On Sunday, it became known that with the help of the Israeli technology company NSO's spy software “Pegasus”, about 50,000 mobile phones of journalists, NGO staff, politicians and human rights activists, among others, were hacked and spied on. MEP and digital freedom fighter Patrick Breyer (Pirate Party) is now calling on the EU Commission to hold mobile phone technology manufacturers accountable:
“The phone hacking attacks and the ransomware cases have a common cause: security bugs nowadays endanger human lives. In the age of the digital revolution, commercial manufacturers bear a responsibility and should be liable for damages if security bugs are their fault. The Commission should respond to the latest disaster soon and back up its alarmed rhetoric with action.”
In a written question submitted today, Breyer wants to know specifically from the European Commission:
- Will the Commission propose legislation obliging commercial IT manufacturers to fix vulnerabilities and provide patches within a reasonable timeframe after their discovery, and provide for manufacturer liability in case of failure to do so?
- What else could the legislator do to improve the security posture of mobile devices and mitigate the risks of attacks?
- Hungarian authorities are suspected of having monitored the smartphones of journalists and politicians using spyware. How will the Commission address this allegation?
The Pirates European Election Programme reads: “With the Internet of Things, computers are starting to influence the world in direct and physical ways (e.g. car or hospital technology). IT devices that are insecure and vulnerable to integrity and availability threats increasingly endanger our lives and property. We can no longer afford security disasters to occur on a regular basis. … PIRATES want to oblige commercial manufacturers of IT equipment to provide regular updates for a reasonable period of time. If updates to fix vulnerabilities are not provided within a reasonable period of time after their discovery, commercial manufacturers should be held liable for the consequences. If a manufacturer decides to abandon a product that is still widely used, the source code and development tools should be made public so that the community can maintain it. Authorities must be required to disclose any vulnerabilities they either acquire or become aware of. There must be no backdoors in encryption technologies as this weakens and compromises the integrity and security of all systems.”