The wiretapping case had a “happy ending” for the National Security Service and the government of Kyriakos Mitsotakis, since the Supreme Court announced that it will only prosecute four private persons for misdemeanours. Here are all the steps that the investigation failed to take.
by Eliza Triantafillou / Tasos Telloglou
Part 3 - What the prosecutors and Zisis did not do
What didn't they do? Even though they already knew –since early February 2023– that on December 16, 2021 (the day the two investigations by Citizen Lab and META on Intellexa's Predator were published) two Greek employees of the company had visited a data center maintained by Intellexa at a site in Maroussi and removed servers and other equipment without warning, they never called them to testify.
Two useful questions they could have asked, had they called them, would have been what those servers were used for and where had they been taken to. If they really wished to shed light to the case, they could have had the privacy of the two employees' communications lifted, in order to find out who and why had ordered them to rush to the data center. Additionally, none of the prosecutors turned to META (Facebook's parent company), which in its communication with the DPA said that it possessed data including, among other things, the "target" users and the Facebook accounts through which the targeting was done. META says that in order to provide this information, a formal request for judicial assistance would have to be made; something which the prosecution authorities never made. Prosecutors did not make a formal request to Citizen Lab either, which has useful technical aspects of the case at its disposal.
The only Intellexa employee called to testify named Merom Harpaz as the head of the company's offices in Athens and the one who did all the hiring. Merom Harpaz was never called to testify. By the way, the employee who made the technical presentations of the products (proof of concept) exclusively to foreign customers of the company, states in his testimony that the only customers of Intellexa were governments and government agencies. He also named his immediate supervisor, who was also not called to testify.
There was also a delay in the inspection by the Communications Privacy Authority (CSA) of the NIS's Technology Support, Development and Innovation Centre (KETYAK), where, according to press reports, the Predator system was initially installed. As expected, no surveillance equipment was found during the CSA's inspection in November 2022.
The delay in comparing the list of Predator targets with the list of legitimate privacy waivers under the pretext of national security is also of significance. This was finally done in June 2024 by the Deputy Attorney General of the Supreme Court, in a rather problematic manner. On the one hand there was the reluctance of the CSA to proceed with this audit ex officio, by going to the providers, and on the other hand there was the delayed order of the Prosecutor General's Office that reached the CSA in October 2023, shortly before the two prosecutors were removed from the investigation by decision of the Supreme Court Prosecutor and after the unconstitutional replacement of the members of the CSA –whose term of office had expired– with other persons of the government's liking.
Prosecutors also did not investigate the persons who paid the servers that hosted the fake websites (such as blogspot.edolio5[.]com, which was used 86 times to infect devices or emvolio-gov[.]gr), or the persons who paid to send the SMS that were infected with links from these malicious websites to the targets. These persons used means of payment such as Paypal, prepaid electronic cards from Viva and a prepaid Mastercard issued by the National Bank of Greece. The lifting of the privacy of the transactions could possibly have revealed where the money needed to make the electronic payments was transferred from.
And while the Data Protection Authority has been stressing, since last summer, that further investigation is needed, having exhausted all the means at its disposal, the Supreme Court Deputy Prosecutor asked them once again, for a second time in two years, if they had taken any other steps and what they were. It should be noted that no one from the DPA was called as a witness, nor was the Authority's technical assistance sought in understanding complex technical issues included in its finding that had to do with the Predator software and the channels of infection used by its operators.
Comments
Post a Comment