MEP Diana Riba i Giner

MEP Hannah Neumann

MEP Saskia Bricmont

Our findings in an interactive world map

This interactive world map shows the global dimension of the widespread misuse of commercially obtained surveillance spyware by state agencies:

  • Spyware misuse is not confined to repressive regimes but also occurs in European democracies.
  • Persons from all walks of life have been targeted – in particular government critics.
  • Revelations of spyware misuse demonstrate that urgent action is needed to stop this.

More than 70 countries are implicated in the global trade of spyware – as exporters, clients or both. The map includes more than 260 named persons targeted with commercial spyware by authorities from 23 different countries. In these cases, a device infection or targeting with malicious messages was detected through research mainly conducted by CitizenLab and Amnesty Tech; with increasing media reporting on credible investigations by authorities into spyware abuse, we have also relied on such additional sources. However, the map does not include the tens of thousands of individuals whose mobile numbers were identified in a leak as potential targets of NSO clients, but where, for various reasons, an infection could not be checked and/or proven. Technical proof of infection is indeed rare and requires specific forensic software and access to the potential victim’s device. There is also an increasing number of persons whose device infection has been confirmed, but where the responsible authorities remain unknown – such cases could not be included in the map either. Therefore, this non-exhaustive selection sheds only a little light on the widespread illegal surveillance of civilians – with many more cases remaining in the dark.

The map is organised along three categories:

  1. involved countries
  2. profile of victims
  3. types of software

On the first map you can click on:

  • spying countries – i.e. those exposed for having misused the spyware on individuals. This will lead you to the
  • profile of victims, including activists, journalists, politicians or others, where a device infection or targeting with spyware was proven and linked to a spying country.

On the second map you can click on:

  • exporting countries – i.e. those hosting companies implicated in the development, sale and servicing of misused spyware.
  • client countries – i.e. those having purchased spyware, regardless of whether or not cases of misuse have been documented. Both will lead you to
  • the types of spyware that were found on devices of targeted persons.

Questions & answers

This Q&A section provides basic information on implications of spyware abuse, the profile of targeted persons, involved countries and spyware companies. Furthermore, it includes recommendations of the Greens/EFA Group in the European Parliament to prevent future misuse of spyware. It also contains information on those who expose the misuse and countering measures, including at EU level. Finally, you will find tips on how to discover spyware on your phone as well as an overview of spyware programmes and manufacturers around the world.

  • Surveillance spyware refers to computer programmes designed to track people’s every digital move – and to secretly extract all data stored on a device, including the most private information such as passwords, visuals, locations, contacts and encrypted messages like e-mail or messenger apps (e.g. WhatsApp, Signal or Telegram).
  • Spyware may gain control of (parts of) a phone or other electronic devices, including activating the microphone or camera as well as having the capacity to fabricate and send out messages, so that they appear to have been composed by the targeted individual.
  • Advanced types of spyware are installed and operated in complete secrecy and without the device holder’s interaction (“zero-click attack”). Other types are installed by accessing a fake website (which often imitates popular websites) or sending a fake link via SMS. For the ordinary user, spyware leaves no detectable traces with the device mostly continuing to function normally, except for possible battery issues.
  • Spyware misuse by authorities threatens the very foundations of democratic societies. This illegal intrusion into people’s privacy violates fundamental rights, erodes trust in state institutions, impedes free political competition and puts election results into question. Therefore, a responsible use of spyware requires transparent and effective mechanisms with democratic oversight.
  • Spyware misuse poses a threat to the life and safety of any targeted person. Whilst government agencies claim to use spyware only for (serious) crime, research disclosed the widespread and unlawful surveillance of individuals which violates privacy rights and has generated information that contributed to further human rights violations.
  • A general lack of national and international regulation and oversight has opened gateways to the misuse of spyware, as companies can sell to even the most notorious dictatorships, who otherwise would not be able to develop such spyware capabilities themselves.
  • Spyware companies have developed a lucrative business model by scouring for and exploiting the weaknesses of IT systems to infiltrate private devices with spyware. By purchasing spyware from these companies, EU Member States have therefore not only contributed to security risks and fundamental rights abuses within Europe, but also outside of it as many spyware companies rely on the European market to legitimise their businesses.
  • Spyware misuse can happen everywhere and to everyone. Many targeted individuals have expressed criticism of government policies. They come from all walks of life, and include politicians, journalists, lawyers and civil society activists promoting human rights, women’s rights, and environmental protection.
  • Spyware abuse does not only violate rights of the targeted person but also their social and professional network by monitoring their exchanges with others.
  • In many countries authorities specifically target women activists with spyware in order to extract information for defamation campaigns. Due to the increased social scrutiny women are under, public shaming of women by leaking private and intimate photos particularly triggers harassment, social ostracism and even physical attacks.
  • Victims frequently face obstacles by authorities when seeking redress, including refusal to provide information necessary to identify responsibility for the unlawful surveillance.
  • At least 20 governments from all around the world have been exposed for misusing commercially obtained spyware against civil society actors.
  • Countries that use surveillance spyware against their own citizens range from authoritarian regimes to European liberal democracies. In the EU, it has been established that 14 Member States have acquired Pegasus spyware in recent years, yet not all of them may have used it in an illegal way. So far it is unknown how many other spyware providers have sold their software to EU countries. Another big European player, Intellexa (producer of the “Predator” spyware), has just been involved in a scandal in Greece.
  • The secretive nature of spyware attacks poses a challenge to identify those responsible for misuse. Where the world map identifies countries for their involvement in spyware misuse, this is generally based on the assessment and examination of infected devices by experts, who will also refer to circumstantial evidence.
  • Surveillance spyware is developed either by governmental entities or private companies. While governmental products are generally not for sale, a range of commercial companies are selling surveillance spyware to whoever can afford it – allegedly exclusively to vetted governments. However, NSO spyware for example has been used in notorious dictatorships such as Saudi Arabia who on their own would not be able to develop such spyware capabilities.
  • The following commercial companies have sold surveillance spyware which has been misused by their clients:

    NSO Group – Pegasus – Israel

    Intellexa / WiSpear / Cytrox – Predator – Greece / Cyprus / North Macedonia

    Memento Lab – RCS X – Italy

    FinFisher – FinSpy – Germany

    Candiru – Candiru – Israel

    Tykelab – Hermit – Italy

    DarkMatter – Project Raven – United Arab Emirates

    QuaDream – REIGN – Israel

    Mollitiam Industries – Invisible Man – Spain

    Paragon – Graphite – Israel

Here, we list some examples of surveillance spyware programmes which have been implicated in misuse, including the targeting of civil society actors. A more comprehensive list can be found in this study on p. 22: open study.

  • Pegasus

    (identified in 2016 and still in use)
    “Pegasus” is a widely used spyware developed by the Israeli company NSO Group. It infects mobile devices and can track their location, extract messages, footage and other documents as well as watch and listen in live-mode through camera and microphone. Infection of mobile phones is possible without any user interaction (‘zero-click’ infection).

  • Candiru

    (identified in July 2021 and still in use)
    The Israel-based company Candiru Ltd. developed a spyware of the same name that can infect phones, computers and cloud accounts. It uses fake websites to infect devices. This spyware collects data from messenger applications and is also capable of tracking the browser history, collecting passwords and monitoring components such as a camera and microphone.

  • Predator

    (identified in 2021 and still in use)
    Predator was developed by the North Macedonia-based company Cytrox, which then sold the tool to the Cypriot company WiSpear. WiSpear sells Predator through the Greece-based “Intellexa Alliance”, a consortium of spyware vendors with corporate presence in several EU Member States. This spyware attacks mobile devices and is often installed via a link in a personalised e-mail or SMS sent to the targets (“trusted implant”).

  • RCS / RCS X

    (earlier version identified in 2012, current version still in use)
    RCS X stands for Remote Control System, which can infiltrate a device and extract data. The Italy-based company Memento Lab developed RCS, the spyware of the no-longer-existing company ‘Hacking Team’, further into the current RCS X. RCS had been widely used by authoritarian regimes in the Middle East and North Africa to spy on and repress critical voices.

  • “Hermit”

    (identified in 2022, still in use)
    “Hermit” is not the spyware’s official name, but was coined by the IT security firm that first spotted it. Hermit infects devices by first disabling a phone’s mobile data connectivity and then sending a fake message from the target’s telecom provider with a link to re-establish the connection. IT specialists traced this software back to the Italian company Tykelab, which is believed to act as a front company for its Milan-based parent establishment, RCS Lab.

  • FinSpy

    (identified in 2012, company bankrupt since 2022)
    This spyware was able to extract data from a device and turn it into a 24/7 surveillance tool. Its Germany-based developer firm FinFisher filed for bankruptcy in March 2022 following a criminal investigation. This investigation was initiated by a group of NGOs who discovered that FinFisher sold its spyware to the Turkish government without the authorisation of the German federal government; the spyware was then used in Turkey during a 2017 crackdown on journalists and oppositional voices.

  • Cerebro (previous version: Eagle)

    (identified in 2007, still in use)
    Cerebro is a spyware that enables the surveillance of a victim’s entire internet traffic. It is developed and sold by the French company Nexa Technologies (formerly Amesys), which also forms part of the Intellexa consortium, a marketing label of mostly European spyware vendors to compete with NSO. There are two ongoing lawsuits against the company for having sold its services to Libya and Egypt over the last decade, which led to the crushing of opposition, torture of dissidents, and other human rights abuses.

  • REIGN

    (identified in 2022, still in use; company reported to cease operations in April 2023)
    “QuaDream” is the Israeli developer of the REIGN spyware. The company was founded in 2016 by former employees of the Israeli company NSO Group and uses the same hacking technique as Pegasus, known as “zero-click”. REIGN exploited a vulnerability in the iOS calendar to infect Apple mobile devices. Once installed, the spyware offered features similar to Pegasus. The University of Toronto’s Citizen Lab and Microsoft Threat Intelligence published an analysis of the REIGN spyware in April 2023. This revelation led QuaDream to declare that it was ceasing operations and to put all its intellectual property up for sale. As of April 2023, no information was published concerning the victims of QuaDream.

  • Project Raven

    (identified in 2016, still in use)
    DarkMatter is a company based in the UAE, founded presumably in late 2015. It developed the spyware known as Project Raven. Once installed on the victims’ devices, the spyware collects data including emails, photos, text messages, phone communication, location, and other private information.

  • “Invisible Man”

    (identified in 2018, still in use)
    The so-called spyware “Invisible Man” and “Night Crawler” were developed by the Spain-based company Mollitiam Industries. This spyware is capable of remotely accessing files and a target’s location, secretly switching on a device’s camera and microphone, and recording anything typed on the keyboard.

  • “First Mile”

    (still in use)
    The Cognyte company has its headquarters in Israel, with offices in Germany, Bulgaria, Romania, Poland, Cyprus, US, Mexico, Brazil and India. Its portfolio includes the spyware FirstMile.

Recommendations

We call on the competent authorities in the Member States and EU institutions to conduct immediate, thorough, independent and transparent investigations into all revealed cases of unlawful surveillance with spyware.

We call for the establishment of an EU-based centre that provides preventive services and security checks (possibly an “EU-based Citizen Lab”) to people at risk of spyware attacks, notably journalists, human rights activists, and politicians. This centre should offer services like identifying whether their electronic communication devices have been targeted or infected with surveillance spyware.

Within the EU we call for a general ban on the sale, acquisition, transfer and use of surveillance spyware. Exceptions to this, if any, should be limited and exhaustive and accompanied by strict safeguards. Until these safeguards are in effect, we call for an immediate moratorium.

The EU urgently needs a binding, effective and human-rights-based legal framework that:

  • imposes safeguards at national level when acting under “national security”: democratic ex-ante and ex-post control, judicial mandate, definition of national security, respect of necessity and proportionality principles,
  • provides a workable definition of misuse of surveillance spyware, which is sufficiently broad to ensure comprehensive protection, considering also technology that may gain traction in the near and far future,
  • establishes a general ban with limited and exhaustive exceptions on spyware transfer and use within the EU,
  • imposes a moratorium on the export of surveillance spyware to third countries which can only be lifted for countries proving to have strict regulations equivalent to those of the EU in place and in combination with the establishment of a human-rights-based due diligence mechanism with an independent oversight body as well as transparent reporting regulations,
  • establishes the requirement of meaningful ex-ante judicial authorisation by an impartial and independent judicial authority, which demonstrates the necessity and proportionality of the envisaged measure, and the reasons why other, less intrusive, methods do not suffice,
  • establishes a non-exhaustive but binding list of privileged professions, such as lawyers, journalists, politicians, and doctors that shall not be targeted by spyware,
  • instates a democratically legitimised control mechanism,
  • recognises claims to remedy for those affected by surveillance attacks and provides appropriate support including offering legal assistance, e.g., for claims of compensation, and assistance in phone screening,
  • tackles the market of security vulnerabilities, tackles the hoarding of security vulnerabilities by Member States by introducing a mandatory reporting mechanism in order to strengthen the capabilities in cybersecurity defence throughout the EU,
  • promotes training and education in digital and cyber competence in EU Member States, not just in schools but also in adult education,
  • holds software manufacturers accountable to ensure appropriate reaction when they become aware of security vulnerabilities.

Globally, we call for an immediate moratorium on spyware with the aim to establish an international ban.

Taking action

  • Civil society organizations and journalists have been at the forefront of disclosing the misuse of surveillance spyware globally. Whilst investigations of such misuse should have been the responsibility of authorities, they have frequently been obstructive, including in the context of parliamentary inquiries.
  • Ground-breaking work by CitizenLab and Amnesty Tech has been integral to proving infections by technical means.
  • Amnesty International and Forbidden Stories, a network of journalists, discovered the systematic misuse of surveillance capabilities from a dataset including about 50,000 phone numbers. Their analysis, called the “Pegasus Project”, was released in June 2021 and encompassed revelations about the most popular surveillance tool, Pegasus, developed by the company NSO Group.
  • Numerous lawsuits and complaints have been filed against companies for selling misused surveillance spyware. CitizenLab regularly updates a list on the status of legal action against selected companies. It lists dozens of ongoing cases against the NSO Group alone: open list
  • Legal action has shown impact: Following a criminal complaint filed by a group of NGOs against FinFisher over illegal exports of spyware, the company filed for insolvency in March 2022: open article
  • Individuals and NGOs have also directed legal action against authorities suspected of misuse of surveillance spyware. Examples include a complaint by Catalan victims against several Spanish government agencies (April 2022), complaints against the Hungarian government (January 2022), petitions to the Indian Supreme Court (2021) and a lawsuit in the UK against Saudi Arabia for spying on a UK-based dissident (2022). Civil society actors have also filed lawsuits to revoke export licenses, including in the UK (2012) and in Israel (2019).
  • In April 2022, the European Parliament established the “Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware”, known in short as “PEGA”. Its tasks include investigating the development, the (mis)use and regulation of surveillance programmes in relation to the European Union. The committee will present a report in 2023 with their findings and recommendations. Herein, it is expected to include an outline for a legal framework regarding the development, sale and use of surveillance spyware as well as possible consequences for any illegal usage.
  • Since 2021, the updated EU export regulation on dual-use items – i.e., goods that may be used for civilian or military applications – explicitly includes cyber-surveillance technology. This regulation has strengthened export transparency and introduced human rights risks as assessment criteria for export licenses. However, the regulations have also been criticised as a missed opportunity to stop exports of surveillance tools to repressive regimes.
  • EU Regulation 2018/1725 lays down the duties of the European Data Protection Supervisor (EDPS). The EDPS’s tasks are relevant for the protection of personal data from spyware misuse, although they are not confined to spyware-generated data. For example, in January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity. The EDPS has also argued that the current use of surveillance spyware is not in accordance with EU laws.