Poland’s Supreme Court will examine the legality of evidence gathered through Pegasus spyware, setting a specific date for the landmark case.
Criminal Case and Acquittal
The ruling came in May 2023 in a criminal case where one accused faced charges including aiding in the abuse of power by a public official and disclosing state secrets. The Wrocław Court of Appeal acquitted this person, partly because evidence gathered through what was likely Pegasus spyware was deemed inadmissible as it couldn’t be admitted to proceedings or serve as a basis for factual findings.
The appellate court ruled that this method of obtaining materials for evidence cannot be considered legal.
Expert Opinions
Although Poland no longer has a license for Pegasus, experts believe the Supreme Court’s ruling in this case will be crucial. Vice President of the Panoptykon Foundation Wojciech Klicki noted that Pegasus has enormous potential for abuse and deeply invades privacy, mentioning the case of Krzysztof Brejza as an example of such abuse.
According to Klicki, if the Supreme Court ruling aligns with the Court of Appeal’s decision, it would mean that security services would lack legal security regarding the use of spyware and wouldn’t be able to use such materials in proceedings. He added that it would be an impetus to create legal frameworks that would enable security services to operate effectively while ensuring no abuses against citizens occur.
Chair of the Sejm’s Pegasus investigation committee Magdalena Sroka commented that when courts assess a person’s guilt, they consider all gathered evidence. Evidence obtained using Pegasus constitutes one of many pieces of evidence in a case, and she hasn’t encountered situations where operationally obtained evidence was the only evidence in a case.
How Pegasus Operates
The court explained in its justification how the spyware works: it enables “effective monitoring, collection, and downloading of data from infected devices.” Moreover, it can also be used to modify device content. Therefore, according to the court, this software is highly invasive, sophisticated, and stealthy, with powerful potential and practically unlimited capabilities.
After gaining control over a phone, the attackers conducting the attack obtain administrative rights, which in practice means they can do anything with the infected phone. The court emphasized that the attackers even have greater ability to interfere with the device than its user.
This occurs partly because vulnerabilities in the operating system are used to infect phones with malicious software, and the installation process is invisible to the user.
Lack of Legal Basis
The appellate court also pointed to the lack of legal basis. According to the court, Article 17, paragraph 2, point 4 of the CBA Act, which governs operational control activities, speaks generally about obtaining and preserving data. Spyware software allows for such obtaining and preserving of data through full access to mobile devices. However, the problem is that its installation occurs through phone hacking.
The existing regulations concerning operational control, including the mentioned Article 17 of the CBA Act, do not allow for such actions and do not foresee such possibilities, noted the Wrocław court.
In the court’s view, this means that the use of spyware cannot be considered consistent with the law or a legal method of obtaining evidence. The appellate court also referred to the rulings of the Constitutional Tribunal, stating that it is “difficult to accept that software allowing full control over a mobile device meets the requirements set by the Constitutional Tribunal regarding the proper specification of the used operational and reconnaissance technique, one that limits state arbitrariness and enables effective control over covert operational and reconnaissance activities.”