Since the worldwide media investigation into the leaked list of targets of the Pegasus spyware technology, we can no longer ignore the excesses of States using covert digital surveillance tools originally designed for counter-terrorism purposes to spy on politicians, journalists, human rights activists, lawyers, and ordinary citizens with no links to terrorism. As a recent Report of the UN Special Rapporteur on Counter-Terrorism and Human Rights (which we authored) identifies, these tools – manufactured in the USA, the EU, China, Israel, and the UAE – not only allow access to targets’ communications, contacts, geolocation and metadata, but even allow users to delete information or plant incriminating data, all while hiding their tracks. The scope of spyware use is unknown – but clearly enormous. In testimony before the European Parliament last year, the manufacturer of Pegasus – just one high-profile tool – revealed that the technology is used to target more than 12,000 individuals each year.
Spyware use risks serious violations of international human rights law. It allows repressive regimes to identify dissent and then use geolocation and real-time tracking for failsafe targeting in real life. The Special Rapporteur on extrajudicial, summary, and arbitrary executions has implicated spyware in intelligence-gathering on Jamal Khashoggi prior to his murder in 2018. Forensic analysis by The Citizen Lab at the University of Toronto has evidenced spyware present on the devices of multiple human rights activists and journalists subject to torture, unlawful arrest, and physical violence worldwide. And spyware imposes a chilling effect on civic exchange and political engagement, undermining the rights to privacy, free expression, association, and assembly.
Spyware goes further than previous forms of surveillance – like bulk communications monitoring – because it allows for manipulation of communications and records to incriminate and blackmail targets. This has potentially catastrophic impacts for fair trial and due process rights, casting doubt on evidence used against individuals and the integrity of criminal investigation.
The Lack of Inadequate Spyware Regulation
As the Special Rapporteur’s Report documents, until now there has been no systematic approach to supervise and regulate the spyware industry and the proliferation of spyware internationally to prevent human rights harms. Victims of targeting (if they ever discover it) might be lucky enough to live in a State in which State agencies can be challenged in court for alleged human rights violations (a rarity internationally). But even then, the case would suffer from the evidential and practical difficulties of holding a spy agency to account when the evidence of wrongful conduct is hidden or opaque because the spyware deletes its traces.
Some spyware makers have signed onto the UN Guiding Principles on Business and Human Rights or the similar OECD Guidelines, both sets of corporate responsibility guidelines relating to matters including human rights, employment and industrial relations, environment, anti-corruption, consumer protection, and taxation. The Guiding Principles and OECD Guidelines urge companies to respect internationally-recognized human rights and to try to prevent adverse human rights impacts linked to their operations or products. However, manufacturers of spyware cannot be held to account for failing to uphold these “soft law” commitments because of the lack of a binding enforcement mechanism (complaints under the OECD system against UK and German spyware manufacturers were effectively ignored).
While some jurisdictions have enacted human rights “due diligence” legislation (such as California, the UK, Australia, and France), its adoption is far from universal. In any event, such legislation generally stops at reporting and transparency of supply chains, rather than requiring active steps on the part of business to mitigate risks posed by their clients. Attempts to rely on private law harm-based doctrines (tort or delict) against manufacturers face issues of State immunity (where users are foreign State agencies), jurisdiction (where supply and use cross borders), and the poor analogy of human rights impacts with paradigmatic physical harms actionable in civil suit.
Finally, while spyware surveillance technology is formally subject to the export control regimes originally designed for conventional arms, such as the Wassenaar Arrangement and the EU Recast Dual-Use Regulation, that system suffers from limited international coverage and the often vague nature of export obligations, typically requiring exporting States only to “take into account” or “consider” human rights risks.
In light of the clear human rights risks, and the challenges for oversight, the UN High Commissioner for Human Rights has called for a moratorium on the trade in surveillance technology to “allow States to work on an export and control regime, as well as to boost legal frameworks securing privacy,” a call echoed by multiple UN Special Procedures mandate holders. In April 2022, the Republic of Costa Rica became the first State to demand a moratorium. This was followed in March this year by a joint position adopted by Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the UK, and the United States recognizing the “need for strict domestic and international controls on the proliferation and use” of commercial spyware.
A Regulatory Approach for Sypware
We welcome the growing international momentum towards regulation of the international spyware trade which is fit for purpose and. As the now released position paper by the Special Rapporteur’s mandate sets out, there is novel approachbeing set out that should inform the next steps in the field. In suggesting a mechanism for an international legal response to the concerns raised by spyware, the position paper does not concede that all forms of spyware are capable of lawful use. Far from it. Certain spyware tools may never be capable of lawful application because, by their nature, their use violates principles of proportionality/necessity or undermines the integrity of evidence and due process. To avoid these problems, at a minimum, spyware must be engineered to: (a) focus on certain data, rather than automatically accessing targets’ and contacts full data, in violation of principles of proportionality and necessity; (b) flag cases of apparent misuse and build in kill switches so manufacturers can prevent it; and (c) maintain an uneditable record of actions taken by the user, so that human rights compliance can be properly assessed by judicial authorities.
As for a regulatory framework, our position does not take a hard and fast approach on the structure, but we offer a couple of ways to take forward our regulatory proposal. We make the case that the focus is less about the title of the regulatory framework but rather its agreed features that are the imperative to implement. So, the regulatory framework should: (a) be international in nature (either by way of treaty or by way of relatively consistent adoption by a large number of States); (b) depend on State obligations as a means of regulating corporate behavior; (c) be limited to the spyware field; (d) entail compulsory and concrete action on the part of States; (e) impose actual liabilities upon private entities developing spyware to undertake due diligence showing there is no real risk of spyware being used by clients to breach human rights; and (f) provide a direct form of accountability, vindicable in domestic court, whenever the company fails to do so and the spyware has infected a target.
We are under no illusion that repressive regimes will embrace this framework – the objective is instead to ensure that many of the democratic States which spyware manufacturers choose as their bases (because of their favorable commercial and stable environment) will do so, and will require it of their trading partners. If the majority of companies’ home jurisdictions and clients have signed up to a responsible regulatory regime, spyware manufacturers facing the choice between operating exclusively outside that regime or trading with its adherents are likely to choose the latter.
We urgently need a system where the developers of spyware tools are forced either to require their State customers to provide credible guarantees on future human rights compliance, or to cease supply. This will force State customers to put in place protections so that their spy and investigative agencies can provide the assurances sellers require to maintain access to the technology. The spyware trade has occurred for too long in the long shadows cast by an inadequate legal framework. The victims of the abuse of spyware oblige us to shine a light.