Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?

  Austria

In Austria, the laws currently in force in this regard are very restrictive. For the time being, the use of spyware in the context of criminal and intelligence investigations is not permitted. It is unlikely that this situation will change in the near future following a decision of the Constitutional Court of December 2019 (see below). Investigation measures are regulated in detail in the Code of Criminal Procedure (Strafprozessordnung 1975). For instance, monitoring (surveillance) of messages (Section 134 lit. 3 in conjunction with Section 135 para. 3 of the Code of Criminal Procedure) means monitoring communication and information sent, transmitted or received by a natural person via a communication network or a Service of the Information Society. Monitoring messages thus concerns the content of messages (e.g. traditional telephone surveillance). It is permissible – under more closely defined conditions – in cases of suspected kidnapping; in the investigation of certain punishable acts committed with intent; in order to observe a criminal or terrorist association or a criminal organisation or in order to determine the whereabouts of a fugitive. However, this form of surveillance, which deals with non-encrypted messages, does not include the use of spyware. In 2018, a new Section 135a of the Code of Criminal Procedure was enacted, permitting the use of spyware to read encrypted messages. Section 135a and related provisions of the Code of Criminal Procedure (in particular the already mentioned Section 134 lit. 3a) should have entered into force only on 1 April 2020 in order to have sufficient time to procure the necessary software as well as to take the necessary technical and personal measures. However, eventually, on 11 December 2019 the Austrian Constitutional Court repealed these provisions even before their entry into force.
According to the Court, Section 135a and the corresponding provisions in the Code of Criminal Procedure violated several fundamental rights, above all the right to data protection (Section 1 of the Data Protection Act) and the right to respect for private life (Article 8 ECHR). Section 135a in conjunction with Section 134 para. 3a of the Code of Criminal Procedure provided (in specified cases and under certain conditions) for an authorisation to covertly monitor encrypted messages by installing spy software – a so-called "Federal Trojan" (Bundestrojaner) – on a computer system. Under certain circumstances, this could even include the power to intrude into and search apartments for the purpose of installing such a Trojan without the knowledge of the person concerned. In its decision, the Constitutional Court noted that surveillance within the meaning of Section 135a of the Code of Criminal Procedure had to be ordered by the public prosecutor's office on the basis of a court authorisation in accordance with Section 137 para. 1 leg.cit. Order, approval, authorisation and implementation of the measure were subject to review by the legal protection officer (Section 147 leg.cit.), who had to give his consent to certain measures and could lodge a complaint against the authorisation of the measure (para. of Section 147 leg.cit.). The Court held that covertly monitoring the use of computer systems constituted a serious interference with the right to privacy protected by Article 8 ECHR and was only permitted within extremely narrow limits in order to protect equally important legal interests. The "Federal Trojan" was a particularly intense form of surveillance measure, particularly because an overview of the data obtained by monitoring a computer system enabled conclusions to be drawn about individual users’ personal preferences and lifestyle, among others. 
Moreover, the Trojan affected a large number of people, including individuals who were not involved with the person who was subject to the surveillance. Section 135a of the Code of Criminal Procedure violated Article 8 ECHR because there was no guarantee that the surveillance measure would only take place if it was used to prosecute and solve sufficiently serious offences. Additionally, it was unconstitutional because the measure did not adequately secure the protection of the privacy of those affected by the Trojan. In view of the special features of the means used, effective independent supervision would be required both at the beginning of the measure and for the entire duration of the surveillance. The Constitutional Court pointed out that the legal protection officer could indeed inspect all documents relating to the investigative measure at any time and gain a personal impression of its implementation. However, there was no guarantee that after the ex-ante judicial approval of the measure, the legal protection officer would actually be able to effectively and independently monitor any ongoing covert surveillance. This would be particularly important here because the measure differed significantly from the surveillance measures previously envisaged in terms of its intensity of intervention. Finally, the authorisation to enter premises for the purpose of installing such a monitoring program without the knowledge of the person concerned violated the right to inviolability of the home, i.e. of private property. For all these reasons, the Constitutional Court annulled the contested provisions. Currently, not even the Austrian Directorate of State Security and Intelligence (Direktion für Staatsschutz und Nachrichtendienst – DSN), whose task is to protect against threats against constitutional institutions and their ability to act, is allowed to use spyware.
According to Section 8 of the Law on State Security and Intelligence (Staatsschutz- und Nachrichtendienst-Gesetz), they may acquire and analyse information on the basis of information from domestic authorities etc. They may, under certain conditions, collect and process personal data, for instance by accessing data which is publicly available on the internet; by means of observation and covert investigation; or by obtaining information about traffic data and location data (cf. Sections 10 and 11 of the Law on State Security and Intelligence). However, there is no provision that enables them to use spyware. A public debate on this subject takes place regularly; however, no new legal provisions in this context have been enacted so far due to a lack of political agreement. The Ministry of Interior would appreciate surveillance methods for messenger services such as WhatsApp in order to prevent terrorist attacks. This could include using spyware in order to hack a laptop or smartphone of a potential terrorist in case of (imminent) danger. A corresponding bill has already been drafted by the Ministry in the past. Furthermore, the events of recent days (i.e. the beginning of August 2024) regarding the planned terrorist attacks at the Taylor Swift concert in Vienna have raised once more the discussion whether the powers of the Directorate of State Security and Intelligence should be extended (in this context, Austria has received information from foreign intelligence services). However, as stated, no law has been enacted so far, and with a view to the upcoming parliamentary elections in autumn 2024 no initiative is to be expected before 2025. In any case, when drafting such new legal provisions, the decision of the Constitutional Court of 2019 has to be respected. There is no legal definition of the term "spyware"; its prohibition rather results from the fact that there is no explicit regulation/permission for it.
There would indeed have been a definition in the (repealed) Section 134 lit. 3a of the Code of Criminal Procedure. According to this definition, "monitoring of encrypted messages" would have meant the monitoring of encrypted messages and information sent, transmitted or received within the meaning of lit. 3 as well as the determination of related data within the meaning of Section 76a and Section 92 para. 3 lit. 4 and 4a Telecommunications Act by installing a program in a computer system (Section 74 para. 1 lit. 8 Criminal Code) without the knowledge of its owner or other authorised person in order to overcome encryption when sending, transmitting or receiving the messages and information.

  Belgium

The Belgian legislature has established as a general principle the prohibition of wiretapping, taking cognisance of, and recording private communications and private electronic communications during their transmission by means of any device. These prohibitions, which concern serious infringements of private life, are made criminal offences punishable by correctional fines and imprisonment under Articles 259bis and 314bis of the Code pénal (Criminal Code). However, the Belgian legislature has been led to regulate, on an exceptional basis, interference with the protection of private electronic communications in the face of certain threats. The aim was to allow, under certain conditions and within the framework of strict judicial review, the interception, taking cognisance of, exploration and recording, by technical means, of communications not accessible to the public or of data from a computer system or a part thereof, or the extension of a search in a computer system or a part thereof.

  Bosnia and Herzegovina

In Bosnia and Herzegovina, there is no special legal framework related to the use of espionage software.

  Bulgaria

In Bulgaria there is no specific framework for the use of spyware. While not separately and autonomously regulated, the use of spyware would be allowed under the notion of “special technical means/special investigative measures”.

  Canada

The Canadian legal framework does not use or define the term “spyware”. We interpret “spyware” to refer to software that is installed or deployed on an electronic device and which enables the covert collection of data from that device. In Canada, this investigative technique is more commonly referred to as an on-device investigative tool or implant.
Canada has signed onto the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware.
There is no explicit prohibition on the use of on-device investigative tools or implants in criminal or intelligence investigations. The Canadian legal framework provides for judicial authorizations to conduct targeted investigations through the use of these tools. The collection of personal information by government institutions must also comply with applicable privacy legislation, such as the Privacy Act.

  Croatia

In Croatia there is no explicit permission or prohibition related to the use of spyware. Indeed, Croatia does not have specific spyware laws, but spyware use is implied within broader surveillance regulations.

  Denmark

There are no constitutional provisions on the issue in question, and until 2002 there was also no specific legislation. In 2002, a specific provision was introduced as (now) Art. 791 b of the Administration of Justice Act. It concerns “reading of non-publicly available data in an information system by virtue of programs or other equipment (data reading)”. The provision concerns reading of information systems such as computers or similar devices, e.g. tablets and mobile phones etc. It provides for the police to install so-called “sniffing software” in computers etc. by which the police may obtain information about the user’s use of the device, including handling of documents and information seeking. This is presumably what the Venice Commission refers to as “spyware”.

  Estonia

Yes, in Estonia, use of spyware is allowed both in criminal proceedings as well as in intelligence investigations. It is not clearly mentioned in law, but the legislation regulates covert surveillance, covert collection of samples for comparison and conduct of initial investigations, covert examination and substitution of an object (Code of Criminal Procedure, § 126), covert examination of a postal item (§ 126) and secret interception of auditory or visual information (§ 126). For intelligence investigations, Security Authorities Act allows collection and processing of information without the knowledge of data subjects (§ 21) and restrictions on right to confidentiality of messages, including wire-tapping (§ 25). The law does not define spyware while regulating the use of it.

  Finland

In Finland, the legal framework allows for the use of spyware as a tool of targeted surveillance both in criminal investigations and in civilian and military intelligence investigations (see in more detail below). There is no explicit prohibition on the use of spyware, and the domestic legal framework does not define spyware. Instead, the legal framework employs the generic notion of “software” or “programme” (see e.g. Section 42 of the Coercive Measures Act; and Section 42 of the Act on Military Intelligence below).
The legal framework regulating the use of Pegasus and other equivalent spyware in the context of criminal investigations
The legal framework regulating the use of spyware in the context of criminal investigations is provided by Section 26 (Installation and removal of a device, process or program) of the Coercive Measures Act.
Section 26 – Installation and removal of a device, process or program
(1) A criminal investigation official has the right to install a device, procedure or program to be used in technical surveillance in the object, substance, property, premises or other place that is targeted, or into an information system, if the performance of the surveillance requires this. In so doing the criminal investigation official has the right, in order to install, take into use or remove a device, procedure or program, to enter covertly the premises or other place or information system referred to above and to bypass, uninstall or in another corresponding manner temporarily avert or hamper the protection on the objects or the information system. Separate provisions apply to search of a domicile.
(2) A device, procedure or program for technical surveillance may be installed in premises used as a permanent residence only if the court has granted a warrant for this on the request of an official with the power of arrest.
The legal framework regulating the use of Pegasus and other equivalent spyware in the context of civilian and military intelligence
Section 42 of the Act on Military Intelligence regulates the use of spyware in the context of military intelligence gathering as follows:
Section 42
Installation and removal of a device, process or software
A public official serving a military intelligence authority has the right to install a device, process or software used for telecommunications interception, collecting data other than through telecommunications interception, data traffic monitoring, on-site interception, technical observation, technical tracking or technical surveillance of a device in the object, substance, item of property, premises or other location or in the information system targeted by the action if the use of the said intelligence collection method necessitates this. To install, start using or remove a device, process or piece of software, a military intelligence authority official has in this case the right to secretly go to the said targets or information system and to circumvent, dismantle or in some other similar way temporarily bypass the protection of the target or information system or to impede it. The installation or removal of a device, process or piece of software may not be performed at premises used for permanent residence.
The Police Act has an identical provision on the use of spyware in the context of civilian intelligence.

  France

France’s legal framework does not address spyware directly. However, it specifically allows the collection of electronic communications, information or documents processed or stored by their electronic communications networks or services, including technical data relating to the identification of subscription or login to electronic communications services, the identification of all subscription or connection numbers of a designated person, the location of the terminal equipment used and a subscriber’s communications relating to the list of numbers called, and the duration and date of the communications (Code de la sécurité intérieure, Article L851-1).

  Germany

Germany has a rigorous framework for the use of “state trojans”, which are government hacking tools permitted under tightly controlled conditions. Since 2008, federal law has authorized state hacking by police in situations involving international terrorism and for preventing terror attacks. In 2008, the Federal Constitutional Court set important boundaries for IT surveillance, distinguishing between “online searches” (secret access to stored data) and “telecommunication surveillance” (tracking ongoing communication), with stricter limits on the former due to its intrusive nature (Decision BvR 370/07). In 2017, a new law expanded the use of state hacking to all law enforcement agencies for investigating 42 types of criminal offenses, such as submitting fraudulent asylum claims, tax evasion, and drug-related crimes. Finally, in July 2021, a law (Gesetz zur Anpassung des Verfassungsschutzrechts) came into force that grants all 19 German intelligence services (16 of the Länder and 3 federal ones) the right to use state trojans to read ongoing communication on computers or smartphones and even past communication data.

  Greece

There is no definition of spyware in Greek law. However, both the Constitution and criminal legislation refer to spyware, directly or indirectly, and provide for various prohibitions, as explained in the answers to the other questions of the present questionnaire.
There are two provisions in the Greek Constitution which are directly related to spyware:
(i) The first is Article 19, which reiterates the old-time guarantee of the secrecy of correspondence (dating from the 19th century) and provides as follows:
“1. Secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable. The guaranties under which the judicial authority shall not be bound by this secrecy for reasons of national security or for the purpose of investigating serious crimes shall be specified by law.
2. Matters relating to the constitution, the operation and functions of the independent authority ensuring the secrecy of paragraph 1 shall be specified by law.
3. Use of evidence acquired in violation of the present Article and Articles 9 [i.e. protection of home asylum and private life] and 9A [see hereunder] is prohibited”.
(ii) The second is Article 9A, which was adopted as an amendment to the Constitution in 2001, and provides:
“All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law. The protection of personal data is ensured by an independent authority, which is constituted and operates as specified by law”.

  Iceland

There is no explicit authorization for the use of spyware in criminal or intelligence investigations in Iceland. However, prosecutors and the police can obtain a court order to listen to or record phone calls during criminal investigations. Access to electronic communications data, however, does not always require a court order, as it can be granted with the user’s consent.
The legal framework consists of a joint reading of Chapter XIII of the Electronic Communications Act No. 70/2022 and Chapter XI of the Code of Criminal Procedure No. 88/2008.
In connection with proposed amendments to the Criminal Code (addressing the retrieval of profits, internet crimes etc., in line with international treaty obligations), the Ministry of Justice initiated a consultation process. This process anticipated amendments to provisions concerning the search and seizure of electronic data and the use of listening devices.

  Ireland

There is no Irish law specifically governing the use of spyware in criminal and intelligence investigations. The legal framework allows for the interception of communications and the use of surveillance in criminal and intelligence investigations but the use of spyware is not explicitly contemplated nor defined in Irish legislation.
The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 provides a basis for the interception of postal packets and telecommunications messages. The Criminal Justice (Surveillance) Act 2009 provides the legislative basis in Ireland for monitoring, observing, listening to or making a recording of a particular person or group of persons or their movements, activities and communications, or the monitoring or making a recording of places or things, by or with the assistance of surveillance devices, including a tracking device. These Acts include details of the purposes for which such powers are permitted to be exercised, by whom the powers are permitted to be exercised, and relevant safeguards and conditions, including prior authorisations, reporting, remedies, redress and other oversight.
In 2016, the Department of Justice and Equality announced plans to extend the interception regime to services offered directly via the internet. The 1993 Act is currently subject to review to ensure it is modernised, having regard to developments in technology.
Neither Act individually allows for the use of spyware. The 1993 Act permits interception alone, and the 2009 Act authorises the use of surveillance devices but does not give any power to interfere with computer systems and specifically excludes anything that would constitute an interception under the 1993 Act. If state spyware is deployed, it would have to be tailored to avoid capturing phone calls, text messages, and emails if they fall within the scope of the 1993 Act. There is no public information about whether state spyware has been deployed or whether An Garda Síochána (the Irish police force) has this power. However, the Department of Justice cited both Acts in response to a European Commission questionnaire that sought information from all Member States about the use of spyware by national authorities and the legal framework governing such use. In addition, the Minister for Justice mentioned both Acts in response to a parliamentary question concerning the use of spyware, indicating that if the state is using spyware, it is likely under the powers contained in these Acts.
Spyware is not explicitly prohibited in Irish law. Without some statutory basis, the use of spyware would most likely constitute the offence of accessing an information system without lawful authority contrary to section 2 of the Criminal Justice (Offences Relating to Information Systems) Act 2017. There is no offence in Irish law that criminalises the surveillance of ‘over-the-top’ communications.

  Italy

Italian law does not use the term referred to in the query, since it uses instead, in the Code of Criminal Procedure (hereinafter CCP), a broader notion such as that of “computer interceptor” (captatore informatico); see also, as to the secondary legislation of implementation, the Ministerial Decree of 6 October 2022, which defines the “electronic interceptor” (captatore elettronico) as «any disguised system, inoculated remotely, which, by eliminating the effects that prevent the knowledge of the communication or data, allows the interception of the audio-video contents and of the data exchanged or allows the interception of face-to-face conversations, and remotely collects the positions taken by the equipment in the territory» (Article 1 lett. m).
Recently, EU Regulation 2024/108 (Media Freedom Act) defines «intrusive surveillance software» as «any product with digital elements specially designed to exploit vulnerabilities in other products with digital elements that enables the covert surveillance of natural or legal persons by monitoring, extracting, collecting or analyzing data from such products or from the natural or legal persons using such products, including in an indiscriminate manner». The Italian Constitutional reference is Article 15, which reads: «The liberty and secrecy of correspondence and of every form of communication shall be inviolable. Limitations upon them may only be imposed by decision of the judiciary, for which the reason must be stated, in accordance with the guarantees laid down by law». Therefore, interception of communication is always under the authority of a judge, and a judicial authorisation is necessary for a communication interception to be ordered. For the members of Parliament, Article 68 of the Italian Constitution reads: «2) No members of Parliament shall, without the authorization of the Chamber to which they belong, be subjected to search warrants on their persons or in their homes, nor arrested or otherwise deprived of personal freedom, nor kept in a state of detention, save in the case of execution of an irrevocable sentence of conviction, unless they be caught in the act of committing an offence for which an order of arrest is mandatory. 3) A similar authorization shall be required in order to subject members of Parliament to any form of interception of their conversations or communications, and in order to seize their mail or correspondence».
It is necessary to make a distinction according to the different context at which spyware can theoretically be used:
A) in the course of criminal proceedings (post notitia criminis). It is important to note that, according to Article 335 CCP, the criminal proceedings start when the «Public Prosecutor enters immediately, in the dedicated register retained in his office, any notitia criminis he receives or acquires».
B) for preventive purposes ante delictum, in order to protect public security. In the Italian legal system, law enforcement authorities may carry out preventive investigation measures at a time prior to the formal start of the criminal proceedings. In this respect, preventive investigation measures also include “preventive interceptions” or “ante delictum interceptions” (intercettazioni preventive), the regulation of which is contained in Article 226 of the implementing provisions of the CCP. The aim of this measure is not to obtain evidence in the course of criminal proceedings, but to prevent crimes;
C) during intelligence operations carried out by the Italian Security Intelligence Services. These are interceptions of communications that can be carried out even in the absence of criminal proceedings, irrespective of the existence of a notitia criminis, and can be used for the purpose of protecting national security.
The regulation of interception varies in three different contexts.
A) The use of spyware in the course of criminal proceedings was expressly legitimised only since 2017, by Legislative Decree No. 216 of 29 December 2017, which amended the general rules on “traditional” interception of communications and conversations (Articles 266 et seq. CCP) by inserting an explicit reference to the possibility for the investigating authority to use the “captatore informatico” (this is the expression used in the Italian CCP when referring to spyware; Italian jurisprudence and scholars also often resort to the use of terms such as “trojan horse” and “agente intrusore”). Before the approval of Legislative Decree No. 216/2017, no legal provision legitimised the use of the trojan. However, in practice the spyware was still used to conduct criminal investigations prior to 2017. The first judgment of the Italian Supreme Court dealing with this issue was no. 16556/2009, but the most important decision is the Joint Chambers, 28 April 2016, no. 26889, in which judges legitimised, even in the absence of an ad hoc regulation, the use of the spyware exclusively to carry out interception of face-to-face conversations in proceedings only for organised crime offences, i.e. cases in which, pursuant to Article 13 of Legislative Decree no. 152/1991, interception is allowed everywhere, including in the home (protected by the Italian Constitution under Article 14). In this ruling, the trojan horse was defined as «a computer program [...] installed on a target device (computer, tablet, smartphone), usually remotely and surreptitiously, by sending it by e-mail, SMS or update application. The software is made up of two main modules: the first (server) is a small programme that infects the target device; the second (client) is the application that the virus uses to control the device». This is the only para-legal definition of spyware in the Italian criminal procedure system.
B) From a legal point of view, the regulation of ante delictum interception is contained in Article 226 of the implementing provisions of the CCP, entitled «Interception and preventive control of communications». This provision establishes that «The Minister of the Interior or, by delegation, the heads of the central services referred to in Article 12 of Decree-Law no. 152 of 13 May 1991, as amended by Law no. 203, as well as the Questore or the Provincial Commander of the Carabinieri and the Guardia di Finanza, shall apply to the Public Prosecutor for the main town of the district where the person to be monitored is located or, if this cannot be determined, of the district where the need for prevention has arisen, for authorisation to intercept communications or conversations, including by telematic means, as well as for the interception of face-to-face conversations, even if these take place in the places referred to in Article 614 of the Criminal Code, if this is necessary for the acquisition of information for the prevention of the offences referred to in Article 407, paragraph 2, letter a, no. 4 and 51, paragraph 3bis of the Code, as well as those referred to in Article 51, paragraph 3quater of the Code [i.e. particularly serious offences, such as mafia-type organised crime, serious drug offences or offences committed for terrorist purposes], committed through the use of information or telematic technologies. The Minister of the Interior may also delegate the Director of the Anti-Mafia Investigation Directorate, limited to the offences referred to in Article 51(3-bis) of the Code». The elements acquired through preventive activities cannot be used in criminal proceedings.
C) Article 4 of Decree-Law No. 144 of 27 July 2005, converted with amendments into Law No. 155 of 31 July 2005, and last amended by Law No. 197 of 29 December 2022, provides for the institution of “intelligence interception”. The provision establishes that «The President of the Council of Ministers may authorise the Directors of the Security Intelligence Services referred to in Article 2, paragraph 2, of Law No. 124 of 3 August 2007 to request authorisation for the interception of communications or conversations, including by telematic means, as well as for the interception of communications or conversations held in the places referred to in article 614 of the Penal Code, if this is deemed necessary for the performance of the tasks entrusted to them by articles 6 and 7 of law no. 124 of 3 August 2007». The authorisation «shall be requested to the Public Prosecutor’s Office at the Court of Appeal in Rome, that shall grant the authorisation if the conditions laid down in Article 4-bis are fulfilled».

  Korea

Our legal framework currently lacks legislation that explicitly allows the use of spyware by investigative or intelligence agencies for criminal investigation purposes or national security purposes. Also, there is no legislation that explicitly prohibits its use. At present, Korean laws do not provide a definition of spyware. While some advocate for regulations dedicated to spyware, clearly defining what constitutes spyware and establishing conditions for its use, progress toward such regulations remains slow.

  Kosovo

Kosovo’s legal framework contains no express reference to the employment of spyware as a method or tool of targeted surveillance. Accordingly, it is also silent when it comes to its definition. Neither the Criminal Procedure Code nor any other relevant piece of legislation, including the Law on Cyber Security, presently contains a definition of spyware. This being the case, the present legal framework contains no explicit prohibition on the use of spyware as such.
None of the relevant legal instruments, such as the Law on Cyber Security or the Criminal Procedure Code, is by any means an old piece of legislation. The Law was adopted in 2023, whereas the Code in force was adopted in 2022. Other relevant pieces of legislation are likewise relatively recent. In this context, the lack of detailed provisions on the more modern means of technology is somewhat surprising. This is however not to say that the present framework is insufficient or incapable of addressing problems of substance or procedure when it comes to dealing with situations resulting from the use of spyware. A whole set of provisions and procedures is in place in relation to computer and related systems.
A number of more specific pieces of legislation deal with aspects of content and procedure that are linked to surveillance. Such are the Law on Interception of Electronic Communications of 2015, the Law on the Kosovo Intelligence Agency of 2008, and the Law on State Border Control and Surveillance of 2012.
The only instrument that contains a rather technical reference to spyware is a strategic document of the government rather than a legal instrument. This is the National Cyber Security Strategy 2023-2027, which also does not define spyware; however, it includes it as part of its descriptive definition relating to "malicious software or malware". More specifically, malicious software or malware is conceived in the following terms:
"Means malicious software designed to infiltrate or damage a computer system without the owner’s consent. Common forms of Malware include computer viruses, worms, Trojans, Spyware, adware, etc."
This is the only explicit reference to spyware to be found in any institutional document.

  Kyrgyzstan

Legal regulation of the use of technical means of communication for the covert receipt of information in the Kyrgyz Republic is provided by the Criminal Procedure Code of the Kyrgyz Republic dated October 28, 2021 No. 129, the Law of the Kyrgyz Republic dated October 16, 1998 No. 131 "On operational-search activities", and the Law of the Kyrgyz Republic dated July 5, 2022 No. 57 "On the national security agencies of the Kyrgyz Republic".
According to the legislation of the Kyrgyz Republic, targeted surveillance is directly related to the implementation of operational-search activities. Operational-search activities are a type of activity carried out, openly or secretly, by state bodies authorized to do so by law within the limits of their competence by conducting operational-search measures in order to protect the life, health, rights and freedoms of a person and citizen, property, and ensure the security of society and the state from criminal attacks.
From Article 2 of the Law of the Kyrgyz Republic of October 16, 1998 No. 131 "On operational-search activities" it follows that special technical means are devices, equipment and apparatus that have special functions, software and design features for obtaining and documenting information during operational-search activities, including in communication networks (channels). The list of such technical means is set out in the Resolution of the Government of the Kyrgyz Republic of August 7, 2014 No. 451 "On approval of the List of types of special technical means intended for covert receipt of information in the process of operational-search activities."
The legislation of the Kyrgyz Republic permits the use of special technical means for the purposes of criminal proceedings, operational-search activities and ensuring national security exclusively by the bodies specified in the law "On operational-search activities". Individuals and legal entities not authorised to do so are prohibited from using special technical means.

  Liechtenstein

There is no explicit prohibition on the use of spyware. The penal procedural law (Strafprozessordnung = StPO) in force allows, under certain circumstances, surveillance of electronic communication (§§ 103 and 104 StPO) and obliges communication providers to retain data (§ 102a StPO). However, none of these rules permits the use of spyware.

  Lithuania

In Lithuania, two legal acts are relevant in responding to the questions, i.e., the Law on Criminal Intelligence and the Code of Criminal Procedure. These legal acts form the legal framework governing the use of spyware in Lithuania.
Specifically, paragraphs 20, 21, and 22 of Article 2, Article 10, and Article 15 of the Law on Criminal Intelligence regulate the use of technical equipment, including spyware, during criminal intelligence investigations. Additionally, Articles 154, 160, 161 and 162 of the Code of Criminal Procedure are important for the use of technical equipment during criminal investigations.
These laws do not explicitly define “spyware.” However, the Law on Criminal Intelligence provides two relevant definitions. First, “surveillance” is described as a method of gathering criminal intelligence information by extracting, identifying, and/or tracking an object (see Article 2(17)). Second, the “use of technical means” is defined as the installation and use of technical means, along with other lawful acts related thereto (see Article 2(20)).

  Luxembourg

The legal framework permits the use of spyware in cases of serious criminal offenses or national security threats.

  Malta

Spyware use is not specifically regulated; consequently, it would fall under general targeted surveillance measures. Indeed, Malta’s existing laws on surveillance appear fragmented and do not address the use of advanced spyware tools. The legal provisions primarily focus on traditional surveillance methods.

  Moldova

Targeted surveillance has its legal basis in Section 5 of the Criminal Proceedings Code (Measures of secret surveillance) and in Law no. 59/2012 on the special investigation activity, which regulates bodies with investigative authority and secret measures of surveillance. This legal framework has recently been substantially modified by Law no. 286 of 5 October 2023, for the modification of several normative acts (regarding the special investigative activity), and all the amendments entered into force on 1 January 2024. One of the main changes of the Law is that special investigative activity may be initiated outside of a criminal investigation. Consequently, Section 5 of the Criminal Proceedings Code (Measures of secret surveillance) applies in criminal investigations and Law no. 59/2012 on the special investigation activity applies in intelligence investigations.
Both the Criminal Procedure Code and Law no. 59/2012 on the special investigation activity provide that, in the process of carrying out special investigative measures, use shall be made of information systems and data banks, photo, audio and video recording devices and other technical means, including special technical means for secretly obtaining information (see Article 134 para. (3) of the Criminal Procedure Code and Article 27 para. (5) of Law no. 59/2012).
Law nr. 245 of 17 November 2008 on state secrets specifically defines technical means intended for the covert obtaining of information as technical and/or program means designed, modified or programmed to capture, obtain, intercept, collect, listen to, record and transmit information signals of a sonic, visual, electromagnetic or other nature, including from electronic communication networks, for the purpose of obtaining covert access to foreign information. The classification of special technical means intended for the covert obtaining of information is provided by Government Decision nr. 100 of 9 February 2009. Only the authorities empowered by law to carry out operative investigative activity, and legal entities based in the Republic of Moldova that hold an activity licence in the relevant field, may import, export, design, produce and sell special technical means.
Accordingly, the Moldovan legal framework does not expressly define spyware, but its meaning as malicious software that enters a user's computer, gathers data from the device and user, and sends it to third parties without their consent may be found within the definition of technical means intended for the covert obtaining of information.

  Monaco

As Monegasque law currently stands, a number of criminal provisions may be relied upon:
Article 389-5 of the Criminal Code, as enacted by Law no. 1.435 of 8 November 2016 on the fight against technological crime, provides: « Anyone who fraudulently intercepts, by technical means, computer data during non-public transmissions to, from or within an information system, including electromagnetic emissions from an information system carrying such computer data, shall be punished by three years’ imprisonment and the fine provided for in number 4 of Article 26. »
The explanatory memorandum to the above-mentioned Law no. 1.435 of 8 November 2016 states « that, as regards more specifically the fraudulent interception of computer data, it is provided for by the proposed Article 389-5, which makes it possible to protect the right to respect for data transmitted by and within the information system, in particular via electronic messaging. On the basis of these provisions, unlawful wiretapping, as well as other unlawful technical means of monitoring content carried by the systems, may thus be punished ».
Thus, Article 389-5 of the Criminal Code protects all data transmitted by electronic messaging and, correspondingly, punishes any infringements of it. Its stated purpose is also to bring all unlawful wiretapping and/or surveillance within the scope of criminal law. This mechanism therefore makes it possible to address, where these acts are committed by electronic means, on the one hand the opening, suppression, delaying or diversion of correspondence and, on the other hand, the capture or recording of words spoken « in private » or in confidence.
Furthermore, Article 389-6 of the Criminal Code provides: « Shall be punished by the penalties provided respectively for the offence itself or for the most severely punished offence, the act of fraudulently producing, importing, possessing, offering, transferring, distributing, obtaining with a view to use, or making available:
1) equipment, a device, including a computer program, or any data primarily designed or adapted to enable the commission of one or more of the offences provided for in Articles 389-1 to 389-5;
2) a password, an access code or similar computer data enabling access to all or part of an information system in order to commit one of the offences provided for in Articles 389-1 to 389-5.
This Article does not apply where the production, importation, possession, offering, transfer, distribution or making available is not intended to commit one of the offences referred to in Articles 389-1 to 389-5, as in the case of authorised testing, research or the protection of an information system ».
It follows therefore that, by the combined application of Articles 389-5 and 389-6 of the Criminal Code, Monegasque criminal law makes it possible to punish, with three years’ imprisonment and a fine of between 18,000 and 90,000 euros, the manufacture, importation, possession, display, offering, hiring or sale of devices or technical apparatus capable of enabling, on the one hand, the opening, suppression, delaying or diversion of correspondence (where these acts are committed by electronic means) and, on the other hand, the capture or recording of words spoken « in private » or in confidence.
It also follows that positive law treats in the same way the act of advertising such a device, and likewise punishes this conduct with three years’ imprisonment and a fine of between 18,000 and 90,000 euros.
Furthermore, as stated above, Article 9 of Law no. 1.430 of 13 July 2016 provides that « Interceptions of correspondence sent by means of electronic communications other than those carried out at the request of the judicial authority and under its supervision are prohibited, on pain of one to five years’ imprisonment and the fine provided for in number 4 of Article 26 of the Criminal Code. »
These provisions apply without prejudice to the ordinary rules on complicity, resulting from Articles 41 and 42 of the Criminal Code:
« Article 41. Accomplices to a crime or misdemeanour shall be punished with the same penalty as the perpetrators of that crime or misdemeanour, except where the law provides otherwise.
« Article 42. Shall be punished as accomplices to an act qualified as a crime or misdemeanour: those who, by gifts, promises, threats, abuse of authority or power, culpable machinations or artifices, have instigated that act or given instructions to commit it or to facilitate its execution; those who have procured weapons, instruments or any other means that served in the act, knowing that they were to be so used; those who have knowingly aided or assisted the perpetrator or perpetrators of the act in the deeds that prepared or facilitated it, or in those that completed it, without prejudice to the penalties specially laid down by this Code against the authors of plots or provocations against the internal or external security of the State, even where the crime intended by the conspirators or provocateurs has not been committed ».
It thus follows, by the combined application of Article 9 of the above-mentioned Law no. 1.430 of 13 July 2016 and Articles 41 and 42 of the Criminal Code, that those who have procured instruments or any other means intended to carry out unauthorised interceptions of correspondence sent by means of electronic communications could be punished with one to five years’ imprisonment and a fine of between 18,000 and 90,000 euros, subject to the following two conditions: that this provision of means was actually followed by the commission of an offence, and that the offence was not committed by the person who provided the means (namely, the accomplice).
As regards the capture or recording of words spoken « in private » or in confidence: in the field of the punishment of infringements of private and family life, Article 308-2 of the Criminal Code provides:
« Shall be punished by six months’ to three years’ imprisonment and the fine provided for in number 4 of Article 26, the maximum of which may be doubled, anyone who has knowingly infringed or attempted to infringe the right to respect for the private and family life of a living or deceased person, referred to in Article 22 of the Civil Code, by engaging, without that person’s consent, in any of the following acts:
1) listening to, recording or transmitting, by any means whatsoever, words spoken by the person in a private place;
2) capturing or transmitting the person’s image while he or she is in a private place.
Consent shall however be presumed where these acts have been carried out at a meeting, in the sight and with the knowledge of the person concerned.
The confiscation of the equipment used and of the documents or recordings obtained shall be ordered ».

  Morocco

Moroccan legislation provides for neither an authorisation nor a prohibition of the use of spyware in the context of targeted surveillance or of criminal or intelligence investigations. The Code of Criminal Procedure makes no mention of spyware.

  North Macedonia

The legal framework of the Republic of North Macedonia does not specifically mention "spyware." However, the term would generally be understood in the context of tools used to monitor, intercept, or collect information from electronic devices without the knowledge or consent of the user. The use of spyware, as a tool for targeted surveillance in criminal or intelligence investigations, is regulated under the broader legal framework governing surveillance and interception of communications: the Law on Communications Surveillance (Official Gazette of the Republic of Macedonia, No. 71/2018, 08/2019 and Official Gazette of the Republic of North Macedonia No. 154/23) and the Law on Criminal Procedure (Official Gazette of the Republic of Macedonia No. 150/2010).
The Law on Communications Surveillance is the primary legal instrument that governs the interception of communications in North Macedonia. The law allows for surveillance in criminal investigations and intelligence activities under strict judicial oversight. However, it does not specifically mention "spyware."
The Law on Criminal Procedure outlines the procedures and conditions under which surveillance, including electronic surveillance, can be carried out in criminal investigations. It requires a court order for such activities and defines the scope and limits of surveillance measures.
Also, there is no explicit prohibition on the legal use of spyware, but its use would be tightly controlled under the legal framework for interception of communications. Unauthorized use of spyware, or use beyond the legal limits, would be illegal and subject to criminal penalties.

  Netherlands

Law enforcement authorities:
Yes. In the execution of the special investigative power in Article 126nba of the Dutch Code of Criminal Procedure, which allows for the penetration of computer systems used by suspects, law enforcement authorities may utilise a ‘technical device’. This interpretation is clarified in the explanatory report of the Computer Crime Act III (Parliamentary Series II 2015-2016, 34372, no. 3, p. 10). ‘Technical devices’ are further defined and regulated in other legislation, most notably in the Regulation of Technical Devices in Criminal Procedural Law (published on 11 July 2018).
Intelligence and security services:
Yes. Intelligence and security services are authorised to ‘penetrate computer systems’ using ‘technical devices’ under Article 45 of the Dutch Act on Security and Intelligence Services. This authority includes the use of technical devices to ‘decrypt data stored or processed in automated systems’ and to ‘take over data stored or processed in automated systems’ (Article 45(b)(d)). The explanatory report of the Act on Security and Intelligence Services explicitly states that this may involve the installation of software on devices such as laptops and smartphones (Parliamentary Series II 2016-2017, 34588, no. 3, p. 79). The term ‘technical devices’ for intelligence and security services is not further defined in other laws.

  Norway

There is no explicit prohibition either for the Police or the Intelligence Service.
In criminal investigation, by either the Police Security Service or the “ordinary” police, the use of spyware as a tool of targeted surveillance would fall under the scope of “communication control” (kommunikasjonskontroll) in Chapter 16 of the 1981 Criminal Procedure Act. There are two provisions in this chapter that would allow the use of spyware installed on the recipient’s phone or computer.
In 2016, two provisions were added that appear to specifically allow for targeted surveillance by use of spyware. Article 216 o allows for “reading of data” (dataavlesing), which in the text is defined as “reading of non-public information in a data system”. In the preparatory works, data system is defined as “any device, consisting of hardware and software, which processes data using computer programs, see section 14.8.7. For example, computers, tablets and smartphones are included. The method gives the police the opportunity to monitor the continuous use of the computer system, and to extract information that is stored or generated in the system” (Prop. 68 L (2015-2016)).
Article 216 p, which provides the procedure for “reading of data”, explicitly allows for the use of software to be installed remotely on the target’s device and to breach security barriers on the device. The provision reads, in English (Google translate) translation:
“Data reading according to § 216 o can only be carried out by personnel who are particularly suitable for it and who are appointed by the chief of police, chief PST [Eirik Holmøyvik: Police Security Service] or the person authorized. The reading can be carried out using technical devices, computer programs or in another way. Section 199 a applies accordingly. The police can break or bypass protection in the computer system if it is necessary to carry out the reading. Technical devices and computer programs can be installed in the computer system and in other hardware that can be linked to the computer system. When the court does not decide otherwise, the police can also break in to place or remove technical devices or computer programs that are necessary to carry out the data reading.
The data reading must be arranged so that no information is unnecessarily captured about the use of the computer system by anyone other than the suspect. The reading must be carried out in such a way that there is no unnecessary risk of operational disruption or damage to equipment or data. The police shall, as far as possible, prevent the risk that, as a result of the implementation, someone is enabled to gain unauthorized access to the computer system or protected information or to commit other criminal acts.”
The preparatory works say in their comment to Article 216 p that the police will have a wide discretion in the choice of approach and tools to do the data reading, and they explicitly mention “computer program” as a possible tool.
For context:
It is also possible that the use of some types of spyware could fall under the scope of Article 216 a, which allows for “tap of communications”/“monitoring of communications”/“interception of communications” (translation from the Norwegian: kommunikasjonsavlytting). The concept is defined in section 3 of article 216 a, which in English (Google translate) translation reads:
“Communication interception can consist of intercepting calls or other communications to and from certain telephones, computers or other facilities for electronic communication that the suspect possesses or can be assumed to want to use. Communications interception is also considered identification of communications facilities using technical equipment, cf. section 216 b second paragraph letter c, which occurs by intercepting conversations or other communications.”
Typically for Norwegian legislation, the provision is neutral as to technology, which applies both to the method of intercepting and to the medium of communication. Yet the wording is not clear as to whether Article 216 a would allow for software to be installed remotely on the device of the person under surveillance. Given that there is a more specific provision on data reading, it can be assumed that the use of most spyware would require a permit for data reading according to Article 216.
For the Intelligence Service, the basic criteria for targeted surveillance are found in Article 5-2 of the 2020 Intelligence Service Act. See the link above to English translation.
As for targeted surveillance using spyware, there is no explicit regulation. Chapter 6 of the law regulates the methods for information collection (open sources, human intelligence, systematic observation, technical tracking, searches etc., bugging and imagery surveillance, other technical collection, mid-point collection, end-point collection).
The preparatory works mention that remote searches or scans of mobile phones and computers are regulated by Article 6-9 on mid-point collection (midtpunktinnhenting) or Article 6-10 on end-point collection (endepunktinnhenting). What distinguishes mid-point from end-point collection is that the former is a passive method that collects information in transit and does not require the breaching of security barriers, while the latter is an active method that may require the breaching of security barriers to collect information. It can be assumed that Article 6-10 on end-point collection would allow the Intelligence Service to use spyware to do targeted surveillance. The preparatory works stress that the provisions are technology neutral. Here is a translation of a relevant paragraph in the preparatory works (Prop. 80 L (2019-2020), p. 211) that defines end-point collection:
“In contrast to mid-point collection according to § 6-9, end-point collection is not aimed at information that is in transit, but at information that is available from the end point itself. It could, for example, be a saved message. A typical end point is a computer or a mobile phone, but the provision has been designed in a technology-neutral way, so that it is irrelevant which technology is used.”

  Poland

Polish law does not explicitly regulate the use of spyware as a tool for targeted surveillance in criminal or intelligence investigations and does not provide a precise definition of "spyware" within its legal codes. The use of surveillance tools, including spyware, falls under the broader scope of “operational activities” regulated by laws such as the Code of Criminal Procedure (Kodeks Postępowania Karnego - KPK), the Police Act (Ustawa o Policji) and the Act on the Internal Security Agency and the Intelligence Agency (ustawa o ABW i AW). These laws outline the permissible activities for gathering evidence and intelligence, including electronic surveillance. Various other laws, including the Act on Counteracting Terrorism and regulations governing the Police, provide a legal basis for surveillance activities, although they do not explicitly mention spyware.
In Polish law, there is no clear prohibition on the use of spyware. The development of electronic communication presents new challenges for law enforcement authorities, related to the need to conduct operational activities in the virtual world.

  Portugal

In the Portuguese legal system there is no rule that clearly allows, or from which one can directly deduce, or that directly prohibits, the use of some form of malware in surveillance and in the collection of evidence in criminal investigations (the issue relating to intelligence actions is outside this analysis, which is limited to the scope of criminal procedure).
The issues have been debated following the possibilities opened up by the Cybercrime Law, which generally expanded the field of intervention of invasive measures in the collection of evidence, in response to new and more sophisticated means used by criminal agents.
The formulations of the law, in the combined reading of the procedural norms of the Code of Procedure and the Cybercrime Law, however, leave it to the application and robust intervention of magistrates to assess and implement, in each case, the procedural criteria and guarantees: the application in the digital environment of the rules on intervention in communications; the model of covert actions; the requirement of necessity and proportionality; the determination of the terms of use of a given means; strict control in the authorisation of the means; the consideration of circumstances; the duration of the measures; and the continuous control of the results.

  Romania

No, there is no specific legislation concerning spyware.

  San Marino

The San Marino legal system regulates the investigative instrument of interceptions by means of Law no. 98 of 21 July 2009 (“Law on Interceptions”), followed by Delegated Decree no. 178 of 29 December 2009 on the confidential archive referred to in Article 13, paragraph 2 of the same Law and by Regulation no. 4 of 10 June 2014 on the technical procedures for carrying out interceptions. In addition to regulating application and legitimacy conditions, these provisions also envisage a specific procedure for the adoption of the interception measure in criminal proceedings, which is entrusted to the Investigating Judge and the Judge responsible for Interceptions, as well as several moments of cross-examination to ensure the usual acquisition of evidence in the proceedings. The key moments of the taking and preservation of evidence, as well as of its use, are also regulated.
However, the legislation does not provide for an explicit definition of Spyware (understood as software capable of remotely hacking an electronic device to capture its communications and contents). Indeed, Law no. 98 identifies the instrument of interception in a broad and general sense, including in this definition all “interceptions of communications that may be related to the suspected person by means of secret listening”, carried out with the aid of appropriate tools. It follows that the legal framework also applies to spyware to the extent that it is compatible.
It should be pointed out that, in practice, the number of investigations carried out by the Court of the Republic of San Marino is limited, also due to the small size of its territory and population (typical of a Microstate). Interceptions of communications have been carried out only in a few cases, while spyware has never been used.
Moreover, again due to the small size of the Republic of San Marino, the investigative measure in question, if it is intended to intercept foreign telephone users (which is almost always the case), can be implemented by the Judge of the Court of San Marino only following a specific judicial request (“Outgoing Rogatory Letters”) addressed to the Judicial Authority of the country of reference, which slows down the investigative procedures.

  Serbia

The Serbian legal framework does not explicitly mention “spyware” as a term, so there is neither an explicit allowance nor an explicit prohibition on the use of “spyware”. Consequently, there is no specific legal definition of “spyware” in the current legal framework of the Republic of Serbia.

  Slovakia

There is no legal definition of spyware and no explicit prohibition on its use. The Slovak legislation uses a general term “information-technical devices”, which includes the classic surveillance methods and could also be understood to include spyware. See the answer to Q2 for more details.

  Spain

There is no specific regulation on the use of any spyware (including Pegasus) by intelligence services. Regarding criminal investigations, the Criminal Procedure Law was amended by Organic Law 13/2015 “for the strengthening of procedural safeguards and the regulation of technological research measures” (a translation of the relevant parts of this law is annexed to this report).
Among the technological research measures are included remote searches on IT equipment. This subject is regulated under general/common principles related to the interception of communications in new technologies (Chapter IV, Title VIII) and under a specific regulation on remote searches on IT equipment (Chapter IX, Title VIII).
There is no specific legal definition of spyware, however, Art 588,septies.a of the law states: “The competent judge may authorise the use of identification data and codes, as well as the installation of software, which allow, remotely and telematically, the remote examination, without the knowledge of the owner or user, of the content of a computer, electronic device, computer system, computer mass data storage instrument or database.” The underlined text in italics could be understood as the legal definition of spyware for criminal investigations in Spain.

  Sweden

Yes. The possibility for the police and security police to use spyware was introduced by the Act (2020:62) on Secret Reading of Data (Lagen om hemlig dataavläsning, hereinafter “the Act”). For domestic purposes, secret data reading means (Act section 1) that “information, which is intended for automated processing, is secretly and with technical means, read from or recorded in a readable information system”. “Readable information system” in turn means “an electronic communication device or a user account for, or a correspondingly delimited part of, a communication service, storage service or similar service”. Thus, it covers both physical equipment, such as a mobile phone or a computer, and a user account for, or a correspondingly delimited part of, a communication service, storage service or similar service.

  Switzerland

There is no explicit prohibition on the use of spyware. At the federal level, there are three authorities provided with an explicit legal basis for the use of spyware:
− The Federal Office of Police (fedpol), based on the Swiss Criminal Procedure Code (CPC), as from 1 March 2018;
− the Federal Intelligence Service (FIS), based on the Swiss Federal Law on the Intelligence Service (Intelligence Service Act, IntelSA), as from 1 September 2017;
− the Swiss Army, based on the Swiss Federal Army Law, as from 1 January 2018.
In theory, spyware may also be used at the level of the 26 Swiss cantons, as the preventive protection of public safety and order is the responsibility of the cantons. The cantons have laid down rules on preventive covert surveillance in their police laws. In theory, the use of spyware is also conceivable in this context; based on available information, however, there is no evidence that the cantons use this tool.
There is no legal definition of spyware. The authorities generally use the term “Government Software”, or “GovWare”, inter alia in the government’s explanatory report on the amendments to the Swiss Criminal Code.
The Swiss Criminal Procedure Code (CPC) sets out the rules governing secret surveillance measures in Chapter 8, Section 1. This chapter is entitled “Covert surveillance measures” and Section 1 deals with the surveillance of correspondence by post and telecommunications.
− Article 269 sets out the general requirements for such measures, namely a list of crimes that may prompt the use of secret surveillance.
− Article 269bis addresses the use of special technical devices for the surveillance of telecommunications, including the monitoring of conversations, the identification of individuals or property, and the determination of their location.
− Article 269ter addresses the use of special software for the surveillance of telecommunications.
− Article 269quater sets out the requirements applicable to special software for the surveillance of telecommunications.
Article 269ter paragraph (1) CPC, which entered into force on 1 March 2018, allows for the introduction of special software into a data processing system to intercept and recover the content of communications and telecommunications metadata in unencrypted form. The original French version, rendered here in English, reads as follows:
1 The public prosecutor may order the introduction of special computer programs for the surveillance of telecommunications correspondence into a data processing system for the purpose of intercepting and transferring the content of communications and secondary telecommunications data in unencrypted form, subject to the following conditions (…).
The Code, in the original French language, is available here: https://www.fedlex.admin.ch/eli/cc/2010/267/fr; an unofficial English translation is available here: https://www.fedlex.admin.ch/eli/cc/2010/267/de.
This is the explanatory report of the Swiss government on behalf of the Swiss parliament (in original French language): https://www.fedlex.admin.ch/eli/fga/2013/512/fr. The relevant - and very detailed - explanation on Article 269ter CPC can be found on p. 2466 and following.
The Swiss Intelligence Service Act allows the Federal Intelligence Service (FIS) to use special computer programs as a search measure, subject to authorisation, in the event of a specific threat (see Article 26, paragraph 1, IntelSA). Such measures may be taken for the protection of Switzerland's internal or external security, including the prevention of terrorist activities or espionage, or for the protection of other important national interests (see in particular Article 27 and Article 19 paragraph 2 (a-d), or Art. 3 IntelSA). The Act authorises intrusion into computer systems and computer networks to obtain information held in or transmitted by them, and to disrupt, prevent or delay access to information, if the computer systems and computer networks are being used to attack critical infrastructure (Article 26 paragraph 1 (d)). The original French version of the provision, rendered here in English, is as follows:
The following measures are subject to authorisation:
d) infiltration into computer systems and networks for the following purposes:
1. to search for the information they contain or that has been transmitted from those systems,
2. to disrupt, prevent or slow down access to information, provided that those computer systems and networks are being used in attacks against critical infrastructure.
The official French version of the IntelSA is available at https://www.fedlex.admin.ch/eli/cc/2017/494/fr; for the unofficial English version see https://www.fedlex.admin.ch/eli/cc/2017/494/en.
This is the explanatory report of the Swiss government on behalf of parliament: https://www.fedlex.admin.ch/filestore/fedlex.data.admin.ch/eli/fga/2014/407/fr/pdf-a/fedlex-data-admin-ch-eli-fga-2014-407-fr-pdf-a.pdf, in the official French version.
The federal Army Law authorises the armed forces to penetrate computer systems and networks used for attacks on military information systems and IT networks. This is done in order to disrupt, prevent or slow down access to information. Article 100, paragraph 1(c) of the law, in its official French version (rendered here in English), states the following:
Art. 100 Military security
1 The bodies responsible for military security perform the following tasks:
c. they take the necessary measures when the army's computer systems and networks are attacked; they may penetrate the computer systems and networks used to carry out such cyberattacks in order to disrupt, prevent or slow down access to information; the Federal Council decides on the implementation of these measures, except in the case of active service;
The original French version of the law is available at https://www.fedlex.admin.ch/eli/cc/1995/4093_4093_4093/fr; there is no English version available.

  Ukraine

The legislation of Ukraine in the field of criminal investigations or intelligence investigations does not single out spyware as a tool of targeted surveillance or as a means of collecting information.

  United Kingdom

In the United Kingdom the use of spyware is regulated by the Investigatory Powers Act 2016 (IPA) (see in particular Section 5 on Equipment interference) and the Regulation of Investigatory Powers Act (“RIPA”) 2000 - and so has full parliamentary authority and is accessible and provided by law. Other relevant legislation includes the Human Rights Act 1998 (giving force to the ECHR in the domestic legal system) and the Intelligence Service Act.

  United States of America

U.S. law governs and constrains the use of surveillance technologies, including technologies that might be defined as spyware, in criminal and intelligence investigations. The Fourth Amendment of the U.S. Constitution, statutory obligations, regulatory measures, and jurisprudence developed by U.S. courts together create a web of constraints, even if there is no specific prohibition of the domestic use of spyware qua spyware in U.S. law. In recent years, some states and local entities have taken action to further constrain certain intrusive surveillance technologies, but this response and its Annex generally focus on federal law and policy.
A. Definition of Spyware
U.S. law provides a definition of spyware in the context of “foreign commercial spyware.” 50 U.S. Code § 3232a (“Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware”) defines “spyware” as:
“. . . a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—
(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;
(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;
(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;
(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or
(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.”
A 2023 Executive Order concerning spyware, described in the previous informal response and further below, provides a similar definition for “commercial spyware”:
“The term ‘commercial spyware’ means any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to:
(i) access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet;
(ii) record the computer’s audio calls or video calls or use the computer to record audio or video; or
(iii) track the location of the computer.”
B. Legal Framework in Criminal Context
As noted in the 8 March response, the Fourth Amendment to the United States Constitution provides the foundation for the U.S. legal framework governing surveillance in the criminal justice system, which would include spyware. The Fourth Amendment provides:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The protections against unreasonable searches and seizures apply in the digital context, even if the extent to which the Fourth Amendment applies or may apply to specific uses of spyware and other surveillance technologies remains subject to further judicial evaluation. Even so, general principles of Fourth Amendment law suggest such technologies would face the same kind of constraints applied to other law enforcement surveillance tools.
The 8 March response noted a series of Supreme Court cases that indicate how Fourth Amendment protections would apply to spyware. Generally speaking, when deployed by law enforcement authorities, spyware clearly involves activity addressed by the Fourth Amendment. Early cases indicated that the use of digital technologies to conduct surveillance would be governed by Fourth Amendment principles. See, e.g., United States v. Jones (finding that the warrantless use of a tracking monitor on a suspect’s vehicle violated the Fourth Amendment) and Riley v. California (finding a warrantless search of a suspect’s mobile phone to be a violation of the Fourth Amendment). The Supreme Court’s landmark 2018 decision in Carpenter v. United States found unconstitutional the warrantless use of cell site location information, thus providing individuals with protections against the government seeking personal data from third parties. Carpenter provided a set of factors to assess the constitutionality of such surveillance practices when conducted without a judicial warrant, including factors of particular relevance to spyware, such as inter alia the revealing nature of the information collected and the amount of data sought by the government. Since 2018, applying Carpenter even in situations less intrusive than spyware, “lower courts have applied the Fourth Amendment’s protections to novel surveillance practices in cases involving pole cameras, real-time location tracking, drones, smart utility meters, medical data, social media surveillance, cell site simulators, and more.” Lower courts have found that Fourth Amendment protections constrain government use of technologies that may be similar to spyware as defined above. For instance, in United States v. Wilson, the court found that law enforcement installation of surveillance malware on a defendant’s computer without a warrant was an illegal search and seizure. The court in United States v. Saboonchi held that law enforcement use of malware to remotely activate the defendant's laptop webcam was an unconstitutional search. These cases lead to the conclusion that spyware, given its intrusiveness, would likely be governed strictly by warrant requirements and scope of use. That said, the law’s applicability generally to digital surveillance may be in some flux. For instance, an appellate court in Tuggle v. United States found the long-term use of a pole camera to monitor a person’s home to be reasonable under the Fourth Amendment.
C. Legal Framework in the Intelligence Context
The Foreign Intelligence Surveillance Act (FISA) sets out rules for the collection of foreign intelligence through surveillance technologies under the U.S. Foreign Intelligence Surveillance Court (FISC) and the U.S. Foreign Intelligence Surveillance Court of Review. Section 702 of FISA authorizes collection of electronic communications of non-Americans located outside of the United States without the need for a warrant. In the context of U.S. persons, including citizens, permanent resident aliens, and U.S. corporations, FISA requires demonstration of probable cause to believe that the “target of the surveillance is a foreign power or agent of a foreign power,” that “a significant purpose” of the surveillance is to obtain “foreign intelligence information,” and that appropriate “minimization procedures” are in place. Authorities are not required to demonstrate the “imminent” commission of a crime.
In a signal of how spyware is disfavored in U.S. policy because of the “counter-intelligence” risks, Public Law 117-263 (50 USC §3232a) authorizes the Director of National Intelligence to prohibit intelligence agencies from entering into contracts with companies that have acquired foreign commercial spyware.
Under the current legal framework in the United States, the most notable explicit prohibition of spyware use by law enforcement agencies is the one imposed by the Executive Order 14093 on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security. The Executive Order is applicable to federal agencies’ (including law enforcement, military, and intelligence) use of certain foreign commercial spyware. As a matter of policy, the Executive Order states that the US “has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware” and intends to advance these interests by establishing “robust protections and procedures to ensure that any United States Government use of commercial spyware helps protect its information systems and intelligence and law enforcement activities against significant counterintelligence or security risks.” To do this the Executive Order establishes “the policy of the United States Government that it shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.” The Executive Order prohibits operational use of commercial spyware by agencies if they determine that such use “poses significant counterintelligence or security risks to the United States”.
The 8 March response noted that the Computer Fraud and Abuse Act (CFAA) provides private individuals or entities with causes of action against the use of spyware, currently the subject of Meta’s lawsuit against Pegasus-manufacturer NSO Group in federal court in the United States. The Electronic Information Privacy Act (EIPA) makes it illegal to “intentionally intercept [...] any electronic communication” and to “use” and/or “disclose” any information which has been intercepted illegally. Further, the EIPA holds that anyone who intentionally “sends through the mail, or sends or carries in interstate or foreign commerce, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications,” or “manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce,” shall be fined or imprisoned.