Pegasus is described as “probably the most powerful hacking tool” (see here). Pegasus' targets are smartphones. According to the EDPS, “it can secretly turn a mobile phone into a 24-hour surveillance device, as it gains complete access to all sensors and information of the phone. It can read, send or receive messages that are supposed to be end-to-end encrypted, download stored photos, and hear and record voice/video calls. It has full access to the phone’s camera, meaning that it might secretly use it to film you or your environment, or activate the microphone to record real world conversations […]. It also has full access to the geolocalisation module of the phone”. Some EU governments admitted to having bought Pegasus to spy on citizens, opposition politicians, journalists and/or lawyers.
The EDPS recalls that targeted surveillance (including interceptions of communications) is regulated among others by the Charter of Fundamental Rights and by European directives (ePrivacy directive, law enforcement directive) that have been interpreted by the Court of Justice of European Union (for example, see the joined cases C-511/18 and C-512/18, La Quadrature du Net and others). It states that the right to privacy may be restricted if national security is compromised, but only in cases of extreme necessity and if the restriction is proportionate to the threat.
In light of these principles, the EDPS analyses Pegasus, considered as a potential tool to pursue objectives of general interest, such as combatting terrorism and serious crime. The conclusion of the EDPS is clear: even in this context, the use of Pegasus must be banned. This type of surveillance technology might lead to unprecedented risks to the right to privacy and to an unprecedented level of intrusiveness.
This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.