Meta Executive surveilled by Greece

According to documents obtained by the New York Times and officials who spoke to the paper, Artemis Seaford, a Trust and Safety Manager for Facebook's parent company Meta had her phone tapped by Greece’s National Intelligence Service EYP and infected with Predator spyware.

Artemis Seaford, an American with dual Greek nationality, lived for part of her time in Greece while working for Meta between 2020 and 2022. Her job involved work on policy issues around cybersecurity and brought her into contact with Greek and other European politicians.

The fact that the official wiretap and the infection with Predator malware were happening simultaneously “indicate that the spy service and whomever implanted the spyware … were working hand in hand,” said the paper.

Greece’s National Intelligence Service EYP has previously admitted monitoring calls of 15,475 people it refused to identify, claiming the surveillance was conducted for “national security” reasons.

According to the report, Seaford’s phone was infected with Predator spyware in September 2021, some time after the official wiretap had started. The mode of infection appears to rely on access to official data. Seaford had made an appointment for a Covid-19 booster through the official Greek government vaccination platform.

As expected, Seaford received an automated SMS with details of her appointment. Five hours later she received another text, apparently from the state vaccine agency asking her to confirm the appointment by clicking on a link that looked like it was associated with the official vaccination platform. That, according to the New York Times, was the means by which her phone was infected, putting all the data on it – including conversations, texts, videos, messages and personal information – in the hands of the EYP.

The New Democracy government of Prime Minister Kyriakos Mitsotakis, has been the subject of a long-running surveillance scandal that broke with news in 2022 about the EYP’s prolific phone surveillance of journalists, politicians and other public figures, has repeatedly denied using Predator.

Government spokesman Giannis Oikonomou told the paper in an email that, “The Greek authorities and security services have at no time acquired or used the Predator surveillance software. To suggest otherwise is wrong.”

Had Artemis Seaford not seen her name on a list of surveillance targets leaked to the Greek media at the outset of the scandal in late 2021, she might never have known that she had been affected. She took her suspicions, and her devices, to the University of Toronto’s Citizen Lab for further investigation. Their timeline has now been submitted to a Greek prosecutor.

Citizen Lab’s report, which was reviewed by the New York Times, assessed that, based on analysis of Seaford’s mobile phone, her device had been infected with Predator in September 2021, two months – before the surveillance scandal broke out,

Sources who spoke to the paper apparently confirmed that an EYP wiretap had begun in August 2021 and lasted through into early 2022.

Seaford has filed a suit in Athens trying to find out who was behind the bugging and hacking, which requires prosecutors to open an investigation. But a change in Greek law brought when the surveillance scandal broke means she would have to wait three years to find out why she was bugged.

“I do not know why I was targeted, but I cannot see any reasonable national security concerns behind it,” she told the New York Times.

“Targets of abusive surveillance should have the right to know what happened to them and have means of redress just like every other crime… My hope is that my case and others like mine will not just be instrumentalized, shut down to avoid political cost for some, or, conversely, elevated for the political gain of others,” she said.

As the New York Times notes, this disclosure represents the first known instance of an American citizen working for a global corporation being targeted by a state agency in a European democracy using Predator spyware.

Calls for Europe-wide ban

While the domestic ramifications of spyware use in Greece have been dramatic, the European Parliament’s PEGA committee has been investigating the use of similar software by and in other EU member states. EDRi, the European umbrella organisation for digital rights organisations, has called on the committee to recommend an outright ban on such software across the Union.

The committee has found that spyware was used against top politicians across the bloc, including French President Emmanuel Macron and Spain's Prime Minister Pedro Sánchez. Rapporteur Sophie in’t Veld has said she wants to see a moratorium on spyware and then adoption of EU-wide safeguards on the use of such tools

“No safeguard can mitigate the human rights violations spyware tools entail. Therefore, we strongly encourage the PEGA Committee to call for a ban on spyware technologies,” the association said.

Even though the likelihood of the EU imposing a ban is unlikely, it is .. very important to call for the most rights and freedoms-protective option,” EDRi Policy Advisor Chloé Berthelemy told Blueprint for Free Speech.

“The political momentum is there, violations of people's rights are grave, already calling for a middle-ground solution runs the risk of being further watered-down or ignored by Member States,” she said.

The PEGA committee has not received full cooperation from every government it has sought answers from. Notable among those are Greece and Hungary, which has been the subject of strong criticism from committee Chair Jeroen Lenaers MEP.