David Kaye teaches law at the University of California at Irvine School of Law and previously served as the U.N. special rapporteur on freedom of expression. Marietje Schaake is International Policy Director at Stanford University’s Cyber Policy Center, president of the CyberPeace Institute and a former member of the European Parliament.
For years, the global spyware industry has operated in the shadows, exposed only by human rights organizations and journalists. The industry claims it’s in the business of fighting crime and terrorism. But its members often sell to governments that equate “criminal” and “terror” with “critic” and “dissent.”
Over the weekend, a global consortium of news organizations, including the Post, joined Forbidden Stories, a Paris-based journalism nonprofit, to reveal how hollow the claims of fighting crime and terror are. The consortium reports that Israel’s NSO Group has sold its marquee spyware, Pegasus, to clients that have deployed it against the very pillars of democratic life: press freedom, the presumption of innocence, privacy, and freedom of expression and association.
Pegasus, like other tools, turns the phones of journalists, opposition politicians and peaceful activists into real-time spying devices. A leaked list of phone numbers identified as targets for the spyware includes hundreds of journalists and politicians from Hungary, India, Mexico, Morocco and elsewhere.
Hundreds of companies globally are vying for a piece of the lucrative private surveillance pie. Some enable intrusions into one’s phone or tablet. Others develop tools for computer surveillance, for malicious uses of facial recognition, for direct access to Internet traffic, and user data and communications.
They sell and service their products for government clients without regard to those governments’ patterns of repression, and without proper or transparent due diligence.
We are on the precipice of a global surveillance tech catastrophe, an avalanche of tools shared across borders with governments failing to constrain their export or use.
The international community should take action to constrain the global spyware industry. The effort should include the following.
First, governments should implement a moratorium on the sale and transfer of spyware technology until a global export regime can identify and place these tools under global restraint.
During this pause, governments should negotiate a regime that, among other things, carefully defines the technologies at issue; requires transparent human-rights assessments for the development and transfer of any such tools; involves a public registry of tools, companies and clients; and enables public comment in the case of any application for export.
If a global regime fails to be ambitious enough, democratic nations should agree to ban spyware — both its domestic use and its export.
The European Union recently took a modest step toward regulating the trade in surveillance technologies, not only for the risk to national security, but also to human rights.
But the fact that Viktor Orban’s government in Hungary is revealed in the Pegasus Project as one of NSO Group’s clients shows why only addressing the trade in these spyware systems is not enough. It is, after all, hypocritical for European leaders to seek curbs in the trade in spyware systems when Europeans sell the methods of choice. It is even harder to be credible when the latest spyware systems are used in the E.U. to track dissent.
The double standard on the part of Israel is particularly striking. The country is home to NSO Group as well as other spyware companies, including Candiru, which Microsoft last week accused of selling tools to hack into Windows.
It is essential that Israel reins in its spyware sector and joins democratic nations in pushing back against the proliferation of technologies that operate like commercial intelligence services.
Second, export control is not the only tool available to constrain the spread of spyware. Governments using these technologies must put in place transparent, rule-of-law based requirements for any use of spyware. Any government that fails to develop such requirements — or that has a pattern of abuse — should be on a global no-transfer list. Democracies and authoritarian states will probably part ways quickly.
Third, the victims of spyware must be granted the ability to sue governments and companies involved in the surveillance industry. The persistence of transnational repression is such that individuals often are harmed by actors operating beyond their borders, but domestic law often presents barriers to accountability. Those barriers should be removed.
Finally, the companies themselves need to be subject to multi-stakeholder constraint. The NSO Group claims to adhere to the United Nations Guiding Principles on Business and Human Rights, a global standard for corporate human rights practice. But it does not subject its policy to any independent scrutiny.
Taking a page from the effort to restrict the private mercenary industry, the international community should work toward a global code of conduct and stop the proliferation of spyware for repression.
The new revelations about the reach and harms of NSO’s Pegasus software are the latest, and hopefully final, wake-up call to rein in the private spyware market.