ResearchTargeted Threats

The Dangerous Effects of Unregulated Commercial Spyware

In recent days, United Nations Special Rapporteurs have released two revelatory reports that demonstrate the dangerous effects of unchecked technology in the hands of autocrats: one relating to the proliferation and abuse of surveillance software and one that investigates the murder of Washington Post journalist Jamal Khashoggi. Both reports highlight the danger of unaccountable and unregulated surveillance technology sold to countries with egregious human rights records.

Special Rapporteur David Kaye report: call for a global moratorium on the sale and transfer of the tools of the private surveillance industry 

Governments today have access to a diverse and powerful toolkit of surveillance tools. For example, network monitoring technologies, like deep-packet inspection (DPI), can be used to gather detailed information about citizens’ online and offline behaviour. Commercial spyware, such as NSO Group’s Pegasus, can allow an operator to surreptitiously activate a target phone’s camera and microphone, turning the device into a ready-to-deploy spy. 

David Kaye, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, has released a long-awaited report that makes it clear states have a duty to uphold and protect the human rights of citizens from targeted surveillance facilitated by these technologies. Despite this duty, surveillance of individuals—including government critics, journalists, and human rights advocates—is largely unimpeded, leading to detention, torture, and extrajudicial killings. His report reflects 11 submissions by states and 33 by civil society, including the Citizen Lab

In addition to describing the duties incumbent on states, Kaye’s report highlights how corporations in this industry facilitate surveillance abuses, contrary to their human rights obligations under the UN Guiding Principles on Business and Human Rights. In this context, he makes three important points regarding corporate practices: 

  1. Private companies selling surveillance technology cannot take the position that they lack insight into what their clients do with the technology given the broad public knowledge of repressive practices by those clients. 
  2. Private companies may seek to rely on the fact that their products are approved by export control authorities. However, this is problematic since the entire regime operates with such limited transparency and oversight that it cannot be verified that companies intend to sell for lawful purposes and that clients actually use technology in a lawful manner. As Kaye writes, “In fact, nearly all the publicly available information about the private surveillance industry has been gathered during the forensic work carried out by non-governmental and academic institutions, such as Citizen Lab, and investigative reporting.”
  3. There is an absence of effective legal remedies available for victims of targeted surveillance. Although legal proceedings have commenced against private surveillance companies or governments in at least eight countries, there remain significant barriers to justice. Coupled with unchecked abuses of power, this system of impunity makes it nearly impossible for any meaningful recourse.

To counter the invasive threat of surveillance technology in an ecosystem that is increasingly unable to contain it, Kaye suggests: “…an immediate moratorium on the global sale and transfer of the tools of the private surveillance industry until rigorous human rights safeguards are put in place to regulate such practices and guarantee that governments and non-state actors use the tools in legitimate ways.”

Calling for a full-scale moratorium is a dramatic step, and underscores the scale of the harms caused by the global proliferation of surveillance technologies and the complete lack of effective mechanisms to prevent such harm or remedies where they arise. Kaye clearly believes that such an unprecedented step is necessary to ensure the protection of human rights from governments who seek the most powerful of weapons to unjustly intimidate, silence, and punish their opponents.

Special Rapporteur Agnès Callamard report: spyware at the centre of Khashoggi killing

UN Special Rapporteur on extrajudicial, summary, or arbitrary killings, Agnès Callamard, was tasked with investigating the murder of journalist Jamal Khashoggi and has found that the Kingdom of Saudi Arabia is undeniably responsible for his extrajudicial killing. In her recent 100 page report, she declared that both Saudi Arabia and Turkey failed to conduct comprehensive investigations into Khashoggi’s murder and recommends that the current trial of 11 suspects in Saudi Arabia be suspended until such a time that it meets international procedural and substantive standards.

Deeply ingrained in this case of international murder is the exploitation of powerful spyware technologies. In line with Kaye, Callamard endorses the full suspension of spyware technologies sold to Saudi Arabia until proper protections can be implemented. 

On September 18, 2018 Citizen Lab researchers published a report that identified 45 countries in which operators of NSO Group’s Pegasus spyware may be conducting operations. One operator, given the code name Kingdom, was targeting devices in 12 countries, including Canada. On October 1, 2018 the Citizen released a second report detailing how Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with spyware by the Kingdom operator. We assessed with high confidence that Abdulaziz’s phone was infected with NSO’s Pegasus spyware and attributed this infection to a Pegasus operator linked to Saudi Arabia.

Abdulaziz later revealed to journalists that he had been in contact with Khashoggi to develop several projects that would have given the Saudi government reason to target them both. Because of the full access to Abdulaziz’s phone that NSO’s spyware would have given its operators in Saudi Arabia, Abdulaziz believes it was the presence of the spyware that ultimately led to Khashoggi’s demise and execution. 

Because of the integral use of commercial spyware in Khashoggi’s murder, Callamard calls for an “immediate moratorium on the export, sale, transfer, use or servicing of privately developed surveillance tools to Saudi Arabia and other states until a human rights-compliant safeguards regime is in place.” If honoured, companies like NSO Group would be prohibited from conducting new business with the Kingdom. 

When asked by 60 Minutes about his role in selling NSO Group spyware to Saudi Arabia, NSO Group CEO Shalev Hulio sidestepped the question, stating: “Don’t believe newspapers.” He did not deny that NSO sold its Pegasus spyware to Saudi Arabia and would not explicitly deny that Jamal Khashoggi’s confidants were targeted with Pegasus. 

To justify the sale of technologies to oppressive regimes, NSO and others have often stated that they are only used to fight crime and terrorism. But in an unregulated environment, such justifications provide loopholes that are symptomatic of the widespread abuse in the industry. For example, Saudi Arabia has received international criticism for its laws which broadly define terrorism to include “disturbing public order,” meaning that any dissident or peaceful protester might meet the Kingdom’s criteria for spying and thereby constitute a legitimate target of spying and surveillance. 

The Guardian has also recently revealed that it has received information that Saudi Arabia intended to infiltrate the email addresses of journalists investigating the Kingdom. This revelation further highlights a chilling trend observed elsewhere: journalists and members of civic media are disproportionately targeted with powerful spyware technologies — a trend that is substiatied in Citizen Lab’s research, which has identified at least 11 journalists targeted with Pegasus. 

The global reach of repression

These reports show that commercial surveillance technology, such as NSO Group’s Pegasus spyware, extends the repressive reach of authoritarian states like Saudi Arabia. With powerful spyware, such regimes can, with greater facility and on a larger scale, target human rights defenders, political dissidents, and refugees far outside their borders. 

Liberal democratic countries in Europe and North America may no longer be the safe havens they purport to be in light of these growing capabilities, a fact which endangers fundamental human rights like freedom of expression and the right to privacy on a global scale. It also makes the call for a moratorium on the sale and transfer of the tools of private surveillance industry a necessary and critical move.

In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP, the new majority owners of NSO Group, must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group. Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs. 

Special Rapporteur David Kaye is presenting his report at the 41st Session of the Human Rights Council in Geneva on 27 June 2019 on a panel with Citizen Lab’s director, Professor Ron Deibert, Luis Fernando Garcia from Mexican NGO R3D, and Danna Ingleton from Amnesty International.