Regulating the Global Spyware Market Won’t Be Easy
Emily Taylor | Tuesday, July 27, 2021
Like picking up a rock in the garden, the NSO
Pegasus spyware scandal exposes a repulsive world teeming with life in the muck
and mire—so much so that it is tempting to put the stone back in place and
pretend that world doesn’t exist. There are many layers to the story: the human
cost, the murky ethics of selling powerful spy tools to states with poor human
rights records, and the complexities of trying to regulate the global market
for such software. They all point to a challenge that will be with us for some
time, despite the popular outrage the scandal has caused. The stories of the
human cost are awful. Take Cecilio Pineda Birto, a Mexican journalist who wrote
about corruption
(http://theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto)
and whose phone number appears on a leaked list of 50,000 numbers that is
reportedly a master list of phones targeted by NSO Group’s clients using
Pegasus software. Pineda was shot dead as he waited for his car to be washed.
He was 38 years old. Reading about his death, it’s impossible not to wonder
whether the NSO Pegasus tool’s ability to track a target’s location, or turn on
a smartphone’s camera and microphone to film and eavesdrop on them, played a
part in helping his killers to track him down. And who was the customer? Was it
the Mexican state, or a drug cartel? Could the answer have been both? Pineda’s
murder is just one of many stories, from Morocco’s intelligence agency spying
on French President Emmanuel Macron, to Saudi Arabia, the United Arab Emirates,
Azerbaijan and other governments allegedly using NSO’s technology to target
human rights lawyers, activists and journalists
(http://washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/)—citizens
and non-citizens alike, at home and abroad. That authoritarian states use
surveillance technologies to spy on those who seek to expose their corruption
and rights abuses is outrageous, but regrettably, it is nothing new. This
privatized, opaque and global market for spyware, in which multibillion-dollar
firms like Israel’s NSO work with intelligence agencies and governments all
over the world, regardless of their human rights records, is the “bugs under
the rock” moment revealed by the Pegasus scandal. The surveillance technologies in question
do have legitimate law enforcement uses, for instance to track terrorist groups
or organized crime. But there appear to be few, if any, effective checks and
balances to ensure that such powerful tools are not used for the purposes of
repression. NSO is not the only actor implicated in the broader repercussions
of this scandal. Other vendors sell spyware, and those sales are subject to
export licenses granted by states—in this case, Israel. Last year, in a little
reported development, a Tel Aviv court refused an application supported by
Amnesty International to revoke NSO’s export license
(https://www.amnesty.org/en/latest/news/2020/07/israel-court-notorious-spyware-firm-nso/)
due to past abuses of its software by states like Saudi Arabia, the UAE,
Morocco and Mexico.
Marietje Schaake, a former European parliamentarian and the current president
of the Cyber Peace Institute, has long campaigned against the export of “dual
use” technologies, or goods, software and technology that can be used for both
civilian and military applications, of which Pegasus is one example. She points
out that private contractors such as NSO are often based in democracies such as
Israel, yet sell spyware to regimes that are well known for violating human
rights at their most basic level. In an interview with Tech Policy Press,
Schaake condemned NSO’s response to allegations of abuse of the Pegasus spyware
(https://techpolicy.press/the-sunday-show-surveillance-and-the-future-of-tech/)
by authoritarian regimes as hypocritical “nonsense.” Speaking to me over the
weekend, Schaake warned of another risk associated with the free trade in
intelligence grade technologies: “It puts authoritarian regimes on a fast track
to achieving competing capacity to that of democratic societies.” Much like the
international arms trade, the market for spyware is a global one, and private
actors are key suppliers to many governments. Western firms sell arms not only
to NATO allies but also to friendly countries, such as Saudi Arabia, with
well-documented records of repression and human rights abuses. These countries
often have legitimate reasons for purchasing those weapons or spyware, as well
as illegitimate, repressive ones. It is fair to question whether vendors should
be the arbiters of whether their state customers are lying to them about
the intended use of these purchases. Campaigners against these surveillance
tools have long pressed for updating the rules governing export controls on
dual-use technologies, which are covered by the non-binding Wassenaar
Arrangement, to include spyware. In May 2021, the European Parliament and
European Council adopted a regulation to modernize the European Union’s system
for the control of exports, brokering, technical assistance, transit and
transfer of dual-use items
(https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2021:206:FULL&from=EN).
The regulation introduces due diligence obligations for producers of such goods and puts greater
responsibility on those companies to address the risks to international
security posed by the dual-use items they sell. Of course, export controls
would not have prevented the import of Pegasus software by Hungarian Prime
Minister Viktor Orban
(https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests),
allegedly to spy on Hungarian investigative journalists. Edward Snowden has
called for a ban on the global market for spyware
(https://www.theguardian.com/news/video/2021/jul/19/edward-snowden-spyware-industry-should-not-exist-video),
but he is a bit light on details for how such a ban should be enacted, given
that the technology already exists out there and there are plenty of willing
buyers. A United Nations report authored by David Kaye in 2019 similarly called
for a moratorium on the global sales of spyware until more robust human rights
protections are put in place
(https://www.worldpoliticsreview.com/articles/28016/can-a-u-n-report-help-rein-in-expansive-and-abusive-digital-surveillance),
but it generated little follow-up. I asked Sir David Omand, the former head of
the British signals intelligence agency GCHQ and author of “How Spies Think,”
what could be done to reduce the risks of abuse in future. Omand told me that
reaching a universally accepted international agreement on spying and software
would be “next to impossible.” But he does think that improvements in national
requirements for due diligence prior to the sale and export of such technology
could help, and that some well-established objective criteria could be used to
navigate the decision-making process. “It is legitimate to sell tools for law
enforcement or national security to countries that have in place protections
for individual privacy rights, including transparent law, an independent
judiciary, proper regulation and independent oversight,” he explained. The
strength or weakness of such constraints will guide an assessment on the
likelihood of future abuse. “Without such controls,” he added, “verification of
how the technology is being used is problematic.” Change could also come from
an unexpected source. Some Big Tech companies are using their deep pockets to
mount legal challenges, threatening to hit NSO where it hurts most—in the
wallet. WhatsApp is currently suing NSO for its alleged hacking of WhatsApp’s
end-to-end encrypted chat app back in 2019. Even if the challenge fails, the
litigation process is likely to shine some disinfecting sunlight on the murky
world of surveillance tech. Unlike governments, tech companies are unlikely to
also be potential or actual customers of NSO. What’s more, the spyware
manufacturer is making some tech companies look bad. Alleged weaknesses in the
security of Apple’s iPhone have received a lot of airtime over the past week.
That’s bound to irritate a company that has made a major selling point of its
commitment to user privacy and security. Apple did not join in a statement that
several tech companies, including Microsoft and Cisco, filed in support of
WhatsApp’s suit (https://www.business-humanrights.org/en/latest-news/how-does-apple-technology-hold-up-against-nso-spyware/)
stating that NSO’s actions make technology less safe for everyone. Perhaps in
the future it may change its mind.
https://www.worldpoliticsreview.com/articles/29835/there-are-no-easy-answers-to-the-nso-pegasus-software-scandal