The surveillance scandal made headlines but did not hurt the Greek government at the ballot box. Experts say this reflects a general ambivalence about privacy violations in the digital era.
Whatever information Thanasis Koukakis had been sharing with his readers, it was not quite enough. Someone wanted more. Twice in the space of two years, the financial journalist’s phone calls were intercepted. Koukakis found out about the first breach in July 2020, when he was handed a couple of transcripts of his calls. One of them documented an exchange with the then-correspondent of the Financial Times newspaper, who had collaborated with him. The conversation had taken place while Koukakis was waiting to collect his daughter from school. Where the exchange was drowned out by children’s voices, the transcript had been marked with the word, “unintelligible”.
Koukakis acquired the transcripts at a meeting with a whistleblower. Athens was between lockdowns at the time, and the face-masks worn to the meeting heightened the cloak-and-dagger atmosphere. Koukakis says he was initially furious to find that his privacy had been violated – but then his professional instincts kicked in. “I told myself, okay, this is the beginning of a great journalistic investigation.”
The surveillance of Koukakis’ phone turned out to be the tip of an iceberg whose scale only began emerging last summer, as the government of Prime Minister Kyriakos Mitsotakis was swamped with claims that it had spied on the phones of journalists, opposition politicians, oligarchs and top state officials. The cascade of allegations, likened in the media to Watergate, offered up an image of a government caught in the act of flouting democratic norms – undermining privacy, press freedom and the rule of law. The government dismissed, or distanced itself from, many of the claims. In the run-up to elections, it would downplay the importance of surveillance and privacy concerns, arguing that voters grappling with rising inflation and energy costs would judge it primarily for its handling of the economy.
On May 21, it was proven right. Mitsotakis’ centre-right New Democracy party trounced its opponents at the ballot box, securing more than 40 per cent of the vote. It is now expected to gain an outright majority in a second round, scheduled for June 25. The government’s success has been attributed to voters’ distrust of the leftist Syriza opposition, as well as their faith that the post-crisis economic recovery will deliver broad societal benefits. The surveillance scandal may not have helped the prime minister, but nor has it particularly hurt him.
Why did so many Greeks choose to stick with Mitsotakis? “It’s the economy, stupid,” said Tasos Telloglou, a journalist who has led the reporting on the surveillance scandal for Inside Story, an investigative outlet. “The economic rebound that began in 2018 has accelerated under this government.” Moreover, he said, Greeks tended not to view surveillance as an electoral issue. “People think it doesn’t concern them, they think it is inherent in the nature of political power. A large part of the electorate is more interested in the content of what is being revealed through the surveillance rather than the actual practice.”
During the Covid era, the Mitsotakis government was accused of sharing the data of Greek citizens without adequate safeguards, when it signed hasty deals with Silicon Valley tech giants in order to maintain public services during lockdown. The accusations – rejected by the government and tech giants – made little impact in the public sphere.
Similarly, there was little interest from the public or press when it first emerged that the government had been spying on journalists working for small or international outlets. The media began talking of a “Greek Watergate” only as the scandal spread, ensnaring prominent figures from business and politics.
In an era when more than half the global population has a social media account, ambivalence about digital surveillance is hardly unusual. The Greek government too, is far from alone in turning to tech giants to help it manage the vast troves of data generated by the public sector. One of the firms that it contracted, Palantir, also signed an agreement with the UK’s publicly funded National Health Service, NHS.
Modern Greece was established on the ruins of a police state. The country’s democratic constitution was adopted nearly 50 years ago, after the collapse of a right-wing military junta that spied on anyone it suspected of dissent. Critics say some of these tendencies have survived the transition to democracy. The current prime minister’s father, Konstantinos Mitsotakis, narrowly avoided a court summons over the wiretapping of political opponents and journalists while he was prime minister in the early 1990s. During the 2004 Athens Olympics, the phones of scores of prominent people – including the then-prime minister, his family members, and the mayor of Athens – were tapped for several months. The surveillance was reportedly carried out at the behest of US intelligence in what was also labelled a “Greek Watergate” by the press at the time.
While Greeks have learnt to be wary of the spy state, this suspicion does not extend to contemporary forms of espionage involving tech firms and the bulk sharing of data, according to Minas Samatas, an emeritus professor of sociology at the University of Crete and an expert in his country’s history of spying on its citizens. “We have a legacy of authoritarian surveillance in Greece,” he said. “Greek citizens are afraid of the police and state agencies’ surveillance, but are nevertheless relatively apathetic or indifferent to corporate surveillance, or data-veillance.”
‘A hundred missing pieces’
The role of the state in the latest surveillance scandal is not always clear cut. As Koukakis suspected, the transcripts of his phone calls had been generated through an official wiretap. A story published by Reporters United, a Greek investigative outlet, would eventually reveal that his phone had been surveilled for roughly two months in 2020 through traditional methods – at the behest of the state security agency, and on the basis of a court warrant submitted to a telecoms operator.
However, the second attempt to spy on Koukakis’ phone would dispense with these formalities. In the summer of 2021, his phone was infected with a high-tech spyware known as Predator, according to an investigation by Inside Story published in April last year. Predator is an eavesdropping tool that has pitched itself as a competitor to Pegasus, the boutique spyware favoured by repressive regimes worldwide. The makers of Predator claim it can scan the data stored on an infected smartphone and effectively turn it into a listening device. For the state institutions that remain the primary clients of such high-end spyware, the technology offers advantages over the traditional wiretap. It can be deployed speedily and with minimal oversight, bypassing courts and telecoms operators, while providing its clients with a level of deniability.
At the start of last summer, the surveillance scandal was confined to two Greeks, both of them journalists. Alongside Koukakis was Stavros Malichudis, an Athens-based reporter for the Solomon website and BIRN contributor, who had found out in November 2021 – via a left-leaning newspaper, EfSyn – that his phone was being tapped by the security services.
The story made ripples within the journalists’ communities – a cluster of independent media start-ups, many of them doing investigative work, that has sprung up on the post-crisis landscape. However, there was little interest from the mainstream press – including TV, tabloids and the last of the surviving broadsheets. Surveillance only became a big story last summer, when the leader of an opposition party revealed that his phone had been targeted with spyware. The attempt to install Predator on the phone of Nikos Androulakis, the president of the centre-left Pasok party, had come to light after a random check by technicians at the European Parliament, where Androulakis had been sitting as an MEP. In the coming months, the list of prominent names targeted by spyware or officially authorised wiretaps would grow, encompassing ministers, state officials, journalists and powerful business figures.
The Greek government has consistently denied any link to spyware such as Predator, suggesting that rogue elements were to blame for its use. “No Greek public authority has the slightest connection with any kind of illegal malicious spyware,” a spokesman told journalists last year. The government also pointed out that it has passed laws banning the sale, use and possession of spyware, re-structured its intelligence services and upgraded its privacy protocols.
Under scrutiny however, Prime Minister Mitsotakis would admit last year that Androulakis’ phone had been the target of a traditional wiretap by the national intelligence service. He described the operation as lawful but wrong, and insisted that he had been unaware of it. His critics accuse him of ducking the blame. The intelligence service, known by its Greek acronym, EYP, was brought under the direct control of Mitsotakis’ office in 2019. In the cascade of revelations triggered by Androulakis’ claim, the boss of the EYP and the prime minister’s chief of staff would lose their jobs.
While the government has maintained that the EYP stuck to conventional wiretap methods and never used Predator, its critics dispute this, pointing out that the list of individuals targeted in the official wiretaps – such as Koukakis and Androulakis – often overlapped with those later targeted by Predator. The government has also been accused of thwarting a parliamentary inquiry into the spying revelations, after it blocked crucial witnesses from testifying. The inquiry ended in a stalemate last October, with opposition parties and government submitting completely contradictory conclusions. New Democracy said the hearings proved that had no link had been found between Predator and the EYP.
Officials in Brussels say that the evidence gathered so far appears to implicate elements within the administration. “Everything is pointing in the direction of people within government circles,” said Sophie in ’t Veld, a Dutch MEP and rapporteur of the European Parliament’s committee investigating the use of spyware in the EU. “There are still a hundred missing pieces, but you can see the image.”
‘False logic’
If the surveillance scandal reflects an outright assault on privacy, the Covid-era tech contracts allude to a slower, less spectacular process – a steady erosion of privacy safeguards. Unlike the surveillance scandal, the story of the Covid contracts lacked cross-over appeal – it never went mainstream. The arcane details of Greece’s secretive deals with tech giants only seemed to interest small investigative outlets.
Greece has long been an EU tech laggard, featuring near the bottom of the bloc’s rankings for the digitisation of public services and e-government. Many public records, including the land registry, are still incomplete. Greeks also have to use a variety of identification numbers in their dealings with the state, and the legal system is among the slowest in Europe. The Mitsotakis administration, touting its technocratic credentials, secured funding from the EU to lead the Greek state into the era of e-government.
When the pandemic broke out, the government turned to Silicon Valley, signing hasty contracts with tech giants to help enforce lockdowns and shift essential services online. Marios Katsis, an opposition MP with Syriza, said the government had operated “on the margins” of acceptability in its approach to data protection and privacy. “Using the pandemic as a pretext and catalyst, it secretly concluded fast-track contracts,” he said, without meeting “the requirements for the protection of personal data.”
One of the contractors was Palantir, the controversial US firm that provides software for analysing “big data” to its clients in intelligence and law enforcement. Palantir agreed to help gather and analyse data that would support the government’s response to the pandemic – at no cost and for a fixed period. The agreement was not registered on the public procurement system – the government said this was because it was a “zero-cost” contract. Nor was the deal subject to an impact assessment study to ensure that it adhered to the EU’s privacy directives.
In fact, Palantir’s presence in Greece only became public in November 2020, some eight months after it signed the contract. Greeks would discover that Palantir had been operating in their country from a tweet sent by the-then US ambassador, listing the US companies that had been helping the Mitsotakis administration manage the pandemic.
When the government was eventually forced to publish the contract in January 2021, after it had expired, it turned out to be a mere two pages long. Analysis by the Athens-based digital rights group, Homo Digitalis, found that the original contract had been revised one week after it was signed to remove any reference to the need to “pseudonymise” the data. Lawyers from the group argued that this revision could lead to a breach of the EU laws, known as GDPR, that govern the use of the personal data of individuals living within the bloc.
“The problem starts when you choose a company like Palantir and you do that by signing a two-page long contract,” said Stefanos Vitoratos, the vice-president of Homo Digitalis. Vitoratos said he was particularly concerned about the possibility that Palantir’s platform could be linked to data harvested from a text message service that was introduced by the government to enforce the lockdown.
Ilia Siatitsa, a senior legal officer at Privacy International, a global privacy watchdog, said the Greek government had opted to collect huge amounts of data as part of its strict lockdown measures, without providing adequate safeguards. “We moved to a false logic that the more data you give, the better it is.”
In fact, the haste and lack of transparency with which the contracts were concluded have made it difficult to establish whether, and to what extent, any rules governing the use of personal data may have been violated. The Ministry of Digital Transformation said Palantir only received access to open source data concerning areas such as traffic and energy usage, as well as anonymous statistics and demographic information. The ministry said Palantir only had access to the data that the state had chosen to provide and all the shared data were destroyed when the co-operation with the firm was concluded. Moreover, the government said, none of the data gathered through the lockdown text message service were stored.
Palantir has said its role was limited to processing “open-source pandemic and high-level Greek state-owned demographic data” that was “directly relevant to managing the Covid-19 crisis”, in a statement issued in response to an investigation by Lighthouse Reports and The Guardian.
Integrity questioned
In the early days of the pandemic, the Greek government also signed a contract with Cisco, the Silicon Valley conglomerate responsible for much of the networking hardware that drives the internet. As a result of this agreement, hundreds of thousands of Greek schoolchildren were able to attend online classes via Cisco’s video-conferencing platform, Webex.
As with Palantir however, the Cisco contract was not registered on the public procurement system. It was only published some ten months after it had been signed, following pressure from opposition parties and teaching unions. And as with Palantir, the contract was approved before it had passed an impact assessment to establish its compliance with privacy laws.
After the contract was eventually published, privacy experts identified several areas that seemed to pose a conflict with Greece’s obligations under GDPR. These included a vague-seeming clause that permitted Cisco to hold onto data for seven years following the expiry of the contract. According to the experts, the clause did not adequately specify the type of data involved.
Albert Fox Cahn, the executive director of the US-based non-profit, the Surveillance Technology Oversight Project, STOP, said he was also concerned by the contract’s provision of “de-identified” telemetry data – a system used to gather information about the reliability and performance of a service, minimizing any metadata tied to a specific person. “This sort of information can easily be re-identified, giving a very invasive portrait of individual’s lives,” he said.
Cisco has emphasised that its data are collected and stored in compliance with EU laws. The company said it does not share data in any way or use it for commercial purposes, and nor does it conduct “profiling” that could lead to individuals being identified.
The contract was the subject of an investigation by an official regulatory body, the Data Protection Authority, DPA. The Authority’s November 2020 report highlighted several breaches, including a failure to adequately inform the end-users of the service – the teachers and children in Greek schools – about how their data would be used. The Authority urged the Ministry of Education to comply with the law. The government responded by challenging the integrity of the DPA and threatening it with a judicial review.
Last November, the DPA revisited the case. It praised the ministry for having complied with the bulk of its recommendations.
Official inquiries into the Covid-era tech contracts and the surveillance scandals have wound down without drawing blood. With Mitsotakis all but assured of a second term in office, the extent of privacy violations during his first term remains hazy. Inside Story journalist Tasos Telloglou said he expected the violations to continue, carefully working around any additional curbs.
“There will be extra safeguards on surveillance issues, but those who violate secrecy will be aware of those [safeguards],” he said. “Their golden rule will still be: catch me if you can. The question is: can we catch them?”