ARGUMENT: REGULATING COMMERCIAL SPYWARE

The Scourge of Commercial Spyware—and How to Stop It

Published 31 August 2023

Years of public revelations have spotlighted a shadowy set of spyware companies selling and servicing deeply intrusive surveillance technologies that are used against journalists, activists, lawyers, politicians, diplomats, and others. Democratic nations (thus far) lag behind the United States in executing spyware-related policy commitments.

The past year has been a politically challenging one for the spyware industry. Years of public revelations have spotlighted a shadowy set of spyware companies selling and servicing deeply intrusive surveillance technologies that are used against journalists, activists, lawyers, politicians, diplomats, and others. Most notorious among them, of course, is Israel’s NSO Group and its Pegasus spyware, though it is by no means alone.

David Kaye and Sarah McKune write in Lawfare that in turn, the United States and others have increasingly come to view commercial spyware as not only a human rights risk but also a national security threat. They are acting accordingly, with the United States blacklisting bad actors and partnering to develop national, regional, and global efforts to counter commercial spyware. The Biden administration has imposed domestic constraints on the spyware industry, and 10 other governments joined the United States during the Summit for Democracy this year in recognizing “the threat posed by the misuse of commercial spyware and the need for strict domestic and international controls on the proliferation and use of such technology”—despite the fact that they (thus far) lag behind the United States in executing spyware-related policy commitments.

Kaye and McKune write:

What’s next for global regulation of the spyware industry? A moratorium remains an important way forward, a stopgap measure at a time of ongoing global abuse and intimidation, but in fact, we do not believe there is one silver bullet that will eliminate the threat spyware like Pegasus poses to human rights and national security.

Some work has made and continues to make a major impact: the reporting of human rights organizations and journalists, continued engagement by UN human rights experts, lawsuits by victims and corporate actors like WhatsApp and Apple, investigations by legislatures, restrictions and blacklists imposed by governments, and emerging multilateral conversations. Identifying key features of transparency and accountability, as done by Ní Aoláin, will allow the international community to identify technologies that are regulable, consistent with human rights law, and those that are not. Government transparency, oversight and accountability, and effective pathways to remedy must be part of the regulatory ecosystem, at national and international levels, but so must the question of whether private-sector involvement itself must be ended or at the very least subject to the narrowest boundaries. It is also critical that those governments that committed to take action at the Summit for Democracy actually do so—to establish their promised “robust guardrails” on use, prevent export to malicious actors, and “drive reform” internationally, among other things.

Ultimately, the global community sees the extraordinary abuses facilitated by the spyware industry and perpetrated by its clients. A global regime of control and accountability, driven by human rights standards and with which governments find it in their best interests to comply, must be the endgame.