Legend has it that Pegasus, the famous winged horse with an indomitable character, was only captured and dominated by Bellerophon with golden bridles given to him by the goddess Athena. Finally, and with the help of Zeus, Pegasus managed to get rid of his annoying rider and was turned into a constellation that watches over us from the sky.
Technology has resurrected a modern version of that winged horse from Greek mythology: the Pegasus spy program, capable of monitoring and interfering in the most everyday and most intimate aspects of our lives in an unprecedented way, exposing the weakness of states and democracies.
What is Pegasus?
Pegasus is a computer espionage program (or spyware) developed by the Israeli company NSO Group, intended exclusively for governments to prevent terrorist attacks and other crimes against state security.
However, reality has shown that it is used to spy on heads of state, opposition leaders, prominent businesspeople, journalists, lawyers and human rights activists. To find out about the abuses of Pegasus, the European Parliament has initiated the creation of a committee of inquiry that must present a report in March 2023.
The concern arises because, unlike traditional surveillance programs, Pegasus accesses phones remotely and installs itself easily on the devices by taking advantage of weaknesses in the operating systems (iOS and Android), either through a message or a call, which does not even need to be opened or answered.
Once installed, it exerts a high degree of interference in the private life of those being spied on. It grants complete, indiscriminate and unrestricted access to all of their information (messages, calls, photos, audios, videos and geolocation data). It can even activate the phone’s camera or microphone without the user knowing.
In this way, it makes it possible not only to spy on the chosen device, but also to learn information it contains about third parties unrelated to the whole process and, in addition, to impersonate the user thanks to the volume of information that can be learned about him. All this happens without the user suspecting that Pegasus has been installed, because once the mobile is turned off, its trace disappears.
The legal problem that it raises – beyond the question of who has spied on whom, or whether a State is going to allow another State to spy on its leaders or its citizens under the pretext of national security or political interests – is whether Pegasus or its alternatives, due to their powerful characteristics, constitute an unjustified, and therefore illegal, interference in the private life of citizens, or whether, on the contrary, the end justifies the means and national security justifies spying massively and indiscriminately with infallible computer programs.
And the scandal broke
In Spain, the use of Pegasus reached the media with the denunciation of the espionage of Catalan pro-independence politicians (CatalanGate) and with the Government statement, dated May 2, 2022, on the use of Pegasus to spy on both the Prime Minister and the Defense Minister.
Although the debate was initially prompted by the Government's use of Pegasus, opening the discussion on privacy versus national security and on the role of the National Intelligence Center and of what is known as the Official Secrets Commission, with the espionage of the President of the Government the debate should focus on the use of this type of system, on the danger to fundamental rights, especially to our privacy and to democracies, and on whether there are adequate guarantees to be able to control them.
An eternal and false debate
Although national security is a legitimate objective that allows us to use spyware and limit our fundamental rights, in a democratic State governed by the rule of law any limitation of rights must be laid down in a clear and predictable norm and be necessary in a democratic society. This requires applying a strict proportionality test, so that if there are less harmful mechanisms to achieve a legitimate goal, these are the ones that should be used.
This is indicated by both the courts and the data protection authorities, such as the European Data Protection Supervisor. Pegasus is relatively new, but the danger of applying technology to the massive use of personal data to spy on citizens is not.
As early as 1978, the European Court of Human Rights ruled on the issue in the Klass case and, forty years later, in 2021 in the Big Brother Watch case, it concluded that, although these systems in themselves do not contravene the European Convention on Human Rights, it is necessary that “they be limited to cases strictly necessary to safeguard democratic institutions” and that they have “adequate and effective guarantees against abuse”.
Likewise, the Court of Justice of the European Union, in 2020, in the Quadrature du Net case, stated that restrictions on the protection of personal data must be established without exceeding the limits of what is strictly necessary, for which it will be essential to carry out the corresponding weighing of interests.
More forceful has been the European Data Protection Supervisor who, in Observations published in February 2022, with express reference to Pegasus, recognizes its potential and the difficulty of its control and – doubting that its use could be considered proportionate even with the legitimate purpose of preventing crime or maintaining national security, due to the high level of interference in private life – recommends its prohibition. That is, the end does not justify the means.
So, to spy or not to spy?
If the objective is to spy on a third party without the purpose being legitimate and provided for in a regulation, no. We cannot spy on the neighbor on the fifth floor no matter how much we dislike what he does. But even if there is a legitimate purpose, such as ensuring national security or protecting the rights of third parties, not everything goes.
We need a rule that provides for espionage, that contains adequate guarantees to avoid injuring fundamental rights and that ensures that the means used pass the proportionality test. Pegasus is disproportionate and does not pass it; due to its own characteristics, it does not comply with European privacy protection standards. But what about other systems?
In the case of Spain, there is legal provision for spying, but the guarantee of rights must be ensured. It is not only that the Spanish Constitution guarantees fundamental rights, but that there are rules that regulate the National Security Strategy, the CNI as the competent body, official secrets, as well as electronic communications, their interception and data protection in the criminal field (and outside it). We can criticize the clarity and quality of the rules, but they do exist.
Given that it seems undeniable that surveillance systems are necessary to guarantee the stability of States, if States finally decide to use them, all that remains is the guarantees.
Among the guarantees to be reinforced, cited in the Observations of the European Data Protection Supervisor of 2022, the following stand out:
strengthen its effective supervision through data protection authorities and judicial controls before and after its use;
strictly apply data protection regulations;
reduce the risk that the data obtained with these programs reach databases located in the European Union;
and, finally, empower civil society to learn about the use of these systems.
We are configuring the parameters of privacy in a digitized world open to new threats that shake the stability of States, but we must avoid turning our democratic States into police States. Otherwise, as the European Court of Human Rights already ruled in the Klass case, we run the risk of “destroying democracy with the intention of defending it”.