Spain: European Union must act to end spyware abuse after prominent Catalans targeted with Pegasus

European Union institutions are failing to end the rampant human rights violations committed with spyware, Amnesty International said today, after the organization independently confirmed new attacks using Pegasus spyware against prominent Catalans.

New research by the Citizen Lab has revealed how scores of Catalan politicians, journalists and their families were targeted with NSO Group’s Pegasus spyware between 2015 and 2020. Technical experts from Amnesty International’s Security Lab have independently verified evidence of the attacks.

Confirmed targets include Elisenda Paluzie and Sònia Urpí Garcia, who work with the Assemblea Nacional Catalana, an organization that seeks the political independence of Catalonia from Spain. Elisenda Paluzie is the current president of the group.

Catalan journalist Meritxell Bonet’s phone was also hacked in June 2019. She was targeted in the final days of a Supreme Court case against her husband Jordi Cuixart, an activist and former president of Catalan association Òmnium Cultural, who was sentenced on a charge of “sedition”.

Politician, university professor and Catalan activist Jordi Sànchez was extensively and persistently targeted with Pegasus from as early as September 2015 until July 2020.  Between 2015 and 2017, he was president of the Assemblea Nacional Catalana. His phone was successfully compromised with Pegasus on 13 October 2017, days before his arrest by Spanish authorities on a charge of “sedition”.

In October 2020, Amnesty International Spain wrote to the Spanish government asking it to disclose information on all contracts with private digital surveillance companies which was not disclosed. Amnesty International Spain also later approached the Spanish Ministry of Defense, requesting information on Pegasus use from the National Intelligence Center. They responded stating that such information falls under classified subjects. NSO states that it only sells to governments and that its tools are meant to be used to combat serious organized crime and terrorism.

The Spanish government needs to come clean over whether or not it is a customer of NSO Group

Likhita Banerji, Amnesty International’s Technology and Human Rights Researcher.

“The Spanish government needs to come clean over whether or not it is a customer of NSO Group. It must also conduct a thorough, independent investigation into the use of Pegasus spyware against the Catalans identified in this investigation,” said Likhita Banerji, Amnesty International’s Technology and Human Rights Researcher.

Amnesty International’s Security Lab peer reviewed forensic evidence from a sample of individuals first identified in the Citizen Lab investigation, and found evidence of Pegasus targeting and infection in all cases.

European Parliamentary Committee of Inquiry first meeting

The revelations come as a European Parliamentary Committee of Inquiry is set to hold its first meeting on Tuesday (19 April) into breaches of EU law associated with the use of Pegasus and equivalent spyware – a direct result of the Pegasus Project revelations in July 2021. Last week, Reuters reported that senior EU figures had been targeted with NSO Group’s Pegasus.

“We urge the European Parliament Committee of Inquiry to leave no stone unturned when documenting the human rights violations enabled by unlawful spyware, including by investigating these new revelations,” said Likhita Banerji.

“Governments around the globe have not done enough to investigate or stop human rights violations caused by invasive spyware like Pegasus. The use, sale and transfer of this surveillance technology must be temporarily halted to prevent further abuses of human rights.”

Amnesty International, alongside other civil society organizations, has previously documented the widespread and unlawful use of spyware against activists, politicians and journalists around the globe, including as part of the Pegasus Project.

In Europe, activists, journalists and other members of civil society have been unlawfully targeted in Belgium, France, Greece, Hungary, Poland, Spain and the United Kingdom.  

NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place. NSO Group must immediately shut down clients’ systems where there is credible evidence of misuse of its tools.