After a year of investigations into the illicit use of spyware in the European Union, MEPs this week overwhelmingly on a resolution calling for measures to prevent spyware abuse and singling out Malta’s cash of passports programme as a main culprit.

A resolution drafted by the EP’s ‘Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware’ (PEGA) was overwhelmingly adopted on Thursday with 411 votes in favour, 97 against and 37 abstentions.

The resolution takes aim at Malta’s golden passport programme by saying “Several key figures from the spyware industry have acquired Maltese citizenship, which facilitates their operations within and from the Union”.

In its report on the growing spyware scandal, the Committee singled out Malta as “a popular destination for some protagonists of the [global spyware] trade”.

The spyware players with passports

The Committee’s report names Intellexa spyware consortium founder Tal Dilian. Dilian, who had a career in the Israeli Defence Force, acquired Maltese citizenship in 2017 and co-owns what appears to be a shell company registered at an apparent fiduciary firm in Malta, according to research conducted by The Shift News.

The infamous Predator spyware is sold through Intellexa – a consortium of spyware vendors set up by Dilian in Cyprus – that has presences in Cyprus, Greece, Ireland, and France.

The spyware, like Pegasus, is alleged to have been used by governments in the EU and across the world to hack into the phones and access the data of journalists, politicians, NGOs and public officials.

The report also names Russian-Israeli citizen and former Israeli military engineer Anatoly Hurgin of Pegasus spyware scandal notoriety, who acquired Maltese citizenship for himself and three family members in 2015.

The EP report noted specifically how, “At the time of his application for a Maltese passport, he was already under investigation for various crimes.”

The draft report goes into detail about how as the founder of Ability Ltd, which cooperated with NSO Group on the Pegasus spyware, he handled the network side of operations at NSO. MEPs recalled that, in 2017, Ability Ltd had been placed under investigation by the US Securities and Exchange Commission for allegedly lying about its finances and that it had also nearly been delisted from the NASDAQ.

Former Intellexa owner and employee, Greek national Felix Bitzios, who was meanwhile involved in the Piraeus/Libra fraud scandal, is a director of a Malta-based company, Baywest Business Europe Ltd. That company, in turn, is 99.9166 per cent owned by a company of the same name registered in the British Virgin Islands, according to The Shift’s research.

The report also mentions the Malta-registered Baywest Business Europe Ltd legal representative Stanislaw Szymon Pelczar Ltd as being the former administrator of Krikel, which was mentioned in the Paradise Papers.

American billionaire Peter Thiel has also applied for Maltese citizenship, as is well-known, and the report spells out the connections between the Donald Trump sponsor, the spyware trade and Malta.

It notes how Thiel – the founder of PayPal alongside Elon Musk – employed former Austrian Chancellor Sebastian Kurz as a strategist.

It also notes that Thiel filed his Maltese passport application shortly after the announcement of a partnership between Kurz and former NSO Group chief executive officer Shalev Hulio.

Thiel was Facebook’s first outside investor and the founder of Palantir. The latter was connected to the Cambridge Analytica scandal, in which the data of Maltese citizens was the most harvested, pro rata, in the whole of the EU before the election of Donald Trump  in 2016 and of Joseph Muscat in 2013.

Malta’s breach of ‘sincere and loyal cooperation’

In the background, Malta was one of the member states that refused to answer the PEGA Committee’s questions and the Committee is now asking the European Commission to take action against Malta for over breaching its duty of ‘sincere and loyal cooperation’.

Malta’s refusal to answer the Committee’s questions came after its parliamentary report exposed global spyware chiefs’ growing interest in Malta, its cash-for-passports programme and its welcoming company registration regime.

Malta completely ignoring the Committee’s questions, according to PEGA Committee Chair Dutch EPP MEP Jeroen Lenaers, is “unacceptable when we are asking simple, straightforward questions that any government should be able to answer. We are not asking for state secrets.

Overall, the resolution says it “can be safely assumed” that all EU member states “have purchased or used one or more spyware systems”.

Not all governments, according to the Committee, will refrain from the illegitimate use of spyware and in the absence of a solid legal framework, including safeguards and oversight, “the risk of abuse is very high”.

Malta’s legal framework in the area of safeguards and oversight is flimsy and loophole-ridden at best.

Malta is, in fact, refusing to answer the Committee’s questions about the government’s use of spyware and the legislation governing its use, authorisation and supervision.

The resolution calls for spyware to be used by EU governments only in “exceptional cases and for a limited time”.

‘Democracy itself at stake’

MEPs stress that the illicit use of spyware has put “democracy itself at stake” and called for credible investigations, legislative changes and better enforcement of existing rules to tackle abuse.

According to rapporteur Sophie In ‘t Veld, “Democracy is about accountability. Spyware is part of the toolkit of authoritarians who undermine democracies, and it is being used against the custodians of our democracy here, in Europe, on our doorstep.”

To stop illicit spyware practices immediately, MEPs argue that spyware should only be used in member states where allegations of spyware abuse have been thoroughly investigated, where national legislation is in line with the recommendations of the Venice Commission and case law of the EU Court of Justice, and where export control rules have been enforced.

They want EU rules on the use of spyware by law enforcement, which should only be authorised in exceptional cases for a pre-defined purpose and a limited time.

MEPs argue that data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance unless there is evidence of criminal activity.

They also propose mandatory notifications for targeted people and for non-targeted people whose data were accessed as part of someone else’s surveillance, independent oversight after it has happened, and a common legal definition of the use of national security as grounds for surveillance.