German police bought and used controversial Pegasus spyware sold by the Israeli NSO Group in 2019, it has been revealed. The program has allegedly been used for high-profile spying by multiple governments.
The explosive revelation was made by Germany’s Die Zeit newspaper on Tuesday and was later confirmed by AFP, citing parliament sources.
According to Die Zeit, the Federal Criminal Police Office (BKA) opted to procure the highly controversial software after domestic efforts to develop a home-grown program to monitor suspects’ phones flopped. The home-grown software, known only as ‘Trojan,’ has been in the works for years. While said to be functional in principle, it has never actually been used, the paper said.
Instead, the agency turned to outsourcing, getting in contact with the Israeli-based cyber-security company NSO Group, known for its Pegasus spyware. The firm maintains it works only with government entities worldwide.
First discovered back in August 2016, the program made headlines earlier this year after a collective of 17 media organizations reported that it had been used on over 50,000 high-profile targets by multiple governments. The target list included politicians, journalists and government officials from different countries, with the revelation sparking several international scandals.
Die Zeit said German authorities were in contact with the Pegasus developer since at least 2017, when a company delegation reportedly showcased the program to the BKA in Wiesbaden.
The software boasts significantly wider functionality and spying powers than potentially allowed under German laws. NSO Group is said to have developed a watered-down version of Pegasus specifically for the BKA.
The procurement process, kept secret, began back in 2019, with the BKA acquiring its version of Pegasus
According to a separate report by Die Zeit, BKA Vice President Martina Link also admitted to using the program during closed-door hearings in the Bundestag interior committee on Tuesday. The BKA apparently told the committee that the program has been used in a “mid-single-digit number” of operations, some of them ongoing.
According to German laws, spying through smartphones and other electronic devices can be conducted only on individuals whose activities constitute an imminent danger, such as terrorism or organized crime. The matter is further complicated by a provision that even dangerous suspects have a right to have a “core area of private life” protected.
While such restrictions made the original Pegasus – which gains full access to data, cameras and microphones on an infected smartphone – unfit for use in Germany, the watered-down BKA version circumvented the restrictions, with illegal data supposedly not collected. Still, the data is believed to go through the NSO Group’s servers before actually getting to the BKA. While the agency insisted the data is transmitted only in “hashed” (non-readable) form, legislators expressed concerns over the opacity of the process.
“This is an outsourcing of state powers of intervention, here an intervention in the area of fundamental rights is being outsourced,” digital policy spokesman for the FDP parliamentary group, Manuel Hoferlin, said as quoted by Die Zeit.
Contracting NSO effectively resembled “hiring a bounty hunter” and hoping they would “break into the homes of suspects” in a legal fashion, the official added.