WE DON’T know for certain that Saudi Crown Prince Mohammed bin Salman hacked into Post owner and Amazon founder Jeff Bezos’s iPhone by sending him malicious code on WhatsApp, though a contracted cybersecurity consultancy has concluded as much with “medium to high confidence.” We do know, however, that spyware sold by private companies has been responsible for similar intrusions — and that the world has done far too little to shed light on the shadowy industry that sells these tools.

Once upon a time, high-tech surveillance was out of reach for all but the most sophisticated countries. Now, almost any government that wants to penetrate citizens’ (or noncitizens’) most sensitive communications can do so, simply by buying one of the more than 150 tools available on the market. These products can be used for tracking down terrorists domestically or for spying on enemies abroad. But they can also be used for stamping out dissent, blackmailing business executives or many other nefarious ends.

There’s NSO Group in Tel Aviv, whose Pegasus software has been harnessed by Saudi Arabia, Mexico and other governments to target hundreds of civil society organizers around the world. There’s DarkMatter in Abu Dhabi, which transformed a human rights defender’s baby monitor into an eavesdropping device. There’s the Anglo-German Gamma Group, whose FinSpy program in 2012 transmitted the communications of an Ethiopian dissident back to that country’s then-ruling regime — along with the Web searches of his young son. There’s Hacking Team in Milan, which reportedly has the capability to carry out an attack of the sort Mr. Bezos may have suffered.

NSO Group claims it only sells its technology to countries with acceptable records on civil liberties that seek the tool for criminal investigations. Yet not only has NSO furnished authoritarian regimes with its product anyway; it has also looked the other way when governments go after dissenters — and even aided them. At least NSO claims to have a policy; other companies don’t even pretend. Similarly, while some countries have imposed export controls on spyware purveyors, many licensing regimes are too opaque to do much good. And other countries have done nothing.

U.N. special rapporteur David Kaye this summer urged a global moratorium on the sale and transfer of spyware until the international community devises a regulatory framework. That’s the correct approach. Governments should require vendors to certify that clients pass human rights muster, and that they don’t abuse a tool after purchase. A body of independent reviewers, in turn, should certify that the companies are living up to those obligations.

The world has a spyware proliferation problem. Democracies that work together to stem the flow won’t stop countries such as China from exporting surveillance systems to despots around the world. But doing so will at least tell those who care about civil liberties that this abuse is the exception, and not one that should be tolerated or condoned.
