Poland’s Supreme Court has scheduled a date to review a case involving evidence gathered with the Pegasus spyware, following an appeals court’s ruling that such evidence is inadmissible.
Background on the Case
The ruling was issued in May 2023 in a criminal case where one of the accused was charged with aiding in crimes including abuse of power by a public official and disclosure of state secrets. The Court of Appeal in Wrocław acquitted this person, primarily because evidence gathered through operational and reconnaissance activities was deemed inadmissible and could not form the basis for factual findings.
The appellate court stated that such a method of obtaining materials to serve as evidence in a proceeding cannot be considered legal, as it likely involved the use of Pegasus spyware.
Expert Opinions
Wojciech Klicki, Vice President of the Panoptykon Foundation, emphasized that Pegasus has a huge potential for abuse and deeply intrudes on privacy. He noted that such abuses occurred in the case of Krzysztof Brejza and that Polish law does not protect against abuses related to spyware. Klicki believes that if the Supreme Court rules in line with the Court of Appeal, it would mean that services would not have legal security regarding the use of spyware and could not use such materials in proceedings.
Magdalena Sroka, Chair of the Sejm’s Pegasus investigative committee, commented that when courts determine guilt, they consider all gathered evidence. Evidence obtained using Pegasus constitutes one of many pieces of evidence in a case, and she has not encountered a situation where operationally obtained evidence was the only evidence in a case.
Pegasus Functionality
The appellate court explained how the spyware operates: it enables “effective monitoring, collecting, and downloading data from an infected device.” Additionally, it can be used to modify device content. The court described it as highly invasive, sophisticated, and deceptive with powerful and practically unlimited capabilities.
“After gaining control over the phone, the conducting operators obtain administrative rights, which in practice means they can do anything with the infected phone,” the court noted. The court added that even the phone’s user has fewer capabilities to intervene in the device than the attack authors.
Legal Basis Concerns
The appellate court also highlighted the lack of legal basis. According to Article 17, paragraph 2, point 4 of the CBA Act, the service conducting operational control obtained data generally. However, the problem is that installing the software involves hacking into the phone, and existing regulations on operational control do not allow for such actions.
The court stated that using spyware cannot be considered compliant with the law as a legal way to obtain evidence. The court also referenced Constitutional Tribunal jurisprudence, noting it’s difficult to accept that software allowing full control over a mobile device meets the requirements regarding the proper specification of operational techniques that limit state arbitrariness and enable effective control over covert operational activities.
