This and other spying incidents will also be probed by a special EU committee formed last week.
The Spanish pledge came after Catalan officials accused Madrid of spying on supporters of Catalan independence.
“The government has a clean conscience and we have nothing to hide,” said the Minister for Presidency and Relations with Parliament Félix Bolaños during a visit to Barcelona on Sunday.
The Citizen Lab, in collaboration with Catalan civil society groups, announced it identified at least 65 individuals that had their phones infected with spyware.
“Victims included Members of the European Parliament, Catalan presidents, legislators, jurists, and members of civil society organizations. Family members were also infected in some cases,” read the report.
The Toronto-based lab also confirmed that the U.K. government was under Pegasus attack in 2020 and 2021, including the Prime Minister’s Office and the Foreign and Commonwealth Office (FCO).
“The suspected infections relating to the FCO were associated with Pegasus operators that we link to the UAE, India, Cyprus, and Jordan,” while the “suspected infection at the U.K. Prime Minister’s Office was associated with a Pegasus operator we link to the UAE,” The Citizen Lab said in the report.
It’s not the first time that such software was used to spy on EU citizens. The Pegasus surveillance spyware, as the EU Parliament suspects, has allegedly targeted European journalists, politicians, law enforcement officials, diplomats, lawyers, business people, civil society actors and other citizens.
This is why the EU Parliament launched last week the Pegasus Inquiry Committee (PEGA), entrusted with probing whether the use of Pegasus and other spyware violated EU legislation and fundamental rights.
Experts from Forbidden Stories—a network of journalists whose mission is to protect, pursue and publish the work of other journalists facing threats, prison, or murder—as well as the Canadian software developer The Citizen Lab and the international human rights watchdog Amnesty International outlined their research into Pegasus and other comparable spyware to members of the EU Parliament.
“We have seen many cases where innocent people such as journalists and lawyers have been targeted by spyware, and this is a huge problem for democracy and the rule of law,” PEGA’s newly elected chairman, Jeroen Lenaers, said.
Information that PEGA collects will be channeled into useful recommendations, he added. The committee’s report is due in a year.
Pegasus is the flagship product of NSO Group, an Israeli cyber-surveillance company that was the subject of a 2021 investigation conducted by 16 media organizations throughout the world, including OCCRP.
The Pegasus Project was based on a leaked set of more than 50,000 phone numbers believed to have been infected with Pegasus.
The investigation found out that “NSO Group’s technology allows its clients—which the company says are always governments, never private individuals or companies—to target specific phone numbers and infect the associated devices with Pegasus code.”
It also discovered that, rather than attempting to listen in on data passing between two devices, which is almost certainly encrypted, Pegasus allows users to seize the device directly, getting access to everything on it.
The mercenary spyware also monitors the keystrokes on an infected device—all written communications and web searches, even passwords—and returns them to the client, while also providing access to the phone’s microphone and camera, turning it into a mobile spying device that the target unwittingly carries with them.