The Federal Criminal Police Office of Germany (Bundeskriminalamt, abbreviated BKA) has declined to answer Meduza’s questions about its use of the Pegasus surveillance spyware, developed by the Israeli cyber-arms company NSO Group and purportedly only licensed to state clients.
The agency explains that answering Meduza’s queries on the subject would diminish its “capabilities required for criminal prosecution and the aversion of danger.”
Meduza’s queries to BKA
- The Bundeskriminalamt is known to be a Pegasus user. Does any other law enforcement or intelligence agency in Germany use Pegasus spyware?
- Whom are you (or other German law enforcement or intelligence agencies) using this software against?
- Does Germany use Pegasus against journalists? If so, who was targeted?
- Does Germany use Pegasus against Russian citizens? If so, who was targeted?
- Does Germany use Pegasus against people located in other European countries?
- According to researchers from Citizen Lab, on February 10, 2023, the smartphone of Meduza publisher Galina Timchenko was successfully infected with Pegasus. She was in Berlin at the time. What do you know about this attack?
- Did Germany have anything to do with this attack?
When asked for comment on the Pegasus attack on Meduza CEO and publisher Galina Timchenko, BKA issued the following statement:
Please understand that we do not provide information on capabilities or tools available at the BKA with regard to covert measures. This is a highly sensitive aspect in the area of gathering criminal procedural and police information. The provision of details might, as a result, allow for extensive conclusions to be drawn about the technical capabilities and thus indirectly also about the technical equipment and know-how of the BKA. This might have a significantly negative impact on the BKA’s capabilities required for criminal prosecution and the aversion of danger and thus render the implementation of such measures far more difficult or impossible in future.
In September 2021, the German Federal Criminal Police acknowledged that it had purchased a version of NSO’s surveillance spyware.
According to a ruling of Germany’s Federal Constitutional Court, the country’s secret services can only use spyware on surveillance targets’ devices in special cases. The same court decision also limited the kinds of operations that permit the use of spyware like Pegasus. Typically, agencies using the program claim to be targeting terrorists and other dangerous criminals.
Timchenko was notified about a possible hacker attack on her smartphone by Apple, in June. Researchers at Access Now and Citizen Lab have since established that Pegasus spyware was probably installed on her phone on February 10, 2022, when Timchenko took part in a journalism conference in Berlin.
The news of a journalist being covertly surveilled in Europe sparked media criticism of the lack of transparency and accountability in the way surveillance tools like Pegasus are currently used by governments.