Fianna Fáil will renew scrutiny of Ireland’s links with companies selling the Predator spyware after a European Parliament committee investigating abuse of the technology reported a lack of cooperation from the Irish Government on the issue.

Citing reporting by The Currency last year, a report prepared by the Pegasus committee (named after an earlier piece of spyware used to infect the phones of MEPs, activists and journalists, or Pega in short) has now confirmed earlier draft findings that “Ireland has become the member State where some of the main spyware companies involved in scandals have registered, owing to its fiscal laws”.

The companies include Thalestris Ltd and Intellexa Ltd, two Dublin-registered companies active in Ireland to this day with Cyprus resident Sara Hamou as their director. They booked €34 million in fast-growing sales out of Ireland in 2021.

Hamou is identified in the Pega committee’s report as the second wife of Tal Dilian, a former Israeli military intelligence officer and technology entrepreneur named by MEPs as the head of the Intellexa group of companies commercialising the Predator spyware.

The Pega report seen by The Currency states:

“The Irish Government refused to respond to the question as to whether it or any law enforcement agencies had been approached by Thalestris or Intellexa, or if they had ever used their services, arguing that ‘for sound operational and national security reasons it would not be appropriate to comment on the details of national security arrangements, nor would it be appropriate to disclose the department’s cyber security arrangements or those of state offices, agencies and bodies under the department’s remit’. The Irish Government also refused to comment on any Irish links to the spyware produced by Thalestris and Intellexa. There is no publicly known evidence of abuse of spyware in Ireland.”

The European Parliament is now due to vote on recommendations resulting from the report’s findings at a plenary sitting in the coming weeks.

Fianna Fáil MEP Barry Andrews told reporters in Brussels that it was important to know whether the Irish Government used the spyware under investigation.

“The problem is that spyware is used in other jurisdictions to identify terrorism, child pornography – all very legitimate public policy gains – but the spyware evidence that is elicited is not used in prosecutions because it wouldn’t stand up to examination under fundamental rights, so it’s a very dangerous area to be in,” he said.

Andrews previously referred the issue to the Oireachtas Justice Committee to extend parliamentary scrutiny to the domestic level, leading to an initial discussion of the spyware issue behind closed doors in January. 

Asked by The Currency what were the next steps in this process, Andrews said: “I think the Justice Committee is the correct committee to examine this issue, so I wrote to the chair of the Justice Committee James Lawless who is from my party, and he undertook to carry out this hearing in the Justice Committee, and I expect that to happen before the summer.”

He added that this should cover “both the use of the software and an investigation into the registration of these companies in Ireland”.

Intellexa founder Tal Dilian.

The Pega report’s chapter on Ireland acknowledges ongoing improvements in corporate transparency legislation, and investment in the National Cyber Security Centre to address the risk of external spyware attacks.

Asked by The Currency for her party’s position, former Minister for Justice and Fine Gael MEP Frances Fitzgerald pointed out that the final report was less critical of Ireland than initially drafted but acknowledged points that the country needs to “take note of”.

“It’s very hard to get information from any government on it because they quote security sources on it,” Fitzgerald said. “But I think there were lessons in it for Ireland in terms of companies being set up, which I thought we had dealt with – the plaques on the doors, that was concerning.” She recognised that the Pega Committee still had issues with the domiciliation of those companies in Ireland.

Ireland was not the only country singled out for facilitating spyware companies with insufficient oversight. “Two member States, Cyprus and Bulgaria, serve as the export hub for spyware. One member State, Ireland, offers favourable fiscal arrangements to a large spyware vendor, and one member State, Luxemburg, is a banking hub for many players in the spyware industry,” the Pega report reads.

In a series of recommendations to the European Council for stricter regulation of this industry, the Committee “takes the firm position that the export of spyware from the Union to dictatorships and repressive regimes with poor human rights records, where such tools are used against human rights activists, journalists and government critics, is a severe violation of fundamental rights enshrined in the Charter [of Fundamental Rights of the European Union] and a gross violation of Union export rules”.

It suggests measures including restricting sales of spyware by EU-registered companies to a closed list of vetted public authorities around the world and banning “hacking as a service”, where spyware is operated by commercial companies on behalf of State agencies. 

A spokesman for the Department of Justice told The Currency:

“The Department is aware that the European Parliament’s PEGA Committee has produced a report on foot of its investigation into allegations connected with the use of surveillance spyware by Members States and notes that its draft recommendations to the Council and the Commission are subject to a vote by the full Parliament. 

“It is important to note that Irish legislation, specifically the Interception Act of 1993 (The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993) allows for the interception of telecommunications and does not provide for what is known as ‘device interference’.”

Thomas Hubert is reporting from Brussels as part of a visit of EU institutions for Irish journalists funded by the European Commission.