Pegasus - spyware that challenges the law.
Legal Watch No. 37 – July 2021
In July, the Pegasus project revealed the unprecedented scale of surveillance made possible by Israeli spyware that can extract data from, and listen in on, smartphones running iOS or Android.
This is the conclusion of an international investigation conducted by the NGO Forbidden Stories, with the help of Amnesty International and the Citizen Lab at the University of Toronto, as well as 17 major international media outlets, including Le Monde and The Guardian.
While the software had been reported on before, the new revelations give a much clearer picture of the extent of surveillance carried out without the knowledge of smartphone users.
Around 50,000 telephone numbers were reportedly selected as potential targets, including around a thousand in France, belonging to civil society actors, journalists and politicians.
Among the 55 countries listed as clients of NSO Group, which markets the software, are Saudi Arabia, the United Arab Emirates, India, Hungary, Rwanda, Mexico and Kazakhstan.
NSO claims to follow a strict ethics policy and only deals with intelligence and law enforcement agencies for the purposes of combating crime, terrorism, drug trafficking and pedophilia.
These allegations, as well as the assurances given by the software owner, raise practical and legal questions.
Even if guarantees are obtained before the software is sold, what real means exist to verify that NSO's official clients comply with their contractual framework, and to prevent use by unauthorized parties or against political or civil society "targets"?
The particularly intrusive nature of this technology, which is virtually undetectable for the user, raises questions about the regulation of surveillance techniques in the international and European context.
In Europe, law enforcement has specific investigative powers, but these are strictly framed by data protection law: the GDPR, and, for processing by competent authorities for criminal law purposes, the national laws transposing the European "police-justice" Directive (EU) 2016/680 of April 27, 2016.
In France, this transposition is found in Chapter XIII of the Data Protection Act (loi Informatique et Libertés).
Processing carried out for state security or national defense purposes is excluded from the scope of the European directive, but remains subject in France to the Data Protection Act.
The clandestine introduction of spyware into computer systems can only be authorized under specific legal provisions.
The matter is regulated by laws no. 2015-912 of July 24, 2015 relating to intelligence and no. 2017-1510 of October 30, 2017, known as the SILT law.
The CNIL also points out that such measures require evidence of a concrete threat to the physical integrity, life or freedom of persons, or of an attack on the fundamental interests of the nation.
While the principles of the law do apply, however, the CNIL has no power to audit the files kept by the intelligence services.
In its recent opinions on the bill on the prevention of acts of terrorism and intelligence (since adopted), it reiterated its request to be able to exercise its supervisory powers in a manner adapted to the new investigative techniques.
It also called for strengthening the powers of the National Commission for the Control of Intelligence Techniques (CNCTR).
Both the CNIL and the European Data Protection Board (EDPB) stress the importance of effective oversight in the field of intelligence and state security, particularly as processing becomes ever more intrusive and relies on cutting-edge technologies that ignore borders.
These requirements are among the criteria cited by the EDPB in its recent Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, which set out the safeguards third countries must provide for the EU.
They aim to protect European data from disproportionate interference in the event of international transfer.
Given the increasing ease with which communications data can be intercepted, more fundamental questions arise about the technical measures that should be taken to limit these risks.
In its statement of March 9, 2021 on the "ePrivacy" Regulation, the EDPB emphasizes the need to protect the confidentiality of communications at every stage of the communication process, and to encrypt data.
In the same vein, the question arises whether "back doors" should be maintained in communication terminals for intelligence purposes: an access mechanism built in for one party can be found and used by others, at the risk of multiplying abuses and diversions of data beyond any control.
And also
France:
The CNIL has published its position regarding the mandatory extension of the “health pass” in certain places.
Without calling the principle of the pass into question, it recalls the need to limit its use to a context of demonstrated health emergency, asks that Parliament evaluate the system in the autumn, and underlines the ethical aspects of the problem, which go beyond questions of data protection.
It asks the legislator to take into consideration "the risk of habituation and trivialization of such devices that infringe on privacy, and of a shift, in the future and potentially for other reasons, towards a society where such controls would be the norm and not the exception."
Also in connection with the health crisis, the CNIL has reiterated the principles to be respected when communicating to doctors the list of their unvaccinated patients.
Two sanctions imposed by the CNIL on July 22 and 28 are worth noting:
- on the one hand, against the AG2R La Mondiale group, for an amount of 1.75 million euros, for failure to comply with GDPR obligations on data retention and on informing individuals;
- on the other hand, against the Monsanto Company, for an amount of 400,000 euros, for not having informed the people included in a lobbying file.
ANSSI and DINSIC have published a guide explaining, in practical and concrete terms, how agility and security together contribute to the secure development of projects and to the management of digital risk.
The guide offers step-by-step support, workshop by workshop, with concrete examples and method sheets.
Europe:
Amazon has just been fined a record €746 million by the Luxembourg data protection authority (CNPD) for non-compliance with the principles of the GDPR, and in particular for advertising targeting without the consent of the data subjects.
The decision of July 15 follows a collective complaint initiated by the civil liberties association La Quadrature du Net, filed with the CNIL in France and referred to the Luxembourg authority because Amazon's European headquarters is located in Luxembourg. The company has announced that it will appeal the decision.
The Dutch Data Protection Authority has fined TikTok €750,000 for failing to provide clear information on its data processing.
The privacy information, available only in English, was deemed incomprehensible to children, who are the application's main users.
International:
UNITED STATES: The National Institute of Standards and Technology (NIST) has published a draft guide, "A Proposal for Identifying and Managing Bias in Artificial Intelligence" (Special Publication 1270), on identifying and managing bias in artificial intelligence systems.
Zoom has agreed to pay $85 million to settle a lawsuit in the United States.
It was accused of sharing its users' data with third parties and of failing to protect them from "zoombombing", in which uninvited participants intrude into meetings.
The company has committed to training its employees on data protection and to strengthening its security measures.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.