The writer is international policy director at Stanford University’s Cyber Policy Center
Last December, the European Commission announced infringement procedures against Poland, on the back of growing concerns that Warsaw’s ruling party is seeking to sideline EU laws and politicise its own judiciary. If that were not bad enough, research by cyber security watchdog Citizen Lab suggested the Polish government was using spyware against its opponents. Alongside its infringement case, the European Commission must urgently address these latest violations, which represent a new digital frontier of the rule of law.
Researchers at Citizen Lab have identified a series of cyber intrusions into the devices of Poland’s judges, journalists, opposition leaders and their lawyer, including during the 2019 election campaign. The hacks — which were facilitated by NSO Group’s Pegasus spyware — have already wreaked damage in the lives of those targeted. For example, sensitive material gleaned from opposition politician Krzysztof Brejza was broadcast through state media channels. “They were at the table during strategic political meetings and went with me to the bathroom and the bedroom,” he said in an interview this month. An avalanche of press rumours insinuating fraud, which were repeated by the national broadcaster, prompted his resignation as campaign leader for the opposition party Civic Platform.
After an initial denial, the Polish government conceded it had purchased Pegasus software, but has defended its actions by claiming it has acted in line with due process and legal provisions. It denies having used the tools for political gain. Still, the Polish Auditing Office (NIK) alleges more than 500 of its employees’ devices have been hacked. Legal exemptions can be granted by agencies and entities which report to the organisation which is using the spyware. It is easy to argue that an activist or journalist is a risk to national security, in order to justify surveillance. This vicious cycle must be broken.
Unfortunately, EU law relating to the use of spyware by member states is unclear. When Brussels updated its dual-use export control rules last year, surveillance technologies were included on the controls list. Before granting an export licence, responsible authorities would have to be convinced these tools would not be co-opted for human rights violations. While a step in the right direction, seeking to prevent exports only tackles one side of the problem: domestic use of these tools remains unregulated.
It is good news that the EU has proved its determination to address rule of law violations in Poland. Yet further action on the use of spyware is not straightforward. It is currently unclear which EU governments use NSO’s Pegasus and similar systems. Few member states offer transparency over use of stealth hacking systems against their own citizens. Addressing the deployment of spyware by Polish authorities is likely to be unpopular if it puts pressure on all member states to come clean about their own uses of this technology.
The Polish Senate is in the process of starting an investigation into allegations of state-sponsored hacking of opposition politicians’ phones. It is also drafting a new law to prevent intrusive software being deployed again in future. However, the ruling party has boycotted it. Brejza is trying to sue Poland’s ruling party leader for slander, but he is reliant on the Ministry of Justice choosing to take up the case. Until the opposition wins a majority, legal change does not seem possible. Even with the political will to pursue these cases, prosecuting them would be a challenge. “Judges have no tools to realistically check whether the services are abusing their powers, and there is no one who could verify this later,” Wojciech Klicki of Panoptykon, a Polish NGO set up to oppose surveillance technologies, told The Guardian.
For its own part, NSO Group claims to have a zero-tolerance policy on the use of its tools against political targets, but how can it enforce this? So far, the company has not managed to prevent the use of its tools against government opponents in Poland and Hungary or even Israel, its domestic market.
Whether there will be any accountability depends to a large extent on EU leaders. Those pondering Poland’s alleged violations should seriously consider the democratic implications of spyware being used against opposition leaders, journalists and judges. This case should also serve as a warning for other European governments. At the very least, we need to impose significant limits on the use of spyware, or ideally, an outright ban on tools that are prone to abuse.