Greece Spyware Case Heading to European Court of Human Rights Highlights Wider Use in the EU

US and European governments have grown fond of painting Israel-connected spyware companies as rogue operators engaged in surveillance that is at odds with “Western values.”

A case in Greece, which will now be heard by the European Court of Human Rights (ECHR), adds to the mounting evidence that illegal spyware use in the EU is well out of control without any help from the Israelis. The embrace of surveillance technologies by the Greek prime minister (a US darling in recent years) might also help explain why US companies suddenly became so interested in opening up shop in Greece.

The Greek scandal started back in 2020 when Thanasis Koukakis, a financial journalist known for his corruption investigations of powerful banking figures, got a tip that he was under surveillance. After confronting authorities, the wiretaps on his phones were discontinued.

A year later, however, he received a text message asking, “Thanasis, do you know about this?” He clicked on the link, and it infected his iPhone with Predator. Spyware like Predator can hack into devices remotely, giving its operators full access to a phone and has been used on journalists and activists around the world.

The most well-known is the Israeli company NSO Group’s Pegasus. Predator is similar and is the product of the companies Intellexa, based in Greece, and North Macedonia-based Cytrox.

Intellexa was established by former Israeli Defense Force intelligence officer Tal Dilian, who was previously associated with NSO Group. According to Forbes, Dilian took over  Cytrox in 2019 to make Intellexa a “one-stop-shop” for hacking and electronic surveillance services and products. Israel Aerospace Industries was an early investor in Cytrox but sold its shares around early 2019 to Intellexa.

Other people in Greece were also targeted by Predator, including Nikos Androulakis — member of the European Parliament and at the time, the leading candidate to take over Greece’s center-left party.

The EU – like the US – has been singularly focused on NSO’s Pegasus in recent years while ignoring the risk of homegrown spyware. The Ursula von der Leyen-led European Commission, usually hungry for more power, has mostly ignored the proliferation of spyware within the EU, saying it’s a matter for individual countries to handle. From Euractiv:

Dutch MEP Sophie in ‘t Veld, who has been spearheading the work of the now-concluded Pegasus investigation in the European Parliament, thinks that this could affect the European Council, the Commission, and other EU bodies like the border agency Frontex.

She complained that “the European Union has every reason to investigate very thoroughly.” Yet, EU institutions have kept quiet about it so far, dubbing it a matter for national authorities to investigate.

In ‘t Veld has previously told EURACTIV about her dissatisfaction with the Commission’s lack of action regarding spyware. In the Commission’s view, enforcing the law on spyware is up to the member states. However, in ‘t Veld thinks that is just a “fig leaf” and a pretext for the institution not to do its job….

EURACTIV filed an access to document request to the European Commission requesting to access internal documents related to Pegasus, Predator, and spyware in general. The request was denied based on the high sensitivity of the information.

The issue might get harder for von der Leyen and company to ignore after the Jan. 29 ECHR announcement that it will hear the landmark case brought by Koukakis. Depending on the court’s ruling, it could have major implications for state surveillance across the EU.

⚖️@ECHR_CEDH has ruled admissible the appeal of @nasoskook for his surveillance by 🇬🇷 National Intelligence Service (EYP) on grounds of “national security” during 2.5 months in 2020 (20 June – 18 August).https://t.co/XJLMJldL3A pic.twitter.com/boqZ43zbQm

— Vas Panagiotopoulos (@criticalvas) January 30, 2024

The case is expected to be heard in June, after both sides – the Greek State and the journalist – have submitted their formal positions to the preliminary questions of the @ECHR_CEDH. If all goes to plan, the decision will be announced in September.

— Vas Panagiotopoulos (@criticalvas) January 30, 2024

The EU likes to consider itself a champion of human rights. (The Charter of Fundamental Rights of the European Union includes the respect for private and family life (Article 7) and the protection of personal data (Article 8)). It has denounced the use of spyware, and yet the bloc is increasingly deploying its own homegrown spyware and other advanced surveillance technology.

US & EU HYPOCRISY

The EU and the US in recent years have tried to shift the blame of the proliferation and illegal use of spyware onto Israel and its notorious NSO Group. The US has even blacklisted NSO, Intellexa, and Cytrox. There’s no doubt that Israeli companies have been at the forefront of these technologies, but the criticism coming from Washington and Brussels has little to do with the fact that such surveillance is a violation of human rights and antithetical to a functioning democracy.

The case in Greece is already helping to shed light on how widespread the use of spyware is in the EU. A European Parliament report from last year shows the bloc’s surveillance problem goes far beyond Pegasus and Predator. A few takeaways:

• “Member States are not just customers of commercial spyware vendors, they also have other, different roles in the spyware trade. Some host spyware vendors, some are the preferred destination for finance and banking services, and yet others offer citizenship and residency to protagonists of the industry.”
• “… concerns have been raised about certain countries’ permissive intelligence frameworks, ineffective checks, lax oversight practices and political interference.”
• “Spyware is clearly also used by law enforcement, not just by intelligence agencies. There are serious concerns about the admissibility in court of such material as evidence in the context of EU police and justice cooperation, including within Europol and Eurojust, if such information were to originate from investigation methods applied without proper judicial oversight. Depending on the national legislation, the use of spyware is legitimate in investigations under judicial oversight.”
• “It can be safely assumed that authorities in all Member States use spyware in one way or another, some legitimate, some illegitimate. Spyware may be acquired directly, or through a proxy, broker company or middleman. There may also be arrangements for specific services, instead of actually purchasing the software. Additional services may be offered, such as training of staff or the provision of servers. Spyware is not to be seen in isolation, but as part of a wide range of products and services offered in an expanding and lucrative global market. It is important to realise that the purchase and use of spyware is very costly, running into millions of euros. But in many Member States this expenditure is not included in the regular budget, and it may thus escape scrutiny.”

At a recent major defense expo in the heart of France there were no Israeli spyware firms to be found. They are facing pushback from worldwide clients, but it has nothing to do with their treatment of “human animals” in Gaza and the West Bank.

No, the reason was largely because US and EU firms want a bigger share of the market for offensive spyware and have been critical of Israeli companies in the same field, such as NSO Group and its Pegasus spyware.

While the US blacklists Israeli and Israeli-owned spyware firms, it continues to develop and deploy even more powerful surveillance tools against Americans and the rest of the world. Researchers have documented over two thousand U.S. law enforcement agencies that have procured digital forensics technology, which require physical possession of a target’s device in order to install, but the level of intrusiveness can be even greater than that of remote spyware technology. Antony Loewenstein writes in “The Palestine Laboratory” that “the likely reason behind Biden’s moves against NSO was US concerns that an Israeli company was encroaching on American technological supremacy.”

There are also European firms who were out in force at the Milipol Paris showcasing the same abilities that the West criticized NSO for. From Haaretz:

Though Israeli offensive cyber firms did not attend, their European competitors did: RCS, producer of the Hermit spyware that is considered a competitor of NSO’s Pegasus; Memento Labs, formerly known as Hacking Team; and IPS-Intelligence, all Italian firms, were present. Alongside these known spyware vendors, previously unreported ones also pitched on the expo floor: Invasys, a Czech firm being revealed here for the first time, offered an “offensive cyber” program Kelpie with the ability to hack iPhones and Android and thus access fully encrypted communications apps.

Mitsotakis’ Embrace of Surveillance

One area where Greece’s case differs from the rest of European countries using spyware is in the level of involvement from the prime minister’s office.

The European nations, by and large, leave it up to domestic intelligence to conduct such surveillance, but Greek PM Kyriakos Mitsotakis took a more hands-on approach. One of his first acts as prime minister was to put Greek intelligence under his office’s direct control. (While his office has denied the use of any illegal spyware technology, that doesn’t mean data couldn’t have been purchased from a private operator).

In May of 2022 Mitsotakis delivered a speech to the US Congress, waxing on about democratic values. The American government and US companies were impressed. Washington has been funneling military equipment to Greece at an increased rate in recent years.

Just last month, it was reported that the Biden administration is offering the Greek government three 87-foot Protector-class patrol boats, two Lockheed Martin C-130H airlifters, 10 Allison T56 turboprop engines for Lockheed P-3 patrol planes plus 60 M-2 Bradley fighting vehicles and a consignment of transport trucks. And it’s all free, made available under “excess defense articles.” Elsewhere, Athens is buying a larger arms package that includes 40 Lockheed F-35 stealth fighters, for $8.6 billion.

The Greek newspaper Kathimerini recently reported that the country is preparing to transfer S-300 long-range surface-to-air missile systems to Ukraine, in direct violation of its decades-old deal with Russia. When Athens received the weaponry from Moscow back in 1998 it agreed to never give it to another country (let alone one that is at war with Russia).  Such a move would poison longstanding good ties between Athens and Moscow.

But Athens’ demonstration of its non-agreement capability is just another sign that it is now a wholly-owned subsidiary of the US. More evidence: in 2022 Greece canceled the long-planned privatization for the Alexandroupolis port with Mitsotakis declaring it too precious of a resource to relinquish. Instead it has been gifted to the US, which has made a fortress out of the port 18 miles from the Turkish border. In November, Greece closed a deal to bring a floating gas storage and regasification unit to the port– which will be serviced by American LNG supplies that can be fed into a pipeline from Alexandroupolis north to Bulgaria.

Mitsotakis has been lauded by the Wall Street Journal for opening up Greece to US companies:

Pfizer—led by Greek-American Albert Bourla —announced plans for new digital labs in Thessaloniki, Mr. Bourla’s hometown. Last year, Microsoft made an even bigger show of confidence in Greece by announcing plans for three new data centers to serve the broader region. Microsoft won’t put a value on the investment, but local officials have said it is more than $100 million.

“We took a bet, but we think it will be a very good bet,” said Theodosis Michalopoulos, Microsoft’s general manager for Greece, Cyprus and Malta.

Bureaucracy and outdated regulations have slowed work developing the data centers, which will take years, he said. “It hasn’t been easy, but we’re getting through.”

Amazon was given the red-carpet treatment. According to Vice:

As Athens is being roiled by government surveillance, a different kind of surveillance is taking place in the Aegean with Astypalea not the only petri dish for large corporate interests: Amazon has its eyes on the Greek island of Naxos, which has a population of 22,000. Naxos is billed as a “smart hub,” for Amazon Web Services, which plans to upgrade much of the island’s services. The project is reportedly the product of a star-studded dinner in the summer of 2021 between Jeff Bezos and Mitsotakis, with actor Tom Hanks and fashion designer Diane von Furstenberg also in attendance. …

Drones are a key component of the project, and will reportedly not only be used to drop medicines to remote areas but also be military-grade and could aid coast-guards in “vessel monitoring.” Amazon plans to upgrade the island’s internet as well as facilitate remote medical consultations, introduce “smart taxi payments, smart parking sensors and electric vehicle chargers.” The company also plans to “smarten” the waste and water management but has not specified how.

Mitsotakis also signed a zero-cost deal with Palantir that gave the company wide-ranging access to Greek citizens’ personal data, but it was later canceled after intense backlash in the country.

There’s this idea that the spyware revelations mean that Mitsotakis pulled the wool over the eyes of such outfits. A 2022 guest essay in the New York Times by Alexander Clapp, for example, pushed this narrative:

The problem here is not that corruption under Mr. Mitsotakis is necessarily more endemic than under previous Greek governments — or in many other European countries. (Opposition leaders and journalists have been targeted by spyware in France, Spain, Hungary and Poland.) It is, rather, the unsustainable contradiction between the country Mr. Mitsotakis insists on pitching abroad — an unimpeachably democratic state whose respect for the rule of law and liberal bona fides ought to be rewarded with corporate investments and tourism dollars — and the one he actually presides over.

What this fails to consider is that the Mitsotakis government made Greece a more attractive location for US firms because of its embrace of surveillance – whether conducted by the government or by private companies. Or was it really just Mitsotakis talking up the rule of law and democracy that led Palantir, Microsoft, Amazon, and others to suddenly become so interested in opening up shop in Greece?