensen ertoe aanzetten zich niet verkiesbaar te stellen of een effectieve campagne te voeren. Alle zeilen bij dus om deze negatieve ontwikkelingen tegen te gaan.