FTM Investigation: EU Funds Digital Espionage

Hundreds of millions of euros have been allocated from the European Union budget to the European spyware industry, which makes apps and programs for the permanent surveillance of citizens, shows a journalistic investigation published yesterday by the website Follow The Money (FTM). While scandals in Greece, Poland, Hungary, Italy or Spain have revealed how journalists, activists, political opponents and even high-ranking leaders such as Emmanuel Macron or Roberta Metsola have been spied on through intrusive programs such as Pegasus or Predator, the journalistic investigation shows that hundreds of millions of euros in European funds and national subsidies have gone directly to companies that develop and market these technologies.

Follow the Money reports, supplemented by Atlantic Council data, documented how the European Defence Fund, as well as public entities in Italy and Spain, directed from a few hundred thousand to over 100 million euros to companies such as Cy4Gate, Intellexa Alliance, Verint Systems, Cognyte or RCS Labs, companies accused of selling their products to repressive regimes in Egypt, South Sudan, Turkmenistan, Bangladesh or Pakistan, where they were used against citizens, in contradiction to the declared values of the European Union.

According to official data, Cy4Gate received 103 million euros between 2020 and 2024, including grants from the European Defence Fund, although one of its products, Epeius, was identified by Google as spyware capable of taking control of smartphones and extracting personal data. The RCS Labs subsidiary has provided technology to governments with a dismal human rights record.

Verint Systems, coordinator of a FP7 project 70% funded by the EU with 15 million euros, was accused by Amnesty International of supplying interception equipment to South Sudan, and Privacy International discovered systems delivered to Kazakhstan and Uzbekistan.

France, through the European Commission, awarded a 60,000 euro contract in 2015 to Nexa Technologies, part of the controversial Intellexa Alliance, a network associated with the Predatorgate scandal in Greece, where journalists and parliamentarians were spied on. Intellexa was sanctioned by the US for using Predator spyware against American officials and experts, and Nexa, renamed RB 42, admitted to selling technology to regimes such as Egypt and Vietnam.

In Spain, the Center for the Development of Industrial Technology, under the auspices of the Ministry of Science, granted 1.3 million euros between 2019-2020 to the now-defunct Mollitiam Industries, and the European Regional Development Fund offered it over half a million for a platform for analyzing data from social media and the dark web. In Italy, the public bank Mediocredito Centrale guaranteed a loan of 2.5 million euros in 2013 for Dataflow Security, a company engaged in the development of mobile exploits and with former NSO Group employees on its team. Other Italian companies, such as Innova, Movia or Area, have benefited from direct funding from the Horizon 2020, ERDF or IPA II programs, and Hacking Team, which became Memento Labs, even received a small subsidy of 1,800 euros through the Youth Employment Initiative. The Italian company Negg Group received euro9,872 from the Ministry of Economic Development, even though its products were used to spy on targets in Italy, Malaysia and Kazakhstan.

Recent scandals confirm that the use of these tools is not just a theoretical problem. Italy admitted to a parliamentary committee that its intelligence services used the Graphite spyware, developed by the Israelis at Paragon Solutions, to attack the phones of activists who rescue migrants and journalists. Spain was rocked by the revelation by Citizen Lab that more than 60 people associated with the Catalan separatist movement were targeted by Pegasus, and that Prime Minister Pedro Sanchez and three ministers were also spied on. In Poland, Hungary and Greece, hundreds of citizens - 570 in Poland, 300 in Hungary, 87 in Greece - have been confirmed as victims.

Despite these abuses, the European Commission has remained inactive, although Parliament called in 2022 through the PEGA committee for strict regulation of the manufacture, sale and use of spyware. The committee's 2023 report warned that the Union must quickly develop its defence mechanisms against "attacks on democracy from within.” Saskia Bricmont, a Belgian MEP, said the Commission's inaction legitimises the abuses and "put in danger European security”, exposing states to vulnerabilities and blackmail from foreign governments. Hannah Neumann, a German MEP, warned that "the EU cannot defend citizens' rights and, at the same time, subsidize their surveillance. It is a betrayal of its own rules and values”.

Digital rights NGOs, such as European Digital Rights, are calling for a ban on public procurement from spyware companies, full transparency on contracts and financing, targeted sanctions against those who sell or finance these tools and reform of research and innovation programmes to exclude technologies incompatible with fundamental rights.

Natalia Krapiva, legal advisor at Access Now, told the cited source that "uncontrolled subsidies for this industry notorious for its lack of transparency generate corruption and abuses”.

While the US sanctions companies and restricts the use of spyware, Europe remains stuck between scandals and inaction, with some major cities transformed into hubs for the surveillance industry. The lack of regulation and control, combined with massive public funding, risks turning the European Union not only into a victim, but also into a sponsor of its own vulnerability.