By Brooke Spens
Abstract
Poland’s inquiry into the use of mercenary spyware is a groundbreaking initiative towards achieving accountability against the misuse of digital surveillance tools. The probe beginning in early 2024 was founded on allegations by civil society against the former ruling Law and Justice (PiS) Party for the targeting of up to six hundred individuals with Pegasus spyware.[1] This work will analyze the handling of spyware by Poland’s former government with a focus on those illegitimately targeted from military officials to political opposition figures. There will be a focus on how practices such as targeting members of political opposition threaten the safeguarding of fair elections and working democracies and the implications of Poland’s unique positioning within the European Union (EU).
Introduction: Identifying Poland’s Surveillance Environment
In December of 2023, Poland’s governing body transitioned from the Law and Justice (PiS) party to the Civic Platform (PO) party led by Prime Minister Donald Tusk. This transition prompted an unprecedented government inquiry into the previous ruling party’s use of the spyware Pegasus.[2] Pegasus spyware is an Israeli developed technology with military-equivalent capabilities able to extensively monitor the mobile devices of its chosen targets. Prosecutors investigating the case have estimated the Polish government spent $6.38 million dollars on the service,[3] a purchase increasingly contentious due to reports that the software was purchased using the Poland’s Justice Fund.[4] The public fund which was created to help victims of crime now has the potential to have purchased technology that facilitated human rights abuses. From the purchase of Pegasus in 2017 through 2022, Notes from Poland detailed the "operational surveillance” of 578 people, some warrantable cases related to terrorism and crime, and others surveilled after being deemed “inconvenient” for the ruling majority.[5] Those targeted ranged from Corporal Karolina Marchlewska and Second Lieutenant Joanna Jałocha to PiS political opposition Krzysztof Brejza; details on the significance of these individuals will be covered in subsequent sections.
The Facilitation of Poland’s Spyware Deployment[PR1]
Various historical and environmental factors in Poland enabled the pervasive utilization of mercenary spyware without the proper legal oversight. The systemic organization of Polish institutions relating to intelligence and law enforcement are one such example.[6] According to reports on surveillance in the region, few locations outside of Poland share its system of consolidating surveillance powers across security service entities. The Civilian Intelligence Agency (AW), Military Intelligence Service (SWW), Military Counter-Intelligence Service (SKW), Internal Security Agency (ABW), and the Central Anti-Corruption Bureau (CBA) all have surveillance permissions to varying degrees and across differing circumstances under Polish law.[7]CBA’s relevance to Poland’s spyware probe is due to its abilities to perform operational surveillance to obtain electronic communications, geographical data, metadata, browsing activity, and images.[8] A characteristic of significance in the legal environment of Poland is their European Union (EU) membership. EU law requires Poland to abide by Article 6 right to liberty and security; however, Poland is partially exempt to the Charter of Fundamental Rights, including articles on privacy and personal data, due to their contested opt-out status.[9]Inside of the EU, the NSO Group’s chief lawyer Chaim Gelfand revealed Poland and 13 other countries have been identified as surveilling individuals with NSO Group’s digital tools.[10] In Poland, reports of mercenary spyware began circulating after their alleged purchase of Hacking Team software in 2012, making them a top client of the notorious cyber espionage group.[11] The decision of the Polish government to conduct a probe into spyware has the possibility to introduce further revelations of utilization within the state and marks a historic move in countering the proliferation of digital surveillance technologies.
Reported Cases: Military Police and Political Opposition
In 2017 two female military officials, Corporal Karolina Marchlewska and Second Lieutenant Joanna Jałocha, reported their personal experiences of mobbing and sexual harassment within the Military Police to their superiors.[12] Instead of taking disciplinary action against the perpetrators of the sexual harassment, General Robert Jędrychowski recorded his private conversations with Joanna Jałocha regarding the topic and the Military Police undertook reconnaissance and operational activities against the two women. The women told their stories of sexual harassment and assault anonymously through the Polish newspaper Onet; the publication resulted in the removal of one commander, but harassment continued with both eventually leaving the gendarmerie.[13] In 2024, it was revealed to the women through the government’s investigation into Pegasus that the system was used to surveil them during this time along with traditional surveillance practices – one technique of various harassment forms they have been subjected to during their fight for justice.[14] A second prominent case of Pegasus use was the hacking of Kryzsztof Brejza; in 2019 at the time of infection, Brejza was the election campaign manager of the Civic Platform Party, the main opposition of PiS. Text messages obtained through these means were later manipulated and published as part of a greater disinformation campaign around the election.[15] As noted by John Scott-Railton of Citizen Lab, the watchdog group responsible for the initial reporting of Poland’s deployment of Pegasus, the hacking of Kryzsztof Brejza amidst parliamentary elections is an “ominous sign of potential election interference.”[16] The invasive technology was not limited to Brejza himself; the devices of members within his inner circle showed additional signs of compromise in 2019 through SMS messaging with recipients including his assistant Magdalena Łośko supporting, and his father Ryszard Brejza.[17] At the time of attempted infection, the phishing messages were highly specific to each individual. Ryszard Brejza received suspected Pegasus-linked domains advertising a vacation on the Baltic coast shortly before a planned trip to this destination. Magdalena Łośko’s SMS messaging infection attempts included terminology on bullying around the time she was actively discussing the topic.[18] Both cases exemplify the invasive nature of suspected targeting efforts. The cases related to Kryzsztof Brejza, Corporal Karolina Marchlewska, and Second Lieutenant Joanna Jałocha are publicized instances of Pegasus in the region, but according to Prime Minister Donald Tusk, they are three of a “very long” list of citizens targeted by the state.[19]
A Review of the Polish Government’s Inquiry
Early proceedings of Poland’s special parliamentary committee established to investigate spyware misuse included summoning key figures within the PiS government such as PiS chairman Jarosław Kaczyński. In years prior, Kaczyński stated that “There is nothing here, no fact, except the hysteria of the opposition. There is no Pegasus case, no surveillance,” contradicting the parliamentary investigations that would follow.[20] During his testimony, Kaczyński defended its use declaring it was “all in line with Polish national interest,” his statements largely represent the stance of the PiS party. [21] The notification and possible testimony of 578 citizens on the list of those surveilled are beginning steps for prosecution.[22] The National Prosecutors Office has released that 31 victims will be called as witnesses, a development that will provide more information into who and for what purpose the former Polish government was targeting citizens.[23] The group includes the two past Military Police soldiers Karolina Marchlewska and Joanna Jałocha whose stories were detailed previously yet represent a fraction of the total number surveilled. The current Justice Minister Adam Bodnar and spokesperson for the probe has labeled the scope of surveillance “shocking and depressing”, [24] and released information on the use of the spyware with 162 of the 578 cases occurring during 2021.[25] The timeline of Pegasus in the country is significant given the 2019 parliamentary elections. Following evidence of spyware interference against political opposition during this time span, the Polish Senate declared its use unlawful and “rendered the 2019 elections unfair”.[26] The Polish Senate’s findings corroborate concerns that invasive surveillance technology threatens election integrity and democratic function more broadly. [SB2] The same special commission notified prosecutors of the possibility of criminal charges against Polish ministers who used or abetted the use of spyware due to “gross violations of constitutional standards”.[27] The conduct of the Polish government is a stark contrast to the refusal by Warsaw officials to meet with the European Parliament Pegasus Panel two years ago and demonstrates Poland’s sudden shift towards reconciling abuses and becoming a model of spyware accountability.[28] On a global scale, Poland has joined 17 countries in a White House effort to counter the spread of commercial spyware recognizing the capacity of invasive digital tools to quell dissent and limit freedom of expression among other human rights.[29] Poland has experienced firsthand the threat of commercial spyware to democracy and have since become a leader in addressing the ability of spyware to enable human rights abuses and suppress civil liberties both domestically and globally.
Antoniuk, Daryna. “Over 500 People Targeted by Pegasus Spyware in Poland, Officials Say.” The Record, April 16, 2024. https://therecord.media/poland-pegasus-spyware-more-than-500-citizens.
Charlish, Alan. “Polish Minister Says Opposition Lawmaker Should Lose Immunity in Spyware Probe,” May 28, 2024. https://www.reuters.com/world/europe/polish-minister-says-opposition-lawmaker-should-lose-immunity-spyware-probe-2024-05-28/.
Gallagher, Ryan. “Hacking Team Emails Expose Proposed Death Squad Deal, Secret U.K. Sales Push and Much More,” July 8, 2015. https://theintercept.com/2015/07/08/hacking-team-emails-exposed-death-squad-uk-spying/.
“‘Gazeta Wyborcza’: How Pegasus Was Purchased for the CBA,” January 3, 2022. https://www.rp.pl/polityka/art19250101-gazeta-wyborcza-jak-kupowano-pegasusa-dla-cba.
Gera, Vanessa. “Polish Leader Admits Country Bought Powerful Israeli Spyware,” January 7, 2022. https://www.seattletimes.com/business/polish-leader-admits-country-bought-powerful-israeli-spyware/.
Gruszczak, Artur. “Electronic Surveillance in Poland,” 2023. https://safeandfree.io/wp-content/uploads/2023/11/Poland_Surveillance_FINAL.pdf.
“Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” March 18, 2024. https://www.whitehouse.gov/briefing-room/statements-releases/2024/03/18/joint-statement-on-efforts-to-counter-the-proliferation-and-misuse-of-commercial-spyware/.
Kirchgaessner, Stephanie. “More Polish Opposition Figures Found to Have Been Targeted by Pegasus Spyware,” February 17, 2022. https://www.theguardian.com/world/2022/feb/17/more-polish-opposition-figures-found-to-have-been-targeted-by-pegasus-spyware.
Kość, Wojciech. “Poland Launches Pegasus Spyware Probe,” February 19, 2024. https://www.politico.eu/article/poland-pegasus-spyware-probe-law-and-justice-pis-jaroslaw-kaczynski/.
Ptak, Alicja. “Almost 600 People Targeted with Pegasus Spyware under Former Polish Government _ Notes From Poland,” April 16, 2024. https://notesfrompoland.com/2024/04/16/almost-600-people-targeted-with-pegasus-spyware-under-former-polish-government/.
Roussi, Antoaneta. “How Europe Became the Wild West of Spyware,” October 25, 2023. https://www.politico.eu/article/how-europe-became-wild-west-spyware/.
Smalley, Suzanne. “Current and Former Polish Officials Face Probe of Alleged Spyware Abuse,” April 12, 2024. https://therecord.media/poland-pegasus-spyware-government-investigation.
Starks, Tim. “Inside Poland’s Groundbreaking Effort to Reckon with Spyware Abuses,” May 15, 2024. https://cyberscoop.com/inside-polands-groundbreaking-effort-to-reckon-with-spyware-abuses/.
Żemła, Edyta, and Marcin Wyrwal. “The Heroines of Onet’s Reportages, Victims of Molestation in the Military Police, Were under Surveillance with Pegasus,” April 17, 2024. https://wiadomosci.onet.pl/kraj/zglosily-molestowanie-w-zandarmerii-wojskowej-byly-inwigilowane-pegasusem/dylyrsv?utm_source=t.co_viasg_wiadomosci&utm_medium=social&utm_campaign=leo_automatic&srcc=undefined&utm_v=2.
[1] Alicja Ptak, “Almost 600 People Targeted with Pegasus Spyware under Former Polish Government _ Notes From Poland,” April 16, 2024, https://notesfrompoland.com/2024/04/16/almost-600-people-targeted-with-pegasus-spyware-under-former-polish-government/.
[2] Alan Charlish, “Polish Minister Says Opposition Lawmaker Should Lose Immunity in Spyware Probe,” May 28, 2024, https://www.reuters.com/world/europe/polish-minister-says-opposition-lawmaker-should-lose-immunity-spyware-probe-2024-05-28/.
[3] Ibid.
[4] “‘Gazeta Wyborcza’: How Pegasus Was Purchased for the CBA,” January 3, 2022, https://www.rp.pl/polityka/art19250101-gazeta-wyborcza-jak-kupowano-pegasusa-dla-cba.
[5] Ptak, “Almost 600 People Targeted with Pegasus Spyware under Former Polish Government _ Notes From Poland.”
[6] Artur Gruszczak, “Electronic Surveillance in Poland,” 2023, https://safeandfree.io/wp-content/uploads/2023/11/Poland_Surveillance_FINAL.pdf.
[7] Ibid.
[8] Ibid.
[9] Ibid.
[10] Antoaneta Roussi, “How Europe Became the Wild West of Spyware,” October 25, 2023, https://www.politico.eu/article/how-europe-became-wild-west-spyware/.
[11] Ryan Gallagher, “Hacking Team Emails Expose Proposed Death Squad Deal, Secret U.K. Sales Push and Much More,” July 8, 2015, https://theintercept.com/2015/07/08/hacking-team-emails-exposed-death-squad-uk-spying/.
[12] Edyta Żemła and Marcin Wyrwal, “The Heroines of Onet’s Reportages, Victims of Molestation in the Military Police, Were under Surveillance with Pegasus,” April 17, 2024, https://wiadomosci.onet.pl/kraj/zglosily-molestowanie-w-zandarmerii-wojskowej-byly-inwigilowane-pegasusem/dylyrsv?utm_source=t.co_viasg_wiadomosci&utm_medium=social&utm_campaign=leo_automatic&srcc=undefined&utm_v=2.
[13] Ibid.
[14] Ibid.
[15] Tim Starks, “Inside Poland’s Groundbreaking Effort to Reckon with Spyware Abuses,” May 15, 2024, https://cyberscoop.com/inside-polands-groundbreaking-effort-to-reckon-with-spyware-abuses/.
[16] Suzanne Smalley, “Current and Former Polish Officials Face Probe of Alleged Spyware Abuse,” April 12, 2024, https://therecord.media/poland-pegasus-spyware-government-investigation.
[17] Stephanie Kirchgaessner, “More Polish Opposition Figures Found to Have Been Targeted by Pegasus Spyware,” February 17, 2022, https://www.theguardian.com/world/2022/feb/17/more-polish-opposition-figures-found-to-have-been-targeted-by-pegasus-spyware.
[18] Ibid.
[19] Smalley, “Current and Former Polish Officials Face Probe of Alleged Spyware Abuse.”
[20] Vanessa Gera, “Polish Leader Admits Country Bought Powerful Israeli Spyware,” January 7, 2022, https://www.seattletimes.com/business/polish-leader-admits-country-bought-powerful-israeli-spyware/.
[21] Wojciech Kość, “Poland Launches Pegasus Spyware Probe,” February 19, 2024, https://www.politico.eu/article/poland-pegasus-spyware-probe-law-and-justice-pis-jaroslaw-kaczynski/.
[22] Daryna Antoniuk, “Over 500 People Targeted by Pegasus Spyware in Poland, Officials Say,” The Record, April 16, 2024, https://therecord.media/poland-pegasus-spyware-more-than-500-citizens.
[23] Smalley, “Current and Former Polish Officials Face Probe of Alleged Spyware Abuse.”
[24] Gera, “Polish Leader Admits Country Bought Powerful Israeli Spyware.”
[25] Antoniuk, “Over 500 People Targeted by Pegasus Spyware in Poland, Officials Say.”
[26] Ptak, “Almost 600 People Targeted with Pegasus Spyware under Former Polish Government _ Notes From Poland.”
[27] Smalley, “Current and Former Polish Officials Face Probe of Alleged Spyware Abuse.”
[28] Starks, “Inside Poland’s Groundbreaking Effort to Reckon with Spyware Abuses.”
[29] “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” March 18, 2024, https://www.whitehouse.gov/briefing-room/statements-releases/2024/03/18/joint-statement-on-efforts-to-counter-the-proliferation-and-misuse-of-commercial-spyware/.
[PR1]this paragraph is super interesting!
[SB2]some sentence on the significance of an entire election being declared unfair?