Poland’s phone spyware scandal raises doubts over 2019 election

A brewing scandal over the alleged historical use of controversial mobile spyware by Poland’s ruling party against an opposition lawmaker is raising questions over the legitimacy of the country’s 2019 parliamentary elections.

Internet watchdog Citizen Lab found that the NSO Group’s notorious spyware Pegasus was used to spy on three critics of the Polish government. One of the targets was named Krzysztof Brejza, a member of the Polish Senate whose phone was hacked dozens of times ahead of parliamentary elections in 2019.

Text messages stolen from Brejza’s phone were doctored and aired by state-controlled TV as part of an apparent smear campaign in the run-up to the election. Brejza’s left-leaning political coalition, Civic Platform, subsequently lost the country’s 2019 parliamentary election by a close margin. Brejza told the Associated Press, which first reported the hacks, that the election was unfair since the ruling party would have had access to his campaign’s plans.

The Polish government previously denied that it has used Pegasus, a mobile spyware that gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and precise location.

Jaroslaw Kaczynski, the leader of Poland’s Law and Justice party and the country’s deputy prime minister, rebuked accusations that the Polish government used the Pegasus spyware to monitor its political opposition, but told Polish media last week that it “would be bad” if the Polish security services did not have access to mobile spying technology while other countries did.

Polish media reports that the government purchased Pegasus in 2017 using money from the so-called Justice Fund, which is supposed to help victims of crimes and rehabilitate offenders.

Amnesty International late last week independently verified that Brezja’s phone was hacked.

“We urgently need governments to implement a global moratorium on the sale, transfer, and use of spyware until human rights regulatory safeguards are in place.”
Likhita Banerji, Amnesty International

Polish prime minister Mateusz Morawiecki called the Associated Press and Citizen Lab’s findings “fake news” and claimed a foreign intelligence service could be to blame. Critics dismissed the government’s allegation, arguing that no other government would have any interest in the three Polish targets.

The other two Polish targets confirmed by Citizen Lab are Roman Giertych, a lawyer who represents opposition politicians in a number of politically sensitive cases, and prosecutor Ewa Wrzosek. Apple began notifying phone spying victims in December after it sued NSO to block the spyware maker from using any of Apple’s technologies, which would make it significantly harder for NSO to hack its targets.

Pegasus is known to be used by authoritarian governments like Bahrain, Saudi Arabia, Rwanda and the United Arab Emirates to spy on journalists, politicians and human rights defenders. But new reporting last year revealed several European Union states, including Germany and Hungary, are Pegasus customers, as is now Poland.

Polish opposition leader Donald Tusk — the new leader of Civic Platform since October 2021 — has called for a parliamentary inquiry into the government’s use of Pegasus. Guy Verhofstadt, a liberal member of the European Parliament for Renew Europe, told TechCrunch that the allegations must be investigated to get a full picture of how the Polish government is using Pegasus.

“But what we do know is deeply worrying,” he said. “This is obviously a threat to both the rule of law as well as free and fair elections — and therefore both to EU rules as well as the integrity of the European Union. If that’s not enough for a full European investigation, what is?”

When reached, an unnamed spokesperson for NSO Group declined to confirm or deny its customers but added: “The use of cyber tools in order to monitor dissidents, activists and journalists is a severe misuse of any technology and goes against the desired use of such critical tools. The international community should have zero tolerance policy towards such acts, therefore a global regulation is needed. NSO has proven in the past it has zero-tolerance for these types of misuse, by terminating multiple contracts.”

Amnesty International, which called the findings “shocking, but not surprising,” is also calling for the European Union to implement targeted sanctions against NSO Group, much like the U.S. government has done.

“This shows, yet again, that the unchecked use of Pegasus is a threat to not just politicians, but to civil society around the world. So far not enough has been done to reign in unlawful targeted surveillance,” Likhita Banerji, a researcher and advisor at Amnesty International, told TechCrunch.

“We urgently need governments to implement a global moratorium on the sale, transfer, and use of spyware until human rights regulatory safeguards are in place.”