Dieser Artikel stammt von Netzpolitik.org.Der Autor ist...
Europäische Geheimdienste haben eine Sicherheitsbeauftragte von Meta und einen Rechtsanwalt mit Staatstrojanern gehackt und überwacht. Im EU-Parlament erzählen die Betroffenen, dass sie bis heute nicht ausreichend informiert werden. Wir veröffentlichen ein inoffizielles Wortprotokoll der Sitzung.
Artemis Seaford spricht zum Ausschuss. – Alle Rechte vorbehalten Europäisches ParlamentDer Staatstrojaner-Untersuchungsausschuss im EU-Parlament hatte am 20. April seine letzte Anhörung. Zwei Staatstrojaner-Opfer berichteten über ihre Erfahrungen.
Artemis Seaford war Sicherheitsbeauftragte bei Meta und ist Staatsbürgerin von USA und Griechenland. Im März berichtete die New York Times, dass Seaford vom griechischen Geheimdienst abgehört und mehrere Monate mit dem Staatstrojaner Predator überwacht wurde, wie so viele in Griechenland.
Der griechische Geheimdienst hat eine normale Telefonüberwachung verwendet, um ihr Endgerät mit dem Staatstrojaner Predator zu infizieren. Seaford bezeichnet die Kombination der Macht des Staates mit der technologischen Kapazität von Trojanern als erschreckend.
Seaford weiß bis heute nicht, warum der Geheimdienst sie gehackt und überwacht hat. Ihre Arbeit bei Meta oder ein Artikel von ihr zu Sexismus im politischen System Griechenlands rechtfertigen den Einsatz von Staatstrojanern nicht.
Ich bin eine Privatperson. Ich bin Bürgerin eines Landes mit einer starken demokratischen Tradition und einer formalen Verpflichtung zur Rechtsstaatlichkeit. Wenn jemand wie ich heute hier vor Ihnen steht, um darüber zu sprechen, dass ich mit Predator überwacht wurde, dann kann wohl niemand vernünftigerweise erwarten, sicher zu sein.
Katalonien und CatalanGate
Danach sprach der deutsche Menschenrechtsanwalt Gonzalo Boye. Er arbeitet in Spanien und vertritt mehrere Politiker*innen der katalanischen Unabhängigkeitsbewegung.
Der spanische Geheimdienst hat Boye 2019 und 2020 überwacht, auch mit dem Staatstrojaner Pegasus. Die Überwachung erfolgte auf Anordnung des Obersten Gerichtshofs von Spanien, Boye zufolge allerdings ohne Rechtsgrundlage. Boye weiß nicht, wer von der Überwachung wusste. Aber die Regierung trägt die politische Verantwortung für den Skandal.
Zu den Mandanten von Boye zählt unter anderem Carles Puigdemont. Nach dem umstrittenen Unabhängigkeitsreferendum in Katalonien 2017 erhob die spanische Generalstaatsanwaltschaft Anklage gegen Puigdemont. Seit 2019 ist er Abgeordneter im EU-Parlament und dort auch im PEGA-Untersuchungsausschuss.
Von der Sitzung gibt es kein Transkript, daher veröffentlichen wir ein inoffizielles Wortprotokoll der Anhörung.
Institution: European Parliament
Chair: Jeroen Lenaers
Expert 1: Artemis Seaford, former Security Policy Manager at Meta
Expert 2: Gonzalo Boye , Lawyer
Note: This transcript is automated and unofficial, it will contain errors.
Editors: Anna-Lena Schmierer, Jan Lutz
Artemis Seaford, former Security Policy Manager at Meta
Jeroen Lenaers (Chair): Good morning, everybody. I’m sure some more colleagues will come in in a minute, but I would propose that we will start the meeting at this point. We have the following interpretation present today. German. English. French. Italian, Greek, Spanish, Hungarian, Polish, Slovakian, Bulgarian, Slovenian and Romanian. On the agenda, if there’s no objection, I consider it adopted.
In the beginning I want to say we’ve got two speakers today that are remotely connected. We have had, as I’m sure you all well aware, some issues in the past with the technical quality of the connection of remotely connected speakers, which led to some problems also, for our interpreters, we have done everything within our possibilities to check the connections with our speakers today and yesterday. The quality seems to be good enough for interpretation. I would also like to thank the interpreters for their efforts to make this important meeting of our committee work efficiently. And I hope that we can maintain this quality of connection so we can have a good audible and interpreted contributions from our two guests today. So once again, thank you to the interpreters and to the technicians for making today’s meeting possible.
We then start our program for today, and we’ll first have an exchange of views with Ms. Artemis Seaford, who is a former Facebook safety manager. On the 20th of March, the New York Times reported that Ms. Seaford was placed under surveillance using Predator spyware when she was working as a security policy manager in Meta security and trust team. As a US and Greek dual national, this is also the first published case of an American citizen being targeted in an EU member state by such technology.
So I welcome Ms. Seaford and I thank her for being with us this morning. I would like to pass the floor to you for about 10 minutes, after which we will open the floor for a Q&A session with the members here in the room. For those members who would like to take the floor, I would also ask you to indicate to me, so we can make a speakers list. Once again, thank you very much, Ms. Seaford. And you have the floor for about 10 minutes.
Artemis Seaford (former Security Policy Manager at Meta): Thank you, Mr. Chair. Good morning, everyone. Good morning dear members of the PEGA-Committee. I would like to thank you for affording me this opportunity to be here to tell my story in the hope that this story is helpful in the context of your important work to shed light on the abuses of the commercial spyware industry and propose meaningful regulation going forward. If that’s amenable to the committee, I would like to spend our first few minutes together to walk you through the specifics of my story. And as I do so, I invite you to reflect on three dimensions of the story that I think of as particularly important and connected to your broader work.
First, who I am as a person. I’m not a politician. I’m not a public figure. I’m not a member of any party. I’m not even a journalist. I’m a private citizen. I’m a citizen of a country with a strong democratic tradition and a formal commitment to the rule of law. If someone like me is here before you today to discuss being targeted with Predator, it seems that no one can reasonably expect to be safe.
Secondly, I invite you to reflect on the specifics of my targeting and in particular the combination of state issued wiretap for monitoring traditional communications, telecommunications with the connection of the spyware, the Predator spyware. As we will discuss in my case, not only did the two appear together, as we have seen before in other cases, but in my specific case, the official state wiretap was actually leveraged, as the evidence suggests, in order to target me with Predator. And the combination of the power of the state, on the one hand with a technological capacity of spyware and the other in my case, and I suspect in many others, is truly terrifying.
Thirdly, I kindly invite you to focus on what happened at the aftermath when the scandal broke out and how the government and the state authorities reacted. And together to discuss potentially what this means for general cases like this when a scandal of this nature erupts and what the protective instinct of the government to contain political cost, the state authorities to quash the scandal, mean for the abilities of victims to find accountability and the improvement of the oversight of intelligence services in the context of regulating commercial spyware.
But let me start at the beginning. As you already know, I’m a Greek citizen. I was born and raised in Greece, but I left. I left in the wake of the financial crisis. Like many people of my generation, looking for better professional and educational opportunities elsewhere. It was actually my particular generation that was exceptionally excited about four years ago when this new government came into office for the country to turn a fresh page and embark on a path not only of economic and financial stability, but also of institutional and social progress. Therefore, it’s particularly saddening for members of my generation to see the liberal erosion, frankly, and the backtracking of the rule of law that has occurred in the wake of the surveillance scandal.
So I have, as you know, have been working for an American company of the past few years, a big …
Jeroen Lenaers (Chair): Excuse me. We’ve lost the sound, Ms. Seaford. There’s something with your microphone that the last thing we heard was „big“. I’m looking at the technicians. Ms. Seaford, can you hear me? We will try to reboot the connection. The sound quality was good. So. We’ll take a minute. No, we can still not hear you.
Artemis Seaford (former Security Policy Manager at Meta): I can hear you just fine.
Jeroen Lenaers (Chair): You’re back. Very good. You know what? The last thing we heard you say was „big“ as in the company you work for. So if you could pick it up for me.
Artemis Seaford (former Security Policy Manager at Meta): I mean, that’s. I don’t know what happened. I just. I could hear you just fine the whole time, but. Okay. So as I mentioned, for the last few years, I was working for a large tech company in the States, but I also spent much of my some of my time back home in Greece working remotely in the midst of the COVID crisis. So it was in this context that in the fall of 2021, I made, like many of us did, an appointment to get a COVID vaccine. Now, in Greece, as I suspect in many of your respective countries, this is run by the state through a centralised platform. It’s a very successful operation which I used to make this appointment.
So the state typically sends messages in the lead up to the appointment to remind people to show up. I got a couple of these messages that contained the time, the place and the location of my appointment together with a reminder to show up. After a couple of these messages on the same day, a few hours later, I get another message. Now, this message looks identical to the first two. The time and the place and the location of my appointment are also mentioned absolutely correctly, the same framing. The only difference is that this message now contains a request to confirm my appointment and a link which I press, suspecting there is nothing wrong. I then get a couple more official messages reminding me to show up for my appointment the following day.
A year passes. I have no reason to suspect that anything is amiss until I see in the press reports of a large number of people, public figures, politicians, but also private citizens, allegedly targeted with Predator. At the beginning, I don’t really believe this. It seems very far fetched that this would happen to this group of people in Greece. You know, it’s not a country with such a tradition in my mind. So I don’t believe it.
But then I see my own name and then I realize something must be really wrong because nobody would have an interest to fictitiously to include my name in such a list if it wasn’t real. Because again, I’m not a public figure. There is no reason for my name to include, it is not widely known. So after I see my name in these reports, I contact Citizen Lab and they kindly are able to run some remote tests on my phone and confirm that yes, I was targeted with Predator.
Now of course that link was the malicious link that I mentioned earlier. And upon review I realized that it came from a different number that pretended to be the state number and the link pretended to be the official state platform with a very small difference that was virtually imperceptible that directed me to an entirely different domain that contaminated me with Predator.
Now I personally see no other way to read the evidence than to suggest that whoever sent me the malicious link had access not only to the information that was previously shared through the official message about the time, place and location of my appointment. But was also able to sandwich this malicious message very well within the real messages. Only hours after the real ones and hours before some more real ones.
So it was no big surprise when through the same leaks a few weeks later, I also found out that I had been under intelligence wiretap. The intelligence wiretap had started a few months before the Predator attack and lasted for an entire year. I actually had six renewals, which is a very high number of renewals, as you as you realise. So that moment I felt extremely shocked. I felt very lonely, I felt violated. I felt that I had some sort of digital virus that other people were afraid of getting contaminated with and therefore would sort of keep their distance. And I also felt scared. I felt that if I spoke out and complained about this, especially forces that would try to discredit me would sort of imply that there was a good reason for me to be targeted, that I had done something wrong. So I was quite scared and I was quite lost. So I looked around, tried to understand what I could do.
I thought, okay, I’m a victim of a crime, surely the state, like any other case, would sort of come to my defence and provide avenues for me to find accountability. Unfortunately, that was not quite the case. I found out, to my dismay, that after the first case broke out of this (incomprehensible) from Mr. Koukakis about a year ago, the state had removed the right to notice for victims.
Now I’ve worked in the security space. I’m very sensitive to the argument that a state needs to weight its national security interest against the right to notice of targets. But given the circumstances of this case, the fact that the right to notice for targets was removed exactly as the scandal was breaking out, that affected so many people, that nobody had any reasonable claim to believe that in their totality can possibly be national security threats. I don’t believe anybody can come to the conclusion that this was done in good faith.
So I submitted a complaint to the courts, (incomprehensible) people have, as you may know. To this day there has been an investigation in process, but no prosecutions, no charges have been filed to get it against anyone. So I have little hope, to be candid, that we’ll ever really know what happened in this case, let alone find accountability for victims. I still to this day, do not know why he was targeted. I can’t think of any legitimate reason or even illegitimate reason why that would be a motivation to have so much interest in myself by anyone.
There was some hope. At least I thought the state will use this to catalyse reform of security oversight, but also commercial spyware abuse. There was a law that came out at the end of last year. Unfortunately, our hopes in that department were also largely quashed. There were a few measures that were taken that were positive, such as the explicit banning of the private use of commercial spyware in private sale. But little was mentioned about what the government can do.
At the same time, the oversight of the independent intelligence watchdog was not improved if anything was reduced, creating confusion afterwards about what it had the power to do and not to do. Importantly, the right to notice was also entrenched in its removal for three years.
For three years, people like myself cannot go to the authorities to get information about what happened. This is why this all these leaks have been incentivised as the only way the information can be communicated. And after three years, even after three years, when I’m able to do so and people like me are able to do so, we the committee that assesses this is comprised by a majority of the same people in the same capacity that issue the warrants in the first place, as you can see, creating a pretty clear conflict of interests.
All of this put together, you know, what does this mean for us? What does it mean for me? I have personally spoken with other people in my position, many women. They tell me that, you know, they feel horrible about being targeted, but they have no incentive to speak out because they have everything to lose and very little to gain, particularly in the fact that there is no clear path to any accountability, which I find very, very sad, really, for the situation in my country. And look, if nothing else, if nothing else is disturbing here, the fact that the domestic proliferation of spyware in Greece and what the evidence suggests is that interactions of state use catalyse and enable the lack of oversight over experts.
And now we’re in a situation where we see that technology was exported to places like Sudan, where there’s a civil war alongside places like Madagascar and Bangladesh. The fact that these two come together, the domestic abuse catalyses, this lack of expert oversight and people die as a result. And paradoxically, this can also come back as a national security threat for the European Union when bad actors around the world get their hands on that technology because it was exported by the very same European countries that were trying to control it in the name of national security.
So all of this together, I look forward to the rest of our discussion. I hope that this information was useful and will be useful to the broader work of the committee, which is extremely important. I hope this the experience of the Greek state is another catalyst of the need for European level action. Given that states alone are not adequately protecting their own citizens or containing the proliferation of this technology on their own. And I look forward to your questions.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Ms. Seaford, for sharing your story with us. I’m sure it raises many questions from our members as well. I’m also very happy that the technology, with one minor glitch, stayed in place. So that also should bode well for the Q&A session that we’re about to have now. We’ll do it one by one. So we have the most direct interaction. We’ll start with our rapporteur, Ms. Sophie in ’t Veld.
Sophie in ’t Veld (Renew): Thank you, Chair. And I would like to thank Ms. Seaford for being with us. This is a very valuable contribution to our work. Just a couple of questions. First of all, on the timing: Is it correct that the surveillance with Predator started in September 2021, and it was followed by the conventional surveillance by the EYP. But was there also surveillance by the EYP in August 2021? This is this is something I’m not quite clear about.
Secondly, of course, a big question mark is, in your case, but also several of the other cases, the reason. In some cases it’s fairly obvious why people have been targeted, why they would be, let’s say, a nuisance or of interest in any case to people putting them under surveillance. In your case, there’s still a big question mark.
You work at Meta and can you say something about whether you’ve been involved or not and at what point in time the work that has been done by Meta on the spyware issues They have identified, let’s say various links that have been sent, etc. Have you been involved in that?
Another thing that struck me is: An Interview with you was published in March 2021 in a in a women’s magazine, in the context of a broader story about, let’s say, women’s rights, but also harassment cases. In that interview, you mentioned harassment by a politician. A few months later, or half a year later, the surveillance starts. Is it imaginable, that there is a connection?
And my last question is: You’ve been in touch with others. You’ve said that. Have you been in touch with people that you know of who have been either targeted or they were part of, let’s say, the by-catch. They were in the entourage of somebody who has been targeted. And, you know, so unknowingly they may have been, well, surveilled even if they weren’t the targets, but they are afraid to speak out for whatever reason. Thank you.
Jeroen Lenaers (Chair): Thank you, Ms. Seaford.
Artemis Seaford (former Security Policy Manager at Meta): Thank you very much for these questions. There are many and interesting and I will try to do well by all of them. If I omit any, please call me out. So the first is the timing. Yes, indeed. My targeting by the state intelligence apparatus, to the best of my knowledge, as reported by the media, which I base this information on leaks by relevant authorities. I was targeted through a state wiretap since the summer of 2021, I believe it was July for a year. So that would mean that the state wiretap was in place a good two to three months before I was targeted with Predator, which happened in September.
And it lasted after my targeting with Predator, which the Predator targeting, that we have confirmed, although it’s possible there were more. It was for a period of about two months in the fall of 2021, but the state wiretap lasted from July 2021, so before the Predator attack, all the way to the summer of 2022. And the maximum time is, in fact a year. So they used the maximum possible time and they renewed it six times because it has to be renewed every two months. It’s a statutory requirement. So they used the entire time possible to put me under the state wiretap. The Predator was in the middle.
The second question was about reasons. That is a great question. I would love to know myself, honestly, if I want something out of it. The first thing I’d like to get out of it is to understand what happened, which unfortunately now the state is not allowing for cases like mine, although it’s obviously nothing to do with national security. At least I know that. I’m not a member of any criminal organisation or terrorist. I’ve never been on the payroll of any government. There really is, and I stress this, no legitimate national security reason that at least I can think of that would put me in this situation. Not to mention, of course, that the government continues to deny any use of Predator. So if we took the government at its word, the state surveillance would not explain it.
Given that there is no obvious smoking gun, that would bring a legitimate reason for this. Now the question becomes what would be an illegitimate reason for this and they are all off right there. The question becomes about getting into the mind of people that had a limited access to power and unlimited use of this technology to deploy at their own will without really having any constraints. So it’s extremely difficult to get into the mind of such a person, a group of people. I worked at Meta (incomprehensible) security. That means effectively keeping Meta user safe. And that was a broad series of things around content moderation and making sure to remove bad actors. In the context of this, my team worked closely with investigators that unearthed evidence of spyware on the platform that became the report that I believe that you mentioned.
I personally don’t believe there was any connection between my affiliation with Meta in the context of that work and the spyware targeting because the timing doesn’t quite make sense. The report came out in December. I was never publicly associated with that work. I’m not mentioned in the report. I never did any briefings. So both because of timing and also because it would be impossible for anybody to know what I did at Meta on this, I think, is quite unlikely. And also I wasn’t really heavily involved with this work. It wasn’t the work I did personally as an investigator. So it’s possible because anything is possible at this point, right? It’s about the relative probability. But I don’t have strong reason to believe that the Meta work was connected and it was a reason for the targeting, not to mention the fact that nobody else from Meta or any other tech company was targeted.
Okay, so then you asked me about the article. Okay. So sexism and harassment, huge issue in politics everywhere, especially in Greece. I’m afraid to say it’s a big issue not just in politics, but many aspects of public life and one that doesn’t get nearly enough attention. In my opinion. It’s a different issue, however, to the one we’re discussing today. I wrote this article to call out examples that exemplify typical behaviour that constitutes sexism and harassment in Greece and me, like many other women, have fallen prey to various forms of that. However, I don’t really see why the article itself would be a reason for this, because it doesn’t mention any particular person is not meant to photograph any particular person. So there’s nobody that is associated with him that would have a motivation, therefore, to survey me.
Now, if somebody in a position of power in the context that I mentioned earlier of having unlimited access to Predator with no constraints, saw this article and thought „she’s talking about harassment in politics, I wonder, you know, what she could know. Let me let me dig.“ It’s possible, right? I can’t rule that out. It’s just kind of an extreme interpretation of why somebody would bother to do all these things to get information for me.
And I believe your final question was about the stories of other victims and their connection to this. I have indeed spoken personally with other victims that know they’ve been targeted with Predator. And there have been obviously many reports in the press about that. However, they are not willing to speak out. It’s their story to tell and not mine. Of course, the many what I have noticed is that many of the women in particular that are involved in the scandal, unfortunately, are there because of their associations. Either they’re someone’s wife or someone’s partner or they were the object of attention, they say, by someone. So these are sort of reports.
So it’s very unfortunate. It’s particularly distasteful. I think that women are in this position, by and large, not even because of anything they do publicly, but because of their own personal associations. And I think that goes to show essentially the motivation behind all of this. Right. It’s portrayed in the media is portrayed in the press by forces close to the government as some sort of either a nonissue or something done in the name of protecting national security. Well, the intelligence system is discussed, but we see that it had evolved in the Greek context as a as a means of sort of getting personal information against people that could be used for political reasons. Extremely distasteful, in my opinion, and in betrayal of European values. I hope I covered all of your questions. Please flag. If I haven’t.
Jeroen Lenaers (Chair): Thank you. Thank you very much. I’m not sure if you could notice, but Ms. In ‚t Veld nodded. So that means that your questions, the questions were answered. Now we move to Mr. Heide. And just as a reminder, Ms. Seaford, because the technicians wrote it in the chat, just be aware: We keep the connection open with you. So that also means that when the members ask questions, you will still be visible to everybody here on the screens but not audible.
Hannes Heide (Socialists and Democrats): In fact, I do not really have another question, but I would like to summarize what you have said because these really answers to my questions. So nobody else from Marta was targeted, especially not those people which had to deal with the security standards of Metal platforms. If I got you right and there is no connection with ban by Meta platforms on companies violating the common standards. So your surveillance could not have the reason or the goal to get knowledge about your security standards and how to evade those security standards and to make it possible or make the platforms able for a surveillance spyware. If I got it right.
Artemis Seaford (former Security Policy Manager at Meta): I am not sure I understood the very last part, so I might ask you to repeat it if I don’t manage to address it (incomprehensible).
Jeroen Lenaers (Chair): Maybe repeat it anyways, so we’re very clear, Mr. Heide. The last part of the …
Hannes Heide (Socialists and Democrats): The last part was: So there was no attempt to evade the standards, the security standards of Meta platforms to make it possible to use them for surveillance, spyware or to spy on and yes, to get into it for anybody.
Jeroen Lenaers (Chair): Ms. Seaford.
Artemis Seaford (former Security Policy Manager at Meta): Thank you. Thank you. I think I understood and thank you for the question. So the first part of the question: Were other Meta employees targeted? To the best of my knowledge, there haven’t been. Of course, this is something for the company to answer conclusively because they might have information I don’t. But there haven’t been any reports of anyone associated with matter or even anybody really working in a foreign company or many foreigners in the Greek scandal. It’s a very clearly domestically focussed scandal. So I have no reason to believe that anyone else at Meta or any other tech company or any anybody working in the space that I was working in, was targeted. Which makes the suggestion that I was targeted because of my work less likely if I was really the only one and the only other. The main connection I have to the group that was targeted is that I am Greek.
Now the context of the work. There was a report, for those of you that do not know, that came out, that Meta issued. There were actually a series of reports, but the first report came out in December, I believe, 2021. And that report discussed seven companies, spyware companies, that were banned by the platform because they violated our community standards, which I believe that you’re referring to. Clearly the community standards Meta has violate espionage activity in the in protection of cyber-security. So we saw companies, I say we because I was there, but (incomprehensible), we saw companies that violated our standards by doing social engineering on the platform, trying to sort of engage with people under fake auspices, sending malware and so on.
So Meta banned, those companies, and took a series of other measures like notify victims, for example, which is crucially important. I want to stress the tech companies have done a lot in the space and Meta continues to ban companies that violate community standards in the spirit of cyber-security. However, all of that and that I was tangentially involved with when I was working a matter by sort of working on the launch of this report. All of this came after I was targeted by Predator and also came way after I was targeted by the Greek intelligence service. And even if there’s a possible connection between the nature of my work and the nature of Predator that I was targeted with, it is very hard for me to explain how the state wiretap comes into play before that.
So there are two separate issues. Meta does indeed ban companies that violate its community standards and surveillance espionage companies will, if they engage with such tactics on the platform. We can also ban these companies entirely from the platform, even if they don’t engage in such activity. But I don’t want to really speak about Metas specific work, I’m no longer there, so I’m not authorised, unable to really speak about the company. But this sort of, I hope, answers the broader connection of how the Meta work at that time connected to my specific case.
Jeroen Lenaers (Chair): Thank you very much, Mr. Kouloglou.
Stelios Kouloglou (Left): You were supplied with the same modus operandi as the Mr. Koukakis or Mr. Androulakis, that means both by the Greek secret services and by the Predator. So according to your estimation and the idea of you got after the revelation of your case, you think there was a sender coordinating those two parallel activities? This one question.
The second question is: How, after the revelation of your case, somebody from the government, a minister or somebody or an official has contacted you.
And the third question is the case of sexual harassment you are mentioning in your article, in the magazine’s paper, the one, Ms. Sophie in ’t Veld mentioned already. This incident is a real incident concerning a minister or a politician or is just a fictive case?
Thank you very much, Mr. Kouloglou. Ms. Seaford.
Jeroen Lenaers (Chair): Thank you very much, Mr. Kouloglou. Ms. Seaford
Artemis Seaford (former Security Policy Manager at Meta): So just to make sure I have everything. Your first question is about the coordination of the wiretapping with the spyware. Your second question is about whether I’ve been contacted by the government. It’s a very interesting question. And the third is about whether there’s a specific person that is described in my article and whether that could be connected to Predator. And correct me if I have misunderstood your questions.
So in your first question, thank you for that question, because I do want to stress that. My case, the way I read the evidence and of course, the evidence is here for you to sort of make inferences on your own account. But the way I read the evidence, not only was I subjected to both a state wiretap and Predator contamination, this is established, this is not up for discussion. But not only did these, two things appear in my case, as also have appeared in the case of Mr. Androulakis, as also have appeared in the case of Mr. Koukakis, as also have appeared in the case of others that have not been able to come forward.
But also additionally, in my case, we see that the state wiretap was used to create the Predator attack. The information, in other words, that was obtained through having access to my text messages, which was enabled by the state wiretap, was used, the information about my appointment, which was in my text messages because I got these reminders by the state. The timing of this messages, this was leveraged in order to create a very sophisticated, extremely sophisticated message that I think the vast majority of people would have no reason to believe was fraudulent and thereby contaminate me with a Predator.
So what we see and I ask you to come up with any alternative explanations, because I have also really tried. The other possible explanation is somebody had access to the database of the state that had information to my appointment. Now, this is extremely farfetched. Why? First, because they would have to know I made an appointment in order to go look in the first place. And I made an appointment at a very strange time because most of the people had already gotten vaccinated, I got my first job in the state. Second, they would have to not only know that information about my appointment, but also that information of the timing of the text messages, the official text messages, which wouldn’t have appeared in this database. So the alternative theory doesn’t quite stand.
The only explanation I see based on the evidence, I don’t want this to be true, I have no reason to want this to be true. But the only explanation I see is that the state wiretap was not only applied at the same time, but the information from the state wiretap was used to contaminate me with Predator providing an extremely effective, scarily sophisticated attack.
So what is what does this tell me? What does this tell us, I believe? Well, I think it shows beyond reasonable doubt that the state apparatus worked hand in hand and enabled the Predator link. It was a single operation. I do not see any other way my story, my case can make sense if that was the case. And to this day, the government denies this. And I don’t know what to make of it. How can my own government here to protect me as a European citizen, deny something that I believe, as I explained to you today, is pretty obvious? It’s quite saddening.
So your second point your second point was about … Sorry, remind me your second point really quickly.
Stelios Kouloglou (Left): Whether you, after the revelation of your case, you have been contacted by a government official.
Artemis Seaford (former Security Policy Manager at Meta): The answer is no. The short answer is no. Which was another reason, another way that I felt quite alone and I sort of realized that this was not a normal situation. So I in fact, I tried to contact people in government to offer support, for example, get information about access to Citizen Lab that I knew existed, but many potential victims perhaps didn’t. So I thought at the time „Wouldn’t it be great to get away for everybody that was involved in this list to access it?“ People had a lot of questions like, a lot of people do realize they can run a test remotely, for example. So they didn’t want to share their phone abroad or they were concerned about privacy.
So I reached out to people in government and said „Listen, there’s this option, right? Like, would you like to make use of it? Shall we set something up?“ I also offered suggestions for the new lawsuit. The point is not, however, what I did. The point is I never heard anything back in any official capacity from anyone in government. Obviously, I know people on a personal basis, but there was no official reaction and I believe that was done in general for victims, which is very saddening.
It was very clear the message that was sent. That at best the government hopes that the story will go away. So the best that we can expect as targets is that we will be ignored. And that’s the best case scenario. And frankly, I’ve been pleasantly surprised there haven’t been attempts to further discredit me at this stage. The silence that I’ve gotten is more than I hoped for in a way. I feared worse. So there hasn’t been any support or contact officially by the government in any way that I have received.
Now, the final question, I believe, was about the article. It would really sadden me if this article that I wrote talking about all the problems about sexism in Greece ended up being the reason why I was further victimized in Greece. It really saddened me if there’s this interaction effect between sexism and being a target of surveillance. But I honestly don’t know what the connection would be there. There’s no specific person that’s described that would then have a motivation in order to target me.
What I describe in the piece is driven from my real experience, but it’s a narrative juxtaposition of various of these experiences. It’s not meant to be a factual account speaking about any specific person. So many of the examples given and I give examples from other contexts as well, my professional life, and not meant to describe a single person, but they combine experiences and characteristics from various people, for example. And many of the experiences are intentionally quite generic.
So, you know, the harassment, the fact that women refusing male advances in positions of power then end up being ousted and ignored if they turn those down. And that systematically creates a problem for women when it happens at scale, given that it’s men that tend to be in positions of power, all that stuff. But that’s meant to describe through my story exemplified is broader issues not go off at any particular individual. So I’m very surprised how this piece could be specifically used by somebody who’s generally quite paranoid and wants to understand what might have against particular people. I hope this answers your questions and thank you for those.
Jeroen Lenaers (Chair): Thank you very much, Ms. Seaford. Ms. Asimakopoulou.
Anna-Michelle Asimakopoulou (Christian Democrats): Thank you very much, Ms. Seaford, for everything you’ve told us. I actually feel a connection to you. I’m also Greek-American, and I also have lived in the United States and worked for in this corporate environment for many years before I got involved in politics. And I also was very hopeful that this government of Kyriakos Mitsotakis would do a lot of good things for our country. So I thank you.
And I’d like to, if you allow me, to just tell you that I’m sorry that this experience has made any woman feel scared or like you had a digital virus or violated and I’m particularly glad that you have clarified. And I read your article, believe me. And I’m a woman in politics in general and a woman in politics in Greece. So I’m very glad that you seem to have clarified this is not a personal, specific experience, but an account which I’m sure many women can relate to.
So coming to the to the point. I would like a little clarification from you with respect to your work at Meta. And the reason is, first of all, I’m not a technician, so I don’t really understand a lot of this. But second of all, because you started with the thesis that says, now I’m a lawyer, so please excuse me if this sounds a little, you know, a little bit like a legal interrogation, because it’s not meant to be. It’s meant to be a question so I can understand.
You’ve said that, you know, the evidence basically leads to the fact that there’s some sort of state connection. As you know, the Greek government has denied that it uses Predator. Now, of course, there’s surveillance that’s done by the national authorities for various reasons. I don’t know what those are. There’s a legal framework. In fact, we really have tried very hard and we’re one of the first countries in Europe to legislate that Predator can’t be used at all. So we really are making an effort in the government to protect everybody and especially ordinary citizens.
And yes, you’re not a politician and you’re not a public figure. But it sounds to me that in your job, you are dealing with these with these issues. And I heard what you said about the timing and about the sequencing of things. But let me just put it simply: Isn’t it possible that in your work in the security division, you stepped on someone’s toes when you were investigating a company? Or isn’t it possible that maybe your name wasn’t in a report, but somebody else who was involved with somebody you’re investigating, gave your name to them so that they would want to target you and follow up on what you were doing? And doesn’t it make more sense that this timing would happen after you’ve published a report, which might be, let’s say, damaging to somebody? And couldn’t these people who are very sophisticated and again, I’m not a technician, couldn’t they somehow get the information about your … Couldn’t they come up with a scheme to send you an SMS that says something about your appointment?
Because I have to tell you, I’m really proud of the way we did the jabbing in Greece, this whole system where we were electronically notified about our appointments. This was, for me, a great success story. I mean, it was one of these wonderful experiences for all Greek people to, you know, be organised and have this done in a in a way that that resembled a, you know, an advanced European country and not something we remembered. We’ve done great things to digitize the state in this government.
So couldn’t somebody have done this technically. I mean, does it have to be the government? These are my questions. And so mostly, I guess and I wrap it up again saying that, you know, I really hope that this experience doesn’t, let’s say, get people like you to move away from Greece, because these are you are the kind of people that we want to come back to Greece and help Greece. You’re exactly that kind of woman. So please explain to me a little bit more about what you did at Meta and help me understand if this could possibly have led to somebody that would want to follow you with Predator, because I’m convinced that it wasn’t the Greek state. Thank you.
Jeroen Lenaers (Chair): Thank you very much, Ms. Seaford.
Artemis Seaford (former Security Policy Manager at Meta): Thank you Ms. Asimakopoulou. And let me tell you also on a personal note, I’m very grateful women like you are in politics, especially in the centre right. It’s very encouraging because I know that, you know, and anybody, any woman who’s in politics must have overcome a lot in order to be able to do that. So thank you for being a voice for us. There’s a lot that I agree with that you say. For example, I also applaud a lot of the work of this government. The COVID vaccine operation is a great example of a country that was able to do this at a world class scale, even though we have lots of problems with bureaucracy that are widely known.
So it saddens me personally very much to be in this position. This is why I hesitated to speak out. One of the reasons alongside my fear. I don’t like being in the position of having to bring bad news about my country to the European Parliament. I don’t like being in the position of having to speak ill about this government that I enthusiastically supported at the beginning. There are papers I wrote, that you can find online in support of this government for foreign publications. So it’s not a comfortable and a natural position for me to be in.
Unfortunately, it is one that I find myself in. And this is because I have also thought a lot about the potential reasons for my targeting. And how that worked out. I haven’t come to any good conclusions. This is why we need the justice system to work with us to get to the truth. But I do know the following facts, and I call upon you and other members of this committee to interpret the facts for themselves.
The facts are as follows: I was targeted by the state intelligence apparatus in July of 2021. So if the reason for my targeting had to do with my work and the work of Meta to ban companies such as Cytrox and other commercial spyware from the platform, how can we explain that before the Predator targeting I was also under state wiretap? Why would the state have any reason to wiretap me, even if some connection to my work at Meta that had nothing to do with the Greek state, but something perhaps to do with commercial spyware, sort of came up? That that doesn’t make any sense to me because that came before then.
The Predator targeting came before the report was published. I just want to make sure that’s clear. So the team working on Meta is a very tight knit team working on this. I have no reason to believe that my name was sort of associated with his work publicly coming out of Meta. The chances of that are (incomprehensible), particularly because the company is very careful about people it places in public positions to talk about the stuff. And I wouldn’t I wasn’t one of these people. I was working on this tangentially, but it wasn’t even at the core of my work.
The core of my work at Marta had to do with protecting users, creating and implementing new policies such as policies against bullying and harassment, policies against hate speech, coordinated hate speech and the like by violent networks. It hadn’t really, at its core, to do with spyware.
So if people like me are reasonable targets of either state wiretapping or Predator spyware, what’s next? Is a worker for Amnesty International that works in protecting victims a legitimate threat? Is a journalist working on national security, a legitimate threat? Or journalists working on spyware? So I just don’t see where that ends.
So, again, I see no legitimate reason. I see a very close interaction of state wiretapping with Predator, with the state wiretapping coming first, which makes me firmly believe that I wasn’t implicated in this whole thing because if anything, I had to do with commercial spyware or work at Meta. And then comes a Predator attack before the Meta report comes out. I’m never publicly associated with a report. I don’t even have a strong role to play in in drafting it on the investigations behind it. So these are the facts I call you to, to make their own conclusions. But I’ve shared with you one minor.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Ms. Seaford. That concludes the speaker’s list. There was a follow up question of Ms. In ‚t Veld.
Sophie in ’t Veld (Renew): Yes. I’d like to come back also following on from what the question is by Ms. Asimakopoulou and others. We are talking all the time about whether or not this was state surveillance or government surveillance, sort of assuming that it is an official operation. I mean, we’ve had this this this kind of talks also when it came to other countries. And then there are those who are saying „no, no, no, it wasn’t the state, it was some mysterious third actor, maybe some individual“, which is completely implausible.
But there is a third option, which I think is the most likely one: Namely that it wasn’t an official government operation. But there are people in and around the government who have access to these structures, who have the power to order this kind of operations, because they have put people, friendly people in places to make sure that nobody is going to spill the beans. And we know that there are some, you know, people in oversight positions who are, let’s say, friendly. Now, Shakespeare used to say „hell hath no fury like a woman scorned“. I think he was wrong. Hell hath no fury like a man who fears reputation damage. So let’s say that either a man who was reading the interview suddenly panicked about his reputation, say that that person is in or close to the government and has the power to order this kind of operation. And it must have been. It must have been. You don’t just, you know, tell the EYP to start following somebody. I’m coming to a conclusion chair. But I think we want to get to the truth.
Jeroen Lenaers (Chair): I think it doesn’t mean that we always have to have seven minute questions after you already had your speaking time.
Sophie in ’t Veld (Renew): I think we have time Chair. And I think the truth is more important than a few minutes. But I’m coming to a to a conclusion. So either a person who was panicking or another person who thought that he could maybe exploit this against that particular person. Do you think that this is a plausible scenario?
Jeroen Lenaers (Chair):Thank you. Ms. Seaford.
Artemis Seaford (former Security Policy Manager at Meta): Thank you very much for this question and for all the questions from the committee. Look, I completely agree with your initial observation. This is a formally a state driven operation but in practice, it wasn’t driven for substantively legitimate state reasons. Put simply, it’s an open secret in Greece. How this happened, it’s not even a secret, I would say. It’s just open, as is discussed openly within people in the know. There is no doubt about who was behind this and how it happened. It’s not my place to speak to that, but I assure you that nobody’s even trying to keep up the pretence of the state or people in government not being involved anymore in Greece.
So the part to your second question, honestly, I would love to know this. For me, it’s the worst possible explanation that I was targeted because of this article that I wrote. Condemning sexism is sort of absurd. Is it possible that somebody read it and got worried? Of course, I don’t know who the specific person would be, but there, you know, there are a number of people that tangentially could fear that (incomprehensible) could be implicated because of what I wrote. Again, because of some sort of sexism and harassment is quite prevalent in Greek politics, as I’m sure the Greek women in the audience do know personally, or I suspect they might.
So it’s possible, I just don’t see the causal inference. I don’t see the particular people involved. And that makes me not really doubt it’s an explanation, of course, because I can’t rule out any explanation. But also I don’t understand how this would specifically happen.
Another thing that is possible which is related is that somebody in power that had the ability to do this saw this article and realized that might be able to get information on their own internal political opponents based on what I wrote, and that’s why they became interested. I think if anything, that’s more likely, because it’s sort of more open ended and fits with the facts of the situation possibly more closely.
Anything is possible. Unfortunately, I can help you more. This is why we need to push for justice and accountability in cases like this one so we can understand what happened and understand these facts and make sure they don’t happen again in the future. That’s all I have to say, really, in answer to your question. I’m sorry, I can’t really say more. I would also like to know myself.
Jeroen Lenaers (Chair):Thank you very much. There are no further questions. I would like to thank you very much, Ms. Seaford, for being with us this morning, for sharing your personal story and for answering all the questions of our members very, very comprehensively. As you know, (incomprehensible) committee because that comes also to your introduction. I think the last part of your introduction where you expressed your desire for also European solutions and a European approach to these kind of topics. Of course, this is what we are doing in this committee.
We are concluding the work as we speak. It will be concluded next month normally. So I would also like to kindly invite you to stay up to date with the work of our committee and do not hesitate to get proactively involved if you feel something is missing or something could be of added value. So thank you. Thank you very much once again for being with us. And let's stay in touch in the in the future. Thank you very much.
I'm sorry. The connection was broken. I'm not sure if there was something else Ms. Seaford wanted to say.
Artemis Seaford (former Security Policy Manager at Meta): If I may.
Jeroen Lenaers (Chair):Yes, please.
Artemis Seaford (former Security Policy Manager at Meta): If I may, a very brief conclusion. The Union, the European Parliament and its bodies alongside member states are also political organs. And I understand this issue has been heavily politicized, particularly in Greece, and I’m sure it’s probably also politicized in the context of the European Parliament. I get it.
But honestly there should be bipartisan consensus that when things like this happen that put in jeopardy the fundamental rights, fundamental privacy rights of the European Union, that there is bipartisan consensus that something must be done. It’s very clear now in the Greek context, and I’m sure in many others, that nation states cannot be trusted to be left alone to define national security as they please, with no accountability and oversight, and use that definition in order to conduct abuses like we see in the Greek context. It’s just unacceptable in the name of European values.
And we saw the US recently put out an executive order regulating the use of such technology by its own authorities. It’s shameful that the EU, which is at the forefront of privacy protection over the past few years, has been at the forefront of the rule of law for decades. It’s shameful that the EU can do so little to intervene in cases like this where we see incontrovertible and egregious abuse that will not only jeopardise the rights of us of targets, of citizens, but also backfire, cause harm in far flung places like Sudan and ultimately compromise the EU own national and regional security interests.
So I do implore you to put aside any political differences that are understandable given the context. I hate how this issue has been politicized in Greece and listen to the victim of targets like myself and find ways for bipartisan and multi-partisan consensus to move forward, creating EU standards and helping Member States live up to their own duties to their citizens on this subject. Thank you so much for your time and I look forward to tracking the outcome of the work of this committee.
Jeroen Lenaers (Chair): Thank you. Thank you very much, Ms. Seaford, for also that last statement, which I think most of us here will wholeheartedly agree to. That also concludes our first item exactly within the set timing.
Gonzalo Boye, Lawyer
Jeroen Lenaers (Chair): So we move to our second exchange of view, which we will have with Mr. Gonzalo Boye following the provisions governing the committees of Inquiry of the European Parliament. Mr. Boye was informed that he was entitled to be heard by our committee and he had made use of this opportunity. So also, Mr. Boye, we have tested your connection. There were some, some minor difficulties, but it should be good enough for our interpretation service here hopefully. I will also give you the floor for 10 minutes, after which we will again open the floor for questions and answers. And I would also again like to invite the colleagues to indicate if they would like to participate in the Q&A session. Please Mr. Boye, you have the floor.
Gonzalo Boye (Lawyer): Good morning, Mr. President, honourable members of this committee, and thank you for inviting me to to express my views and to answer the questions the Committee may have. I am a German citizen and a lawyer specialized in criminal law and human rights, and I have no doubt on the Spanish suffering my on my phone and I have no doubts on you. I have to share with you several documents that prove that, especially the recognition that that was done during a period of at least two years by the Spanish state. I have been suffering an official espionage by by the Spanish Secret Service and another unofficial done through Pegasus, which was determined by CitizenLab.
The reason why I have been under espionage all this time is only one the list of my clients. And in on top of that list is Mr. Puigdemont, who is a member of this committee and also several other Catalan independent politicians. I have never been, as far as I know, subject of espionage before, even with a list of client in different countries. That may be a reason for a Secret Service to do it. But in this occasion it was for a long period of time and also with the Association of the Supreme Court of Spain, which issued an order to spy several politicians and several lawyers. As far as we know, we don’t know also if they have spy other journalists or other politicians, but at least we know a list of more than 20 by the Secret Service officially and for security reason, alleged security reasons. I don’t know why a lawyer can have security reasons. And on the other hand, through Pegasus, we have been under espionage, at least 60 something people, according to CitizenLab, and that this has been proven.
By spying me has not only affect my personal private life, which has been under scrutiny for the last five years since I start defending Mr. Puigdemont and his colleagues, but also it has implied discipline. I do a lot of other journal lawyers and also journalists. As a matter of fact, one of the period that I was under espionage, I was held in meetings in Germany with other lawyers in very delicate cases, not related to Spain, which may have endangered those investigations. But also, don’t forget that as a human rights lawyer, I also defend people in very risky situation in different places around the world. And all that information that they have to share with my clients, with local lawyers and with journalist is information that whoever was spying us knows. First, I would like to make very clear this situation.
There are two different espionage that we have suffer. One was authorised by the Supreme Court to the Spanish Secret Service and the other one was with Pegasus. And they have absolute no doubt that this was done by the Spanish state. And because all the evidence pointed in that in the direction, but also because our the only one who has admitted that in my case, the document that they have share with you is also a recognition by the Supreme Court judge that he was authorised in my espionage and interestingwise that same judge was resolving at the same time that he was authorised in my espionage, he was resolving important process that affected, Mr. Puigdemont, Mr. Comin, Ms. Ponsati , all members of this Parliament.
During the time that I was spied by the Spanish state, it is quite clear that it has also been affected the integrity of this chamber. Because during that period of time I have assessed and advised Mr. Puigdemont, Mr. Comin, Ms. Ponsati, in front of the Jury Committee, and I have also attended the in-camera meetings of the Jury Committee in the process against Mr. Puigdemont, Mr. Comin, Ms. Ponsati. So at the same time that the Spanish Supreme Court was requesting the lifting of the immunity illegally requesting the lifting of immunity of Mr. Puigdemont, Mr. Comin, Ms. Ponsati I was under scrutiny, under espionage by the Spanish state, and I’m making a distinction between the state and the government because I always defend the presumption of innocence and I would like to assume that the Spanish government was not involved, but the state agents were clearly involved.
Since we found out all this, I have present the criminal complaint in the Court of Madrid, where I live, even as a German citizen, I live in Madrid, and until now, eight months later, I have not received a single proper answer by that court because as a supreme requirement to start an investigation against whoever was spying me, the court has a request me to surround my telephone to the Spanish police. So at the end of the day, they are saying to me that in order to demonstrate that I am a victim of a criminal offence, because in Spain it’s a criminal offence to speak to spy the people, I have to surround my phone to the state, which I have no doubt is responsible for the espionage of my phone.
And I have no doubt because there are documents to that, to a Supreme Court resolution and there is the statement of the Ombudsman, the Spanish Ombudsman, not only recognising that, but accepting that this is a sensitive case because I’m the lawyer of the Catalan independence leaders, who are member of this chamber. In my opinion, my case is crystal clear, but it’s not different to the case of several other lawyers that were also affected. Strangewise, or not strangewise, but quite clearly those lawyer also defend independent Catalan independent politicians. So it was an attack to the Catalan national minority and that was through also through the lawyers. But as I said before, and I would like to remind this committee of something, I not only defend Catalan independent politicians, I also defend people whose human rights has been violated in many countries. And I work in those countries with local lawyers who have been who has also been put in risk because of the espionage of my telephone. And that’s, as I said before, it has also affected my personal life. But we have our young daughter, 14 year old daughter has also been affected by the espionage. And we have very strict methods at home in order to keep the phones when we are having a family reunion or when we are having dinner. So we have we try to protect our our private life as much as we can. But when you are facing this sort of attack by a state, it’s almost impossible to protect. And that’s the reason why I think this committee should go the whole drill down in order to explain exactly what had happened and to find a common solution in the European frame.
As a matter of fact, I am a lawyer who really believed in the European and the rule of law and in the law, the European law, and that’s my line of defence of Mr. Puigdemont, Ms. Ponsati and Mr. Comin and that’s the reason why we have also informed the European Court of Justice of this espionage, because the time frame that I was under espionage, and I don’t know if I still under espionage by, by the Spanish state, may have affect also the integrity of the procedure that we have both, at the general Court and the European Court of Justice. I think the damage is quite big. And if we don’t respect the professional secrecy of the lawyers, we are not guaranteed a fair trial. And if we don’t currently a fair trial and due process, we don’t have a democratic system. And I’m open to any questions that the members may want to ask you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Boye. It says as a technical question, it would be helpful if you could. I’m not sure how much to prevent the microphone from touching the colour of your shirt because that is a very disturbing sound when when our interpreters need to need to interpret it. I’m sorry. Sorry about that. Thank you for your for your presentation. And we will start our questions an