European Parliament Condemns Commercial Spyware

European lawmakers on Thursday denounced the commercial spyware industry and chastised half a dozen member nations for deploying spyware against citizens or selling it abroad.

See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm

The European Parliament accused Hungary, Poland and Greece of violations of European Union law for their use of commercial spyware against opposition figures and others in a resolution capping a yearlong investigation into continental use of smartphone surveillance through apps such as NSO Group’s Pegasus (see: PEGA Committee Calls for Limits on Commercial Spyware).

In a vote in which 411 voted for, 97 voted against, and 37 abstained, the Parliament also called on Cyprus to evaluate its export licensing regime for spyware. Spain should complete legal reforms and fully investigate all alleged cases of the use of spyware, the resolution says.

The Parliament set up the PEGA Committee in March 2022 after reports surfaced of European countries deploying spyware against political opponents and civil society.

“Spyware is part of the toolkit of authoritarians who undermine democracies, and it is being used against the custodians of our democracy here, in Europe, on our doorstep,” said Dutch Member of Parliament Sophie in ‘t Veld, rapporteur of the committee report.

One of the recommendations approved by lawmakers is for member countries to discontinue use of commercial spyware by the end of this year unless they can demonstrate that alleged cases of abuse have been fully investigated and they have a legal framework governing its deployment. Governments should also by then revoke export licenses not in line with export regulations controlling the sale of dual-use items, the resolution states. In ‘t Veld has accused Cyprus, Greece, Bulgaria and possibly other countries of allowing illicit export of surveillance apps.

The vote comes amid backlash against commercial spyware that has included the United States limiting security agencies’ ability to purchase the apps and a recently formed coalition of 10 countries worldwide dedicated to imposing heavier export controls. Criticisms from European institutions and the American government may not be enough to stymie the expansion of the industry, which now constitutes at least 35 companies. An April report from the U.K.’s National Cyber Security Center predicted growing demand for spyware will drive industry expansion. “Oversight of the commercial intrusion cyber sector will almost certainly lack international consensus, be difficult to enforce and subject to political and commercial influence,” the report concluded.

In large measure, the commercial spyware industry supports a semi-hidden market for zero-day exploits. European lawmakers hope they can undercut it in a call for a ban on the sale of software vulnerabilities except “for any purpose other than strengthening the security” of a system.

The resolution also calls for the European Commission to increase support for bug bounties and to set up a bloc-wide mandatory vulnerability disclosure process.

Lawmakers also called on the commission to create an institute dubbed the EU Tech Lab to investigate spyware.