‘No Safe Haven’: Commercial Spyware’s Global Reach

Photo by Bernard Hermant on Unsplash

By Samuel Woodhams

New revelations about the global proliferation of commercial spyware and how it has been used to target journalists have recently emerged. In September, 2021 several news outlets reported that intelligence officials in Hungary and Rwanda successfully infected journalists’ phones with Pegasus—NSO Group’s highly sophisticated and invasive spyware technology. The news followed the July release of the Pegasus Project, a transnational investigative journalism project spearheaded by Forbidden Stories, which reported that 180 journalists globally were possible targets of surveillance by government clients of the company. The technology enables users to monitor a target’s phone calls, location, and photos. It can also remotely activate a target’s camera or microphone, turning the device into a listening and recording device. This type of attack is a journalist’s worst nightmare: not only is it a shocking invasion of privacy, but it puts the journalist, their loved ones, and their sources in danger.

In a recent report I authored for CIMA, Spyware: An Unregulated and Escalating Threat to Independent Media, I documented not only the threat spyware poses to individual journalists globally but also how its use creates a broader chilling effect within society and generally impedes the development of a robust, pluralistic, and independent news media ecosystem. How authoritarian and illiberal governments abuse this technology is well-documented. But what often gets left out of the discussion are the ways liberal democracies prop up and even legitimize the commercial spyware industry.

Liberal democracies are legitimizing an unregulated industry by  purchasing spyware from companies such as NSO Group and approving the international export licenses of domestic companies that manufacture similar technology. The role democratic countries play in facilitating the growth of spyware firms reduces the likelihood that meaningful international regulations would curtail the industry. Democratic governments are enabling the spyware industry by failing to implement domestic policies that would rein in export of the software and therefore curb its potential abuse. This undermines their commitments to supporting press freedom and independent media globally.

The Growing Suppression of Independent Media

The proliferation of commercially available spyware has allowed intelligence agencies around the world to monitor journalists both domestically and abroad in a bid to control the free flow of information.

On September 16, Peter Verlinden, a journalist based in Belgium, was confirmed to have been targeted by Pegasus software. Verlinden worked for Belgium’s public broadcaster for over 30 years covering Rwanda and the wider Central African region before becoming an independent journalist. According to Belgium intelligence agencies, the hack “was very likely initiated by Rwanda.”

Using hacking software to spy on individuals abroad is certainly not unique to Rwanda. In large part, it is enabled by the fact “there is no international law that governs the use of this technology across borders,” says former UN Special Rapporteur on Freedom of Expression David Kaye. For Kaye, this represents a new form of transnational repression, and its impact is exacerbated by the fact that, in the absence of effective legal recourse, victims are often left with no tools to defend themselves.

Spyware knows no borders; it has expanded the reach of malicious actors, allowing them to target their opponents wherever they are. This is a transnational issue, and it requires a transnational response.

Liberal Democracies’ Involvement in the Spyware Industry

In September, Deutsche Welle reported that the German Federal Criminal Police Office had been using NSO Group’s spyware since March 2021. They purchased the software despite lawyers’ objections that its capabilities far exceeded what was allowed under German privacy laws. Similarly, in 2020, the Spanish government was accused of using NSO Group’s technology to monitor several politicians in the country. According to one former NSO employee, the Spanish government had been an NSO customer since 2015.

Liberal democracies not only purchase spyware on the private market, but they also support domestic companies that manufacture and export similar technology abroad. Spain, for example, is home to the spyware firm, Mollitiam Industries. The company was permitted to sell their technology to the Colombian armed forces, who were subsequently accused of using it to track down journalists. Similarly, Germany’s FinFisher has been accused of selling their spyware to Turkish officials who also used it to surveil members of the media.

By purchasing and allowing the sale of spyware on the unregulated private market, democratic governments legitimize the industry and help create conditions enabling the misuse of the technology. Their activities risk setting an international precedent that views spyware as a vital tool for any modern intelligence agency with few safeguards to prevent repressive governments from using it in illiberal ways.

International Response and the Future of Regulation

Human rights experts, politicians, and elected leaders within the European Parliament, European Commission, and United Nations have all called for a global moratorium on the export and use of spyware. It is a position supported by countless advocacy organizations, including Privacy International, Amnesty International and Reporters Without Borders. However, regulating the sale and use of spyware has proven difficult because nearly every state has a stake in the industry, whether they purchase spyware on the private market, use it domestically, or facilitate its export.

Citizen Lab’s Bill Marczak has suggested that well-regulated law enforcement agencies that purchase and use spyware should “be working on moving the spyware market towards more ethical practices, such as by passing a supranational or international agreement preventing engagement with surveillance companies that don’t meet certain standards.” Doing so may help prevent its misuse and promote best practice within the industry.

The use of spyware to monitor journalists is a pressing and growing global issue. To help mitigate the risks the technology poses, it is vital to consider the global structures of production and dissemination that facilitate its proliferation. Doing so often means acknowledging the crucial role democracies play within the industry. It also shows that if democratic governments want to maintain their support of independent media globally, they will need to play a significant role in challenging and regulating the market, even if this is not in their immediate self-interest.

Samuel Woodhams is a digital rights researcher and freelance journalist based in London. He focuses on the intersection of surveillance technology, human rights, and democratic governance. He has written for WIRED, Quartz, Al Jazeera, and CNN on issues of digital privacy, censorship, and surveillance. He also conducts research at Top10VPN, an internet research company. His research has been featured by the BBC, Reuters, The Washington Post, the Financial Times, and The Guardian. In 2020, Samuel published a peer-reviewed article in the Georgetown Journal of International Affairs on China’s role in the rise of digital authoritarianism in Africa. Samuel holds an MSc in empires, colonialism, and globalization from the London School of Economics.

Blog Post

Comments (0)

Leave a comment