Inside Poland’s groundbreaking effort to reckon with spyware abuses
When a European Parliament panel probing spyware abuses on the continent approached the Polish government almost two years ago, officials in Warsaw refused to meet them. The government flatly asserted that it was operating under the law and largely stonewalled the investigation.
Two years later, the government accused of abusing that tool is out of power, and Poland is establishing itself as a trailblazer in how to reckon with spyware abuse by investigating the previous government’s use of the technology and disclosing to victims whether they were targeted.
“What’s happening in Poland is basically unprecedented for spyware abuse accountability,” said John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which worked to uncover spyware abuses by the government in Warsaw. “Poland was a very dark spot in the spyware abuse space. And suddenly it is becoming the obvious leader in accountability around spyware abuse. This is remarkable.”
In April, Poland’s national prosecutor revealed that the government led by the conservative Law and Justice Party targeted nearly 600 people for Pegasus surveillance between 2017 and 2022. Criminal charges could be on the way. Additionally, Poland has signed onto a Biden administration pledge to encourage like-minded nations to counter the proliferation and misuse of spyware.
Natalia Krapiva, tech-legal counsel with the digital rights group Access Now, called Poland’s shift “a really groundbreaking development.” Among nations confirmed to be major users of the industry-leading Pegasus spyware made by the Israeli firm NSO Group, “we haven’t seen anything like this,” she added.
“I can’t tell what is the most precedent-setting thing,” Scott-Railton said. “The notification to victims? The government coming out and providing a bunch of context publicly? Maybe the investigations of political abuses?”
An atypical — but not unique — set of circumstances have gotten Poland to the place it is now on spyware, namely that a new government is investigating its predecessor over allegations of surveillance that targeted its political opposition. That confluence of factors raises questions about whether other nations could, or would, follow in its footsteps. But groups that track and combat spyware abuses hope Poland might serve as a model to others seeking to address their past use.
On the ground in Poland
In 2021, Citizen Lab determined that Pegasus had infected the phone of Krzysztof Brejza, a member of the European Parliament for Poland. At the time of the infection in 2019, Brejza was an opposition figure. His text messages were then doctored and leaked.
“I was shocked,” he told CyberScoop, describing the surveillance and harassment he was subjected to as “sick.”
His wife, Dorota, has been representing him as his lawyer in civil cases seeking answers about what happened. In one such case, a judge confirmed that spyware was found on Brejza’s phone and ordered a state broadcaster, which had published his hacked and doctored messages, to pay compensation to Brejza and apologize for their conduct.
“We had no hope this case would ever be solved,” Dorota said, adding that she and her husband were “very happy about” the government investigation into the breach of Krzysztof’s phone and others.
Civil society groups have been documenting the targeting of figures like Brejza using highly invasive spyware for years, but when governments are believed to be behind such activity, they often deny it outright. Official investigations in Poland are providing additional confirmation of their work.
“We have been facing a lot of disinformation discarding our work both by governments but also by pro-government groups and the companies themselves,” said Krapiva, whose group Access Now sometimes collaborates with Citizen Lab. “Each time there’s an investigation they try to deny, say that our methods are incorrect, that we don’t have enough evidence.”
Having a government confirm the cases that Citizen Lab identified “is a huge deal,” she said. “It really strengthens our standing.”
NSO Group has argued in the past that its tool is used by clients in the course of legitimate law enforcement or counterintelligence investigations, and while some of the 600 individuals that Polish officials say have been targeted by Pegasus represented legitimate targets, “too many” were not, according to Tomasz Siemoniak, the minister who oversees Polish security services.
NSO Group declined to comment on the Polish investigation. The Polish government did not respond to requests for comment.
A spokesman for the Law and Justice party, Rafał Bochenek, said in a statement that the party “refutes any accusation” that its “politicians acted unlawfully or illegally concerning how the Pegasus software was used.” Bochanek said the use of Pegasus followed procedure and was approved by a judge.
Bochanek accused the current government of “using Pegasus and other issues to seek political revenge on Law and Justice” and “behaving in a manner that would not be countenanced by any Western government,” citing a constitutional dispute that has led the party to say it will no longer testify before the parliamentary committee investigating the use of NSO software.
Jaroslaw Kaczynski, the leader of the Law and Justice party, has in the past dismissed allegations that the government abused Pegasus as “the hysteria of the opposition.”
A model for spyware abuse accountability?
Civil society groups have documented the use of Pegasus across the world, from Mexico to the United Arab Emirates, and they hope Poland’s attempt to document and impose accountability for its misuse might serve as a model for others.
“They’re taking very seriously the steps that they need to take in order to get to the bottom of the spyware use — who authorized it, were any constraints imposed on it, who were all of the targets who were actually subjected to the spyware,” said David Kaye, the former United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression. “You’ve got both the political and then the legal/criminal approaches that are going on at the same time.”
The fact that this investigation is being carried out by a government against the party previously in power raises questions about whether it is an exercise in political retribution, but Kaye, who is currently a professor at the University of California Irvine, is encouraged by what he has seen so far and considers Justice Minister Adam Bodnar a serious human rights attorney committed to the rule of law.
But Kaye cautions that the investigation remains in an early stage. “It seems like what they’re trying to do at this stage is just to understand what happened,” Kaye said, adding that it remains to be seen how best to ensure that spyware, if it’s going to be made available, is subject to due process.
Whether the combination of a change in power and the specific personalities involved in Poland is replicable elsewhere is unclear, Kaye said.
Mexico had a change in government in 2018 that gave civil society groups some hope of accountability over that nation’s use of spyware, but that hope fizzled after no major results and reports of ongoing spyware abuses.
“It’s possible that some governments come in and they see the power of these tools and say, ‘Eh, we don’t need to pursue this too rigorously because maybe we’ll want these tools,’” Kaye said.
Scott-Railton believes that others can follow Poland’s lead.
“Poland is making a very good case for the replication of this model,” he said. “They’re doing it in a way that doesn’t just say, ‘all spyware bad.’ Poland is saying, ‘We found cases where this has been used in criminal investigations. We’ve also found abuses.’ This may be more palatable to other governments seeking to investigate their own spyware abuse crises.”
Promising signs, unanswered questions
For some of Poland’s spyware victims, the country’s investigation represents a positive step forward, but many questions remain.
Dorota Brejza said Poland still needs to pass legislation to establish greater court authority over the country’s secret services if it hopes to further crack down on spyware abuses.
This is the earliest stage of the Polish effort, Kaye noted.
Krzysztof Brejza has his own questions about his case.
“We’re still waiting for the truth about Pegasus, about the whole operation against my family and against my friends — who made the leak, why it was used against me,” he said.