When Technology Overtakes Governance Global Voices Advox
In December 2021, Eliza Triantafillou, a journalist with the independent Greek media outlet The Inside Story, was looking for the subject of her next article when she saw that Facebook’s parent company, Meta, had published a report earlier in the month about the “surveillance for hire” industry.
The article which she produced in response is part of a series of reports by Greek journalists who have revealed details of a months-long wiretapping and surveillance scandal titled “Watergate on steroids.” These findings highlight gaps in government regulations and technical capabilities to keep up with the rapidly evolving private surveillance industry, which then enables those same governments to surveil their citizens.
So far there have been four confirmed attempts to infect journalists, politicians and even intelligence officers with spyware called Predator that can perform advanced phone surveillance, including recording conversations and accessing encrypted chats.
The Greek Connection
Last December, Triantafillou noticed that Meta’s report, and another published the same day by the Toronto research laboratory Citizen Lab, were linked to Greece. Both reports concluded that Predator, a sophisticated surveillance spyware, was purchased for use in Greece, among other countries. Cytrox, the North Macedonian company that had developed Predator, belongs to a group of mercenary surveillance providers marketed under Intellexa, which has been present in Greece since 2020.
When Triantafillou published her article in January 2022, she focused on how Meta had deleted around 300 Facebook and Instagram accounts linked to Cytrox, and how Cytrox had “usurped” genuine URLs, including those of credible media outlets. At first glance, these links looked genuine, but they had a slightly different syntax to the actual URL (like a missing letter or an extra symbol). They could be used to trick targets into clicking on them, thereby activating the Predator infection of the phone.
“We saw that there was an uneven proportion of Greek domains in this list, as Meta reported 310 spoofed domains, and 43 of them were of Greek interest,” Triantafillou said, during an interview on Zoom. “We are a very small country. Our share of global Internet traffic is much lower than that of the other countries that these two reports consider to be customers.”
The devil is in the details: “legal” versus “illegal” surveillance
When Thanasis Koukakis, another Greek journalist, read Triantafillou’s article, he realized that many of the spoofed domains on the list mimicked the news outlets he worked for or still collaborates with. Koukakis had recently discovered cases of fraud in the country. He already suspected that his conversations were being listened to and, in August 2020, had filed a complaint with the ADAE (Communications Privacy Assurance Authority), asking it to carry out the necessary checks. Today, we know that he was tapped by the National Intelligence Service (EYP). He received a response from the ADAE in July 2021 indicating that there had been no violation of the law, which ultimately did not mean that he was not being spied on.
Wiretapping by EYP is technically ‘legal’, while the use of spyware such as Predator is considered illegal in Greece. Article 19 of the Greek Constitution protects the right to privacy in communications. However, exceptions are made for national security reasons and to investigate serious crimes. EYP’s surveillance of Koukakis was justified by the intelligence agency using the national security argument, although it is unclear how the work of an investigative journalist could have harmed national security. In March 2021, the government passed an amendment revoking citizens’ right to know if they had been monitored after their surveillance ended, which is why Koukakis was not told about his wiretaps.
The government, too, has used this dichotomy between legal and illegal to defend itself. The prime minister has publicly said that while surveillance of a politician was “politically unacceptable”, it was legal, and that the narrative around the issue should not undermine the “important work” of the intelligence agency. When Kyriakos Mitsotakis took power as Prime Minister, he took the EYP under his own command. Today, despite claiming to have no knowledge of the wiretapping, the head of the EYP, along with Mitsotakis’ own nephew and Secretary General in the Prime Minister’s Office, Grigoris Dimitriadis, resigned from their posts.
A bigger pattern
In November 2021, Greek journalist Stavros Malichudis was scanning the news when he saw a report by the newspaper Efimerida ton Syntakton. It involved EYP’s telephone tapping of a number of citizens, including journalists. The article described the case of a journalist working on migration issues. Reading the details carefully, Malichudis realized that he was that reporter. In response to letters sent by the news agency AFP – with whom Malichudis was working at the time – the Greek authorities have twice denied having spied on him. “…no surveillance of journalists takes place in Greece…For the avoidance of doubt, so would the Greek government,” read a response, signed by the Minister of State.
From wiretapping to spyware
In January 2022, still unaware of whether his phone conversations had been tapped, Koukakis, after reading the Inside Story report, sent files extracted from his phone to Citizen Lab, which later confirmed that he had been targeted by Predator. A text message from an unknown number had shared a link to what looked like a believable blog post. In reality, it was a spoofed URL. After Koukakis clicked on it, his phone was infected with the spyware. Shortly after, thanks to an article by Reporters United, he discovered that he had also been bugged by the intelligence service.
While the Greek government has denied ever purchasing or using Predator, other targets have been identified. In July this year, Nikos Androulakis, the chairman of Greece’s third largest political party, PASOK-KINAL, discovered that he had received an SMS in September 2021 which contained the same link that had infected Koukakis’ phone. He had not clicked on the link and was therefore not affected. In September, another politician – a former Syriza party minister, Christos Spirtzis – said he had also been the target of an attempted installation of Predator.
This leads to a credible suspicion about the government’s role in this surveillance, which is supported by a Google report. Also, the timing of Koukakis’ supposedly “legal” wiretap and the Predator infection of his phone seem too closely aligned to be a coincidence. EYP called off its surveillance after Koukakis filed a complaint, and soon after, his phone was infected with Predator. In testimony to the European Parliament in early September, Koukakis said he believed the spyware was being used by the government. “Because on the one hand, the cost of these Intellexa services, from what Citizen Lab has told us, as well as price lists that have been found on the Dark Web, cannot be supported by a private person,” he said. “Could [the government have used] an individual as an intermediary? The answer is yes.”
Triantafillou is inclined to agree. “Our assumption – which is not just an assumption – is that you don’t have to buy it to use it,” she said of Predator. “There is also no need to use it directly.” The complex corporate structure of Cytrox and Intellexa, the company that markets it, spans multiple countries and involves numerous registered entities. Intellexa founder Tal Dilian, a former Israel Defense Forces intelligence officer, moved to Greece after facing legal problems with the Cypriot authorities for a Forbes interview in 2019. In 2020 Intellexa was incorporated in Greece.
With four known attempts to target Greek citizens with Predator, the question is, are there more targets? Triantafillou believes so. “When you have a very powerful and very expensive tool that is worth millions and you have created at least 50 domains and only used one to target Androulakis, Koukakis and now Spirtzis, it’s practically stupid to spend that amount of money just to target three people,” she said.
Keep up with technology
This ongoing scandal in Greece gets to the root of a problem that all countries are grappling with: the regulatory mechanisms and organizations meant to protect the digital rights of civilians have not kept up with the times.
So-called “legal surveillance” these days covers only part of the communication we undertake on our phones. Much of it – messaging on encrypted apps like WhatsApp and Signal, talking on Zoom – is outside the scope of wiretapping. Intercepting it requires much more advanced surveillance techniques, provided by mercenary surveillance companies like Cytrox.
Rammos Christos, head of ADAE, speaking in the European Parliament, underlined this and said that his organization has the “competence to control only telecommunications service providers, not general agencies or private companies”.
Stavros Malichudis, the journalist who was bugged by the government, had his phone checked for spyware after the recent revelations (all clear). And along with journalists Triantafillou and Koukakis, he testified in the European Parliament in early September, drawing on personal experiences to show that wiretapping and spyware monitoring are part of an insidious attempt to undermine the fundamental right to private life. A parliamentary commission of inquiry is also underway in Greece, and developments are continuing.