Spyware Is Running Amok in Europe, EU Lawmaker Warns (bloomberg.com)
Spyware such as Pegasus is being deployed by state-run organizations across the European Union to snoop on politicians and journalists with virtually no EU-level oversight, according to a draft report for the bloc's parliament. From a report: The document on the use of surveillance spyware released on Tuesday said citizens can "safely assume that all EU member states have purchased one or more commercial spyware products" such as Pegasus, developed by Israel-based NSO Group. But, "no meaningful European oversight is in place; not to curb the illegal use of powerful spyware against individuals, nor to monitor the trade in these digital goods," lawmaker Sophie in 't Veld, the report's author, said in a statement. The 159-page document focuses on the use of spyware based on investigations of journalists and civil society groups and the parliament's own research missions.
One thing I don't understand (Score:4)
Re: (Score:3)
Re: (Score:1, Interesting)
Re: One thing I don't understand (Score:2)
Re: (Score:2)
I get the impression though, that for the most part no one really wants to hear it. Google, Apple, and your phone company, and literally every app on your phone is raping your data daily. Did anyone stop using TikTok? or phones?
I'm running on private/encrypted communications and server infrastructure and don't use social media or much of anything in the way of phone softwar
Re: (Score:2)
Re: Fake news (Score:3, Informative)
Re: (Score:2)
sorry but it looks like you don't know what he is talking about either, and i guess you are confused about the issue in general. gdpr doesn't do jack shit against state or other criminal surveillance.
Re: (Score:2)
Solution: Spyware derived evidence is inadmissible (Score:2)
Re: (Score:2)
you're not wrong, europe is usa's bitch, today more so than ever. but ... "lord biden" no less! ... lol, he is just an employee, they come and go, and power hasn't been using royal titles for a while. they simply rotate such celebrity puppets so the populace has the illusion of choice and can blame them for everything bad, then vote for the next fucking derp. it's a remarkably stable form of tyranny.
getting back on topic: in my country this pegasus thing has been used massively, and i would assume this it a
What is a good secure online comms method? (Score:2)
I want to communicate with certain parties securely, using public internet assets for storage and transport.
What's the best approach?
At this time I use public email accounts that are shared by myself and the other party. We use drafts to communicate, messages are never sent (messages are sent, but outside of private comms that are internal). Traffic accessing the account can be tracked, but not the internals (illegal content filters won't find things that aren't there).
I saw this scenario in a movie once,
Re:What is a good secure online comms method? (Score:5, Informative)
Draft emails are fun, but no, the filters have gone through them, I can almost guarantee that...
My choice:
Bought a raspberry pi (or the equivalent thereof).
Set up an XMPP server on it (ejabberd, but prosody is an equally good choice).
Set up tor on it, create a tor hidden service for the XMPP server.
Absolute must: set up TLS certificates for the XMPP server. It's a PITA, but the stream itself should be encrypted, and the cluster*** that is SSL is the only available thing.
If you want to federate, you need to force the XMPP server to connect through tor. (haven't done that, I didn't federate that server)
Check the server's logging preferences to log the bare minimum, and configure what lapse of history to store.
On Android I use Conversations.im (+orbot for tor), with OMEMO always enabled, and the initial QR code key verification.
Now, the tor part I only did for kicks as a PoC. My actual server is public facing.
Or use Signal. Doesn't pass my smell test -- no 3rd party client possible -- but seems better than all alternatives I looked at.
Actually Signal seems to be better than XMPP, as it doesn't need to store metadata in undelivered queues on its servers.
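The server-side steps in the comment above (TLS required, no federation, minimal logging, bounded history), written out as a Prosody configuration. This is an added example, not the poster's configuration (the poster ran ejabberd); the hostname, file paths and the one-week retention are placeholder assumptions.

```lua
-- Constructed example for /etc/prosody/prosody.cfg.lua (not the poster's config).
-- Matching torrc lines for the onion-only variant (tor syntax, not Lua):
--   HiddenServiceDir /var/lib/tor/xmpp/
--   HiddenServicePort 5222 127.0.0.1:5222

-- Listen on loopback only, so clients can reach the server solely through
-- the hidden service. Remove this line for a public-facing server.
interfaces = { "127.0.0.1" }

modules_enabled = {
    "roster", "saslauth", "tls", "disco",
    "carbons",  -- keeps a user's own clients in sync
    "mam",      -- server-side history (XEP-0313)
}

-- No federation: with s2s disabled there is no outbound server traffic
-- that would have to be forced through tor.
modules_disabled = { "s2s" }

-- Refuse any client stream that has not negotiated TLS.
c2s_require_encryption = true

-- Accounts are created by the admin with prosodyctl, not by strangers.
allow_registration = false

-- Log the bare minimum: errors only, no info or debug sink.
log = { error = "/var/log/prosody/prosody.err" }

-- History: archive only conversations with roster contacts and expire
-- stored messages after one week (assumed value, pick your own).
default_archive_policy = "roster"
archive_expires_after = "1w"

VirtualHost "placeholder.onion"  -- placeholder hostname
    ssl = {
        key = "/etc/prosody/certs/placeholder.onion.key";          -- placeholder path
        certificate = "/etc/prosody/certs/placeholder.onion.crt";  -- placeholder path
    }
```

Running `prosodyctl check config` after editing reports syntax errors and misplaced options. OMEMO and key verification happen in the clients and are not configured here.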
Re: (Score:2)
> Set up an XMPP server on it (ejabberd, but prosody is an equally good choice).
Silly question, why xmpp over IRC? the xmpp protocol is far more complex. The irc and/or bouncer connection is easily encrypted and if you want to be able to send messages while offline just have the front-end for everyone that they sign into be a bouncer.
Re: (Score:2)
because XMPP supports file transfers and A/V calls. Both p2p, if network configuration allows for it, but the server helps in case of NAT.
It also has server side history which allows inter-client sync, and if you're completely offline, eventually you get all the messages.
A specified e2e encryption scheme.
A stateful roster on the server.
Also once upon a time there existed a technology called "telepathy tubes" where your local text editor could collaborate with other text editors on different machines.
That's
Re: (Score:2)
Thanks for the detailed explanation. I did say using the "public internet as transport and storage".
And my comment on content filters was that I don't care about those, they can scan my stuff (nothing to see there).
I'm looking lightweight but "good" security. I outlined my approach, I don't keep much secret (most public details I divulge are accurate, those that aren't allow me to know where someone learned something...).
Regarding my few words, a friend of mine once said that he signed up for various thing
Re: (Score:2)
Once you leave unencrypted data on a remote machine, that data is gone, and considered given to the world. Aka - all security/privacy gone.
> (nothing to see there)
Until there is... That is a big and separate discussion.
Good read: https://unixsheikh.com/article... [unixsheikh.com]
> I'm looking lightweight but "good" security.
Define better your threat vector.
"good" security is defined by what you're trying to be secure from. Security from wolves isn't the same as from polar bears or mosquitos.
Same goes for IT security
Re: What is a good secure online comms method? (Score:2)
What is spyware anyway? (Score:3)
Nowadays, most android/iOS freeware and the Windows operating system itself can be considered spyware. Spying has become normalised and that is not a good thing
Re:What is spyware anyway? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
How can you not agree? Is it possible to not agree and access essential civil services? Can you use internet banking apps without agreeing to the iOS/Android ToS?
Without agreeing to the ToS of your ISP.
At this point you need to agree to multiple services' ToS to be a part of what we consider civilized modern society.
That, to me, doesn't qualify as choice or disclosure.
Well, technically you can use a non-intrusive OS, and a secure VPN channel. But that option isn't within the skill set of most people.
Re: (Score:2)
Re: (Score:2)
Correct, I slightly tried to nudge the discussion from "spyware/not spyware" to "what should be acceptable by citizens"
I got riled up by the mention of "I agree"
> though in GDPR jurisdictions you are limited to what kind of agreement you can demand
This is in my view a blessing.
I shall change my statement "That, to me, doesn't qualify as choice or disclosure." to only:
"That, to me, doesn't qualify as choice"
And disclosure without choice... Well. That's the point I wanted to bring up.
Already solved (Score:2)
Technical term (Score:2)
"Running amok" must be a technical term.
Yep (Score:2)
Blame the Operating system maker (Score:1)