The newest discovery by Citizen Lab cybersleuths broadens the list of those allegedly targeted by state surveillance under Poland’s nationalist government with a tool marketed for use exclusively against criminals and terrorists.
In late December, the University of Toronto-affiliated security researchers determined that a Polish senator, Polish lawyer and a Polish prosecutor — all three critics of Poland’s ruling Law and Justice party — were hacked with NSO’s Pegasus. They were the first confirmations that a tool widely abused globally by repressive governments had been used in the European Union country.
The finding triggered an inquiry in the opposition-controlled Senate.
In its new findings, Citizen Lab found that Michal Kolodziejczak, a 33-year-old farmer and agrarian social movement leader was hacked several times in May 2019. That was months ahead of a fall election in which Kolodziejczak was hoping to have his group, AGROunia, become a formal political party. Support for his movement threatened to eat into a key constituency of the ruling party, farmers and other voters in the Polish countryside. Courts have so far blocked his efforts to form a political party.
The other target was Tomasz Szwejgiert, who says he collaborated for years with Polish secret services before finding himself at odds with powerful figures. He was hacked while co-authoring a book about the head of Poland’s secret services, Mariusz Kaminski. He was hacked 21 times with Pegasus from late March to June of 2019, intrusions that began after he and his collaborators sent questions to the Polish government about Kaminski.
Replying to a request for comment, a Polish state security spokesman, Stanislaw Zaryn, insisted that surveillance is only carried out in justified cases and in accordance with the law. He said due to legal limitations he could not give any details about whether specific people were surveilled.
However, he said reports about Szwejgiert’s “connections with the secret services are untrue,” and said the man has faced charges for serious economic crimes.
In one case, he spent 11 months in prison in 2018 on allegations of belonging to a criminal group that carried out a tax fraud scheme that cost the state millions of zlotys. Another allegation is that he pretended to work for the secret services in order to commit financial fraud.
Szwejgiert told The Associated Press that he was innocent and believes he was framed, insisting he had collaborated with the secret services for years.
Pegasus is ultra-invasive. The hacker gets access to a victim’s smartphone data and can surveil them in real time with the phone’s microphone and camera. The Pegasus abuse cases worldwide highlight how such technologies — used against journalists, dissidents, rights activists and politicians — pose a growing threat to democratic systems.
The revelations in Poland led ruling party leader Jaroslaw Kaczynski to acknowledge publicly for the first time earlier this month that Pegasus was bought by the Polish state. Kaczynski described it as a tool to fight crime and denied that political opponents were targeted.
As the government sought to counter perceptions that the state was engaged in mass surveillance, a ruling party lawmaker knowledgeable about state security services, Marek Suski, said last Friday that the number surveilled by the state did not exceed “several hundred people a year.”
The news drew headlines, however, shocking Poles who considered the number anything but trivial.
John Scott-Railton, a senior researcher at the Citizen Lab who found the forensic traces of hacking on the phones of all five Poles, said he believes “there is more to be found.”
“In my experience, Pegasus abuses are often the canary in the coal mine. What about other surveillance powers? Such as wiretapping and internet monitoring? These can be harder for outsiders to prove, but are ripe for abuse at a massive scale,” said Scott-Railton, who testified along with a co-researcher to Poland’s Senate commission last week.
Citizen Lab had previously confirmed the hacking of Ewa Wrzosek, an independent prosecutor fighting government attempts to politicise the judiciary, and Roman Giertych, a prominent lawyer who represents opposition leaders including Donald Tusk, a former prime minister.
Another Pegasus hack confirmed by Citizen Lab was of Sen. Krzysztof Brejza, who was running the opposition’s 2019 parliamentary election campaign at the time. Messages stolen from his phone were doctored and used in a smear campaign against him.
One aim of the Senate inquiry is to determine whether the 2019 election was fair under the circumstances. Kaczynski’s Law and Justice won by a slim margin.
Kolodziejczak believed the elections could not have been fair, given the hacking.
“They manipulate everyone’s choices in this way,” he said. “If one party knows more, it is easier for them to convince you NOT to vote for the others.”