The results of an investigation by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) published on Monday show that Pegasus was used by the National Security Service on several people whose names have appeared in the press in recent months, said Attila Péterfalvi, president of the organization.
Hundreds of cases have been investigated by the NAIH, all of them meeting the legal criteria. The reasoning given by the customers for the surveillance was a risk to national security, Péterfalvi said. As Telex reports, the names and numbers of the people involved were not disclosed, nor could they be, as this information is confidential.
The investigation was launched ex officio by the NAIH. According to Péterfalvi, the NAIH’s investigation did not reveal any information indicating that the persons requesting and conducting the surveillance had violated any laws or regulations, nor did they violate the criteria set by the Pegasus manufacturer, as the spy software can be used on the grounds of national security risk. There was no doubt that they had not complied with the contractual terms and conditions and the Hungarian laws in effect, Péterfalvi said. According to the President of the NAIH, in all the cases they investigated, the surveillance was carried out by the National Security Service with a Ministry of Justice or court authorization.
FactPegasus was developed specifically to give nations the ability to find the perpetrators of organized crime, pedophilia, human trafficking, and terrorism. NSO Group has emphasized that it only sold its product to national governments and government agencies.
Péterfalvi also said that although such information had appeared in the press, the NAIH’s investigation had not uncovered any information that the Israeli Ministry of Defense had prohibited the use of Pegasus by Hungarian authorities.
FactAccording to the domestic office of Amnesty International, nearly 300 people were targeted by Pegasus in Hungary, but not all of these cases were investigated by the National Authority for Data Protection and Freedom of Information, as according to Péterfalvi, neither Amnesty’s domestic nor its international office provided them with the list of 300 phone numbers. According to him, both offices were contacted by the NAIH. Therefore, the NAIH’s investigation only covered those cases that had received press coverage.
Péterfalvi also said that the source of the leaked list of Hungarian targets of surveillance is unknown, the circumstances of the leak are not known, it is not known who compiled the list and how, and it is not clear how the list reached Amnesty.
According to him, it cannot be excluded that a “data breach” may have occurred during the data leak. Unauthorized data transfers may have occurred, and unlawful data processing operations may have taken place. Péterfalvi thinks it is not clear under what legal authority the data subjects (e.g. Amnesty, etc.) are processing the data. Unauthorized access by third parties to personal data of data subjects raises suspicions of misuse of personal data, espionage, etc. It cannot be ruled out that a criminal offense has been committed in this aspect of the case, he said, and he will soon file a criminal complaint.
Attila Péterfalvi was on holiday when the Pegasus case broke out, and he launched a data protection investigation into the case last August. Then, in early December, he said he would not close the Pegasus investigation until he received a full list of targets from Amnesty International. As we have also reported, the NAIH President said at the time that he would like to see the list of 300 Hungarian telephone numbers, but Amnesty would not give it to him.
Áron Demeter, the program manager of Amnesty International Hungary, told HVG at the time that they could not give the list to the data protection commissioner, simply because they did not have it and never had it. According to him, they wrote to Péterfalvi and gave him the contact details of their international headquarters, the London office.
In the featured photo: Data Protection Authority head Attila Péterfalvi. Photo by Balázs Mohai/MTI