Brussels – A new trouble is knocking at Palazzo Chigi’s doors. Amid the blizzard related to the Al Masri case and a few days after the third hotspot failure in Albania, controversy mounts over The Guardian’s revelations about the use of surveillance software against Fanpage editor Francesco Cancellato and two members of civil society. Opposition calls for Brussels to intervene. The government denies this, and the European Commission clarifies, “Investigations are the responsibility of national authorities; we expect them to verify these allegations.”
According to reports in the British newspaper, about a week ago, Meta Platforms, which operates the Whatsapp platform among others, informed 90 people in more than 20 countries that they had been spied on through Graphite software, manufactured by Israeli company Paragon Solutions. Among them, in addition to Cancellato, the founder of Mediterranea Saving Humans, Luca Casarini, and Husam El Gomati, a Libyan activist living in Sweden. All three are highly critical of the work and positions of Giorgia Meloni’s government.
Paragon Solutions, which sells software to prevent serious crimes or track criminals, said its clients are only democratic countries. Yesterday (Feb. 5), responding to allegations of involvement, the premier’s office confirmed that seven Italians were allegedly victims of a hacking attack through Israeli spyware. However, Palazzo Chigi denied that national intelligence services or the government were behind the alleged breaches.
However, the new revelations provided to The Guardian by a source “familiar with the matter” puts the government in a bind. Paragon Solutions reportedly suspended its relationship with Italy as early as last week, when the first allegations of potential software abuse surfaced, and then terminated the contract completely last night, once it was determined that Italy had violated the terms of service and the agreed-upon ethical framework.
The Democratic Party, 5 Star Movement, and AVS immediately demanded that the government report to the Parliament on the incident. Meanwhile, Pina Picierno and Sandro Ruotolo, Dem MEPs, have filed two written questions to the European Commission: “What measures does it intend to take to ascertain the extent of this violation and take action against the perpetrators of these attacks? Does it intend to launch an investigation to ascertain the perpetrators and the extent of this violation?” asks EU Parliament Vice-President Picierno. According to Ruotolo, the case “concerns the European Commission because at stake is the violation of personal data and freedom of the press.”
This morning, during the daily press briefing, came an initial response from the EU executive: “Investigations are a matter for national authorities, not the European Commission, and we expect such allegations to be verified,” said spokesman Markus Lammert. And then stressed, “In general, any attempt to illegally access citizens’ data, including journalists and political opponents, is unacceptable, if proven.”
As Lammert recalled, the European Union recently passed new legislation, the European Media Freedom Act, which came into force on May 7, 2024, but whose rules will apply in full from August 8, 2025. The law provides “specific guarantees for journalists,” the Brussels spokesman said. Indeed, one of the thorniest issues in the regulation relates precisely to the provisions on the use of surveillance software, the result of the scandal that erupted back in July 2021 over the use by several national governments—even member states, from Greece to Hungary, Spain to Poland—of another Israeli spyware, Pegasus, to monitor journalists, members of civil society, and political opponents.
In contrast to the strict limitations of the original Commission proposal, member countries had managed to introduce a derogation for “safeguard national security” cases. During the interinstitutional negotiations, the Parliament insisted on greater limitations. In the law’s final form, spyware is permitted only on a case-by-case basis and with the prior authorization of a judicial authority to investigate serious crimes punishable by imprisonment. Even in these circumstances, however, the persons concerned must be informed after the surveillance and can then challenge it in court.
Meanwhile, in a press release today, the Hellenic Data Protection Authority announced that it is “investigating a case of a malware breach of WhatsApp users’ personal data,” following a notification submitted by WhatsApp itself, as “users in Greece appear to be among those affected.”
English version by the Translation Service of Withub
