Signal-Power Dossier — European Union | Planetary Restoration Archive

Critical

🎯 Mercenary Spyware in Member States

The European Parliament’s PEGA inquiry documented abuses of Pegasus/Predator-class spyware across the EU, warning of fundamental-rights erosion and rule-of-law risks.

PEGA Committee Findings

EU Parliament Inquiry

Scope: systemic abuse patterns; export-control gaps; weak redress
Outcome: recommendations to Commission & Member States; limited binding follow-up to date

Predatorgate (Greece) & regional clusters

Greece / Intellexa / Predator

Context: infections targeting politicians & journalists; ongoing judicial inquiries and press investigations

Critical

📡 Telecom Signalling Exploits (SS7/Diameter)

EU cyber authorities have flagged persistent signalling-layer risks across SS7/Diameter; mitigations vary by carrier, with roaming and interconnect as soft spots.

ENISA Guidance

EU Agency for Cybersecurity

Focus: regulatory guidance, national oversight prompts, vulnerability disclosure practices

Moderate

🗂️ Data Brokers & Cross-Border Demands

GDPR curbs data-broker excesses, but enforcement is uneven; new EDPB guidance clarifies how EU firms must handle third-country authority data requests.

EDPB — Article 48 Guidance

EU Data Protection Board

Key point: non-EU court orders don’t create legal basis for EU transfers; use MLAT or EU law pathways

Moderate

📺 Platform Governance & EU Enforcement

The DSA applies across the EU (Feb 2024). VLOPs/VLOSEs must assess systemic risks and offer user choice (e.g., non-profiling feeds); enforcement is ramping via the Commission & national regulators.

Guardrails

⚖️ AI Act, eIDAS 2.0 & Institutional Oversight

The AI Act (2024/1689) phases in obligations by risk tier. eIDAS 2.0 (notably QWACs) remains debated for browser trust models. EDPS continues to litigate institutional data-processing powers (e.g., Europol scope).

🕸️ Corruption Network Visualization (EU)

Relationships between spyware vendors, data brokers, telecoms, platforms, and EU/national authorities. Drag nodes to explore.

Legend: ● Authorities ● Vendors ● Brokers ● Platforms ● Telecom/Programs

🔗 Key Relationships (EU)

Spyware ecosystem (PEGA)

Core: Member-state services ↔ NSO/Intellexa-class vendors ↔ domestic political targets; export-control circumvention.

Telecom signalling

Core: SS7/Diameter interconnect ↔ roaming exposure; NRAs push mitigations; audits uneven.

Data-broker + platform loop

Flow: Apps/SDKs → aggregators → adtech & public buyers; GDPR limits + EDPB Article 48 guidance for third-country demands.

📅 Signal-Power Evolution Timeline (EU)

2016–2019: Early EU warnings on SS7

ENISA and national regulators flag interconnect insecurities; guidance begins to emerge.

2021–2023: Spyware scandals crest

Poland/Hungary/Spain cases; Greece’s Predatorgate triggers PEGA inquiry & recommendations.

Feb 2024: DSA takes effect EU-wide

Systemic risk duties for VLOPs/VLOSEs; user choice & auditing obligations.

2024–2025: AI Act adopted; oversight tussles

Risk-tiered AI obligations phase-in; EDPS litigates scope vs. Europol; eIDAS 2.0 QWAC debate continues.

⚡ Immediate Stop-Gap Actions (EU-aligned)

Adopt now; designed to dovetail with GDPR/DSA/AI Act and ENISA guidance.

🛡️ Spyware Controls (PEGA-aware)

Judicial authorization + necessity/proportionality for any invasive tool.
Public DPIA and quarterly aggregated reports per Member State program.
Vendor NDAs cannot override disclosure to courts/DPAs/EP oversight.

📡 Signalling/Interconnect Hardening

Carrier attestations on SS7/Diameter defences; roaming-edge audits.
Annual third-party testing with public summaries; incident stats.

🗂️ Data-Broker Containment

No acquisition of location/behavioral datasets without clear legal basis; DPIA + minimization.
Article 48 compliance playbook: reject direct third-country orders; route via MLAT/EU law.

📺 Platform Governance

DSA-consistent risk logs; “no informal pressure” policy with audit trails.
Political ad transparency + user choice for non-profiling feeds.

🏛️ Institutional Oversight

Independent panels incl. civil society & technologists for high-risk tooling.
Whistleblower-safe portals; contractor debarment for pattern violations.

📋 Implementation Toolkit (Model Resolution / By-law)

Edit inline; then copy or download. Text aligns to EU law refs cited above.

SIGNAL-POWER CORRUPTION PREVENTION RESOLUTION (EU)

1 — Spyware/High-Risk Tools
(a) Prior judicial authorization with necessity/proportionality; (b) DPIA published within 30 days of program start; (c) Quarterly aggregates on vendor, legal basis, categories; (d) NDAs unenforceable against courts/DPAs/EP oversight; (e) Export-control and procurement compliance per PEGA recs.

2 — Data-Broker Restrictions & Art. 48 GDPR
(a) No location/behavioral dataset acquisition absent lawful basis and minimization plan; (b) Sensitive locations embargo; (c) Reject direct third-country orders; use MLAT/EU instruments; (d) Public broker relationship log; (e) Deletion audits.

3 — Cell-Site/Signalling Governance
(a) Mandatory warrants and purge attestations for IMSI-catchers; (b) SS7/Diameter/roaming defences with annual third-party testing; (c) Interconnect incident statistics and corrective actions.

4 — Platform Governance (DSA-consistent)
(a) Systemic-risk documentation and audits; (b) Political ad transparency; (c) User choice of non-profiling feeds; (d) Public log of takedown requests and legal basis.

5 — Oversight & Remedies
(a) Private right of action where compatible with national law; (b) Whistleblower protection; (c) Contractor debarment for repeated non-compliance; (d) Independent oversight board including civil society and technologists.

EFFECTIVE DATE: [INSERT]