As abusive uses of spyware continue to proliferate, countries such as the United States, the U.K., France, and Costa Rica have led several high-profile initiatives to respond to the threat. Alongside these efforts has been important work by regional organizations and United Nations entities. At the heart of all of these efforts is an emerging understanding of the existential risk spyware poses to democracy, human rights norms, and civil society.
The “Pall Mall Process,” which emerged from the U.K.-France Cyber Initiative, is the most intriguing of recent developments. An international initiative led by France and the U.K., it has brought in other countries, the private sector, and civil society to “tackl[e] the proliferation and irresponsible use of cyber intrusion capabilities.” Pall Mall reflects an emerging consensus among key States that inaction on spyware is no longer an option for democracies, and that the costs of misuse – both for the rule of law and for national security – are untenable.
Several thoughtful assessments of the Pall Mall Process highlight gaps, most notably the narrow focus on “commercially available” spyware which, by its very nature, fails to grapple with irresponsible use and proliferation by governments, as well as the vast expenditures of money supporting the development of spyware capacity with few restraints on design or export.
But the key question now, and particularly for a new British government, is how it and its French counterparts might assume more robust leadership with respect to global spyware regulation. If Pall Mall is not to be consigned to the scrap heap of talking points, France and the U.K. must become advocates for national regulation and regional and global coordinated action. In doing so, they can learn from the United States, which has leveraged a mix of targeted sanctions and export controls to restrict the reach of certain commercial spyware technologies.
Spyware Abuses and the Pall Mall Process
Thanks to investigations by advocacy groups such as Citizen Lab, Amnesty International, and others, it is indisputably clear that spyware technology has been opportunistically deployed, under the cover of national security, to target journalists, human rights defenders and opposition politicians, and on a scale that defies belief. Alongside these galvanizing concerns, countries will also be mindful of the risk that these technologies pose to their own security, should they continue to proliferate, including into the hands of recalcitrant governments, criminals, and U.N. designated terrorist organizations.
The question is: what more can countries like France and the U.K. do, building on their first commendable step in the form of the U.K.-France Cyber Initiative? It is crystal clear that the spyware scourge needs global, comprehensive, and broad-ranging regulation. An additional question is: how can this Anglo-Franco partnership on spyware be leveraged to help the European Union build on the comprehensive Pegasus report of the European Parliament and more firmly bring into focus for its members the importance of regulating spyware in a comprehensive and practical way domestically?
The Pall Mall Process culminated in a February 2024 London conference, and brought together an unusual mix of twenty-five States as well as the African Union and the Gulf Cooperation Council, a political, economic, and social union between six countries in the Middle East. Like Costa Rica’s call for a moratorium on the sale, use, and transfer of spyware, Pall Mall’s goal is to bring groups of States together to focus on collective action and build a network of governments united in their willingness to act. While Pall Mall has potential, it has yet to produce concrete results.
A unique feature of Pall Mall is that it also brought together industry (BAE Systems, Google, Meta, and Microsoft), civil society, and academics. The Process advertised its goals as “establish[ing] guiding principles and highlight[ing] policy options for States, industry and civil society in relation to the development, facilitation, purchase, and use of commercially available cyber intrusion capabilities.” The declaration explicitly recognized the indispensability of oversight, precision, transparency, and accountability, terms that have long been absent from regulatory conversations among institutional actors about cyber intrusion capabilities, including spyware, and long sought by NGOs and civil society. Despite the clarion call to action for industry and governments alike, pressing them to “ensure that the development, facilitation, purchase, export, and use of commercially available cyber intrusion capabilities does not undermine stability or threaten human rights and fundamental freedoms, including in cyberspace,” Pall Mall was low on specifics.
So, what is the best way forward? Pall Mall’s current commitments are thin: they set out “steps” to tackle the misuse problem, including developing existing international export control frameworks, and unspecified domestic action in national jurisdictions. Ongoing dialogue was affirmed, and another conference proposed for 2025 (the details and substance of which have yet to emerge). But, regretfully, meaningful collective action from both countries and the wider group invited to the Pall Mall Process is still awaited. The moment is ripe for action and the U.K. and France are well placed to lead again, and they can do so by learning from effective and deepening domestic measures in the United States.
U.S. Action on Spyware Abuses
In this context, France and the U.K. should take note that, despite a lack of broader traction, some States have not waited for the crowd to move and are instead proceeding tentatively forward on regulation. Just two days before the Pall Mall conference, the U.S. State Department announced restricted visa access for “individuals believed to have been involved in the misuse of commercial spyware.” This policy may be applied to citizens of any country, even those whose citizens do not typically require a visa to enter the United States. Adding to this policy, the State Department announced in April 2024 that it was imposing visa restrictions on 13 different individuals who were “involved in the development and sale of commercial spyware” or their immediate family members.
On top of visa restrictions, in March 2024, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against “two individuals and five entities associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts.” The Consortium is a complex network of companies founded by former Israeli military intelligence officer Tal Dilian (one of those named individuals now under U.S. sanctions), that have sold commercial spyware to repressive political regimes. All property of these individuals or entities within the United States must be blocked and reported to OFAC and any transactions involving any property or interests by these persons or entities are also generally prohibited. Any person or institution that does engage in transactions with these blocked persons or entities may face similar sanctions.
These sanctions are consistent with 50 U.S.C. § 1710, which became effective in April 2024. The statute, aimed at “confronting asymmetric and malicious cyber activities,” enables the president to sanction individuals the Treasury Secretary, Attorney General, and Secretary of State determine were involved in cyber-enabled activities that have or are reasonably likely to pose “a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.” Possible sanctions include ineligibility for, or revocation of, visas to enter the United States or blocking of property and property interests. This type of concrete domestic action does important gap-filling work in the absence of comprehensive global regulation of an industry in distinct need of sustained oversight.
What Is Needed Now?
If Pall Mall is to achieve political and legal significance, specific and collective action is required. France and the U.K. need to move forward with urgency and purpose, matching rhetoric with meaningful action. The U.K. and France have not taken any concrete domestic measures to further the goals outlined in the Pall Mall Process nor to regulate spyware or cyber-intrusion more generally – and certainly, nothing close to the steps taken by the U.S. government domestically.
For London, domestic legislative action is critical given the opportunities that lie ahead for a new government with a vast majority to move an ambitious legislative agenda on human rights abuses. The U.K. is now led by a Prime Minister who, before he assumed office, was regarded as one of the U.K.’s leading human rights lawyers, with a long-standing reputation for upholding the rule of law. The U.K. has made some efforts related to cyber security, most notably through the introduction of the Cyber Security and Resilience Bill and the Digital Information and Smart Data Bill, both of which are still awaiting consideration by the U.K. Parliament. Regrettably, however, neither bill targets commercial spyware or related cyber intrusion technology. Instead, the former is focused on protecting important national infrastructure from ransomware and other cyber-attacks, and the latter deals with data privacy and protection. Presuming the expected timeline holds, both bills might be expected to become law in 2026.
The U.K. should use the legislative opportunities ahead to seek to harmonize national spyware regulation with the basic minimums the PEGA Committee endorsed including transparency, oversight, and accountability as well as specifying procedures to protect human rights through the surveillance lifecycle from design and development through use and transfer. The U.K. should also adopt a liability-based model in parallel to any export regimes. Adopting a human rights-based approach to surveillance requires regulating the design, use, and transfer of these technologies, but also, as per the U.S. practice of getting tough with abusers, they would be well served by “naming and shaming” companies and individuals using all of the criminal and civil tools at their disposal.
Such initiatives would build on the promising developments regarding State accountability for spyware in the English courts. The Court of Appeal recently held in Shehabi and Mohammed v. Kingdom of Bahrain that Bahrain is not immune under the U.K. State Immunity Act from claims regarding the use of spyware to infect laptop computers of human rights and pro-democracy activists. This case involved the alleged use of “FinSpy,” produced by the Gamma Group (also known as FinFisher). A previous case found Saudi Arabia was not immune for the alleged use of Pegasus spyware.
For France, a series of opportunities lie ahead in the EU context. Paris can assume an invaluable leadership position by supporting implementation of the PEGA Committee Report and encouraging the EU Polish Presidency starting in January 2025 to lead on spyware regulation given Warsaw’s unique position, having suffered widespread spyware abuse at the hands of the previous Polish government. France can make it a political priority to support updating EU dual use regulations which were described by the PEGA Report as “weak and patchy.” France’s leadership in the Pall Mall Process must extend to the EU where it can build the necessary political will and momentum to ensure that export control regimes are strengthened such that all major exporting nations agree to parallel rules and oversight procedures. For Pall Mall to be concrete and meaningful, France should in parallel endorse and adopt a liability-based model of accountability, which would be complementary to any export reforms, something like that which was proposed by the Mandate of the Special Rapporteur for counter-terrorism and human rights in 2023.
Given the current uncertainty around the upcoming U.S. election, the need for other States to assume and demonstrate leadership on tackling abusive surveillance technologies is acute.
Having established the partnership and now the process, the French and British have a unique opportunity to join the United States in a fight for the life and health of democracies and civic space worldwide. The U.K.-France Cyber Initiative and the Pall Mall Process are commendable first and early steps, ready to be re-energized, re-focused, and made practical to meet the moment.