An investigative report conducted by two of Germany’s biggest newspapers and two of its public radio broadcasting stations has found that the country’s government secretly purchased the controversial Pegasus spyware in late 2020, allegedly using it in criminal investigations of terrorism and organized crime since March of this year.
The use of Pegasus spyware potentially violates rulings by the Federal Constitutional Court that limit digital surveillance of computers and phones to very specific circumstances. However, this is difficult to assess at this point, as the German government has avoided revealing details about how the tool has been used.
Pegasus spyware used covertly by German government throughout 2021
The report cites anonymous government sources in revealing that the German Federal Criminal Police Office (BKA) admitted to buying Pegasus spyware in a closed-door session of the Interior Committee of the Bundestag. The agency apparently went to great lengths to keep the purchase secret, overriding concerns of lawyers that use of the tool would exceed the authority granted by German privacy laws. The BKA confirmed to reporters that it had originally begun talking to the vendors of the Pegasus spyware in 2017 and made its first purchase in 2019, and it appears to have acquired a newer version with Trojan capabilities in November 2020.
The report says that the German government purchased a special version of the Pegasus spyware that has “certain functions” blocked to limit the possibility of abuse, though no further details were supplied in that area. The software has apparently been in use to invade phones and computers since March 2021; the BKA says that it has been used in “select operations” involving terrorism and organized crime.
Sold by Israel-based NSO Group since at least 2011, the Pegasus spyware was kept out of the public eye until it was discovered on the phone of a United Arab Emirates human rights activist in 2016. Follow-up investigation by cybersecurity firms Citizen Lab and Lookout revealed that the spyware was extremely sophisticated and essentially granted full surreptitious access to a target’s phone: activating the microphone and camera, tracking location, listening in on calls and reading text messages, exfiltrating files and logging passwords.
The Pegasus spyware has only become more of a concern since its discovery, as it has moved from delivery by spear phishing to the ability to exploit “zero-click” flaws in iMessage. NSO Group also appears to have access to a steady stream of zero-day Apple exploits that are not being reported to Cupertino or disclosed to the public.
The concern is not only the tool’s overwhelming technical capabilities, but also who ends up using it. NSO Group claims that it carefully vets customers and only sells to legitimate democratic governments that use it for lawful law enforcement purposes. Incidents of it being found in the wild on infected phones demonstrate otherwise: it has been used to track dissidents, activists and journalists by a wide variety of repressive governments, and it also appears to have leaked from corrupt officials in Mexico to some of the country’s drug cartels.
Government monitoring especially sensitive in Germany
Any revelation of secretive government monitoring will set off a flurry of concern, but the idea of “secret police” actions is particularly touchy in Germany for obvious historical reasons. The news comes on the heels of two new surveillance laws, adopted as amendments to existing laws in June, that legally enable the government to spy on phones and computers for the first time since 2008 and to circumvent encryption. However, the circumstances in which this is permitted are supposed to be extremely limited. There is particular nervousness in the country over the adoption of the sorts of police measures enabled by the Pegasus spyware, as the country has been dealing with infiltration of law enforcement by right-wing extremist groups, discovered from the contents of internal department chat groups.
The use of Pegasus spyware also puts the country in a difficult position regarding its regulation of big tech firms over concerns about privacy violations and anticompetitive practices. Just weeks ago, Bundestag Digital Agenda committee chairman Manuel Höferlin took Apple to task for its announced plan to actively scan user devices for potential child abuse images. Höferlin penned a letter to Apple CEO Tim Cook calling the new technology “a dangerous path” and “the biggest breach of confidential communication in internet history.”
The German Green Party has demanded a “full explanation” of Pegasus software use from Chancellor Angela Merkel’s administration, and the German Federation of Journalists has called for assurances that confidential sources have not been compromised. Amnesty International also responded by calling for the adoption of public procurement rules that consider the human rights record of the vendor before purchases are made. NSO Group vowed to cut off contact with the media in late July after being pressed repeatedly about leaks indicating that a range of repressive governments had been sold its product.