There's a report out this week from the Citizen Lab that ought to make every one of us angry - and it makes me angrier than most, since I've spent my whole working life fighting exactly this. Stelios Kouloglou, a Greek member of the European Parliament until last year, had his phone infected with Pegasus, the zero-click spyware that needs you to do nothing at all to end up owned, twice over - in October 2022 and again in March 2023 - and he wasn't some random target, he was sitting on the PEGA Committee, the parliamentary body set up to investigate the abuse of this very technology. Someone put military-grade spyware on the phone of a man whose job that month was scrutinising military-grade spyware, days before his committee's hearings and again as it finalised its report.
The truly damning part comes after the hack, in what hasn't happened since - the PEGA Committee did its work and published its recommendations back in May 2023 and the European Commission has sat on its hands ever since, so we now have the grotesque situation where a parliamentarian was surveilled for investigating surveillance and the institution that could actually do something about it has chosen to do nothing, whilst national governments quietly keep the door open because they rather like having these tools themselves. Hannah Neumann, who negotiated for the committee, called it a total disregard for the role of Parliament - and I'd say it reaches further than Parliament, all the way down to the rest of us.
So there's the outrage, real and serious as they come, the surveillance I've spent a whole career fighting - and no one should be in any doubt where I stand on it. But there's a second story buried in that same report - and I can't in good conscience write about the first without commenting on the second, since Kouloglou told the reporters, in his own words, that on the phone they hacked there were "15 years of photos, messages, you name it, messages with the prime ministers, with the members, the leaders of the different political parties and journalists ... everything". Fifteen years of data, every last byte, sitting on an insecure device used by a politician investigating surveillance technologies - and the researchers found that Apple had warned him three separate times that his phone looked to be under attack by mercenary spyware, warnings he says he simply never saw.
The Data Protection Officer in me needs to say the uncomfortable thing - and I say it as someone entirely on his side. A phone was never built to be a filing cabinet and it makes a terrible one, the least secure object most of us own, a small radio-connected computer that lives in your pocket and gets lost and stolen and left in taxis and taken off you at borders, running software so complex that no one on earth can promise it's free of the security vulnerabilities Pegasus needs - and treating it as the safe home for fifteen years of your life is a data breach waiting to happen. The whole horror of targeted spyware is its reach: it doesn't just read the message in front of you, it takes the lot, photos, the years of correspondence and every contact you've ever kept - so the most powerful single thing you can do to mitigate it is to make sure there's very little on the device for it to reach in the first place. He did the exact opposite, packing his entire existence into one basket and then, seemingly, only becoming concerned once it was compromised.
This is the part that worries me far more than one man's phone - Kouloglou isn't careless by the standards of his profession, if anything he was better placed than almost any politician alive to understand the threat, since he spent a year and a half studying it in committee - and he still kept his whole life on his handset and still walked past three separate warnings from Apple. So what on earth is everyone else doing? If the man on the spyware committee treats his phone as a vault and never notices the alarm going off, then the average minister or MEP or overworked staffer, none of whom has spent five minutes thinking about any of this, is a soft target - and that stops being an individual failing and becomes a systemic blindness running right through the political class about what these devices actually are and what they can't be trusted to hold.
None of this is hard to fix, which is what makes it so maddening. Anyone handling foreign-policy contacts and sensitive committee work should be carrying a hardened, locked-down device that's centrally managed, that holds parliamentary business and nothing else, that never once touches a personal email account or a family photo or a fifteen-year message history, let alone any third-party apps or app stores - and they should have a separate, ordinary phone for their own life that never goes anywhere near official work. The whole point is ruthless minimisation, so that when one of these things does get infected - and some of them always will - the attacker walks off with this month's committee papers rather than the keys to your entire existence. This is standard practice in any serious ministry and in every intelligence-adjacent job on earth - and it's frankly a scandal that the European Parliament hasn't made it mandatory, issued the devices and drilled its members until no one ever ignores an Apple warning again.
Underneath all of this sits an institutional gap nobody much wants to talk about. We have a European Data Protection Supervisor whose job is to watch how the EU institutions handle our personal data - necessary work, but it stops at the systems and barely touches the people, so who exactly is watching how the politicians themselves handle data and technology, the devices in their pockets, the archives they let pile up, the warnings they wave away? An institution can run immaculate systems on the back end whilst every member walks around with their whole working and personal life on a consumer handset - and right now no one really owns that problem. Perhaps that's a role the EDPS needs to grow into - setting real standards for how office-holders handle data and devices and then holding them to it, since the weakest point in the whole chain is almost always the phone in the pocket of the member who never read the manual.
As a DPO I am constantly telling my clients not to use mobile devices as filing systems, precisely because they are such a weak and vulnerable link in the security chain - I expect to have to tell this to business clients who don't have the experience or knowledge; that is precisely why they hire me. I expect a much higher standard by default from those elected officials whose very job is to investigate and legislate against these types of threats. It is unconscionable to ignore what we now know - that we have elected politicians with security clearance using their vulnerable mobile devices as archival information systems for criminals and rogue states to access at will.
The Commission should of course be acting on this, the PEGA reforms it shelved, the spyware trade the EU still won't confront, the basic security of its own elected members - but if you've watched this Commission for any length of time you already know it won't - this is a Commission that shows no real appetite for security or protection of any kind, too busy keeping the Trump administration placated to spend its energy defending its own parliamentarians from being hacked.
All elected officials who have access to anything even remotely sensitive should be required to undertake specialised security training to mitigate the very real risks of these types of hacks occurring. Rest assured this is not going to decrease - it is only going to increase, because the very people who write the laws write the cheques to these surveillance companies and they are not going to give up the power these tools give them - they never have and they certainly won't in the current global political climate.
No person with any sort of security clearance should ever be using their work phone as an archiving system for their entire life - the security teams at the Parliament, Commission and every other EU institution need to immediately review policies and training and implement change management to ensure this level of breach never happens again - it is inexcusable, it is preventable and it is absolutely essential to protect our democracy and everything that comes with it.
