By Jonathan Rozen, Technology and Human Rights Fellow (2025-26)

The views expressed below are those of the author and do not necessarily reflect those of the Carr-Ryan Center for Human Rights or Harvard Kennedy School. These perspectives have been presented to encourage debate on important public policy challenges. 

 

February brought a flurry of surveillance news from Poland, Greece, Angola, and the U.S., highlighting issues of privacy and accountability.

As concerns coalesce over access to data from devices infected with spyware and cases of targeting continue to emerge, U.S. lawmakers have raised questions about the removal of individuals from a sanctions list aimed at curbing such abuses.

On February 25, prosecutors in Poland charged two former intelligence chiefs in connection with the use of Pegasus spyware sold by NSO Group. The National Prosecutor's Office said the chiefs failed in their duties by allowing Pegasus to be used without it having “required legal accreditation of ICT security” and without determining the technology “ensures the security of classified information.”

Pegasus is a deeply invasive commercial spyware that can grant an attacker remote access to a device, including its photos, contacts, and communications. It can also turn on the camera and microphone, offering visuals and audio from a target's surroundings.

“Under Polish law, IT systems that process classified information…must be accredited. The aim is to ensure that users of the system have exclusive control over the information processed there,” said Wojciech Klicki, vice president of the Panoptykon Foundation, a Polish surveillance watchdog group. “The prosecutor's office has brought charges against the people who were responsible for verifying the security of Pegasus but failed to do so.”

Poland’s national news agency reported that both men denied wrongdoing.

Similar questions of access emerged with documents made public in 2024 from a lawsuit filed in California by WhatsApp against NSO Group, which indicated Pegasus installation was “a matter for NSO and the system to take care of, not a matter for customers to operate.” NSO also said it had disconnected Pegasus customers over abuses.

But an NSO spokesperson told TechCrunch at the time that “the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered.”

Over 500 people, including opposition political figures, were targeted with Pegasus in Poland between 2017 and 2022, according to local officials. 

Spyware has been used repeatedly against journalists and other members of civil society around the world. Victims have described a deep sense of exposure from people they do not know or trust gaining access to their personal lives. Surveillance harms stem from being known in an abusive way and can be considered violations of epistemic rights, which relate to who is (or is not) entitled to certain information.

Investigations of the use of Pegasus in Poland are ongoing, and Klicki said he has yet to see actions properly addressing the “scope of possibilities” offered by the spyware, as well as its abuse.

“The issue of Pegasus and spyware can be viewed from the perspective of human rights, surveillance, and the right to privacy. But there is also the perspective of national security,” Klicki explained. “[A]llowing commercial tools over which one does not have full control always poses a risk. The Polish authorities did not verify this risk and thus endangered national security.”

The Polish National Prosecutor's Office did not respond to emailed questions about the implications of the former intelligence chiefs’ alleged failures.

 

Who Gets to Know?

Pegasus is not the only spyware raising concerns about who controls data from targeted devices.

FlexiSPY, which sells spyware that was installed on Kenyan journalists' devices while in police custody in May 2025, says on its website that data recorded with its products is transmitted to the company's servers.

Kenyan police officers are facing allegations of perjury for denying that they installed spyware on the journalists’ phones, and FlexiSPY did not respond to questions emailed in September 2025 about its activities in Kenya and management of collected data.

“This [Kenyan] government has no idea on how to protect its own citizens…we are very far off in terms of realizing the true implementation of what data privacy means,” said Ian Mutiso, the journalists' lawyer. “It is indeed a very serious concern to know that this data [may be] in the hands of third parties.”

Concerns in Poland and Kenya echo those raised by leaks reported in December about the Intellexa Consortium, a network of surveillance firms that sell Predator spyware. The leaks indicated company staff may have remote access to data of their customers' targets.

On February 26, a Greek court convicted four Intellexa-linked individuals on misdemeanor charges over the use of Predator, including to target journalist Thanasis Koukakis. The four denied wrongdoing, but the court sentenced them to a combined 126 years and eight months in jail and referred the case back to prosecutors for further investigation. The sentence was suspended pending appeal.

Three of the individuals found guilty were among the Intellexa-related actors added to U.S. government sanctions lists in 2024, which cited human rights and national security concerns. Then, in late December 2025, the U.S. Treasury Department removed three individuals from those lists, including one subsequently convicted in Greece.

On February 13, five U.S. Congress members wrote to the Treasury Department and State Department to express “deep concern” over the “decision to lift U.S. sanctions on enablers of the Intellexa Consortium” and requested a briefing by February 27 to explain the delistings.

The Treasury Department did not reply to emailed questions about the reasoning and due diligence surrounding the delistings.

Also in late February, news broke that the phone of prominent journalist and lawyer Teixeira Cândido had been infected with Predator in 2024, marking the first-ever public confirmation of spyware use in Angola. Cândido has since filed a criminal complaint with the general prosecutor, citing his constitutional right to privacy, and Angola's main opposition party has called for an investigation.

“I don't know what was taken from my phone,” Cândido said in a recent interview.

Intellexa founder Tal Dilian, one of those convicted in Greece and sanctioned by the U.S., did not respond to emailed questions about Predator’s use in Angola and staff access to its systems. But a lawyer for him responded to the December leaks investigation with a statement denying connection to “events in Greece” and emphasizing “governments bear full responsibility” for use of “active cyber-tools” after purchase.

 

Necessary and Proportionate?

The cases in Poland, Greece, and Angola, along with numerous other proceedings around the world and U.S. sanctions, showcase various risks associated with commercial spyware.

Hinako Sugiyama, who supervises the International Justice Clinic at the University of California, Irvine, said it's “practically impossible” to build safeguards against spyware abuse because under human rights law surveillance must pass tests of necessity and proportionality. The total access to a device that spyware provides, along with the risk of “unauthorized access” from third parties, means it is difficult to imagine how such technology could pass these tests, she said.

“To enable audits and access to remedy in case of abuse, every action by law enforcement during the course of spyware use should be logged,” Sugiyama emphasized. “But many commercial spyware are designed rather not to leave any traces—and that is a sales point.”

Image Credits

TA Design | Adobe Stock
