Google, Meta and Microsoft stood together before European lawmakers on Tuesday (June 14), calling on governments to stop investing in surveillance companies and curb the growing use of sophisticated software like Pegasus.
Representatives of large technology companies, called “Big Tech”were invited this week by European lawmakers to share their views on the use of spyware in Europe, two months after the start of work by the Commission of Inquiry into the Use of Pegasus (PEGA).
“This industry seems to be thriving”Charley Snyder, Google’s chief policy officer, told MEPs, pointing out that she was “fueled by government demand”.
“While the use of surveillance technologies may be legal under national or international laws, it often turns out that they are used by governments for purposes contrary to European values: targeting dissidents, journalists, human rights defenders and opposition party politicians”he added.
These tools are far from being the prerogative of authoritarian governments or distant countries: several Member States, including Hungary and Poland, have admitted to being customers of NSO Group, the Israeli company that offers Pegasus, but have denied any act objectionable.
Spain was added to the list following the recent “Catalangate”a series of revelations indicating that Catalan independence activists were being monitored using the Pegasus spyware by national intelligence services.
“Note, with growing concern, that the unscrupulous use of these technologies can have a much wider and unintended effect, endangering large parts of the ecosystem”said Kaja Ciglic, director of digital diplomacy at Microsoft.
David Agranovich, director of security policy at Meta, the parent company of Facebook, Instagram and WhatsApp, added that “These types of means of surveillance have traditionally been the purview of governments, sophisticated surveillance, access and capabilities in personal devices, accounts on the Internet, which in democratic governments are generally subject to democratic control. »
He pointed out, however, that “The challenge of the for-hire surveillance industry is that it makes this kind of democratic surveillance difficult, if not impossible”.
The three companies also point out that the Pegasus spyware, while the most notorious following revelations made last July by a consortium of 17 media organizations, is not the only tool on the market for such purposes.
“[Le]threat analysis group [de Google] actively tracks more than 30 vendors with varying levels of sophistication and public exposure, selling exploits or surveillance capabilities to government-backed actors”said Mr. Snyder of Google.
An Apple representative, initially invited, did not take part in the discussions.
The tech giants pointed to the“huge room for manoeuvre” available to European governments to take action to solve the problems posed by these technologies.
One of the thorny issues is how lawmakers can hold spyware customers accountable.
“Ironically, groups that sell malicious tools are very particular about the privacy surrounding the products, services, contracts and prices associated with their offensive tools”said Microsoft’s Ms. Ciglic.
Member States must apply “due diligence that one would expect from other sectors”such as the obligation to “know your customer”said Mr. Agranovich.
In the current state of affairs, “Anyone willing to pay, whether it’s an authoritarian regime or an individual engaged in litigation, can simply hire these companies and deploy very sophisticated capabilities against whomever they wish”he added.
The three companies also stressed that lawmakers need to more closely regulate the use of these types of surveillance tools. Even when used legally, these tools can have harmful consequences, especially with regard to vulnerabilities of the type “zero day”that is, vulnerabilities and backdoors that cyber mercenaries can use that have not been publicly documented or fixed.
He is ” vital “ to introduce and strengthen policies to safely reveal these weaknesses to industry operators, so that they can be corrected, Snyder said. “Vendors that secretly store zero-day vulnerabilities can pose a serious risk to the Internet when the vendor itself is compromised”did he declare.
The industry has also highlighted the need to protect the people doing the research, whether they work in big tech companies or smaller companies.
Since investigations sometimes highlight users of state-backed surveillance tools, Google, Meta and Microsoft called on lawmakers to create a safe space for companies to work on this issue.
“We received threats after publishing reports”said Mr. Snyder of Google.
The PEGA Commission of Inquiry is due to complete its work by April 2023 and is expected to make recommendations on how to tackle these illegal practices. Representatives of the NSO group will be heard at the next meeting (June 21).