EU Spyware Investigation Targeted by Pegasus Surveillance
A former Member of the European Parliament involved in examining spyware abuses in the European Union was reportedly targeted with Pegasus, a highly intrusive surveillance tool developed by Israel’s NSO Group. The case concerns Stelios Kouloglou, a Greek journalist and former MEP who participated in the Parliament’s PEGA Committee, which investigated the use of Pegasus and similar spyware by EU Member States.
Digital forensic researchers at Citizen Lab reportedly found evidence that Kouloglou’s iPhone had been infected with Pegasus on several occasions between 2022 and 2023. Pegasus can enable an operator to access a device’s messages, calls, contacts, files, camera, microphone, and location data. Where a compromised device is used for parliamentary work, the intrusion may also place confidential communications, sources, and sensitive policy discussions at risk.
The reported targeting is particularly serious because Kouloglou had worked on parliamentary scrutiny of spyware practices. The PEGA Committee examined allegations that governments and other actors had used commercial spyware against journalists, political opponents, lawyers, activists, and public officials. Targeting a person involved in this oversight work raises concerns about the protection of democratic institutions and the independence of parliamentary investigations.
Citizen Lab did not publicly attribute the alleged Pegasus infections to a particular government or identify the customer responsible. Reports also indicated that there was no evidence linking the targeting to the Greek government. Kouloglou reportedly intended to take legal action against NSO Group.
The incident adds to continued calls for stronger controls on commercial spyware in Europe. From a data-protection perspective, Pegasus-type tools can facilitate exceptionally broad and covert processing of personal data. Their use may interfere with the rights to privacy, data protection, confidential communications, and freedom of expression. Any public authority’s use of surveillance technology must be based on clear law, be necessary and proportionate, and be subject to effective independent oversight.
Sources: