Citizen Lab has penned a submission to the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, Mr. David Kaye, in preparation for his report to the General Assembly in October 2019. The submission reviews Citizen Lab research on the use of private surveillance technology against human rights actors, describes some of the common practices of concern among private companies in the surveillance industry, and proposes a set of recommendations for the path forward.

In addition to reviewing Citizen Lab research into the abusive deployment of technology manufactured by NSO Group Technologies Ltd. (a Q Cyber Technologies company), Cyberbit Ltd. (a subsidiary of Elbit Systems Ltd.), FinFisher GmbH (formerly part of Gamma Group), and Hacking Team S.r.l., the submission also seeks to highlight four important trends in the spyware industry, which provide a starting point for any discussion into future industry reform:

  • Private companies in the spyware industry sell their technology to authoritarian and repressive governments with poor human rights records. Existing regulatory and legislative regimes (such as export controls) do not appear to have been effective against such transfers.
  • Private companies in the spyware industry justify the sale of their technology to any government—regardless of that government’s human rights record—by arguing that they sell exclusively to sovereign States for the sole purpose of clients engaging in lawful activities and that such sales are done in compliance with all applicable laws.  
  • Private companies in the spyware industry operate in a non-transparent environment, creating enormous obstacles to evaluating and assessing the use of human rights due diligence processes within the industry or other mechanisms for mitigating human rights impacts.
  • In addition to the lack of transparency, private companies in the spyware industry operate in violation of a number of other fundamental human rights principles, such as the right to privacy in the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) and rights and norms articulated in the UN Guiding Principles on Business and Human Rights (UN Guiding Principles).

The full submission can be found here and the full list of recommendations to the Special Rapporteur can be found below:

1. Describe practices of concern in the spyware industry and the aim of industry reform

The first step in ensuring successful industry reform is determining what industry practices are of pressing concern. While there is limited public information on how the spyware industry functions at least three highly problematic overarching practices of concern can be identified: limited international and national measures to hold businesses accountable, a lack of transparency regarding human rights due diligence policies or processes, and a belief that responsibility for lawful product use lies with the spyware purchaser only. In order to develop a successful and impactful accountability framework, more research is necessary to continue to document and expose these and other practices of concern by the spyware industry. Further, in addition to identifying industry practices of concern, it is also necessary to articulate the aim of industry reform. An initial list of industry reform goals might include addressing some of the clear negative trends within the industry, such as securing transparency regarding due diligence processes, preventing the sale and transfer of spyware technology to certain types of clients through more robust regulation and law, ensuring access to effective remedies for those unlawfully targeted with spyware, and re-allocating negative externalities associated with the spyware industry.

Among the specific activities that the Special Rapporteur could facilitate, we recommend:

1.1 Supporting continued research and investigation into documenting and disclosing corporate practices of concern by civil society, research groups, and other institutions with a human rights-focused mandate and facilitating a public debate and review of such unlawful or unethical corporate practices by spyware industry actors.

1.2 Condemning any activities taken by States or corporate actors to suppress, impair, limit, or otherwise interfere with research being conducted by such bodies into investigating and revealing corporate practices of concern and call on States to take concrete action to prevent such behaviour.

1.3 Engaging in a public dialogue on spyware industry reform with all relevant stakeholders and issuing a public report outlining high priority areas of concern and the key aims of spyware industry reform.

Citizen Lab recommends that the UN Special Rapporteur support continued research into spyware industry practices of concern, press for the security and safety of researchers in this space, and issue a public report outlining key practices of concern and the main goals of industry reform.

2. Develop an accountability framework for the spyware industry and take steps to ensure its implementation and enforcement

A robust accountability framework is required in order to prevent the continued sale of surveillance technology to repressive and authoritarian governments that deploy them in abusive and illegal manners. While it is commonly understood that there is a need for accountability, it is clear from the continued sale of surveillance technology that sufficient progress has not been made in ensuring tangible outcomes. An effective accountability framework needs to respond to the practices of concern within the industry and identified reform priorities, as noted above. Such a framework may be multi-faceted, considering not only international agreements, but also, for example, litigation, regulatory schemes, and export control.

Among the specific activities that the Special Rapporteur could facilitate, we recommend:

2.1 Conducting a comprehensive review of existing accountability mechanisms (such as international frameworks, litigation, regulatory measures, and export control) and issue a public report identifying key gaps and concerns regarding the effectiveness of these mechanisms.

2.2 Based on a review of prior accountability mechanisms and consultation with relevant stakeholders, issuing a public report outlining an accountability framework for the spyware industry, identifying key areas where further action is required by States, and providing a roadmap for action and implementation.

Citizen Lab recommends that the Special Rapporteur draft an accountability framework for the spyware industry based on international human rights norms and equivalent domestic norms and rules and develop a plan for ensuring its implementation and effectiveness.

3. Call on States to take concrete steps to prevent corporate human rights abuses abroad

UN treaty bodies have consistently taken the view that States “should take steps” to prevent human rights abuses internationally by companies incorporated under their laws. And most international law scholars that have examined this issue, including former UN Special Rapporteur Olivier de Schutter, believe such a State duty to regulate corporate activities human rights abuses abroad already exists under international human rights law. The competence of States to take measures impacting the extraterritorial activities of businesses domiciled in their territories is well established under international law, and as a matter of policy, such measures would also provide guidance and certainty for businesses, while protecting the State’s reputation.  

Consistent with this duty, the Special Rapporteur should call on States to take concrete steps to prevent corporate human rights abuses internationally. There are many such measures that States could take pursuant to this duty.  Among those we recommend:

3.1 Where States provide direct or indirect support to businesses operating abroad, financial or otherwise, that support should be tied to clear prohibitions against unlawful and unethical activities, and effective and ongoing due diligence, public transparency reporting, and other accountability measures to ensure compliance with these prohibitions. Such requirements could be backed by effective penalties for non-compliance, including mechanisms to freeze and, where appropriate, revoke financial support and services.

3.2 States should establish human rights-oriented government procurement standards for “dual-use” technology companies like spyware businesses. These could restrict the awarding of government contracts to those businesses that have human rights policies and due diligence processes in place, and strong records of respect for human rights overseas.

3.3 States should follow Europe’s lead and clarify or amend export controls to require licensing for spyware and surveillance technologies that is provided to designated end users and/or for designated end uses that present significant human rights risks.  

3.4 States should establish agencies with powers to investigate and remedy human rights abuses committed internationally by domiciled companies.

3.5 States should support “human-rights-by-design” principles whereby business commit to designing tools, technologies, and services to respect human rights by default, rather than permit abuse or exploitation as part of their business model. A human-rights-by-design paradigm, for example, could prevent spyware companies from designing surveillance tools and technologies easily repurposed for human rights abusing activities.

Citizen Lab recommends that the Special Rapporteur call on States to take concrete measures to prevent domiciled companies from facilitating, causing, or contributing to human rights abuses internationally, with specific recommendations for States to: make government support or procurement contracts contingent on sound human rights due diligence and other practices; clarify or amend export controls to provide for commercial spyware licensing; establish agencies with power to investigate and remedy corporate human rights abuses abroad; and establish, promote, and support “human-rights-by-design” principles and standards for technology industries.