00:00:10 Domen Savič / Citizen D 

Welcome everybody. It’s the 15^th… No, it’s the 4th of September 2025 and you’re listening to this episode of Citizen D podcast on the 15th of September same year. W ‘re back after a prolonged, let’s call it a vacation and with us today is Aljoša Ajanović Andelić, policy advisor at European digital rights EDRi, where he covers issues related to illegal state surveillance like spyware, journalist digital rights and the effects of techno solutionism and securitization policies on minoritized communities and people on the move. Welcome, Aljoša, it’s good to have you here. 

00:00:55 Aljoša Ajanović Andelić  / EDRi 

Thank you. Thank you for having me.  

00:00:56 Domen Savič / Citizen D 

Let’s start with the opening salvo. We’re going to be talking about the spyware issue and I was wondering, why is spyware getting so much attention in 2025? Like, if you followed this this topic like a regular person, not like a digital activist, you’d hear probably something about Pegasus a few years back and then everything went sort of silent. But now, 2025, spyware is literally everywhere. Why is that? 

00:01:32 Aljoša Ajanović Andelić  / EDRi 

Well, the answer to that question, I would say that that is because of scandals. So that would be the same answer if you had asked me five years ago because nothing has changed. So from time to time, we come across these big scandals of illegal surveillance to different types of activities to political opposition in different parts of Europe, and that is when this topic always comes back to the front pages.  

In 2025, the biggest scandal has been the Paragon scandal, which was a revelation earlier this year that said that more than 100 people were spied across Europe with this spyware called Graphite that’s developed by the Israeli company Paragon. And this is something that that has made the front pages, because in Italy, some of those victims whose identity hasn’t been fully disclosed, but three or four of them have come, have come to the front and it happens to be journalists and humanitarian aid activists in Italy who have been spied illegally by… we don’t know who. So what happened?  

After these revelations came and these people spoke as one of the affected victims is what we have seen in all other scandals. So we’ve seen that in the past in Catalonia, but also in Poland and Hungary, which is that first the state denies all type or any type of responsibility on that and then starts considering a bit. Well, yeah, we spied on these ones, but not on the other ones and so forth.  

This is where we stand at this point in Italy in in which, you know, they have recognized that those humanitarian workers from the NGO Mediterranean have been actually spied by the state because they say that their activities qualify as crimes because they have been allegedly promoting human smuggling, but in the case of the journalists, the Italian government is saying that they are not involved, even though all the evidence points to that direction.  

What is happening in 2025, again, is that many scandals are unfolding. There’s also another case in Serbia that was revealed in which the Serbian Government has developed its own spyware. So it’s not just private companies, it’s also state developed spyware, and it was used in this case to also go or investigate the phones of journalists and also politicians. 

What makes this issue so problematic, or why should everyone, even if you are not a digital rights activist, why would you care about this? It because the fact what these programs do, which is to be able to access anything in your phone. 

This is something that’s very appealing to any common citizen, because we all now rely massively on our phones, they are kind of where all our information is stored and we all can imagine what kind of privacy violation would that be: that the state accesses you. 

00:04:48 Domen Savič / Citizen D 

You’ve mentioned the state several times. Are they still the main users or the main actors in this field or are there other actors? Maybe somebody from the private sector, from the criminal underground that is also a part of this spyware ecosystem? 

00:05:11 Aljoša Ajanović Andelić  / EDRi 

Well, mainly with the biggest issues on particularly spyware have come all of them from state authorities, private companies that are the biggest sellers of this.  

So, we can think about NSO group, but also Paragon and others, they all claim to just be selling to state authorities, so it doesn’t need to be the state itself, sometimes is police force. Sometimes is the judiciary power, but it’s mainly addressed to state authorities and the main scandals that have come, they all come from targeting from States and we do believe that’s the most worrying practice and the one that we as human rights defenders to care the most, because the state is the one that should be protecting your privacy and your digital rights and not attacking them.  

We’ve also had some cases in in countries like China or Russia in which it is not the state itself that conducts these attacks, but mercenary hackers or groups of hackers who are committed to the state in some way because the state is sometimes paying for their services or is servicing them with the programs, but they are not directly part of the state. 

 So we’ve seen that groups of mercenaries using these type to conduct smear campaigns or to intimidate certain groups.  

One good example is the regular minority in China, which has been attacked massively by these types of mercenary groups, but yeah, I would say that the biggest problem we’re facing is when states use that because when private, you know, criminals could be using that, that’s something that of course we should worry about, but what we cannot tolerate is that the state is using this without our knowledge and without any transparency. 

And of course you know, bringing to this union of companies with very worrying practices such as the set and the subgroup with state action, which is, for example, the police or law enforcement investigation, which is something of a public service so to say, and then it’s tied up with these companies that have virtually no oversight, so we don’t know what’s happening. 

00:07:36 Domen Savič / Citizen D 

You’ve mentioned transparency, right, and seeing how nation states are still the biggest or the most important actor in the field. How do you see this conflict of interest on the issue or on the on the level of transparency? So on one side you want your state or your elected leaders to be transparent about the activities, at the same time I’m guessing revealing too much information about the usage of spyware by nation states could harm their defense strategies and police tactics. 

Is there any middle ground on this issue so that at the same time the state still has this competing advantage against legal usage of spyware in order to prevent crime or terrorism and at the same time to calm the people down so they’re not using it indiscriminately, for, you know, tracking journalism journalists, activists and other parties? 

00:08:51 Aljoša Ajanović Andelić  / EDRi 

Well, that’s a very good question. So first of all, I would like to start by saying that when it comes to this type of spyware—so we’re thinking Pegasus, Graphite, and all these intrusive spyware that can gain control of your device, see all its historical logs, but also see where you are, activate your phone, activate your camera and so on—for this type of capabilities, we as a digital rights organization struggle to see how this can be compliant with human rights at all.  

To break down one human right, such as the right to privacy, you need to make sure that what you’re doing is necessary and proportionate. And this type of capability is completely unable to be proportionate because once they access your phone, they can access everything. So not just the conversations, let’s say, that can be necessary to get to know the activity of someone contacting criminal activity—so to say, it’s not accessing just that. It’s accessing the whole of the phone without any limitations. And what’s more worrying, without any log for that. So we don’t know. It leaves no traces on the phone most of the time. It tracks the proof that it has been inside that phone, and also we don’t have any logs of which information has been extracted, where it went, and so on and so forth.  

So starting from this pre