Revelations come ahead of the first meeting of an inquiry into breaches of EU law associated with the use of Pegasus
‘The Spanish government needs to come clean over whether or not it is a customer of NSO Group’ – Likhita Banerji
European Union institutions are failing to end the rampant human rights violations committed with spyware, Amnesty International said today, after the organisation independently confirmed new attacks using Pegasus spyware against prominent Catalans.
New research by the Citizen Lab has revealed how scores of Catalan politicians, journalists and their families were targeted with NSO Group’s Pegasus spyware between 2015 and 2020. Technical experts from Amnesty’s Security Lab have independently verified evidence of the attacks.
Confirmed targets include Elisenda Paluzie and Sònia Urpí Garcia, who work with the Assemblea Nacional Catalana, an organisation that seeks the political independence of Catalonia from Spain. Elisenda Paluzie is the current president of the group.
Catalan journalist Meritxell Bonet’s phone was also hacked in June 2019. She was targeted in the final days of a Supreme Court case against her husband Jordi Cuixart, an activist and former president of Catalan association Òmnium Cultural, who was sentenced on a charge of “sedition”.
Politician, university professor and Catalan activist Jordi Sànchez was extensively and persistently targeted with Pegasus from as early as September 2015 until July 2020. Between 2015 and 2017, he was president of the Assemblea Nacional Catalana. His phone was successfully compromised with Pegasus on 13 October 2017, days before his arrest by Spanish authorities on a charge of “sedition”.
In October 2020, Amnesty wrote to the Spanish government asking it to release information on all contracts with private digital surveillance companies, which was not disclosed. Amnesty also approached the Spanish Ministry of Defence, requesting information on Pegasus use from the National Intelligence Centre. They responded, stating that such information falls under classified subjects. NSO states that it only sells to governments and that its tools are meant to be used to combat serious organised crime and terrorism.
The revelations come as a European Parliamentary Committee of Inquiry is set to hold its first meeting on Tuesday (19 April) into breaches of EU law associated with the use of Pegasus and equivalent spyware – a direct result of the Pegasus Project revelations in July 2021. Last week, Reuters reported that senior EU figures had been targeted with NSO Group’s Pegasus.
Likhita Banerji, Amnesty International’s Technology and Human Rights Researcher, said:
“The Spanish government needs to come clean over whether or not it is a customer of NSO Group. It must also conduct a thorough, independent investigation into the use of Pegasus spyware against the Catalans identified in this investigation.
“We urge the European Parliament Committee of Inquiry to leave no stone unturned when documenting the human rights violations enabled by unlawful spyware, including by investigating these new revelations.
“Governments around the globe have not done enough to investigate or stop human rights violations caused by invasive spyware like Pegasus. The use, sale and transfer of this surveillance technology must be temporarily halted to prevent further abuses of human rights.”
Amnesty’s Security Lab peer-reviewed forensic evidence from a sample of individuals first identified in the Citizen Lab investigation, and found evidence of Pegasus targeting and infection in all cases.
Unlawful use of spyware
Amnesty, alongside other civil society organisations, has previously documented the widespread and unlawful use of spyware against activists, politicians and journalists around the globe, including as part of the Pegasus Project.
NSO Group has not taken adequate action to stop the use of its tools for unlawful targeted surveillance of activists and journalists, despite the fact that it either knew, or arguably ought to have known, that this was taking place. NSO Group must immediately shut down clients’ systems where there is credible evidence of misuse of its tools.