Activists and Policymakers Turn Up the Heat on Spyware Vendors

Do we need a regulatory system for spyware vendors? Digital rights activists think so.

We're not talking about the kind of spyware that infects consumer machines and feeds data back to advertisers, or pilfers your credit card details, even though that stuff irritates millions of people around the world every day. We're talking about a more rarified type of software used to infect specific targets. It's sold by the likes of NSO Group and Intellexa.

These programs are designed to track and intercept terrorists and other criminals. The problem, according to experts, is that governments don't always use them appropriately. In an article for the Lawfare blog, researchers from the Citizen Lab at the University of Toronto's Munk School of Global Affairs draw a direct line between the use of spyware and the death of Saudi journalist Jamal Khashoggi.

The article, written by Siena Anstis, Ronald J. Deibert, and John Scott-Railton, highlights Saudi intelligence's use of NSO's Pegasus spyware to monitor a phone used by Omar Abdulaziz, a close confidant of Khashoggi's. This enabled them to pick up disparaging comments about the Saudi Crown Prince Mohammed bin Salman, which meant that "Khashoggi's murder was thus intimately tied to unlawful use of spyware technology," they said. Citizen Lab's reporting was backed up by the UN special rapporteur on extrajudicial, summary or arbitrary executions, Agnes Callamard, who cited it in her own report on the journalist's death. She has called for a moratorium on sales of spyware technology to the Saudis.

Pegasus is just the tip of the iceberg, according to the article, which highlights several other cases of activists targeted by this kind of software.

"Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security," the Citizen Lab writers said, adding that an external auditor should be used to enforce compliance.

They also call for companies that create this technology to be held accountable and for their sales to be transparent. States must also establish legal regimes that hold companies and governments accountable for the use of surveillance technology within their borders, they concluded.

In the meantime, investors continue to pile money into the companies selling this spyware. Novalpina Capital, an investor in NSO, pledged to reform the company in a letter to Amnesty International, although Citizen Lab lawyers say this doesn't go far enough. In the month following the letter, Yana Peel, chief executive of the Serpentine Galleries, stepped down after the Guardian revealed that she co-owns Novalpina.

The question here is what such regulation would look like. You'd hope that the Wassenaar agreement—an export framework that governs the sale of technologies between its members—would be a good way to govern the sale of these products. The problem is that this isn't legally binding. It has also been subject to some confusion in past years because the definition that most closely matches spyware—"intrusion software"—was deemed too broad and could have stymied some cybersecurity research. This resulted in a refined definition in December 2017, which went some way towards addressing those concerns.

Still, the spyware keeps on selling. And it seems that digital rights activists still have a lot of work to do.
