In recent months, I have been working on the Corporate Sustainability Due Diligence Directive (CS3D for short). It’s a new EU law that will force companies to make sure their supply chains are not contributing to human rights violations or to environmental damage.
So, for example, Apple will have to make sure that their lithium batteries do not contain cobalt mined by children in the Democratic Republic of Congo. They say that they already do this voluntarily but it will now be mandated.
I admit it’s not the sexiest thing in the world of Government at present, but it has some significant real-world applications. It is not for nothing that the European Parliament is split down the middle on it.
The two biggest issues are the size of companies it should apply to and whether it should apply to the downstream value chain - it is this second issue that will be most problematic. Your upstream supply chain is all the products that you require to make your product, known in business circles as inputs. So for example, the battery in your smart phone is
In the movie Hotel Rwanda, the manager of the hotel helps thousands of Tutsis and Hutus to escape the 1994 genocide. This character is based on the life and actions of Paul Rusesabagina. Despite his heroic actions, Rusesabagina is currently in a Rwandan jail serving a 25-year sentence that has been condemned by the European Parliament and other international organisations.
Rusesabagina was arrested after Pegasus spyware, employed by the Rwandan Government, hacked phones belonging to members of his family.
On 26 July 2022, Member of the European Parliament and leader of the Greek opposition PASOK party Nikos Androulakis filed a complaint with the Greek Supreme Court Prosecutor’s Office about attempts to infect his phone with another spyware product called Predator. The European Parliament’s IT service confirmed the attempted hack. The Greek Government has since banned the sale of spyware.
These examples raise a number of questions. What is the extent to which EU Member States are using this spyware? What are the circumstances in which Governments can legitimately use spyware in law enforcement? Should such companies registered in Ireland be tolerated if it is shown that their activities contribute to human rights violations?
A European Parliament report produced in June last year examined the legal framework for the use of this spyware among Member States across the EU. In July 2021, Citizen Lab, Amnesty International and others broke the news that European Governments were using Pegasus spyware for surveillance of activists, journalists and opposition politicians. NSO, an Israeli cyber-intelligence firm, manufactures Pegasus and admitted to selling the product to 14 EU Member States. It is now blacklisted by the US Government.
Predator is sold by a company called Thalestris registered at Foley Street, Dublin 2. An investigation published in November 2022 by Lighthouse, an outlet focusing on public interest investigations, found that Thalestris sold spyware to the successors of the genocidal Janjaweed in Sudan. The Rapid Support Services (RSF) of Sudan are accused of summary executions including of children in Darfur.
A further report by a European Parliament committee in November 2022 found that Ireland had become the “Member State where some of the main spyware companies involved in scandals have registered.” The Irish Government refused to answer questions about whether it had used the services of Thalestris following an investigation by a journalist with The Currency, Joe Galvin.
As reported by Colm Keena in this newspaper, it is not clear if Thalestris has any employees in Ireland, although it reported sales of €34 million to the Irish Companies Registration Office in 2021. However, the Government has said that Thalestris has not sought a licence to export spyware from Ireland. This suggests that their presence in Ireland is purely for tax purposes.
In EU countries surveyed by the report, safeguards against the abuse of such spyware are not uniformly applied, if they are applied at all. For example, the report identified the absence of redress mechanisms as a particularly significant gap in the overall governance of such techniques. Such redress would ultimately test whether spyware is capable of meeting the requirements of privacy rights in the EU.
Currently, the EU is preparing new legislation (Corporate Sustainability Due Diligence Directive) that will require companies to examine whether their supply chain contributes to human rights abuses. The question of whether the use of the product will fall into the scope of the legislation remains to be decided.
Finally, no one seems to know which EU country, if any, is exporting these products. The export of spyware is controlled by existing European legislation, but both the Cyprus and Greece Governments, like the Irish Government, initially said they had not issued export licences for Predator or Pegasus. However, a New York Times report in December revealed that the Greek Government admitted to licensing the sale of Predator to Madagascar.
Companies use tricks to circumvent the rules. That is, the physical hardware of the product is sent to a recipient country without the software loaded on it. After that, the activation software (also referred to as the ‘license key’) is sent separately by means of a USB-memory stick.
As noted by Professor Ronald Deibert of Toronto University in Foreign Affairs magazine last month, ‘there is little doubt that spyware has been used to systematically degrade liberal democratic practices and institutions.’ Therefore, the EU and its member state governments need to establish clear regulatory boundaries including disclosure about exports, standards for the use of spyware and access to justice for those affected by mercenary spyware technology.
I would strongly support Irish legislation banning the sale of such spyware in Ireland.
Finally, I am glad to say that the Oireachtas Justice Committee has confirmed that it will examine the presence of spyware companies in Ireland as part of its 2023 work programme.