European citizens are demanding action from their governments

• Surveillance spyware are computer programmes designed to track peoples’ every digital move – and to secretly extract all data stored on a device, including most private information such as passwords, visuals, locations, contacts and encrypted messages like e-mail or messenger apps (e.g. WhatsApp, Signal or Telegram).
• Spyware may gain control of (parts of) a phone or other electronic devices, including activating the microphone or camera as well as having the capacity to fabricate and send out messages, so that they appear to have been composed by the targeted individual.
• Advanced types of spyware are installed and operated in complete secrecy and without the device holder’s interaction (“zero-click attack”). Other types are installed by accessing a fake website (which often imitates popular websites) or sending a fake link via SMS. For the ordinary user, spyware leaves no detectable traces with the device mostly continuing to function normally, except for possible battery issues.

• Spyware misuse by authorities threatens the very foundations of democratic societies. This illegal intrusion into people’s privacy violates fundamental rights, erodes trust in state institutions, impedes free political competition and puts elections results into question. Therefore, a responsible use of spyware requires transparent and effective mechanisms with democratic oversight.
• Spyware misuse poses a threat to the life and safety of any targeted person. Whilst government agencies claim to use spyware only for (serious) crime, research disclosed the widespread and unlawful surveillance of individuals which violates privacy rights and has generated information that contributed to further human rights violations.
• A general lack of national and international regulation and oversight has opened gateways to the misuse of spyware, as companies can sell to even the most notorious dictatorships, who otherwise would not be able to develop such spyware capabilities themselves.
• Spyware companies have developed a lucrative business model by scouring for and exploiting the weaknesses of IT systems to infiltrate private devices with spyware. By purchasing spyware from these companies, EU Member States have therefore not only contributed to security risks and fundamental rights abuses within Europe, but also outside of it as many spyware companies rely on the European market to legitimise their businesses.

• Spyware misuse can happen everywhere and to everyone. Many targeted individuals have expressed criticism of government policies. They come from all walks of life, and include politicians, journalists, lawyers and civil society activists promoting human rights, women’s rights, and environmental protection.
• Spyware abuse does not only violate rights of the targeted person but also their social and professional network by monitoring their exchanges with others.
• In many countries authorities specifically target women activists with spyware, in order to extract information for defamation campaigns. Due to the increased social scrutiny women are under, public shaming of women by leaking private and intimate photos particularly trigger harassment, social ostracism and even physical attacks.
• Victims frequently face obstacles by authorities when seeking redress, including refusal to provide information necessary to identify responsibility for the unlawful surveillance.

• At least 20 governments from all around the world have been exposed for misusing commercially obtained spyware against civil society actors.
• Countries who use surveillance spyware against their own citizens range from authoritarian regimes to European liberal democracies. In the EU, it has been established that 14 Member States have acquired Pegasus spyware in the last years, yet not all of them may have used it in an illegal way. So far it is unknown how many other spyware providers have sold their software to EU countries. Another big European player, Intellexa (producer of the “Predator” spyware), has just been involved in a scandal in Greece.
• The secretive nature of spyware attacks poses a challenge to identify those responsible for misuse. Where the world map identifies countries for their involvement in spyware misuse, this is generally based on the assessment and examination of infected devices by experts, who will also refer to circumstantial evidence.

• Surveillance spyware is developed either by governmental entities or private companies. While governmental products are generally not for sale, a range of commercial companies are selling surveillance spyware to whoever can afford it – allegedly exclusively to vetted governments. However, NSO spyware for example has been used in notorious dictatorships such as Saudi Arabia who on their own would not be able to develop such spyware capabilities.
• The following commercial companies have sold surveillance spyware which has been misused by their client:

  NSO Group – Pegasus – Israel

  Intellexa / WiSpear / Cytrox – Predator – Greece / Cyprus / North Macedonia

  Memento Lab – RC S X – Italy

  FinFisher – FinSpy – Germany

  Candiru – Candiru -Israel

  Tykelab – Hermit – Italy

  DarkMatter- Project Raven- United Arab Emirates

  QuaDream- REIGN- Israel

  Mollitiam Industries- Invisible Man- Spain

  Paragon- Graphite- Israel

Here, we list some examples of surveillance spyware programmes which have been implicated in misuse, including the targeting of civil society actors. A more comprehensive list can be found in this study on p. 22:
open study.

• Pegasus

  (identified in 2016 and still in use)
  “Pegasus” is a widely used spyware developed by the Israeli company NSO Group. It infects mobile devices and can track their location, extract messages, footage and other documents as well as watch and listen in live-mode through camera and microphone. Infection of mobile phones is possible without any user interaction (‘zero-click’ infection).

• Candiru

  (identified in July 2021 and still in use)
  The Israel-based company Candiru Ltd. developed a spyware of the same name that can infect phones, computers and cloud accounts. It uses fake websites to infect devices. This spyware collects data from messenger applications and is also capable to track the browser history, to collect passwords and to monitor components such as a camera and microphone.

• Predator

  (identified in 2021 and still in use)
  Predator was developed by the North Macedonia-based company Cytrox which then sold the tool to the Cypriot company WiSpear. WiSpear sells Predator through the Greece-based “Intellexa Alliance”, a consortium of spyware vendors with corporate presence in several EU Member states. This spyware attacks mobile devices and is often installed via a link in a personalised e-mail or SMS sent to the targets (“trusted implant”).

• RCS / RCS X

  (earlier version identified in 2012, current version still in use)
  RCS X stands for Remote Control System that can infiltrate a device and extract data. The Italy-based company, Memento Lab, developed the spyware RCS of the no-longer existing company ‚Hacking Team‘ further into the current RCS X. RCS had been widely used by authoritarian regimes in the Middle East and North Africa to spy on and repress critical voices.

• “Hermit”

  (identified in 2022, still in use)
  “Hermit” is not the spyware’s official name, but was coined by the IT security firm who first spotted it. Hermit infects devices by first disabling a phone’s mobile data connectivity and then sending a fake message from the target’s telecom provider with a link to re-establish the connection. IT specialists traced this software back to the Italian company Tykelab, which is believed to act as front company to its Milan-based parent establishment, RCS Lab.

• FinSpy

  (identified in 2012, company bankrupt since 2022)
  This spyware was able to extract data from a device and turn it into a 24/7 surveillance tool. Its Germany-based developer firm FinFisher filed for bankruptcy in March 2022 following a criminal investigation. This investigation was initiated by a group of NGOs who discovered that FinFisher sold its spyware to the Turkish government without the authorisation of the German federal government, where it was used during a 2017 crackdown on journalists and oppositional voices.

• Cerebro (previous version: Eagle)

  (identified in 2007, still in use)
  Cerebro is a spyware that enables the surveillance of a victim’s entire internet traffic. It is developed and sold by the French company Nexa Technologies (formerly Amesys) which also forms part of the Intellexa consortium, a marketing label of mostly European spyware vendors to compete with NSO. There are two ongoing lawsuits against the company for having sold their services to Libya and Egypt over the last decade which led to the crushing of opposition, torture of dissidents, and other human rights abuses.

• REIGN

  (Identified in 2022 still in use, company reported to cease operations in April 2023)
  “QuaDream” is the Israeli developer of the REIGN spyware. The company was founded in 2016 by former employees of the Israeli Company NSO Group and uses the same hacking technique than Pegasus known as a “zero-click”. Reign exploited a vulnerability in the iOS calendar to infect Apple mobile devices. Once installed, the spyware offered features similar to Pegasus. The University of Toronto’s Citizen Lab and Microsoft Threat Intelligence published an analysis of spyware Reign in April 2023. This revelation led QuaDream to declare its ceasing of operations and put all its intellectual property for sale. As of April 2023, no information was published concerning the victims of QuaDream.

• Project Raven

  (Identified 2016, still in use)
  DarkMatter is a company based in the UAE founded presumably in late 2015. It developed the spyware software known as Project Raven. Once installed in the victims’ devices the spyware collects data including emails, photos, text messages, phone communication, location, and other private information.

• “Invisible Man”

  (Identified 2018, still in use)
  The so-called spyware “Invisible Man” and “Night Crawler” were developed by the Spain-based company Mollitiam Industries. This spyware is capable of remotely accessing files and a target’s location, secretly switching on a device’s camera and microphone, and recording anything typed on the keyboard.

• „First Mile“

  (still in use)
  The Cognyte Company has its headquarters in Israel – with offices in Germany, Bulgaria, Romania, Poland, Cyprus, US, Mexico, Brazil, India. It portfolio includes the spyware FirstMile