As part of their upcoming crackdown on the use of spyware, particularly by EU governments, European parliamentarians are concerned that Malta is providing ‘golden passports’ to the executives behind spyware firms.

According to Dutch MEP Sophie in ’t Veld, three EU states in particular are facilitating the proliferation of spyware across the bloc.

These are Malta, which she says is “providing golden passports to the executives behind the spyware companies”, as well as Cyprus, which is the companies’ hub for international trade and Luxemburg, which is their preferred destination for financial operations.

“This is not about a handful of governments spying on their citizens, it is all over Europe. All governments are using this, and some governments are abusing it,” in ’t Veld told The Financial Times this week.  “Different EU member states play different roles in a scheme that spans the whole of Europe.

“The whole business is intertwined with governments and government funding.”

She observed how the authorities’ attitudes in direction of the enforcement of guidelines on the usage of spyware had gone from “the presumption of compliance [by member states] to the pretense of compliance”.

It is the NSO Group’s Pegasus spyware that MEPs have a particular problem with, and Malta had allowed Anatoly Hurgin, who is indelibly linked to the NSO Group and the development of Pegasus, to acquire Maltese citizenship through its passports-for-cash programme.

Hurgin obtained his Maltese citizenship through the golden passport scheme while facing charges of fraud, smuggling, and money laundering in Israel, as well as five violations of US federal law for defrauding shareholders of a Florida-based company.

Earlier this month, MEPs demanded Europol probe illegal use of the Pegasus spyware in Europe against politicians and journalists

The European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA) to launch an investigation into the state use of spyware against citizens in four EU countries:  Hungary, Poland, Spain, Greece, as well as against the European Commission, journalists, politicians, NGOs and public officials.

PEGA chair Jeroen Lenaers, sent a letter to the executive director of Europol, demanding the agency use its new mandate to help their work.

The letter published by the PEGA committee, dated 28 September, explains “there has been a string of revelations about the illegitimate use of spyware”.

However, “with every day that passes, the risk of evidence disappearing or being destroyed, increases” and “there are concerns about the capacity and willingness of national authorities to investigate swiftly and thoroughly,” Lenaers added.

He invited Europol to issue “a proposal for an investigation to the Member States concerned,” based on a recent regulation that allows the agency to initiate probes on crimes that “affect common EU interest.”

According to PEGA, acts of computer crime, corruption, racketeering, and extortion that have been reported with the spyware cases all fall within Europol’s mandate.

Against the backdrop of accusations of serious violations of fundamental rights, and undermining of democracy in Europe with the help of Pegasus spyware, it is unacceptable that the NSO Group and the Israeli authorities refuse to confirm if export licenses for, and contracts with the Polish authorities have been repealed or not. They should give full transparency immediately.”

NSO Group’s Pegasus spyware is a mobile phone surveillance app that enables customers to remotely exploit and monitor devices. The company is a prolific distributor of surveillance technology to governments around the world, and its products have been regularly linked to surveillance abuses.

Pegasus became known for the telltale malicious links sent to targets via SMS for many years. The practice was used by NSO Group customers to target Ahmed Mansoor, dozens of members of civil society in Mexico, and political dissidents targeted by Saudi Arabia, among others, according to Citizen Lab.

More recently, NSO Group is shifting towards zero-click exploits and network-based attacks that allow its government clients to break into phones without any interaction from the target, and without leaving any visible traces.

Assassinated journalist Daphne Caruana Galizia had first sounded the alarm about Hurgin when she wrote about how he was previously a member of the Israeli Defence Forces (IDF) and that his companies Ability Inc, Ability Computers, Software industries Ltd and Active Intelligence Labs Ltd specialise in “phone hacking and cutting-edge surveillance technology.”

The issue, in ’t Veld warned this week, is far more extreme than previously believed: “This is not just threatening the privacy of individuals. This is threatening democracy because they’re using it against journalists, politicians, lawyers, and activists. This is a real poison for our democracy.”

“On the one hand, we’re all saying that our democracy and our free society are being attacked from the outside by the Russians, but they’re also under attack from the inside. We are completely defenseless,” she said.