The rise of surveillance apps such as mSpy, FlexiSPY, and Hoverwatch creates a new privacy threat for citizens and public institutions. Marketed as “parental control tools,” these apps can be used for covert communications monitoring, often violating Cypriot and EU law.

Recent concerns have surfaced over government employees using official @gov.cy email accounts to access or even purchase spyware tools. This practice breaches disciplinary rules under the Public Service Law. It may also constitute a criminal offence, which prohibits the interception of private communications and the possession of surveillance software without lawful authorisation.

“Spyware is not just a private risk; when government employees misuse official emails for such tools, it becomes a matter of national security and public trust,” said Criton Tornaritis, Founder of deleteme.com and Managing Partner at Tornaritis Law, tornaritislaw.com. “Our mission is to give visibility into these risks and actively help individuals and institutions to scan and clean their digital footprint.

Monitoring software, often marketed as parental control tools, has become easy to buy and install in the digital age. Popular examples include:

• mSpy

• FlexiSPY

• Spyzie

• Hoverwatch

These platforms promise tracking calls, texts, GPS, and social media activity. However, while the marketing may look harmless, its use by government employees, primarily through official email accounts, creates serious legal, ethical, and security concerns.

The Legal Framework in Cyprus

1. Secrecy of Communications

   • The Constitution of the Republic of Cyprus guarantees the secrecy of correspondence and communications.

   • Any interception or surveillance is only lawful with specific judicial authorisation.

2. Law for the Protection of the Confidentiality of Private Communication

   • Criminalises illegal interception and the possession, distribution, or use of surveillance devices/software.

3. GDPR & Cyprus Law

   • Any covert collection of personal data (emails, messages, location) violates GDPR’s lawfulness, fairness, and transparency principles.

   • Cyprus law provides for administrative fines and criminal sanctions for serious breaches.

4. Public Service

   • Using official government emails for private spyware purchases or communication is a disciplinary offence.

🔍 How Cyber Deleteme Identifies Spyware Risks

Cyber Deleteme division provides data broker removals, breach monitoring, and compliance-ready reports to protect individuals, families, and institutions from data misuse and surveillance threats.

At Cyber Deleteme, we specialise in detecting and analysing spyware-related risks, including cases where government employees may be exposed. Our scanning process includes:

1. Email & Domain Monitoring

   • We scan for government email addresses (@gov.cy) appearing in spyware-related transactions, leaks, or dark web marketplaces.

2. Infostealer Log Analysis

   • Spyware often harvests credentials and uploads them to underground forums. We analyse infostealer databases to identify whether official accounts appear in these logs.

3. OSINT & Broker Intelligence

   • Continuous monitoring of open-source intelligence (OSINT) and data brokers to flag employees linked with spyware purchases or accounts.

4. Risk Scoring & Alerts

   • Each identified exposure is given a risk score (low/medium/high), highlighting if:

     • Government resources were used,

     • Data was exfiltrated abroad,

     • A breach of legal obligations (Law 92(I)/1996, GDPR) is likely.

5. Compliance Reports

   • Findings are compiled into reports suitable for disciplinary proceedings, regulatory notifications, or legal action, ensuring accountability and remediation.