“We all carry a spy in our pocket” – Natalia Krapiva of Access Now on the surveillance of journalists and civilians
Governments around the world are acquiring increasingly sophisticated spyware, often in the name of fighting crime and terrorism, which often end up being used against journalists and activists, sometimes even in democratic states. Natalia Krapiva, Senior Tech-Legal Counsel at Access Now said to Átlátszó that governments – including Western democratic states – often act as if fundamental rights stop existing in the digital sphere. After the elections, the new Hungarian government – just like its Polish counterpart – promised to reveal the scope of Orbán-era spying. According to Ms. Krapiva, this is a good start, but more protections are needed to prevent future governments from abusing their powers.
Natalia Krapiva is Senior Tech-Legal Counsel at Access Now, a global human rights organisation that works to defend and extend digital rights around the world. A member of the New York State Bar and former prosecutor at the Brooklyn District Attorney’s Office, Krapiva leads Access Now’s strategic litigation and accountability work, including investigations into spyware and state-sponsored digital attacks against civil society.
Átlátszó: In the past few years, many journalists and activists have reported an increase in online surveillance, hacking attempts, and other forms of attacks. What do you consider to be the most dangerous source of attacks on journalists and activists?
Natalia Krapiva: The most dangerous actor is often the government, especially in countries with weak democratic institutions and limited legal protections for citizens. The problem is not confined to domestic repression. We increasingly see transnational attacks, where refugees and dissidents are targeted abroad by the governments they fled.
Technology companies can also be complicit. They may enable government unlawful surveillance or fail to prevent abuses. In some cases, companies themselves collect data in ways that violate rights or can facilitate abuses, for example, by selling user data.
The collection of data for advertising purposes is particularly problematic. One example is a form of spyware known as AdInt, which uses advertising infrastructure and data to target individuals. In many cases, Big Tech’s commercial incentives align with governments’ desire to monitor people.
The Hungarian government likely used Cobwebs illegally in violation of GDPR.
In the US there is more potential for this technology because the data protection laws are laxer. However, even there some agencies already dropped contracts due to uncertainty over its legality.
Earlier in June, we reported on a study by the Belgrade Centre for Security Policy about digital attacks on activists and journalists. One of their most surprising findings was that such attacks were more common in West- and North-European countries than in non-EU states in the Western Balkans. Is this a new phenomenon, or did Western governments always employ such tactics, just with less advanced technology?
Governments, including democratic governments, have always had an instinct to try to know what is happening in areas they do not fully control. Journalists are of particular interest if they investigate crime and corruption and have sources the government also wants to know about.
However, new technologies have made surveillance much easier.
Everyone today carries a mobile phone. In many ways we carry a spy in our pockets.
Several European countries have been proven to use spyware. Italy has been connected to Paragon, Spain to Pegasus and Greece to Predator. The problem is that there are very few ways for surveillance targets to know whether they have been monitored, while government transparency on such actions remains very limited. On paper, governments may purchase spyware to target terrorists and criminals. But when there is a journalist exposing corruption, the temptation to use these tools against them can be very strong, particularly if there are no consequences of surveying citizens.
In some of the most well-know cases of secret surveillance of journalists, the targets were reporting on illegal migration and border enforcement. Governments tried to justify their surveillance by saying that they had insight into criminal activities, or other actions that could pose risks to national security. Do such connections justify monitoring them?
Governments may make that argument, but both national and European laws protect privacy, freedom of expression and access to information. Any surveillance measure must be proportionate to the threat. Use of spyware against someone who may be talking to an individual who is under suspicion of having committed a crime does not provide a strong justification for such monitoring, and by that logic, the surveillance of almost anyone could be justified.
Journalists, by the nature of their work, communicate with a wide range of sources, including government officials and members of criminal organisations. The same is true for lawyers, who are also becoming targeted by intelligence agencies in an increasing frequency. Surveillance of these professions can therefore be disproportionate to any alleged threat. The same concerns apply to NGOs assisting vulnerable groups. It is extremely difficult for them to do their work if they know they are constantly being watched.
The surveillance of lawyers is particularly concerning because attorney-client confidentiality is a fundamental legal protection. Around the world, however, we continue to see lawyers being targeted. In Poland and Mexico for example, Pegasus was used to monitor a prosecutor, as well as international investigators investigating organized crime.
Is the problem that laws have not yet caught up with technology, or that governments do not respect the laws that already exist?
Most countries already have constitutional protections for privacy. The problem is that many governments act as if these protections do not apply to new technologies. At Access Now,
we argue that fundamental rights exist in the digital sphere just as much as in the so-called real world.
It is important to consider what exactly is being surveilled. Today, a smartphone is almost an extension of a person’s mind. If governments can access it, they gain access to an enormous amount of highly sensitive information.
What about situations where authorities are not spying on people directly but instead use data already collected by others, such as internet service providers and social media companies? Using these datasets, a state may gather information about someone without even directly bugging their phones.
Personal data requires stronger protection from third parties. A knowledgeable actor can infer a great deal from something as simple as an IP address or a phone number. Some companies even sell data collected through cookies, legally or illegally. For example, in the US, the police can purchase personal data from data brokers and use it in investigations, a practice that digital rights organizations have argued is unconstitutional.
Banking data is another major issue because our purchases reveal a great deal about us. This is especially problematic in the United Statesas it has weaker data protection, compared to the EU countries. However, as in the case of Hungary, some EU states may also be potentially violating GDPR by using purchased advertising data for surveillance without the knowledge or consent of individuals.
How would it be possible to prevent such data from being used to attack activists or journalists?
Globally, there should be much greater transparency regarding how this data is collected and who it is shared with and for what purposes. States need to ensure there is strong regulation requiring companies to provide legal basis for collecting and processing information and that they provide their users with informed consent and an opportunity to object. At the moment, data collection often relies on users simply ticking a box next to a disclaimer, and sometimes not even that. Companies must provide real choice to the users, not an illusion of a choice.
For example, the collection of data should be limited to what is lawful, but also necessary and proportionate to a legitimate aim.
There should also be strict rules governing who within the government can access collected information. Governments already possess enormous amounts of data, and access to it should be minimized and compartmentalised. For example, there is no reason for a president of the country to be able to access any citizen’s data collected by services at will.
This is one reason why we oppose digital identity systems that centralize all personal information in one place and make it accessible to government authorities. Another very dangerous proposal is requiring internet users to provide their identity documents to register for social media or other popular online services. Such a requirement would largely eliminate the need for spyware because surveillance would become built into the system itself, depriving people of privacy and anonymity and making persecution and abuse far easier.
Despite government’s general desire for control, Access Now has been working with governments to draft legal and operational protections against surveillance. Which governments have been the most receptive, and what were you able to achieve?
We take a multi-pronged approach to fight surveillance. First, we help NGOs protect themselves from digital attacks and investigate incidents that have already taken place. Second, we engage in advocacy. We work with national governments, the European Union, and the United Nations, presenting the findings of our investigations and advocating policy changes, including restrictions on the use and sale of spyware and greater accountability for companies and governments.
Interestingly, some of our biggest successes have come in the United States rather than Europe. Both the previous and current U.S. administrations have imposed restrictions and sanctions on companies such as NSO Group, Intellexa, and Candiru. These measures have been effective because these companies want access to the U.S. market.
For the United States, spyware is also viewed as a national security issue.
American officials have been targeted with Pegasus abroad, and because these tools are developed by foreign companies, the information they collect may end up on foreign servers accessible to other governments.
In Europe, we are supporting legal cases against spyware companies. Litigation may ultimately prove more effective here, as demonstrated by criminal proceedings in Greece.
We hope that European governments will also impose sanctions and stop using these tools themselves. Even governments such as those of the Netherlands, Germany, and Belgium have been reportedly users of Pegasus spyware. Germany, for example, that it operates a customized version of Pegasus.
The Hungarian governments also have a history of using Pegasus and the Devil’s Tongue spyware against journalists and political opponents. The new Hungarian government have promised to publish documents about politically motivated covert surveillance operations ordered since 2010, which signals at least some willingness to rectify this issue. By your experience, how would a meaningful reform be possible in Hungary?
We currently cooperate with Hungarian partners, including civil society organisations such as TASZ, and hope to deepen that cooperation after the elections.
As for possible changes in Hungary, Poland offers an important precedent. The new Polish government increased transparency regarding the use of Pegasus, notified victims, declared certain surveillance practices unlawful and launched prosecutions. It is encouraging that similar issues are now part of the public debate in Hungary.
At the same time, it is not enough simply to investigate the wrongdoing of previous governments. Poland has not yet introduced sufficient safeguards to prevent future governments from abusing spyware. The recommendations of the European Parliament’s PEGA Committee could provide a useful framework.
If these recommendations are implemented, countries such as Poland and Hungary could become examples for others, including Italy, Spain, or Greece. We also hope that civil society organisations that were previously targeted can play a role in designing and implementing safeguards against unlawful surveillance.
Written and translated by Zalán Zubor, the Hungaran version of the story is here. Cover photo: Natalia Krapiva/Acces Now, montage by Átltszó
Share:
Your support matters. Your donation helps us to uncover the truth.
- PayPal
- Bank transfer
- Patreon
- Benevity
Support our work with a PayPal donation to the Átlátszónet Foundation! Thank you.
Support our work by bank transfer to the account of the Átlátszónet Foundation. Please add in the comments: “Donation”
Beneficiary: Átlátszónet Alapítvány, bank name and address: Raiffeisen Bank, H-1054 Budapest, Akadémia utca 6.
EUR: IBAN HU36 1201 1265 0142 5189 0040 0002
USD: IBAN HU36 1201 1265 0142 5189 0050 0009
HUF: IBAN HU78 1201 1265 0142 5189 0030 0005
SWIFT: UBRTHUHB
Be a follower on Patreon
Support us on Benevity!
