Data Protection Complaint: Use of Pegasus violates fundamental rights
In September 2021, the GFF lodged a complaint with the Federal Data Protection Commissioner against the Federal Criminal Police Office’s use of the spyware “Pegasus”.
The GFF has lodged a complaint with the Federal Data Protection Commissioner, Ulrich Kelber, against the use of Pegasus spyware by the Federal Criminal Police Office (BKA). “Through the use of this Trojan, a private, foreign company – which is suspected of spying on journalists and human rights activists on behalf of authoritarian states – gains access to highly sensitive data belonging to citizens in Germany,” said David Werdermann, GFF’s case coordinator. “Apart from the fact that the software is unlikely to comply with the standards applicable in Germany, such outsourcing of state tasks violates fundamental rights.”
In 2021, it emerged that the BKA had secured the services of the Israeli NSO Group and has been using the “Pegasus” software since that year. “Pegasus” is spyware that is secretly installed on smartphones to access data and intercept encrypted communications. The NSO Group faces international criticism for allegedly spying on journalists, human rights activists, lawyers and dissidents, as well as foreign politicians and diplomats, on behalf of authoritarian states. The BKA states that it uses a modified version of the software. However, it is doubtful whether this meets the requirements that German law imposes on the use of state Trojans. In particular, it would violate fundamental rights if sensitive data, such as intimate messages or nude images, were first stored on NSO Group servers and only deleted subsequently. The GFF hopes that its complaint will prompt the Data Protection Commissioner to review the software and object to its use by the BKA.
The GFF also criticises the fact that the Federal Criminal Police Office infects smartphones with the Trojan by exploiting security vulnerabilities that are kept secret. If security vulnerabilities are not reported to manufacturers, they cannot be patched. This weakens IT security as a whole. Following a complaint by the GFF, the Federal Constitutional Court ruled in June 2021 that German authorities must weigh up the benefits for investigations against the risks to IT security when keeping security vulnerabilities secret. According to media reports, the Federal Government now plans to introduce such a vulnerability management system.
“The planned introduction of a vulnerability management system is a long overdue step, which we owe to our constitutional complaint against the state Trojan in Baden-Württemberg,” said Ulf Buermeyer, Chair and Legal Director of the GFF. “However, the federal government is acting inconsistently by continuing to use the NSO Group’s Pegasus Trojan. In view of the global spying attacks on journalists and human rights activists, the security vulnerabilities exploited by Pegasus must be reported to the manufacturers immediately.”