Trading in spyware is a “shady business” that on paper appears to be regulated but in practice is “the wild west”, according to a Dutch member of the European Parliament, Sophie in ‘t Veld.
The Democraten 66 liberal party member is the rapporteur for a committee in the European Parliament that is investigating the regulation and misuse of spyware within the EU and has been at the forefront of calls for action to counter what she says is a threat to European democracy.
She is concerned that technology that can be used to secretly infect people’s smartphones, get access to their data and turn their microphones and cameras into surveillance devices has been used within Europe for purposes other than criminal investigations and legitimate intelligence operations, and has been sold to regimes outside Europe with dire human rights records.
In draft reports and draft recommendations for parliament she has produced over recent months, two products loom large: Pegasus, which is produced by the Israeli-based NSO Group, which has been blacklisted by the United States; and Predator, which is produced by the Intellexa Group, the holding company of which has its registered address on Foley Street, Dublin 2.
[ Karlin Lillington: Pegasus Project exposes menace of surveillanceOpens in new window ]
Intellexa is one of several technology businesses founded over recent years by Tal Dilian, a former Israeli military intelligence officer and now a serial entrepreneur who has a golden passport from EU member state Malta. Intellexa’s Predator is at the heart of a huge and ongoing controversy in Greece, where multiple investigations are under way into the alleged surveillance targeting of politicians, business figures and journalists.
In a draft recommendation produced by in ‘t Veld for the European Parliament in January, she referred to “government bodies in several countries, both member states and third countries, [having] used Pegasus and other brands of surveillance spyware against journalists, politicians, law enforcement officials, diplomats, lawyers, business people, civil society actors and other actors, for political and even criminal purposes”.
In her draft report in November for the PEGA Committee of Inquiry, which is investigating the use and abuse of spyware, she focused on the controversial use of the technology by Poland, Hungary, Greece and Spain and what she referred to as the “welcoming export climate” in Cyprus for spyware companies.
The number of EU states that are abusing spyware is limited, in ‘t Veld told The Irish Times. There are “four or five” countries where there is a “blatant deliberate attack on democracy” using spyware, she said. But it is a mistake to think that the misuse of the technology by some is not a threat to the EU generally. “You cannot say I have gangrene in my arm but the rest of my body is fine.”
The targeting of a senior political figure by one member state for domestic political reasons can result in that person being secretly spied on during high-level European Union meetings. Members of the European Parliament have been targeted, as have members and officials of the European Commission.
Some of the alleged “perpetrators” of the misuse of the technology are themselves members of the European Council by way of their senior political roles. And yet, according to in ‘t Veld, the commission and the member state governments are loath to target the problem.
“You have to remember when it comes to the trade in spyware, there are two actors that have an interest in maintaining the status quo. One is the semi-criminal industry and the other is the governments. And that is a very unusual alignment.”
In her November draft report, in ‘t Veld documented how Dilian got in trouble with the authorities in Cyprus after he gave an interview to Forbes about a van kitted out with equipment worth $9 million (€8.4 million) so that it could hack into any smartphone within a radius of 500 metres. Other technology for intercepting data from wifi networks was also highlighted.
The publicity worked out badly for Dilian and the business he was developing with a view to competing with the better known NSO Group. The van was seized by the authorities and a criminal investigation initiated. It was this that led to the former intelligence officer moving his corporate affairs from Cyprus to Greece and other locations, and incorporating an Irish holding company, Thalestris Limited. Initially, Thalestris had its registered address at a solicitor’s practice in a unit of a business park in Balbriggan, Co Dublin.
“It is remarkable that the application to incorporate Thalestris Limited in Ireland was submitted in November 2019 by a company formation specialist, only 12 days after the criminal investigation into Dilian and his company WiSpear [part of the Intellexa Alliance] by the Cypriot authorities was publicly revealed,” in ‘t Veld wrote in her report.
As well as the holding company, an Irish company called Intellexa Ltd was also established, with the same registered address. The purpose of the company, according to filings in the Company Registration Office in Dublin, is the provision of “intelligence products for law enforcement agencies”.
Fine Gael MEP and former minister for justice Frances Fitzgerald said the report raised hugely important issues for the European Union but was a “bit harsh” in terms of its criticisms of Ireland
Both companies have since moved their registered office address to Foley Street. Because they file consolidated accounts, and Thalestris has subsidiaries in Greece, Switzerland, Cyprus and the British Virgin Islands, little information is available as to the level of activity, if any, in Ireland. There is no indication it has any place of business in this jurisdiction, or any employees.
The most recent consolidated accounts for Thalestris say its Irish subsidiary recorded a loss of €545,486 in 2021. The group overall recorded a 2021 turnover of €34.3 million, of which €29.5 million involved sales in the Middle East and sales of €2.2 million in Europe. It also traded with customers in Asia, Africa and Latin America.
The sole director of Thalestris and its Irish subsidiary is a Polish national, Sara Hamou, who is reportedly married to Dilian and is an “offshoring specialist”. Hamou has an address in Cyprus and gave evidence by way of correspondence from there to a Greek parliamentary inquiry last year, having claimed that she could not appear before the committee in person.
“Some 5,500 pages of documents, including the minutes and the deposition of Hamou, have been classified, although it is entirely within the powers of [the Greek] parliament to declassify them,” in ‘t Veld said in her report. “Quite paradoxically, the inquiry committee thus serves to shield information instead of providing access to it.”
In her report, she says Intellexa’s presence in Ireland is used to avoid tax. The consolidated accounts filed by the group show a 2021 loss of more than €6 million, and loans at a high interest rate from an entity apparently based in the British Virgin Islands.
[ Spyware business with Irish links ‘has not sought’ to export product from IrelandOpens in new window ]
In the report in ‘t Veld says, in reference to Intellexa: “Ireland has become the member state where some of the main spyware companies involved in scandals have registered, due to its fiscal laws.” Elsewhere she said, “Ireland offers favourable fiscal arrangements to a large spyware vendor.” Both comments are in reference to Intellexa.
Asked about this, the Dutch politician says it is not her role as a parliamentarian to tell the Irish Government what to do, “but let’s say, as a citizen, I find it very difficult to understand why a company [engaged in the type of activities that have been ascribed to Intellexa] gets a tax break. That makes no sense.”
Fine Gael MEP and former minister for justice Frances Fitzgerald, who is a substitute member of the European Parliament committee, says in ‘t Veld’s report raised hugely important issues for the European Union but was a “bit harsh” in terms of its criticisms of Ireland.
“We need to take the whole issue of spyware very seriously, particularly when there are links made to Ireland,” she says. “However, it is also important not to overreact at this stage and instead to be methodical in order to get to the facts. For example, the Department of Finance would say that references in the current draft report to taxation arrangements are unsubstantiated.”
Fitzgerald says more work needs to be done on the whole area of spyware by the Government and the National Cyber Security Centre, and she urges the latter to do a full review of the use of spyware in Ireland. “It may find that there is none in use at all, which would be very positive. Ireland is a country with a strong commitment to the rule of law and due process.”
The most important safeguard against the misuse of corporate structures is transparency, and new measures in this regard are being introduced, she says. In an amendment to in ‘t Veld’s report, Fitzgerald refers to a new Government Bill that will introduce greater transparency in relation to the use of Irish limited partnerships, a type of legal entity that is being marketed internationally as having many of the attractions of an offshore company.
“More broadly, across Europe and the wider world, evidence of the use of spyware is rightly causing serious concern,” she tells The Irish Times. “This investigation by the European Parliament has the opportunity to shine a light and also to show the way in terms of necessary reforms and best practice. The current draft recommendations are very worthwhile and should be considered.”
[ Spyware Pegasus found on hacked mobile phones of four human rights defendersOpens in new window ]
A central element to the draft recommendations is the introduction of a definition for national security that would be applied across the European Union. “We are all in favour of national security,” in ‘t Veld tells The Irish Times. “The point here is that it is not about national security. That is a facade, a pretext.”
National security is an area of national as against EU competence “but that does not mean you have an unlimited carve-out from European law”. If national security is defined by national states, it can be easily abused “because they don’t have to justify it to anyone. They are not accountable to anyone ... They have created for themselves an area of complete lawlessness.”
“Everyone here is fretting about democracy in Brazil, democracy in the United States, democracy in Israel. They should equally be fretting over the state of democracy in the European Union, because we have a problem here. We see that democracy is completely unequipped with this type of attack on democracy.”
In ‘t Veld would like to see more co-operation between the European Union and the US in relation to the control of spyware, more pressure being applied by the European Commission on Israel – “the real cradle of this whole industry” – and greater implementation by European governments and agencies of the controls and laws that already exist in relation to the surveillance of citizens and the export of products that can have a military use.
In 2021 Citizen Lab, a Canadian research laboratory focused on technology, security and human rights, said it believed Predator was being used by government customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. There have also been reports of its use in Colombia, Ivory Coast, Vietnam, the Philippines and Germany.
[ ‘Asleep at the wheel’: Canada police’s spyware admission raises alarmOpens in new window ]
Fianna Fáil MEP Barry Andrews wrote recently to the Oireachtas Joint Committee on Justice saying Ireland was at risk of becoming a “haven” for companies involved in the sale of spyware to countries with a history of human rights abuses. In his letter, Andrews drew attention to recent research by a Dutch NGO, Lighthouse Reports, which said it had established that Predator had been sold to a notorious militia in Sudan called Rapid Support Forces.
“I am hopeful that the Joint Committee on Justice can investigate this issue as a matter of importance,” wrote Andrews in relation to spyware and Ireland. The committee wrote back in January saying it had decided to add the topic to its work programme for 2023.
For in ‘t Veld the need for action is urgent, not least because elections are due to take place this year in Spain, Greece and Poland, three member states that feature strongly in her draft report. “We have to be absolutely sure that the elections are clean, that they are free and fair.”
A request for a comment from Intellexa met no response. The Department of Justice was asked if Irish security and intelligence services used spyware, if the use of spyware was legal and what controls govern its use by the Irish security services. In its response the department did not say whether the State used spyware or not but did say “the ability to lawfully intercept communications is an important tool in combating serious crime, terrorism, and protecting the security of the State”.
The interception of telecommunications messages is provided for by the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, it said. Authorisation for interceptions by An Garda Síochána can only be granted for the purposes of investigating serious crime or protecting the security of the State, and by the military for the purposes of defending the security of the State. Interceptions are also possible for the investigation of offences allegedly committed by members of An Garda Síochána in the context of the Garda Síochána Ombudsman Commission. A designated serving judge of the High Court oversees any authorisations, and reports annually to the Taoiseach, the department said.
“Legislative proposals, with a view to modernising the current legal framework, are being prepared by the department for the consideration of the Minister and the Government,” it said.