Imagine discovering that your phone – the very device containing your most private conversations and thoughts – has been turned into a surveillance weapon against you. Not by criminals, but by your own government. For hundreds of citizens worldwide, from Mexican human rights lawyers to Armenian public figures, from European opposition politicians to investigative journalists, this nightmare became reality through Pegasus spyware.

The Pegasus scandal represents more than privacy violation; it reveals how surveillance technology is fundamentally reshaping power in democratic and authoritarian societies alike. Developed by Israeli company NSO Group and first deployed in 2011, Pegasus can transform any smartphone into a comprehensive surveillance device, accessing messages, emails, calls, and even activating cameras remotely.¹ Its “zero-click” capability means it can infect devices without user interaction, making detection nearly impossible.

The global reach of Pegasus surveillance has been staggering. In Mexico, the technology was systematically deployed against journalists, human rights activists, and lawyers investigating state violence, including international experts researching the disappearance of 43 students in Guerrero.² In Azerbaijan, the authoritarian Aliyev government wielded Pegasus against domestic critics and targeted Armenian public figures during the Nagorno-Karabakh conflict.³

Behind this apparatus stands NSO Group, founded in 2010 by Israeli entrepreneurs with deep intelligence connections. Many early hires came from the IDF’s elite Unit 8200, helping NSO quickly scale to a billion-dollar valuation by 2015.⁴ Israel classifies Pegasus as a weapon requiring Defense Ministry export approval, with deals often aligning with diplomatic interests.

While authoritarian regimes’ use of such surveillance might seem somehow predictable, the adoption of Pegasus by established democracies reveals a more troubling reality. Across Europe, from electoral interference in Poland to media suppression in Hungary to the secret purchase and deployment of the software in Germany, the use of Pegasus software in democratic states raises fundamental questions about technological authoritarianism and its compatibility with European democracy. How does such technology comply with democratic principles when it threatens the very pillars of democratic governance: free elections, press freedom, and civil society?

The implications are profound. When democratic governments increasingly rely on surveillance tools developed by private companies in foreign countries, they risk undermining the transparency, accountability, and citizen trust upon which democracy depends. This article seeks to explore what it means for European democracy when state actors – even within the EU’s institutional framework – increasingly depend on surveillance technology provided by private organizations and foreign governments, and how this dependency fundamentally alters the relationship between citizens and the state.

Europe’s Democratic Laboratory Under Siege

Europe has inadvertently become a testing ground for how surveillance technology can undermine democratic institutions from within, revealing different models of technological authoritarianism adapted to local contexts. Evidence has emerged of several European countries deploying this technology, from Poland and Hungary right into the heart of established democracies: Germany, Spain, and Greece

Poland: Electoral Interference in Real Time

Under the right-wing Law and Justice party (PiS), nearly 600 people were targeted with Pegasus in what investigators call the biggest political scandal since communism’s fall.⁵ The most prominent victim was Krzysztof Brejza, an opposition senator whose phone was repeatedly compromised during his 2019 parliamentary election campaign. The attacks stopped just days after the vote, revealing surgical precision in political targeting.⁶

The surveillance extended beyond Brejza to his campaign infrastructure and family. His assistant received suspicious messages during his European parliament campaign, while his father -completely uninvolved in politics – was targeted with ten carefully crafted messages exploiting his personal interests. This intimate surveillance enabled not just monitoring but psychological manipulation, accessing private family conversations to craft personalized attack vectors.

Hungary: Normalizing the Surveillance State

Viktor Orbán’s Hungary presents a different model: open acknowledgment and legal justification of surveillance against civil society. Primary targets were investigative journalists at Direkt36. Reporter Szabolcs Panyi had his phone repeatedly compromised in 2019, with infections often occurring after he made comment requests to government officials, suggesting real-time monitoring of journalistic work and potential source identification.⁷

Unlike other countries denying involvement, Hungary acknowledged purchasing Pegasus in 2021, claiming legal surveillance. This represents a new authoritarianism: using legal frameworks to legitimize fundamentally anti-democratic practices, shifting debate from whether surveillance should occur to whether it follows procedures.⁸

Germany: Secret Purchase, Missing Democratic Oversight

Germany’s case reveals how surveillance technology can bypass democratic safeguards through institutional secrecy. In 2017, Germany’s Federal Criminal Police (BKA) initially declined to purchase Pegasus after legal advisors warned that its capabilities exceeded German privacy laws by a wide margin.⁹ However, the BKA quietly returned to negotiations in 2019, securing the purchase with NSO’s promise to disable certain functions, though which features were switched off remains unclear to this day. The spyware was delivered in late 2020 and first deployed in terrorism and organized crime cases in early 2021, but neither parliament nor the public knew about it until investigative journalists exposed the story in September 2021, creating a political scandal over legality, transparency, and democratic oversight.¹⁰

Spain: Targeting the Catalan Independence Movement

Spain’s surveillance of Catalan independence figures represents one of Europe’s most systematic deployments of Pegasus against a political minority. Following Catalonia’s independence referendum in 2017, Spanish authorities arrested independence leaders on sedition charges while simultaneously launching a sophisticated spying operation. Between 2017-2020, Spain’s National Intelligence Center (CNI) targeted at least 65 individuals connected with the Catalan independence movement using Pegasus and Candiru spyware, with most incidents occurring in 2017, immediately after the independence bid. ¹¹

The scope and systematic nature of this surveillance drew international condemnation. As UN experts stated in February 2023: “Between 2017-2020, the devices of at least 65 Catalan minority politicians and activists were reportedly targeted by a complex and sophisticated spying programme, whose victims included Catalan minority leaders, Members of the European Parliament, legislators, jurists, and members of civil society organisations.” (OHCHR, 2023) The UN called for Spanish authorities to thoroughly investigate reports that Pegasus and Candiru spyware was used.

Spain and France: Foreign Surveillance Targets

Just two weeks after the CatalanGate revelations became public, Spain itself became a victim when the government announced that Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had been hacked with Pegasus in May and June 2021, likely by Morocco during a diplomatic crisis between the two countries.¹² France experienced a similar pattern when President Emmanuel Macron’s phone number, along with those of several ministers and senior officials, appeared in the leaked Pegasus database, with Morocco again suspected as the operator. France’s cybersecurity agency became the first national authority to officially confirm the Pegasus Project’s findings, discovering the spyware on journalists’ phones at high-profile outlets including Mediapart and France 24.¹³

The Democratic Erosion Mechanism

The Pegasus scandal reveals systematic mechanisms through which surveillance technology undermines conditions making democracy possible. This erosion operates across multiple dimensions: from destroying competitive elections and press freedom to circumventing constitutional protections and normalizing state surveillance of citizens. The central question is whether democratic societies can survive when surveillance technologies make privacy – and thereby political freedom – structurally impossible.

Breakdown of Democratic Competition

Democracy depends on political opposition organizing and campaigning without ruling parties accessing their private communications. When Brejza was surveilled during Poland’s 2019 campaign, PiS potentially gained access to opposition strategy and internal discussions. This creates impossible conditions for democratic competition, if politicians know phones could be compromised, how do they plan strategy or coordinate with allies?

Collapse of Press Freedom

Journalism depends on protecting sources and conducting confidential investigations. When journalists know phones could become surveillance devices, it fundamentally alters their democratic function. The targeting of Hungarian journalist Panyi exemplifies this threat, real-time monitoring could systematically undermine investigative journalism by identifying sources and enabling preemptive responses.

Circumvention of Constitutional Protections

Surveillance technologies outpace legal frameworks designed for analog worlds. Germany’s experience demonstrates that even constitutional protections become meaningless when governments claim “national security” to justify secret surveillance tool purchases. This creates systematic rule of law erosion, where technological capabilities determine possibilities rather than constitutional principles determining permissions.

Normalization of Surveillance

When governments openly acknowledge using spyware against citizens – as Hungary did – but claim it’s legal, they fundamentally redefine the relationship between the state and its citizens. This represents a shift from the presumption of privacy fundamental to liberal democracy toward a presumption of surveillance characteristic of authoritarian systems. This normalization happens gradually: first justified for counter-terrorism, then expanded to serious crime, organized crime, and ultimately to political opposition during elections.

Breakdown of International Trust

The targeting of President Macron and his cabinet, allegedly by Morocco, shows how surveillance technologies reshape international relations. When allied nations can use commercial spyware to spy on each other’s leadership, it undermines the trust essential for diplomatic cooperation and international law. The France-Morocco case demonstrates that Pegasus has become a tool of digital diplomacy that transcends traditional intelligence boundaries.

The Intentional Erosion of Democracy

What makes this particularly troubling is that these implications appear to be intended rather than accidental side effects. In Poland and Hungary, the patterns show these tools being used deliberately to weaken democratic checks and tighten ruling parties’ grip on power. The systematic targeting of opposition figures, journalists, and civil society creates a comprehensive assault on democratic institutions.

Global Power Dynamics and Digital Sovereignty

The Pegasus scandal reveals broader dynamics about technological power and democratic governance’s future in the digital age.

Technological Dependency as Strategic Vulnerability

Beyond the immediate democratic implications for citizens, the Pegasus scandal reveals broader dynamics about technological power and democratic governance’s future in the digital age. These structural vulnerabilities expose how European democracies have become inadvertently dependent on foreign technologies while lacking adequate institutional mechanisms to protect their citizens from surveillance abuse.Pegasus Spyware in Europe: How Surveillance Threatens Democracy

Europe’s Technological Dependence

One of the most significant problems that emerges is Europe’s technological dependence, exemplified by Germany’s experience. When German authorities sought to develop domestic surveillance software, they lacked the necessary capabilities, ultimately leading to the Pegasus purchase (Carmesin & Stark, 2023). This pattern reflects a broader reality: European democracies depend on surveillance technologies developed by companies with their own geopolitical interests. Moreover, data collected on European citizens through Pegasus and similar surveillance technologies is stored on servers controlled by foreign entities, highlighting a systemic problem that extends across the EU’s entire digital infrastructure dependency.

NSO Group operates as part of Israel’s diplomatic toolkit rather than as a purely commercial entity. When European governments purchase these technologies, they enter dependency relationships that can be exploited for political purposes. Israel classifies Pegasus as a weapon requiring Defense Ministry export approval, with deals often aligning with Israeli diplomatic interests. This means European surveillance capabilities become subject to Israeli strategic calculations, creating fundamental national security vulnerabilities where democratic governments’ intelligence tools serve foreign policy objectives.¹⁴

EU Enforcement Limitations

The EU’s response reveals the limitations of supranational governance in addressing cross-border surveillance threats. While the European Parliament’s PEGA Committee conducted thorough investigations and documented extensive abuse, these findings remain non-binding recommendations. National security remains a national competence under EU treaties, meaning the Union has limited power to regulate government spyware use, even when such use threatens fundamental rights and democratic principles.¹⁵

This creates a fundamental paradox: surveillance technologies operate seamlessly across borders, threatening shared democratic values and citizen rights throughout the Union, but the institutional mechanisms for addressing these threats remain constrained by national sovereignty principles. The result is a governance gap where European integration has failed to match the transnational nature of technological threats to democracy.

Reclaiming Democratic Control

The Pegasus scandal forces confrontation with fundamental questions about technology and democracy’s relationship. The path toward digital peace requires more than technical solutions or regulatory responses. It demands fundamental reimagining of how democratic societies relate to surveillance technology, prioritizing human dignity, democratic participation, and social justice over security imperatives and technological capabilities.

This means developing technological sovereignty allowing democratic societies to control digital tools shaping their future. It means creating international frameworks for surveillance technology prioritizing human rights over commercial interests. And it means recognizing that security versus freedom is often a false choice, true security comes from strong democratic institutions, not surveillance technologies undermining democratic governance foundations.

The invisible war revealed by Pegasus is not inevitable. But winning requires recognizing technology is not neutral, surveillance capabilities will be used politically, and protecting democracy in the digital age requires active, intentional, collective effort.In surveillance’s shadows, democratic life’s very possibility hangs in the balance. The future of democratic governance may depend on ensuring digital tools serve human flourishing rather than human control.

Podcast

This article is a collaboration between Digital Peace and Hampa Stories. For additional expert perspectives and extended analysis of Pegasus and its implications for European democracy, make sure to listen to the podcast:

References

Image generated with Adobe Firefly.

1. Pegg, D., & Cutler, S. (2021, July 18). What is Pegasus spyware and how does it hack phones? The Guardian. https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones
2. The Guardian. (2017, August 3). Mexico spying scandal: human rights lawyers investigating murders targeted. The Guardian; The Guardian. https://www.theguardian.com/world/2017/aug/03/mexico-spying-scandal-human-rights-lawyers-investigating-murders-targeted
3. Amnesty International. (2023, May 25). Armenia/Azerbaijan: Pegasus spyware targeted Armenian public figures amid conflict. Amnesty International. https://www.amnesty.org/en/latest/news/2023/05/armenia-azerbaijan-pegasus-spyware-targeted-armenian-public-figures-amid-conflict/
4. Travère, A., & Rueckert, P. (2021, July 19). The Rise and Fall of NSO Group. Forbiddenstories.org. https://forbiddenstories.org/the-rise-and-fall-of-nso-group/
5. Iwaniuk , J. (2024, March 4). Pegasus probe in Poland reveals unprecedented use of spyware by previous government. Le Monde.fr. https://www.lemonde.fr/en/international/article/2024/03/04/pegasus-probe-in-poland-reveals-unprecedented-use-of-spyware-by-previous-government_6584086_4.html
6. Marczak, B. (2018, September 18). HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries – The Citizen Lab. The Citizen Lab. http://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
7. Szabolcs, P. (2021, July 19). Hungarian journalists and critics of Orbán were targeted with Pegasus, a powerful Israeli cyberweapon. Direkt36. https://www.direkt36.hu/en/leleplezodott-egy-durva-izraeli-kemfegyver-az-orban-kormany-kritikusait-es-magyar-ujsagirokat-is-celba-vettek-vele/
8. Fuchs, J. (2023, January 17). Is the EU protecting people from Pegasus spyware? Access Now. https://www.accessnow.org/eu-pegasus-spyware/
9. Carmesin, J., & Stark, H. (2023, May 18). Investigativpodcast “Der Spion in unseren Handys”: #6 Deutschland und die dunkle Seite der Macht. DIE ZEIT. https://www.zeit.de/politik/2023-05/spyware-pegasus-deutsche-behoerden-investigativpodcast
10. Flade, F., Mascolo, G., & Obermaier, F. (2021, September 7). Spähsoftware “Pegasus” auch in Deutschland eingesetzt. Süddeutsche.de. https://www.sueddeutsche.de/politik/pegasus-spionage-bka-trojaner-1.5403678
11. OHCHR. (2023). Spain: UN experts demand investigation into alleged spying programme targeting Catalan leaders. OHCHR. https://www.ohchr.org/en/press-releases/2023/02/spain-un-experts-demand-investigation-alleged-spying-programme-targeting
12. CBC. (2022, May 2). Spanish PM, defence minister targeted in Pegasus phone hack. CBC. https://www.cbc.ca/news/world/spain-spyware-pegasus-prime-pedro-sanchez-1.6437959
13. Reuters. (2021, July 21). France’s Macron targeted in project Pegasus spyware case – Le Monde. Reuters. https://www.reuters.com/technology/french-prosecutor-opens-probe-after-pegasus-spyware-complaint-2021-07-20/
14. Estrin, D. (2021, August 25). What To Know About The Spying Scandal Linked To Israeli Tech Firm NSO. NPR.org. https://www.npr.org/2021/08/25/1027397544/nso-group-pegasus-spyware-mobile-israel
15. European Parliamentary Research Service (EPRS). (2024, June 2). What action has Parliament taken against spyware abuse? Epthinktank. https://epthinktank.eu/2024/06/02/what-action-has-parliament-taken-against-spyware-abuse/