Venice Commission - Report on a rule of law and human rights compliant regulation of spyware

www.venice.coe.int

Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information websites etc.).

Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/


4. Has there been any official evaluation of the need for, or added value of, spyware?

  Austria

No, there has not been an official evaluation.

  Belgium

The Comité permanent R has announced an inquiry to determine whether this software is used by the Belgian intelligence services.

  Bosnia and Herzegovina

N/A

  Bulgaria

/

  Canada

The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics prepared a report about the Device Investigative Tools Used By The Royal Canadian Mounted Police And Related Issues. This report examines the benefits and risks of the use of on-device investigative tools and examines legislative and non-legislative measures that could be considered to better regulate these types of tools in Canada.
The Federal Court of Canada, in 2019 FC 141, addressed the legal basis for authorizing the installation of implants on devices and identified associated search protocols to be used in association with them.

  Croatia

/

  Denmark

N/A

  Estonia

No such official evaluations are publicly available.

  Finland

Up until now, there has not been any official evaluation of the need for, or added value of, spyware. The annual reports by the Intelligence Ombudsman – who is responsible for overseeing the legality of civilian and military intelligence and the implementation of fundamental and human rights in intelligence activities – are silent on the use of spyware, and the need for, or added value of, spyware.

  France

/

  Germany

/

  Greece

N/A

  Iceland

A consultation process was conducted regarding the permission to store telecommunications data for criminal investigations. It is important to note in this respect that the Data Retention Directive (Directive 2006/24/EC) was declared invalid in 2014 by the Court of Justice of the EU. This ruling, made in response to a case brought by Digital Rights Ireland against the Irish authorities, found that blanket data collection violated the right to privacy.

  Ireland

Yes. In March 2024, the Irish government signed up to the US-led Joint Statement on Efforts to Counter the Proliferation and Misuses of Commercial Spyware. On the Irish government’s website, the Department of Foreign Affairs stated:
‘The proliferation of commercial spyware and the manner in which these technologies are being misused by authoritarian regimes and in democracies are matters of serious concern that require a coordinated international response. Ireland welcomes the opportunity to join this important collective action. We are committed to the principles of the Joint Statement and share the objectives of curbing the proliferation of these technologies and developing and implementing policies to discourage their misuse. These technologies can play a legitimate and important role in supporting the work of law enforcement agencies and security services, when used in a manner that is consistent with respect for human rights, the rule of law, and democratic principles. This initiative also seeks to elaborate best practice in this context.’

  Italy

One of the latest official assessments of the whole matter is the one gathered in the results of the fact-finding activity carried out by the 2nd Senate Permanent Commission (Justice) on the various issues concerning interception of communications and conversations (see annex). The results of the fact-finding investigation can be found in the «Documento approvato dalla 2ª Commissione permanente (Giustizia) nella seduta del 20 settembre 2023 (relatori: Bongiorno, Berrino e Zanettin) a conclusione dell’indagine conoscitiva sul tema delle intercettazioni».

  Korea

/

  Kosovo

To this date, there has been no evaluation of the need for, or added value of, spyware. One would think that the National Cyber Security Strategy would be the right instrument to evaluate such a need or discern its proper value and define its place in the legal and institutional framework of the country. However, no such analysis can be found in this strategic document. And obviously the same applies to other potentially relevant documents.
The present Cyber Security Strategy has a four-year lifespan, covering the period between years 2023 and 2027. In this connection, it is a rather missed opportunity to delve into such critical dimensions of cyber security.
Of course, the National Cyber Security Strategy is not a static document and it can be both reviewed and revised. Other alternatives also exist, including the possibility of developing a ministerial or governmental concept paper that could in turn inform and dictate any subsequent legal and institutional changes.

  Kyrgyzstan

There is no evidence of an ongoing assessment of the need for or added value of spyware.

  Liechtenstein

There is no official evaluation. It may play a role that no special secret service exists in Liechtenstein.

  Lithuania

There is no available information on this matter.

  Luxembourg

/

  Malta

/

  Moldova

No.

  Monaco

The Monegasque authorities have begun reflecting on the means of combating spyware in the context raised by the question asked.

  Morocco

/

  North Macedonia

I cannot find any official evaluation specifically assessing the need for or the added value of spyware in North Macedonia.

  Netherlands

Law enforcement authorities
Yes. In 2022, the Research and Data Centre of the Dutch Ministry of Justice and Security published an evaluation report on the Dutch hacking power for law enforcement authorities. It is an empirical study into the implementation of the hacking power (Article 126nba, 126uba, 126zpa DCCP).
Between March 2019 and March 2021, the hacking power was issued in 26 criminal investigations. It has been used in criminal investigations into more serious forms of traditional crime such as (attempted) murder, cases involving narcotics, falsification of documents, money laundering, sexual offences, terrorism offences, and membership of a criminal organisation. The report clarified that the Dutch police used a commercial tool in the ‘vast majority’ of cases. The name of the commercial tool(s) used is not public.
Intelligence and Security Services
Yes. The entire Act on intelligence and security services was evaluated in 2020, including the hacking power in Article 45. However, its focus was not on ‘targeted surveillance’ but rather on the use of hacking at organisations and the acquisition of bulk datasets. Following reports from oversight bodies, it recommended improvements for the reconnaissance phase in the use of hacking powers and regulations for acquiring and processing bulk datasets. These regulations are, in part, implemented in the recent legislation focusing on ‘State actors with cyber programs’ (2024).

  Norway

Not spyware specifically. There was a significant political and public debate during the adoption of and implementation of the 2020 Intelligence Service Act, but the main issue there was bulk collecting of electronic communication, which for internet traffic would also include persons in Norway, since most domestic internet traffic is routed by other countries.
There was no significant public debate on the introduction of “data reading” for the police in 2016. However, in Norway, legislative reforms such as this are usually based on a comprehensive evaluation and assessment by an independent expert group. This was also the case for the 2016 reform that allowed for spyware in “data reading”. The 2016 amendments were based on recommendations by the “Method control panel” (Metodekontrollutvalget) in a 2009 Norwegian Public Inquiry (official series of documents from independent law commissions). The report (reference: NOU 2009: 15, Hidden information - open control) can be found here: https://www.regjeringen.no/contentassets/ac3de9f4288f481e8d6b7971a82310d1/no/pdfs/nou200920090015000dddpdfs.pdf. Summary on “data reading” on p. 26.
Here is an op-ed by the then Minister of Justice, justifying the introduction of “data reading” for the police (Google Translate works fine): https://www.aftenposten.no/meninger/debatt/i/18zwQ/dataavlesing-vil-gjoere-hverdagen-tryggere-anders-anundsen .
From legal academia, the introduction of “data reading” has not met strong objections, but here is a paper that points to some issues concerning safeguards (in Norwegian, but with an English abstract): https://phs.brage.unit.no/phs-xmlui/bitstream/handle/11250/174670/Rettfærd%20dataavlesing.pdf?sequence=3&isAllowed=y . The main criticism is that the use of spyware should not be regulated in the same chapter and according to the same logic of safeguards as other surveillance, and that such spyware should be subject to third-party assessment to prevent abuse.

  Poland

In Poland, there has been no specific official evaluation solely focused on the need for or added value of spyware. However, the broader context of surveillance and intelligence activities, including the use of advanced monitoring technologies like spyware, has been examined through various governmental and legislative reviews.

  Portugal

/

  Romania

/

  San Marino

To date, no official assessment has been made specifically for spyware, taking into account both the small number of judicial cases (due to which spyware has not yet been used in investigative activities) and the already existing (and extensive) legislation on interceptions, which can generally include the various forms of interception of communications related to the suspected person.

  Serbia

According to official information, it is not.

  Slovakia

We are unaware of any official evaluation of the need for spyware.

  Spain

The evaluation of the topic has been taking place since December 2023, linked to the use of the Pegasus Spyware in the context of the secessionist process in Catalonia.
4.1.- Current parliamentary developments linked to the use of Pegasus:
The plenary session of the Congress of Deputies passed a resolution on 21 December 2023 to set up two commissions of Inquiry.
1) Parliamentary Committee of Inquiry into the spying and intrusion into privacy and intimacy, through the Pegasus and Candiru malware, of political leaders, activists, lawyers, journalists, institutions and their families and relatives. The purpose of the Committee is as follows:
a) To know in detail the involvement of state institutions in alleged unlawful interference against political leaders, institutions and other individuals.
b) To investigate the alleged responsibility and misuse of technical bodies in all ministerial departments and the linking of these bodies to espionage.
c) To know in detail all the Foreign Ministry's activities in relation to the investigations carried out in an allegedly illegal manner, without being sub judice, of the Generalitat's delegations abroad.
d) To know the contracts, costs and contracting processes for the alleged development and/or purchase of Pegasus software or other tools used for espionage by official bodies.
e) To investigate all initiatives carried out by state authorities in order to persecute political dissidence.
f) To propose and raise redress measures for all those affected by illegal investigations, as well as accountability for misuse of government machinery.
g) To propose appropriate control, investigation and prevention measures to shield democracy from abuses of state power and prevent its use against civil and political rights.
The Committee was constituted on 28 February 2024 by electing its governing bodies.
2) Parliamentary Committee of Inquiry into the so-called 'Operation Catalonia' and the actions of the Ministry of the Interior during the governments of the Popular Party in relation to the alleged irregularities linking high-ranking officials and police commanders to the existence of a vigilante plot.
In relation to the use of spyware, the following purpose of the Commission should be emphasised.
...
d) To know the contracts, expenses and contracting procedures for the alleged development and/or purchase of software called "PEGASUS", or other tools allegedly used for spying by official bodies.…
The Committee was constituted on 28 February 2024, by electing its governing bodies, with the commitment of the Committee's chair to begin its work quickly.
4.2.- Current judicial and legal developments linked to the use of Pegasus
Bill to reform the legal framework
On 8 September 2023, the Parliamentary Group of the Basque Nationalist Party presented a bill to amend Law 11/2002 and Organic Law 2/2002. The bill proposes a strengthening of prior judicial control by replacing the figure of the single Supreme Court magistrate in charge of these matters with a three-member chamber of Supreme Court magistrates. The bill has been adopted as a full initiative by the lower Chamber on 27 February 2024 but has not yet been passed by the Chamber.
Ex-post judicial control over the use of Pegasus in the frame of the secessionist process in Catalonia.
The investigating court number 29 of Barcelona in preliminary proceedings 1154/2023 investigating the use of Pegasus to spy on politicians and other relevant persons in the context of the Catalan independence process requested the Council of Ministers to declassify the judicial resolution issued by the judge of the Supreme Court in charge of authorising the interception of communications of these individuals. This judge’s decision was issued at the request of the director of the CNI and supposedly authorised the use of the Pegasus programme. The Council of Ministers agreed to the (partial) declassification of the decision of the Supreme Court judge by agreement of the Council of Ministers of 16 January 2024. The decision of the Supreme Court judge was sent to the investigating judge and is part of the judicial file, which is still secret and therefore not yet known to the public.

  Sweden

Yes. The initial authority to use spyware was preceded by a commission of inquiry (as is the norm for any new legislation in Sweden), Hemlig dataavläsning – ett viktigt verktyg i kampen mot allvarlig brottslighet, SOU 2017:89. The Act introduced in 2020 was to apply for a limited period of time (until March 2025). During 2023, the operation of the Act was reviewed by another commission of inquiry, Hemlig dataavläsning – utvärdering och permanent lagstiftning, SOU 2023:78. The general conclusion of this second commission of inquiry was that the Act, even though only a short period of time had elapsed, had been used more than expected, and that it was an essential tool of investigation which should be made permanent.
In addition to this commission of inquiry, the oversight body, the Security and Integrity Protection Board (below p. 6) has made a number of proprio motu investigations into how the Act is being applied.

  Switzerland

In theory, parliament is bound by the constitution and by international law (Article 5 paras 1 and 3 Const.), however there is no abstract judicial control of federal laws (Article 190 Const.).

  Ukraine

The officials didn't provide the evaluation of the need of spyware.

  United Kingdom

/

  United States of America

The United States has evaluated commercial spyware and concluded, in the 27 March 2023 Executive Order, that “[t]he growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development” of an international technology “ecosystem,” and added further:
The United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes, in light of the core interests of the United States in protecting United States Government personnel and United States citizens around the world; upholding and advancing democracy; promoting respect for human rights; and defending activists, dissidents, and journalists against threats to their freedom and dignity.
In terms of the national security and foreign policy interests, the Executive Order noted that there is value in “ensuring that technology is developed, deployed, and governed in accordance with universal human rights; the rule of law; and appropriate legal authorization, safeguards, and oversight, such that it supports, and does not undermine, democracy, civil liberties, and public safety.”
As explained in the 8 March note, the U.S. Government has also evaluated spyware and specifically designated several foreign companies “for their role in developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts.”