• The Pegasus case, revealed by the consortium of journalists Forbidden Stories, has uncovered a spy system of unprecedented scale.

  • Day after day, spy software revelations multiply, involving new countries.

  • Me Etienne Drouard, lawyer specializing in personal data at Hogan Lovells, former member of the CNIL and contributor to the development of the GDPR, deciphers for "20 Minutes" the issues raised today by the revelation of this case.

Activists, journalists, political opponents, but also heads of state... The Pegasus affair, revealed by the consortium of journalists Forbidden Stories, has uncovered a spy system on an unprecedented scale. The use of spyware capable of infiltrating mobile phones and accessing all data (messages, photos, emails, etc.), including those contained in encrypted messaging (Signal, WhatsApp or Telegram), caused a real scandal, and many diplomatic tensions.

Marketed by the Israeli company NSO Group, this software is said to have been used to spy on more than 50,000 phones in different countries.

This case, with global repercussions, today poses many legal questions on the security of personal data, the use of spyware, and the legal proceedings that could result from it. 

Me Etienne Drouard, lawyer specializing in personal data at Hogan Lovells, former member of the CNIL and contributor to the development of the GDPR, deciphers for "20 Minutes" the issues raised today by the revelation of this case.

What are the consequences of such surveillance, both at the level of state security and at the diplomatic level?

In terms of sovereignty, this is a real subject since we are witnessing a democratization of espionage. To give you a somewhat quantified example, when a hacking solution - a “flaw” that allows an operating system to be hacked - is sold on the dark web, it costs between 2 and 3 million euros. And it's almost a disposable handkerchief since if you get spotted, the loophole will be filled, and you will have to pay again to find a new one. Until now, only large states had the means to "buy" loopholes, and they were satisfied with a form of balance between them, a bit like the proliferation of nuclear weapons.

With its computer spy solution platform, for which it sold licenses to many users around the world, NSO Group has reshuffled the cards by offering very attractive prices. The market the Israeli company was addressing was in fact a "poor man's" spy market, unable to buy loopholes on the dark net.

With a subscription taken out for the year, some players were able to access 10, 15, 20, or 50 IT vulnerabilities.

All of this was made possible because security, and espionage, have become a real market.

And when you can provide solutions under the guise of business secrecy - and since hacking is considered a service - it quickly becomes profitable.

If we do not put an end to this democratization of espionage today, we will face a proliferation of threats.

And from today's scandal, we will soon deduce the normality of tomorrow ...

How to face this new threat? 

Should States really worry about this spyware?

Either we deal with this case immediately, over media and political time, condemning these practices, without going any further. Or we treat it legally under French law and European law. If there is no prosecution when the criminal offenses are characterized, anyone will be able in the future to use these kinds of tools and software for espionage purposes. The sovereignty issues that are played out around this technology go far beyond borders. We now know that with the use of vulnerabilities from one of the three main operating systems (Android, iOS and Windows Mobile), we can potentially hack the whole world. France must have a diplomatic and criminal reaction.

There is something to cause real concern for states.

International trade negotiations are not concluded in the same way under wiretapping!

A sale of Rafale, or a sale of a nuclear power plant, under wiretapping, is not negotiated in the same way.

It is a real power struggle on all levels, economic, commercial, military, strategic, health… which is played out through espionage.

And the more this market is democratized without the powerful States regulating it by sanctions, the more espionage will be the work of any swindler, and therefore no longer only the prerogative of certain authoritarian governments.

What lawsuits can now be brought against NSO Group, the software publisher, and its customers?

The Paris public prosecutor has already provided a first response by opening a judicial investigation on Tuesday. He believes that criminal liability can be sought in the area of invasion of privacy and in the context of computer hacking, that is to say fraudulent penetration into an information system or fraudulent extraction of data from an information system. But there are other qualifications that may apply. Those resulting from the Data Protection Act and the GDPR, on the protection of privacy and personal data. In particular the fraudulent collection of personal data, the diversion of purpose, and the transfer of illicit data outside the European Union. But also the violation of personal data.

The advantage of these other criminal qualifications is that you only need to see that the software is installed for them to be triggered.

And the penalties incurred are much more severe: up to 5 years in prison, and a fine of 300,000 euros to 1,500,000 euros.

The software publisher, NSO Group, which can be considered as "a pirate", and all its customers around the world, therefore risk a lot under French law.

They committed offenses both against people located on French soil, whatever their nationality, but also against French people living all over the world.

Faced with this number of criminal qualifications, there is no doubt that French law can cross borders ...
