Google, Meta and Microsoft presented a united front to lawmakers on Tuesday (14 June), when they called on governments to stop investing in surveillance companies and curb the growing use of sophisticated software like Pegasus.
This week, representatives from Big Tech companies were invited by European lawmakers to share their insights on the use of spyware in Europe, two months after the work of the Pegasus inquiry committee (PEGA) began.
“This industry appears to be thriving”, Google’s Senior Policy Manager, Charley Snyder, told the MEPs, stressing that it has been “fueled by demand from governments”.
“While the use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to European values: targeting dissidents, journalists, human rights workers, and opposition party politicians”, he added.
Such tools are far from the exclusive preserve of authoritarian governments or far-flung countries: several member states, including Hungary and Poland, have admitted to being customers of the NSO Group, the Israeli company offering Pegasus, but denied any wrongdoing.
Spain was a new addition to the list following the recent ‘Catalangate’, a series of revelations showing that Catalan pro-independence activists were surveilled using Pegasus spyware by national intelligence services.
“Note, with growing concern, that unscrupulous use of these technologies can have a much broader and inadvertent effect, putting large parts of the ecosystem at risk”, declared Kaja Ciglic, senior director of digital diplomacy at Microsoft.
David Agranovich, security policy director at Meta, the parent company for Facebook, Instagram and WhatsApp, added: “These types of surveillance capabilities have traditionally been the purview of governments, sophisticated surveillance, access and capabilities into personal devices, accounts across the internet, that in democratic governments are generally subject to democratic oversight.”
He highlighted, however, that “the challenge of the surveillance-for-hire industry is that it makes this type of democratic oversight difficult to impossible”.
The three companies also stressed that the Pegasus spyware, despite being the most infamous following last July’s revelations by a consortium of 17 media organisations, is not the only tool on the market for such purposes.
“[Google’s] threat analysis group is actively tracking more than 30 vendors with varying levels of sophistication and public exposure, selling exploits or surveillance capabilities to government-backed actors”, declared Google’s Snyder.
A representative of Apple, originally invited, did not take part in the discussions.
The tech giants pointed to the “tremendous space” for European governments to take action to address the issues posed by such technologies.
One thorny task is how legislators can impose accountability on the clients of spyware tools.
“Ironically, groups selling malicious tools are very particular about the confidentiality around their products, services, contracting and pricing associated with their offensive tools”, said Microsoft’s Ciglic.
Member states need to enforce “requirements of due diligence you would expect from other industries”, such as “know your client” obligations, said Agranovich.
As it stands, “anyone willing to pay, whether they are an authoritarian regime, or a private individual engaged in litigation, can simply hire these firms, and then deploy very sophisticated capabilities against whoever they wish”, he added.
The three companies also stressed that lawmakers need to provide a tighter framework for the use of these kinds of surveillance tools. Even when they are lawfully used, they can have harmful after-effects – for instance, with zero-day vulnerabilities: loopholes and backdoors that cyber mercenaries can exploit precisely because they have not been publicly documented or patched.
Introducing and enhancing policies to safely disclose these weaknesses to the industry operators, so they can be fixed, is “vital”, said Snyder. “Vendors stockpiling zero-day vulnerabilities in secret can pose a severe risk to the internet when the vendor itself gets compromised”, he declared.
The industry also emphasised the need to protect the people conducting this research, whether they work at Big Tech firms or at smaller companies.
Given that the investigations sometimes shine a light on state-backed users of surveillance tools, Google, Meta and Microsoft called on lawmakers to create a safe space for companies to work on this issue.
“We have received threats after publishing reports”, declared Snyder from Google.
The PEGA inquiry committee is set to complete its work by April 2023 and is expected to make recommendations on how to deal with these illegal practices. NSO Group representatives will be heard at the next meeting (21 June).
[Edited by Luca Bertuzzi/Nathalie Weatherald]