One of Catalonia’s most senior politicians has been warned his mobile phone was targeted using spyware its makers say is only sold to governments to track criminals and terrorists.
A joint investigation by the Guardian and El País has revealed that the speaker of the Catalan regional parliament, Roger Torrent, and at least two other pro-independence supporters were told they were targeted last year in what experts said was a “possible case of domestic political espionage” in Europe.
According to a US lawsuit, the spyware exploited a previous vulnerability in WhatsApp software that would have given the operator potential access to everything on the target’s mobile phone – including emails, text messages and photographs. It could also have turned on the phone’s recorder and camera, turning it into a listening device.
Torrent, who was warned about the targeting by researchers working with WhatsApp, said it seemed clear the “Spanish state” was behind the alleged attack on his phone, and that he believed it had most likely occurred without any judicial authority.
WhatsApp believes the attacks occurred over a two-week period in April to May 2019, when a total of 1,400 of its users were allegedly targeted by the ‘Pegasus’ spyware sold by the Israeli company NSO Group.
The popular messaging app claims more than 100 members of civil society, including journalists in India, human rights activists in Morocco, diplomats, and senior government officials, are alleged to have been affected.
WhatsApp has launched a lawsuit against NSO Group in the US. NSO Group insists its spyware is only sold to government clients for the purpose of tracking down terrorists and other criminals.
It has said it has no independent knowledge of how those clients, which in the past have reportedly included Saudi Arabia and Mexico, use its hacking software.
Until now, it has not been suggested that any European country used NSO Group’s software in the 2019 attacks. But in an interview, Torrent expressed dismay that he may have been surveilled by the Spanish state.
“It seems wrong that politicians are being spied on in a democracy with the rule of law,” Torrent said. “It also seems to me to be immoral for a huge amount of public money to be spent on buying software that can be used as a tool for the persecution of political dissidents.”
The Guardian and El País contacted several Spanish authorities for comment.
Spain’s National Intelligence Centre (CNI) said in a statement that it acts “in full accordance with the legal system, and with absolute respect for the applicable laws” and that its work is overseen by Spain’s supreme court. It did not respond to specific questions about the alleged use of NSO Group spyware.
In addition to Torrent, researchers at Citizen Lab at the University of Toronto Munk School – who collaborated with WhatsApp after the alleged hacking attempts were discovered – alerted two other pro-independence individuals last year that they had been targeted.
One, Anna Gabriel, is a former regional MP for the far-left, anti-capitalist Popular Unity Candidacy (CUP), who is currently living in Switzerland after fleeing Spain because of her alleged involvement in organising the illegal Catalan referendum.
Her lawyer said in a statement that Gabriel received notice last year from Citizen Lab that her phone had been targeted.
Another target, Jordi Domingo, received a notice from WhatsApp that his phone had been targeted. Although Domingo is an activist who supports Catalan independence, he said in an interview that he did not consider himself to be a key figure and that he believed the true target of the attempted hack may have been a prominent lawyer who shares his name and helped to draft the Catalan constitution.
In a statement, the Spanish prime minister’s office said: “The government has no evidence that the speaker of the Catalan parliament, Roger Torrent, the former MP Anna Gabriel and the activist Jordi Domingo have been the targets of hacking via their mobiles.
“Furthermore, we must state that any operation involving a mobile phone is always conducted in accordance with the relevant judicial authorisation.”
John Scott-Railton, a senior researcher at Citizen Lab who has closely monitored the use of NSO Group’s spyware and collaborated with WhatsApp to engage members of civil society targeted by the 2019 attack, confirmed – with Torrent’s permission – that Torrent had been targeted using NSO’s spyware.
“Given the nature of this attack and the limited information collected by WhatsApp on its users, we can confirm that the telephone was targeted. However, additional investigation would be necessary to confirm that the phone was hacked. At this time we have no reason to believe that it wasn’t,” Scott-Railton said in an interview.
He added: “This case is extremely troubling because it suggests that possible domestic political espionage was taking place. And certainly we look forward to continuing to investigate the targeting that happened in Spain.”
In US court filings in response to claims by WhatsApp, NSO Group has denied allegations that it bore any responsibility in the targeting of individuals and said it did not operate the technology itself.
“Government customers do that, making all decisions about how to use the technology,” NSO said in its legal filing. “If anyone installed Pegasus on any alleged “target devices” it was not [the] defendants [NSO Group]. It would have been an agency of a sovereign government.”
Asked to comment on this story, NSO Group said it operated under “industry leading governance policies” and that it could not confirm or deny which authorities use its technology because of confidentiality constraints.
“Once again speculative comments from CitizenLab only serve to highlight its continued, naive and ulterior agenda which fails to competently address the challenges faced by law enforcement agencies,” an NSO Group spokesperson said.
The spokesperson added: “We do however appreciate your bringing this issue to our attention. In line with our human rights policy we take our responsibilities seriously and if warranted, will initiate an investigation.”
The news is expected to send shockwaves across Spain and the European Union, and will raise questions about whether the spyware was deployed legally against a senior political leader.
Torrent said he would seek an investigation. He also confirmed that he observed “suspicious behaviour” on his mobile phone in 2019 and earlier, including the disappearance of WhatsApp messages. Citizen Lab said in a memo to Torrent that this suspicious activity suggested his phone had been successfully infected.
“It’s a pretty serious matter for everyone; any democrat should feel very uncomfortable over news like this,” Torrent said, adding that one of the most progressive governments in Spain’s history needed to ask itself “whether this case will serve to put an end to the dirty war”.
Mathias Vermeulen, a Brussels-based public policy director of AWO, a new data rights agency, said the story would resonate in Brussels, where privacy has been at the centre of the policy agenda for a decade.
“While there is quite some hesitation from the European institutions and member states to get involved in domestic struggles over political power, if these allegations point in the direction of the Spanish state, then I think we are entering a whole new level of controversy within Brussels,” he said.
“Some member states with a more authoritarian past – like Germany – are sensitive to any allegations of surveillance of political opponents. It brings back some of the darker periods of Europe’s history.”