Authorities blasted for allowing spyware exports

2 mins read

Cyprus authorities were grilled by MPs over the country’s alleged role as an export hub for spyware used in eavesdropping cases that have shaken the EU.

An official of the Commerce Ministry told the House Legal Affairs Committee the authority had never issued a license to any company to export any ‘spyware’, only to be shot down by MPs pointing to evidence proving otherwise.

The Permanent Secretary of the Commerce Ministry, Loukis Symeonides, told the parliamentary Committee any permission for exporting spyware software is given under strict criteria.

He argued that “as far as we know, no licenses have been issued for spying devices”.

Another official of the ministry argued that “we can assure you that since PEGA (the probing committee on spyware set up by the EU Parliament) launched its probe, and even as far back as when the investigation into the ‘black van’ case, we have not licensed any export of malicious software”.

However, one piece of evidence presented, a ministry document obtained and published by Phileleftheros, suggested otherwise.

According to the document, carrying the seal of the Commerce Ministry, in December 2021, a company operating legally out of Nicosia received a license to export spyware to Israel.

This document describes the dual-use item as “interception equipment designed for extracting the client device or subscriber identifiers (e.g., IMSI, TIMSI of IMEI) signalling or other metadata transmitted over the air interface”.

According to the export license issued, the foreign-owned company in Nicosia was to ship the dual-use item to a business based in Israel.

The dual-use item was to be re-exported from Israel to a third country. The value of the equipment exceeded €200,000.

When confronted by MPs, including findings by the EU Parliament’s PEGA Committee, Symeonides revised his statement, conceding that the ministry had authorised software with dual usage, not malicious spyware.

A third official working on issuing export licenses said, “the items we have are divided into two categories”.

She added, “They can be used for legitimate purposes but can also be used maliciously”.

The software falls under two categories, software that can be used by state services or malicious spyware.

However, the question of why would software that could potentially be used as spyware be greenlighted for export was not answered by officials.

The island’s role was highlighted by the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA).

“Cyprus has played a major role as an export hub for spyware and should repeal all export licenses it has issued that are not in line with EU legislation,” said PEGA’s report in May.

PEGA has asked for the findings of a probe carried out by the Republic into the case of the infamous “black spy van” case to be made public.

The company which created the surveillance software in Greece was established by the former Israeli spy Tal Dilian, the main suspect in Cyprus’ black van’ case.

Headed by the former Israeli intelligence agent, WiSpear, a company specialised in providing end-to-end WiFi interception and security solutions, was reportedly the owner of the black van impounded in Cyprus.

Last year, the data protection watchdog imposed an administrative fine of €925,000 on WiSpear for GDPR violations.