An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies.
The group of 39 politicians referred to recent investigations that revealed countries such as Italy, Greece, Hungary, and Spain have funnelled millions of taxpayer euros at a time to help support commercial spyware-makers' finances.
They wrote: "According to these findings, entities such as Intellexa, Cy4Gate, Verint and Cognyte – whose technologies have been linked to unlawful surveillance of journalists, human rights defenders and political actors in the EU, as well as in third countries with dreadful human rights records – have benefitted from public financing, including EU programmes.
"This raises serious questions about the governance, transparency, and accountability of the Union's funding mechanisms. In the light of the scandals uncovered in Italy, Greece, Poland, Hungary, and Spain, among others, and of the recommendations of the PEGA inquiry, it is deeply troubling that the Union is directly or indirectly enabling tools that erode democracy, fundamental rights, and the rule of law."
MEPs cited investigative journalism from Follow The Money, which revealed in September that institutions such as Spain's public-funded Centre for the Development Of Industrial Technology (CDTI) handed over €1.3 million (c $1.5 million) to now-shuttered spyware peddler Mollitiam Industries.
Funding findings According to FTM, EU science research program Horizon 2020 awarded €1.74 million (c $2 million) to projects that involved Innova, which supplied surveillance tools to Italian prosecutors' offices. The European Regional Development Fund and the European Social Fund also funded Innova around €41,350, and the former additionally doled out around three-quarters of the money for a project run by Movia between 2019-2021, a company that develops the Spider spyware. Various other EU programs have contributed funds to other spyware companies, such as Area, Memento Labs (formerly Hacking Team), and Negg Group, FTM claimed. Perhaps most controversially, the European Commission awarded a €60,000 (c $70,500) contract to France-based Nexa Technologies in 2015. At the time, Nexa was part of the Intellexa Alliance of spyware companies, which in turn was linked to the Intellexa Consortium, which was previously sanctioned by the US for its involvement in the infamous At the time, Nexa was part of the Intellexa Alliance of spyware companies, which in turn was linked to the Intellexa Consortium, which was previously sanctioned by the US for its involvement in the infamous Predator spyware
Likewise, Italy's state-owned bank, Mediocredito Centrale, was found to have acted as a guarantor to a €2.5 million (c $2.9 million) loan to Dataflow Security, an Italy-based commercial spyware developer.
FTM said that it did not prove that any of the money, in any of the cases it found, was used to directly fund spyware development, although funding was provided in several instances.
The letter addressed to senior commissioners Henna Virkkunen (Finland), Michael McGrath (Ireland), and Piotr Serafin (Poland) – who oversee tech, justice, and anti-fraud respectively – requested greater transparency over how EU funds were distributed, among other matters.
Various questions were raised by the MEPs, such as how the European Commission verifies the integrity of the entities that receive EU funds, whether any risk assessments are carried out before investments are made to spyware companies, and how much money in total has been awarded to these organizations.
They also asked for answers on how the Commission plans to ensure its funding mechanisms align with its stances on matters such as human rights and digital resilience, and why it has not implemented the recommendations made by the PEGA inquiry.
The Register approached the European Commission for a response to the letter.
For the uninitiated, the PEGA inquiry was launched in 2022 following reports of several EU governments using NSO Group's Pegasus spyware a year earlier, and three years after Saudi journalist Jamal Khashoggi's murder.
The results were published in 2023, branding the pervasive spyware use "Europe's Watergate" and a "severe violation of all the values of the European Union."
The report stated: "The spyware scandal is not a series of isolated national cases of abuse, but a full-blown European affair.
"EU Member State governments have been using spyware on their citizens for political purposes and to cover up corruption and criminal activity. Some went even further and embedded spyware in a system deliberately designed for authoritarian rule."
Among the main recommendations made by the PEGA committee were to restrict law enforcement's use of spyware only to exceptional cases, protect sensitive targets like politicians, lawyers, and doctors, and to set the conditions for legal use.
The 39 MEPs asked the European Commission to additionally commit to launching an immediate public review of EU subsidies flowing into spyware companies.
In that review, the politicians specifically requested details on all funds issued and awarded to spyware companies since 2015, a commitment to excluding all spyware vendors from future EU funding instruments, and a follow-up on the PEGA recommendations.
"Citizens of the Union have the right to know whether their taxes are being used to finance technologies that endanger their fundamental rights," they wrote.
"As Members of the European Parliament, we expect your full cooperation in ensuring accountability and restoring public trust."
Rebecca White, researcher and advisor on targeted surveillance at Amnesty Tech's Security Lab, said she and Amnesty support the letter, and highlighted the Commission's lack of communication on the matter.
She told The Register: "At Amnesty, we've documented for many years how spyware has enabled human rights abuses in Europe and beyond, and how the surveillance industry is under-regulated and thriving.
"The European Commission has remained silent. These latest allegations should alarm all of us.
"They suggest that not only is the EU failing to put out the fire, they're fanning the flames. We welcome this collective call for transparency and explanations – the Commission can no longer wash its hands of Europe's complicity in the spyware crisis, which is fuelling human rights abuses across the world."
Aljosa Ajanovic Andelic, policy advisor at European Digital Rights (EDRi), echoed the MEPs' request for a ban on spyware.
He said: "The lack of action by the Commission when it comes to spyware is appalling and dangerous. In fact, not only have they not done anything to stop the proliferation of shady spyware vendors in the EU, they actually used EU taxpayers' money to directly fund the industry. This has to stop, and we are calling for a full ban on commercial spyware in the EU."
"As the largest digital rights network in Europe, our position is firm: the use of spyware is inherently incompatible with fundamental rights, and therefore should be banned, as well as the market of private companies that are profiting from human rights violations." ®