The use of Pegasus spyware to target both Catalan independence leaders and Spanish politicians – including the prime minister – has plunged Spain into a “crisis of democracy” and national security that can only be tackled with an independent investigation, a leading cybersecurity expert has warned.
Last month, researchers at the University of Toronto’s Citizen Lab revealed that at least 65 individuals connected with the Catalan independence movement had been targeted with spyware between 2017 and 2020.
A fortnight later, the Spanish government announced that the phones of the prime minister, Pedro Sánchez, and the defence minister, Margarita Robles, had been hacked with Pegasus in May and June last year.
Although the Spanish government attempted to defuse the row by sacking the country’s spy chief, Paz Esteban, earlier this week, the twin scandal is refusing to fade away.
Ron Deibert, the director of the Citizen Lab, said he had been shocked to discover Pegasus being used against political targets and their families as well as against lawyers and journalists in what was meant to be “an ostensibly democratic” society. According to its makers, the Israeli NSO Group, the spyware is sold only to governments to help them track criminals and terrorists.
Deibert told the Guardian that firing Esteban did not come close to addressing the disturbing questions raised by recent revelations.
“Removing the intelligence chief looks to me like putting someone forward as a sacrificial lamb,” he said.
“And it doesn’t answer any of the questions of who purchased the spyware, who authorised it, how was the justification given to go after people who are clearly not legitimate targets by any reasonable international standard, and involving gross violations of privacy rights. If the intent is to make this move and hope that the issue goes away, I think that’s inadequate.”
The Citizen Lab chief said last month’s report underscored the urgent need for the setting up of an independent commission that had the authority to investigate what had happened and to suggest reforms to prevent it from happening again.
“I think that’s even more necessary now in light of the dramatic findings that the prime minister and the defence minister’s own phones were hacked with Pegasus,” said Deibert.
“What’s going on? If I was a Spanish citizen, I would be demanding that there be such an impartial inquiry. But it seems like that’s maybe not going to happen.”
A fortnight ago, Sánchez’s Spanish Socialist Workers’ party (PSOE) joined the three parties on the Spanish right in vetoing a parliamentary inquiry into the Pegasus scandal.
A PSOE spokesperson said the mooted congressional committee was not needed as an internal investigation by Spain’s national intelligence centre was already underway, as was an inquiry by the public ombudsman.
Deibert, who was in Spain this week, said he had been surprised by the complacency he had encountered and disappointed that many people in the country appeared to have no problem with the targeting of the Catalan leaders.
For many in Spain, the regional independence movement – which attempted a unilateral, illegal bid to secede in October 2017 – remains a direct challenge to the “indissoluble unity” of the country that is enshrined in the constitution.
For Deibert, however, the issue transcends national politics.
“I’ve been telling people that if they draw the conclusion that this is a Catalan issue and they can maybe dismiss it as such, or put it in a little box and frame it that way, they’re grossly mistaken,” he said.
“To me what this illustrates is that you have this extraordinarily powerful surveillance technology – and a market that’s supplying it that’s almost entirely unregulated – being used by governments, as this case illustrates, that are unaccountable and have major public accountability and oversight problems. And so this is really a crisis of democracy – that’s the way I think about it – in Spain.”
Deibert also hit back at suggestions that the Citizen Lab’s investigations were biased and had been compromised by the fact that one of its researchers, Elies Campo, had himself been targeted using spyware because of his apparent links to the independence movement.
Deibert said Campo had been the victim of a “frankly baseless and really outrageous smear campaign”. He also said that he had been deeply troubled to discover that Campo’s father, a prominent doctor, had been targeted on his official hospital-issued phone, which would have contained sensitive medical information.
Deibert said he rejected any suggestions that the Citizen Lab was politically motivated or somehow beholden to the Catalan independence movement.
“We’re not a company, we never do commissioned research, we’re impartial, and we’re a university-based research group that’s run and supervised by me, the principal investigator, who manages every aspect of this project from beginning to end,” he said.
While the Spanish government has refused to speculate on who may be responsible for targeting the phones of Sánchez and Robles, referring only to “illicit” and “external” attacks, fingers have been pointed in the direction of Morocco, which was engaged in a tense diplomatic standoff with Spain when the hacks took place.
A data leak at the heart of the Pegasus investigation revealed more than 200 Spanish mobile numbers were selected as possible targets for surveillance in 2019 by an NSO Group client believed to be Morocco, but Morocco has denied spying on any foreign leaders using Pegasus, and has said reporters were “incapable of proving [the country had] any relationship” with NSO.
Deibert said that, while he had no information on those attacks, there were two possible scenarios: that it was a foreign government, possibly Morocco; or that it was a “rogue domestic agency” operating against the state.
“Given what I’ve seen in Spain, that’s an entirely plausible scenario,” he said. “Both cases – both hypotheses – point towards the urgent need for an independent, impartial inquiry.”