Two Catalan politicians will file lawsuits against spyware

Two leading members of the Catalan independence movement whose mobile phones were targeted with spyware are to take legal action against the former head of Spain’s national intelligence centre (NIC).

The announcement came after a joint investigation by the Guardian and El País revealed that Roger Torrent, the speaker of the Catalan parliament, and the former regional foreign minister Ernest Maragall were among at least four pro-independence activists targeted using Israeli spyware that its makers say is sold only to governments to track criminals and terrorists.

Torrent has said the revelations were proof of the Spanish state’s “dirty war” against its political opponents, while Maragall said he was not surprised to learn he had been targeted.

On Thursday, the pair – both MPs for the pro-independence Republican Left of Catalonia party – said they would file a legal complaint against Félix Sanz Roldán, who was head of the NIC when their phones were targeted last year. The Guardian has approached Roldán for comment.

“The acts that took place constitute offences under criminal law – the offence of unauthorised intrusion and of computer espionage or illegal eavesdropping,” Torrent and Maragall said in a statement, adding that the offences were punishable with prison sentences.

They said they had decided to take action against Roldán after reports emerged that Spanish intelligence services had purchased the Pegasus spyware from the Israeli NSO Group despite denials from the interior ministry.

In a statement to the Guardian and El País earlier this week, the interior ministry said: “Neither the interior ministry, nor the national police, nor the Guardia Civil have ever had any relationship with the company that developed this program, and, as such, have never contracted its services.”

It added that the actions of state security forces were always conducted “with the utmost respect for the law”.

The NIC said in a statement that it acted “in full accordance with the legal system, and with absolute respect for the applicable laws” and that its work was overseen by Spain’s supreme court.

It did not respond to specific questions about the alleged use of Pegasus spyware.

NSO Group has denied it has any role in operating its hacking software and has said it has no knowledge of who its government clients target.

The company said it operated under “industry-leading governance policies” and that it could not confirm or deny which authorities used its technology because of confidentiality constraints.

According to WhatsApp, a total of 1,400 users were targeted in a mass attack in April and May last year, which is now the subject of a lawsuit by the messaging app against NSO Group.

According to the lawsuit, the spyware exploited a previous vulnerability in WhatsApp software that would have given the operator potential access to everything on the target’s mobile phone – including emails, text messages and photographs. It could also have turned on the phone’s recorder and camera, turning it into a listening device.

The California company has claimed 100 members of civil society – including journalists in India, human rights activists in Morocco, diplomats and senior government officials – are alleged to have been affected.

John Scott-Railton, a senior researcher at Citizen Lab who has closely monitored the use of NSO Group’s spyware and collaborated with WhatsApp to engage members of civil society targeted by the the 2019 attack, described the targeting as disturbing.

“This case is extremely troubling because it suggests that possible domestic political espionage was taking place,” he said.

“And certainly we look forward to continuing to investigate the targeting that happened in Spain.”

The Spanish government has said it has no evidence of the targeting of senior Catalan independence campaigners, adding that it is a legal, rather than political, matter.

“When questions of this nature arise, the procedure is well known: you inform the relevant judicial authorities about the hack or tapping, or the theft from a device, and they can then investigate whether it has happened and under what circumstances,” the government’s spokeswoman, María Jesús Montero, told reporters on Tuesday afternoon.

“Any mobile phone tapping always requires preliminary judicial authorisation. This isn’t something for the government.”