
Aljosa Ajanovic Andelic is a Policy Advisor at European Digital Rights (EDRi), where he covers issues related to illegal state surveillance like spyware, journalists’ digital rights, and the effects of techno-solutionist and securitisation policies on minoritised communities and people on the move.
We sat down with him to discuss the current situation in the field of spyware, the role of nation states and private entities, and the role of the European Union.
Transcript of the episode:
00:00:10 Domen Savič / Citizen D
Welcome everybody. It’s the 15th… No, it’s the 4th of September 2025 and you’re listening to this episode of Citizen D podcast on the 15th of September same year. We’re back after a prolonged, let’s call it a vacation and with us today is Aljoša Ajanović Andelić, policy advisor at European Digital Rights (EDRi), where he covers issues related to illegal state surveillance like spyware, journalists’ digital rights and the effects of techno-solutionism and securitization policies on minoritized communities and people on the move. Welcome, Aljoša, it’s good to have you here.
00:00:55 Aljoša Ajanović Andelić / EDRi
Thank you. Thank you for having me.
00:00:56 Domen Savič / Citizen D
Let’s start with the opening salvo. We’re going to be talking about the spyware issue and I was wondering, why is spyware getting so much attention in 2025? Like, if you followed this topic like a regular person, not like a digital activist, you’d hear probably something about Pegasus a few years back and then everything went sort of silent. But now, 2025, spyware is literally everywhere. Why is that?
00:01:32 Aljoša Ajanović Andelić / EDRi
Well, the answer to that question, I would say that that is because of scandals. So that would be the same answer if you had asked me five years ago because nothing has changed. So from time to time, we come across these big scandals of illegal surveillance to different types of activities to political opposition in different parts of Europe, and that is when this topic always comes back to the front pages.
In 2025, the biggest scandal has been the Paragon scandal, which was a revelation earlier this year that said that more than 100 people were spied on across Europe with this spyware called Graphite that’s developed by the Israeli company Paragon. And this is something that has made the front pages, because in Italy, some of those victims whose identity hasn’t been fully disclosed, but three or four of them have come to the front and it happens to be journalists and humanitarian aid activists in Italy who have been spied on illegally by… we don’t know who. So what happened?
After these revelations came and these people spoke as one of the affected victims is what we have seen in all other scandals. So we’ve seen that in the past in Catalonia, but also in Poland and Hungary, which is that first the state denies all type or any type of responsibility on that and then starts considering a bit. Well, yeah, we spied on these ones, but not on the other ones and so forth.
This is where we stand at this point in Italy, in which, you know, they have recognized that those humanitarian workers from the NGO Mediterranea have been actually spied on by the state because they say that their activities qualify as crimes because they have been allegedly promoting human smuggling, but in the case of the journalists, the Italian government is saying that they are not involved, even though all the evidence points in that direction.
What is happening in 2025, again, is that many scandals are unfolding. There’s also another case in Serbia that was revealed in which the Serbian Government has developed its own spyware. So it’s not just private companies, it’s also state developed spyware, and it was used in this case to also go or investigate the phones of journalists and also politicians.
What makes this issue so problematic, or why should everyone, even if you are not a digital rights activist, why would you care about this? It’s because of what these programs do, which is to be able to access anything in your phone.
This is something that’s very appealing to any common citizen, because we all now rely massively on our phones, they are kind of where all our information is stored and we all can imagine what kind of privacy violation would that be: that the state accesses you.
00:04:48 Domen Savič / Citizen D
You’ve mentioned the state several times. Are they still the main users or the main actors in this field or are there other actors? Maybe somebody from the private sector, from the criminal underground that is also a part of this spyware ecosystem?
00:05:11 Aljoša Ajanović Andelić / EDRi
Well, mainly with the biggest issues on particularly spyware have come all of them from state authorities, private companies that are the biggest sellers of this.
So, we can think about NSO Group, but also Paragon and others, they all claim to just be selling to state authorities, so it doesn’t need to be the state itself, sometimes it’s the police force. Sometimes it’s the judiciary power, but it’s mainly addressed to state authorities and the main scandals that have come, they all come from targeting by states and we do believe that’s the most worrying practice and the one that we as human rights defenders care about the most, because the state is the one that should be protecting your privacy and your digital rights and not attacking them.
We’ve also had some cases in countries like China or Russia in which it is not the state itself that conducts these attacks, but mercenary hackers or groups of hackers who are committed to the state in some way because the state is sometimes paying for their services or is servicing them with the programs, but they are not directly part of the state.
So we’ve seen groups of mercenaries using these types of tools to conduct smear campaigns or to intimidate certain groups.
One good example is the Uyghur minority in China, which has been attacked massively by these types of mercenary groups, but yeah, I would say that the biggest problem we’re facing is when states use that because when private, you know, criminals could be using that, that’s something that of course we should worry about, but what we cannot tolerate is that the state is using this without our knowledge and without any transparency.
And of course you know, bringing to this union of companies with very worrying practices such as the set and the subgroup with state action, which is, for example, the police or law enforcement investigation, which is something of a public service so to say, and then it’s tied up with these companies that have virtually no oversight, so we don’t know what’s happening.
00:07:36 Domen Savič / Citizen D
You’ve mentioned transparency, right, and seeing how nation states are still the biggest or the most important actor in the field. How do you see this conflict of interest on the issue or on the level of transparency? So on one side you want your state or your elected leaders to be transparent about the activities, at the same time I’m guessing revealing too much information about the usage of spyware by nation states could harm their defense strategies and police tactics.
Is there any middle ground on this issue so that at the same time the state still has this competing advantage through legal usage of spyware in order to prevent crime or terrorism and at the same time to calm the people down so they’re not using it indiscriminately, for, you know, tracking journalists, activists and other parties?
00:08:51 Aljoša Ajanović Andelić / EDRi
Well, that’s a very good question. So first of all, I would like to start by saying that when it comes to this type of spyware—so we’re thinking Pegasus, Graphite, and all these intrusive spyware that can gain control of your device, see all its historical logs, but also see where you are, activate your phone, activate your camera and so on—for this type of capabilities, we as a digital rights organization struggle to see how this can be compliant with human rights at all.
To break down one human right, such as the right to privacy, you need to make sure that what you’re doing is necessary and proportionate. And this type of capability is completely unable to be proportionate because once they access your phone, they can access everything. So not just the conversations, let’s say, that can be necessary to get to know the activity of someone conducting criminal activity—so to say, it’s not accessing just that. It’s accessing the whole of the phone without any limitations. And what’s more worrying, without any log for that. So we don’t know. It leaves no traces on the phone most of the time. It tracks the proof that it has been inside that phone, and also we don’t have any logs of which information has been extracted, where it went, and so on and so forth.
So starting from this premise, with the current state of play, we would say that there is no lawful application of these types of tools. I would also say another thing, which is: we understand the national security angle. Of course, you cannot reveal everything if you want to make sure that you are keeping your population safe. But at the same time, what these scandals have shown is that national security has not been an excuse for all of them. We’ve had scandals, as I said, in Poland and Spain, which have been targeting, for example, political opposition or journalists. And the problem of using this type of programs is that there isn’t a log of what has been done.
That means that maybe, for example, five years after the Catalangate scandal in Catalonia unfolded, we have no information about what data was extracted from those phones. Where is that data stored? Is it stored in the Spanish police servers? Does NSO Group, an Israeli company, have a copy of all that data from Spanish citizens? And what can they do with the data? With this lack of transparency at all levels—there’s no transparency on whether a state has acquired this, so procurement opacity, total procurement opacity—but there is also a total lack of transparency on its use.
Therefore, we would say that to start, for the victims that have already come forward, they need to have this transparency in order to have their rights upheld and to have remedies for the violations they have suffered. But again, there is a lot more to ask from states. So first of all, we need to know which are all the contracts that countries have signed with private vendors, but also which tools they have developed in-house, let’s say. And also we need to make sure that the victims who have come forward have this right of knowing what has happened with their data. Because in these cases of journalists or political opponents, I would say that no one can disagree if we say that these are unlawful uses of spyware.
And even though someone might not hold this absolute stand as we do—which is that spyware should be totally banned—even those people could agree with me that these cases were not used for national security. So national security cannot be an excuse to not reveal these types of practices: what data was taken, from where, where it is, and which company was used to do that.
Domen Savič / Citizen D
And then there’s the security angle — like, the state keeping an edge in spyware use by not revealing too much. Because, you know, if you tell people how it works, or which version or type you’re using, you might end up warning the criminals too.
So, is that something that resonates? Like, is that actually in place? Or do you think — as you already said — since we don’t have, what’s the word… any real stats on how successfully spyware is being used, we can’t really know if this is even working?
Aljoša Ajanović Andelić / EDRi
Yeah, that’s definitely one of the key things — if we don’t have information about what’s happened in the last 10 years in Europe, we can’t really draw any solid conclusions. But we do agree — and you can check out the paper we wrote in 2022 on state hacking — in that paper, we outlined 11 steps that states should follow to lawfully try and hack into the phone of someone suspected of committing a very serious crime.
But none of that is actually followed when it comes to spyware. And that’s partly because of the capabilities of the tech, but also because of the entire structure that enables spyware use — starting with this commercial market. It’s a super opaque market that thrives on opacity. These companies need secrecy to operate.
What they do is look for vulnerabilities — in programs or operating systems we all use. Think iOS from Apple, or WhatsApp, or Meta apps. They actively try to find flaws in those systems so they can use them to infiltrate phones. And all of this is driven by demand from states, who turn to private vendors to access citizens’ phones.
That creates a whole other market — the market of vulnerabilities — and this market moves millions behind the scenes every year. From the last 25 major vulnerabilities Apple found in its own system, 21 were used by spyware companies to infect phones. That shows how this whole thing is a major driver of the vulnerability market — and that puts everyone at risk. Because once these vulnerabilities end up in a company’s hands, we’re all potentially exposed.
So, by allowing this private market to thrive, states are not only putting citizens in danger — they’re also putting themselves in danger. These same vulnerabilities can be used against them. They can target state officials, or even be used to extract secrets from European companies — which is a huge issue in this context where everyone’s talking about economic sovereignty. This can backfire in so many ways.
Now, of course, states have always had secret services. They’ve always had tools to investigate and stay ahead of criminals — that’s part of what police are supposed to do, and that’s fine. But when it comes to digital rights and privacy, it shouldn’t be a carte blanche to access any phone, any time. That’s neither necessary nor proportionate.
What we’re saying is: there are ways to hack phones that don’t violate human rights — if certain requirements are met. And that’s the direction things should go. Instead, what’s happening now is the opposite — the market is shaping how states use these tools, instead of states saying, “Let’s find a human rights-compliant way to do this,” and then turning to the private sector for help building it.
But that’s not what happened. The industry created these monsters — tools that let you access anything — and states are just buying them. And we think that’s deeply problematic. Because even in democratic — or so-called democratic — countries, we’ve seen these tools used to avoid scrutiny, or to go after political opponents. Not just to fight crime.
So they’re dangerous tools by nature. Which, for us, makes them incompatible with fundamental rights. And what needs to change isn’t just how states use them — the entire market and the whole concept of spyware needs to be rethought.
00:19:03 Domen Savič / Citizen D
And you’ve mentioned private companies, right? So, mobile phone or device developers — that’s basically the origin of this whole horror story, right? These zero-days, these issues and bugs in software and hardware that enable the development of spyware tools or spyware software.
So how do you see the role of these companies in all of this? You’ve got Apple, Google, Samsung, and other mobile developers who, on one side, are very eager to patch and fix flaws when they’re notified.
But do you think they’re doing enough — proactively — to sort of stave off the dangers of, yeah, the whole spyware economy, so to say?
00:20:04 Aljoša Ajanović Andelić / EDRi
Well, in this case, I’d say — as you might know — in our work as digital rights activists, we’re most of the time actively fighting against big tech. We have totally different interests, and we believe this whole structure of monopolization and oligopoly in the sector is really dangerous for all citizens.
But when it comes to spyware, it’s true — we’ve seen some good practices from these companies. One example is the recent Paragon scandal. It came to light because WhatsApp — so, Meta — actually informed people that they’d been targeted. They found the vulnerability and let those users know. Apple, too, is now publishing a report every three months with all the bugs they’ve found and patched in their system.
So yeah, it’s in their own interest to keep their apps as secure as possible. And that just makes sense — if people lose trust in their services or in the strength of their end-to-end encryption, they’ll switch to something else. That’s pure capitalist logic. But in this case, it actually helps us, it helps having these companies actively involved in finding and patching vulnerabilities, and being vocal about it.
We’ve also seen, for instance, when the UK tried to push for mandated backdoors in some systems, Apple pushed back — hard. And in the end, the UK government backed off. Because not just experts, but even the companies themselves, were saying: forced backdoors are basically just vulnerabilities — they make devices less secure, and open the door to anyone who can find a way in.
So in this case, yeah, I’d say there are some good practices. Of course, more could be done. But it’s in their interest to protect the integrity of their encryption — and that’s why, in some cases, the only information we have comes from these companies. Because detecting spyware infections is really difficult. If you’re a user who’s been infected, you’re not going to know just by looking at your phone.
There are very few ways to detect it. There’s no proactive investigation by Member States, or by the judiciary. So we end up relying on organizations like Citizen Lab — who, in good faith, and because they care about this issue, are actively looking for infected users. They’ve even developed tools to help detect infections, but we also rely on the companies themselves to tell us who’s been targeted and whose devices have been compromised. That’s just the reality.
And there is some legislation, like the Cyber Resilience Act — adopted by the EU a couple of years ago — that requires products on the market to actively search for and patch security flaws. So there’s at least some kind of framework pushing companies to be proactive.
But still, we’d urge them to double down on those efforts. Because right now, when states aren’t willing to be an active ally in this fight, the companies are pretty much all we have. So that’s something we definitely recognize — and we do welcome all efforts from these companies to help detect who’s been compromised.
00:24:03 Domen Savič / Citizen D
Because that’s the issue in the end, right? It’s so niche, so specialized, so problematic — and at the same time, it’s commercialized. It’s literally available to almost anybody with enough funds.
So it really begs the question: how do we move forward from here? Is everything that’s happening now — the legislative proposals, the patches — is this a genuine attempt, or maybe a valiant attempt, to actually prevent this from happening?
Or is it all just a bit of, you know… whatever color you think spyware is — greenwashing, basically? Like, everyone knows this will keep happening, but all you really need to do is signal a little that you’re “against it,” while at the same time not doing nearly enough to actually, you know… stop it.
00:25:10 Aljoša Ajanović Andelić / EDRi
That’s a very good question. And it’s funny because, in the case of spyware, there isn’t even an attempt to greenwash it. Like, no one’s even trying to say, “Yeah, we’ll address this.” What we’ve seen at the EU level over the last five years is just total inactivity.
The only thing that’s happened is the Parliament set up an inquiry committee — and to be fair, there were some MEPs who were really involved, really pushing to denounce this and calling on the Commission to take immediate action. Because this is a major human rights scandal.
That committee concluded its work two years ago. Its final recommendations were adopted by the European Parliament. And two years later? Nothing’s happened.
They asked for things like setting up a European version of Citizen Lab, and proactive legislation to control the use of these tools. The Commission? Completely inactive. They promised they’d issue a communication — just a non-binding legal text — to analyze how spyware interacts with GDPR and data protection laws. And they haven’t even done that.
At the national level, with this whole “securitization” agenda spreading across Europe, the argument we keep hearing is: “We need this to fight crime, so it’s fine.” And what’s dangerous about that is, first, it ignores the fact that this shadowy market puts all of us at risk. But second, and maybe more importantly, it shows a huge disregard for human rights.
Even the known victims — people who’ve already been targeted and have been facing years of judicial inaction — even they haven’t had their rights restored or protected. And forget about future victims — there’s been no move to prevent it from happening again.
We haven’t seen a single state that’s been caught up in one of these scandals come out with a strong effort to investigate, to expose what really happened, or to hold anyone accountable. Not one. And we haven’t seen any meaningful commitment from the Commission or from Member States to actually make spyware use compatible with human rights. That just hasn’t happened.
And it’s worrying. Because right now, Europe is basically becoming a hub for these companies. There’s no legislation stopping them from setting up shop, selling these tools internally, or exporting them.
The legal tools we do have — like the dual-use regulation — they’re failing. They don’t cover these kinds of advanced spyware tools. So what we have is a total lack of legislation. And weirdly, the Commission doesn’t seem bothered by it.
Which is strange to me. Because I compare this kind of spyware to someone breaking into your house. These days, all your most personal information — your whole private life — is on your phone, not in your living room. And yet, the Commission might come out and say, “Yes, we’re very concerned,” or “We’re taking this seriously,” but then they do nothing.
I keep thinking: what if there were a pandemic of people getting their homes raided by police all across Europe — would they act the same? If this was something physical, something you could see, would the response still be this passive?
And honestly, spyware is comparable to a weapon. We’re basically letting companies set up shop in Europe to produce and sell weapons — without any oversight. And if you’ve spoken to any of the victims, or looked at the impact this has had, it’s clear how serious it is.
Yes, there are the human rights violations — privacy, freedom of expression, freedom of assembly, and so on. But there’s also real psychological harm. We’re seeing victims across Europe suffer from PTSD, anxiety, all kinds of mental health issues. This level of state intrusion into someone’s private life can not only stop them from engaging in political action — it can destroy their sense of safety altogether.
And no one has paid the price for that. So yeah — I’d say that’s a huge problem.
00:30:28 Domen Savič / Citizen D
And one final — or pre-final — question for our conversation is about the media framing of this issue, right? Journalists are one of the most important — or at least one of the most common — targets for spyware developers or users.
Do you think the way the media frames the spyware issue helps… or maybe doesn’t help… the public understand how serious it really is? Because, the way I see it, you only really hear about it when something happens — in a specific country, or to a specific group, like journalists.
But there’s no real broader connection being made — no ongoing conversation that ties this to state representatives, Ministries of Interior, or other institutions, right?
So, do you think the media framing of this issue actually helps keep it alive and unaddressed — especially from a human rights point of view?
00:31:55 Aljoša Ajanović Andelić / EDRi
I’d say it probably depends on the country. The role of journalists in this issue has definitely been relevant — in some cases, they’ve been the ones who actually uncovered the scandals. So sometimes it’s not even companies like WhatsApp or Meta who inform the public first — it’s journalists doing the digging and bringing these violations to light.
So in that sense, I’d say they play a really important role.
And then, as victims, journalists have also been very active in denouncing cases — especially when other journalists have been targeted. So they’re involved on both sides.
At the same time, though, we see a classic divide — the same one we see in politics — where media coverage varies depending on the political alignment of the outlet. So, depending on where they stand ideologically, their opposition to spyware is either stronger or weaker.
In countries I’m more familiar with — like Spain or Poland, for example — journalists have definitely helped keep the issue alive. Politically, spyware doesn’t get much sustained attention — there’s always noise when a scandal breaks, you get the headlines, some debate… but once that first wave passes, it’s often journalists who keep following the story and bringing it back to the surface.
So in some cases, yeah, we’ve seen good practices.
In other cases, the seriousness of it — the scale of the harm — has been downplayed by certain kinds of coverage. And that might be the most damaging effect: when journalism minimizes the threat or doesn’t make the public fully aware that this is a serious human rights issue.
So maybe what’s missing is more personal coverage — stories about the victims, the real consequences in their lives. That kind of reporting could help people understand just how deep the impact is, and hopefully get more attention on the issue.
But again, it really depends — on the country, and also the type of media outlet. Because, as usual, the big outlets owned by conservative groups tend to be more state-friendly. Their coverage often leans toward empowering law enforcement and justifying these kinds of surveillance practices.
On the other hand, you’ve got independent investigative outlets — the ones funded by readers or private donors — and they’ve been really strong, really vocal against surveillance in general and spyware vendors in particular.
So yeah, I’d say there’s a bit of both.
00:34:58 Domen Savič / Citizen D
I’m not even going to dive into the topic of personal responsibility or what individuals can do to protect themselves from spyware. But let’s wrap this up a little differently. What do you think is going to happen in this whole constellation — the EU Commission and the EU Parliament, in relation to spyware, but also everything that’s going on globally?
You’ve got the Israeli bombing of Palestine, the Russian attacks in Ukraine… you’ve got these actors who are some of the biggest developers of spyware, but at the same time, they’re doing things that clearly don’t align with the European Union’s values.
So, what do you think will happen? What do you see in the next 2, 3, maybe 4 years in the spyware landscape, and with the EU’s approach to it?
00:36:10 Aljoša Ajanović Andelić / EDRi
Well, this last mandate started off really poorly. In the past year, since it began, we’ve seen the EU and the new Commission really falling into the trap of surrendering to US pressure and big tech interests in some areas.
I want to believe that the EU will realize the only way to stay competitive globally is by holding on to what made it unique — its commitment to human rights. For example, there are some regulations in the digital rights space now, like the DMA and the DSA, which, when we look at where the world is heading, could be seen as really innovative. These are wins for the human rights or digital rights community because they’re putting some limits on these big tech giants, while the US is going in the opposite direction.
So, I think if the EU recognizes that its commitment to human rights is actually its strength, not its weakness (as it’s been framed in this first year of the mandate), then the natural next step would be to start taking these issues seriously. First, they need to release the communication we’ve been waiting for — it’s been blocked for over two years now, and we don’t even know why. This communication should analyze how spyware use interacts with EU law.
Then, I’d say the EU could go further. It could tackle the biggest threat we face now: the commercial spyware market, which is thriving and fueling a market for vulnerabilities that puts us all in danger. If I were in the Commission’s cabinet, I’d say the first priority should be stopping the EU from becoming a hub for these companies. It’s self-destructive because it puts all of Europe, even its national security, at risk.
My second priority would be ensuring that victims get remedies. We know of victims in at least seven countries in Europe, and no one has found any solution for them. The EU has the mandate and the competence to do something about this at any time, so it’s unacceptable that they haven’t. I won’t say they’ll do it, but they should. If the EU wants to maintain its relevance globally, the only way is to stick to what made it strong — protecting human rights, collective rights, and being innovative in defending those rights, not deregulating them.
If they keep handing over tech regulation to the oligarchs, they’ll be playing into the US’s hands. The US will always be the biggest player in that field. Strategically, it’s a bad decision. So, yeah, that’s how I see the EU’s path forward.
00:39:45 Domen Savič / Citizen D
Excellent. Thank you, Aljoša, for dropping by. And thanks to you, listener, for tuning in to this episode of Podcast Citizen D. We’ll be back next month. Best of luck with your work in this field and everything you’re doing in the digital rights space.
Citizen D advice:
- Personal responsibility should not be the only approach; we need political solutions
- The spyware industry is not just a political tool; technology is not neutral
More information:
- Open letter by NGOs to the EU asking for a ban – website
- Would you click?? – website
- Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists – article
- Paragon scandal by Citizen Lab – article
- Documentary: The Dissident, on the role of spyware in the murder of Saudi journalist Jamal Khashoggi – documentary
- Documentary: Surveilled, a documentary on the effects of spyware on daily life – documentary
- Short video – Pegasus: the spyware technology that threatens democracy. – Youtube video
- YT Documentary – How Israeli technology became one of the world’s most feared spyware | Al Jazeera World – documentary
About the podcast:
Podcast Citizen D gives you a reason for being a productive citizen. Citizen D features talks by experts in different fields focusing on the pressing topics in the field of information society and media. We can do it. Full steam ahead!