Germany's Federal Criminal Police Office (BKA) purchased access to NSO Group's Pegasus spyware in 2019 after internal efforts to create similar iOS and Android surveillance tools failed.
The federal government revealed the agreement with NSO in a closed-door session with the German parliament's Interior Committee on Tuesday, reports Die Zeit.
When the BKA began to use Pegasus is unclear. While Die Zeit says the tool was purchased in 2019 and is currently used in concert with a less effective state-developed Trojan, a separate report from Suddeutsche Zeitung, via DW.com, cites BKA Vice President Martina Link as confirming an acquisition in late 2020 followed by deployment against terrorism and organized crime suspects in March.
Officials made the decision to adopt Pegasus in spite of concerns regarding the legality of deploying software that can grant near-unfettered access to iPhone and Android handsets. As noted in the report, NSO's spyware exploits zero-day vulnerabilities to gain access to smartphones, including the latest iPhones, to record conversations, gather location data, access chat transcripts and more.
Germany's laws state that authorities can only infiltrate suspects' cellphone and computers under special circumstances, while surveillance operations are governed by similarly strict rules.
BKA officials stipulated that only certain functions of Pegasus be activated in an attempt to bring the powerful tool in line with the country's privacy laws, sources told Die Zeit. It is unclear how the restrictions are implemented and whether they have been effective. Also unknown is how often and against whom Pegasus was deployed.
According to Die Zeit, Germany first approached NSO about a potential licensing arrangement in 2017, but the plan was nixed due to concerns about the software's capabilities. Talks were renewed after the BKA's attempts to create its own spyware fell short.
In July, a cooperative report from 17 media organizations exposed methods by which Pegasus has been abused by authoritarian governments to spy on human rights activists, journalists and business leaders. The same report noted a leaked list of more than 50,000 phone numbers that are thought to be tied to people of interest for supposed NSO clients.
Tuesday's news comes less than a month after the Bundestag's Digital Agenda committee chairman, Manuel Hoferlin, declared Apple to be on a "dangerous path" with plans to enact on-device child sexual assault material monitoring. Hoferlin expressed unease over the initiative in a letter to Apple CEO Tim Cook, saying the system undermines "secure and confidential communication" and represents the "biggest breach of the dam for the confidentiality of communication that we have seen since the invention of the Internet," according to a machine translation of the text.
Apple has since postponed the feature's rollout as it gathers feedback on the matter.