There is an urgent need for a moratorium on sale of spy tech

The Pegasus scandal clearly demonstrated the dangers posed by the unchecked sale of surveillance technology to governments.

A woman checks the website of Israel-made Pegasus spyware at an office in the Cypriot capital Nicosia on July 21, 2021 [Mario Goldman/AFP]

In July 2021, an investigation by a consortium of media outlets revealed that several governments used phone malware supplied by an Israeli firm to spy on journalists, activists, opposition figures and heads of state. The revelation that Pegasus spyware, developed by Israel-based NSO Group, has been used to hack the phones of thousands of unsuspecting individuals around the world raised new questions about the sale, purchase and use of such surveillance technology and its effects on the right to privacy as well as freedom of expression.

Indeed, as Amnesty International recently said, the Pegasus scandal “exposed a global human rights crisis”. Now, this realisation must lead to a global moratorium on the sale and use of surveillance technology until a set of guidelines rooted in international human rights law is developed by states and international bodies to prevent the repeat of such abuses in the future.

What is Pegasus and who gets to use it?

Pegasus is a type of spyware that can infect a target’s phone without a malicious link, though such links are one of the ways devices can be infected with it. Once Pegasus finds its way into a phone, operators of the tool can activate its camera and microphone, record phone calls, and extract messages, emails and photos.

Recently, a list of more than 50,000 phone numbers, identified as those of people of interest by clients of NSO since 2016, was leaked to Forbidden Stories, a Paris-based nonprofit media organisation, and Amnesty International. These organisations later shared the data with other media partners as part of “the Pegasus Project”, a reporting consortium. The consortium found that most of the targeted phone numbers belong to individuals from 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.

NSO Group insists Pegasus spyware is only intended for use “against criminals and terrorists” and says it only sells the technology to governments. Furthermore, it claims that it makes its sales to foreign governments with the approval of Israeli authorities. The group’s first and so far only transparency report released in June 2021 states: “The Defense Export Controls Agency (DECA) of the Israeli Ministry of Defense strictly restricts the licensing of some of our products and it conducts its own analysis of potential customers from a human rights perspective.”

It is concerning that the government of Israel, which itself stands accused of myriad human rights law violations, appears to be the sole authority responsible for deciding which governments can be trusted to use this powerful surveillance tool.

There are also concerns that the Israeli regime has been facilitating the sale of Pegasus to governments that it views as allies or potential strategic partners. Indeed, Morocco and the UAE, two countries that are known to be using Pegasus, established diplomatic relations with Israel in 2020. Saudi Arabia, another country using Pegasus, meanwhile, is known to be engaged in backchannel diplomacy with the Israeli government. Furthermore, a July 20 article published in the Israeli daily Haaretz revealed how official visits by former Israeli Prime Minister Benjamin Netanyahu to Azerbaijan, Hungary, Mexico and Rwanda were followed by the sale of NSO Group licences to the governments of these countries.

The fallout

The Pegasus Consortium’s shocking revelation that NSO Group’s spyware has been used by at least 10 governments to target thousands of journalists, opposition politicians, activists and dissidents has caused shock waves across the world.

The Israeli, Moroccan and Hungarian governments announced that they would investigate the allegations.

In India, the main opposition Congress party said it has reason to believe its leader, Rahul Gandhi, has been targeted with Pegasus. The party accused the government of “treason” over the incident and demanded an independent investigation. The Indian government claimed that there is “not a shred of evidence” that it used spyware against political rivals. However, the Indian government has also been accused of attempting to hack a phone number previously used by Pakistan’s Prime Minister Imran Khan.

The scandal also caused a rift between Morocco and France, as the Moroccan government has been accused of attempting to spy on French President Emmanuel Macron using Israeli-made spyware.

The investigation by the Pegasus Consortium has undoubtedly put NSO Group under the international spotlight, but the Israeli spyware manufacturer has come under fire for supplying technology that enables authoritarian surveillance many times before.

In August 2016, renowned Emirati human rights activist Ahmad Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking the link, Mansoor sent the messages to the Citizen Lab, which “recognized the links as belonging to an exploit infrastructure connected to NSO Group”.

In September 2018, the Toronto-based Citizen Lab published a detailed investigation into the activities of NSO Group, and said, “Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation.” The investigation revealed that a total of 45 countries, many with dubious human rights records, have used the group’s Pegasus spyware. “Research continues to demonstrate some highly concerning real-world examples of the abuse of NSO Group technology in practice. These uses have included apparent government customers of NSO Group abusing Pegasus spyware to target civil society groups, human rights defenders, lawyers, politicians, and journalists,” it said.

A few months later, in December 2018, a lawsuit filed by a Saudi dissident close to slain journalist Jamal Khashoggi claimed that Pegasus was used by Saudi authorities to hack his phone to spy on his communications with Khashoggi. The same month, a senior DEA official told Forbidden Stories that corrupt Mexican officials have been helping drug cartels access Pegasus and other spyware technologies.

These allegations have led to periodic calls for investigations into NSO Group’s activities, but to this day, the company has continued its operations freely, and seemingly with the full support of the Israeli government.

Other surveillance technologies

While Pegasus is currently viewed as the most effective and invasive spyware available for purchase, NSO Group is not the only company selling this type of surveillance technology.

Italian company Hacking Team and Anglo-German company Lench IT Solutions plc also develop and sell spyware similar to Pegasus and have been accused of providing tools to authoritarian governments that they use to spy on activists, journalists, politicians and dissidents.

There is also dual-use technology that is designed to be used by private companies in the telecom and internet service sector for network management, but also enables governments to block access to websites, and carry out mass surveillance, including by redirecting users to websites infected with malware. These technologies are being produced by companies such as the United States-based Blue Coat, and Canada-based Sandvine and Netsweeper.

Sandvine has sold its deep packet inspection technology to the Pakistani government, which purchased it using licensing fees from telecom operators, thereby avoiding public scrutiny under the garb of it not being a burden on the taxpayer. Because it is a dual-use technology, the government gets away with saying it is using the web monitoring system merely to monitor grey traffic. However, according to several rights organisations and monitoring groups, the technology is also being used to carry out surveillance and censorship of human rights movements in the country. Thus, investors, companies and governments need to consider the impact such dual-use technologies may have on human rights in the countries they are being sold to.

Biometric and facial recognition technologies are also being used by governments for surveillance, with extensive human rights implications. In the aftermath of the police killing of George Floyd in the United States, several companies including Amazon, IBM, and Microsoft banned police departments from using their facial recognition technology. This was a move in the right direction, as these technologies, largely developed using white subjects, have a racial bias and their use by security agencies contributes to racial profiling and harassment of minorities. Companies need to follow this precedent and stop supplying these dangerous technologies to other governments as well.

Just last month, after the US withdrawal from Afghanistan, the Taliban got hold of the US military’s biometric records of Afghan citizens who had been helping the US forces in the country. This demonstrates the irresponsibility with which such data and devices are handled by governments and militaries, and how much of a security risk they can pose. The Afghans whose biometric data has been leaked now face the risk of being targeted by the Taliban. US President Joe Biden’s proposed budget for 2022 includes $11m earmarked for the purchase of 95 more biometric collection devices like those now in the hands of the Taliban. It is time to revisit such decisions.

Surveillance and international human rights law

The use of surveillance technology like Pegasus by governments to spy on private citizens undermines the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) – the two main instruments that guide the laws related to human rights in all UN member states. Indeed, such surveillance activities clearly violate the right to privacy protected by Article 12 of the UDHR and Article 17 of the ICCPR, which states that “no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation”.

While many countries limit their citizens’ right to privacy in different ways – often on the grounds of national security and counterterrorism – international law is clear that such limitations cannot and should not apply to the surveillance of the press, activists, and political leaders, as such actions undermine not only the right to privacy but other linked rights too. These include the right to freedom of expression and opinion protected by Article 19 of the UDHR and ICCPR, and the right to freedom of association as protected by Article 20 of the UDHR and Article 22 of the ICCPR. Surveillance also affects vulnerable groups based on nationality, race, ethnicity, sexuality, gender, and religion, and may be in violation of protections against discrimination under Article 7 of the UDHR, and Articles 26 and 17 of the ICCPR.

Surveillance has a chilling effect on the freedom of speech, and often serves to silence people by creating the impression of being constantly observed. Whereas spying has always been a part of intelligence operations, digital spyware is way more intrusive by virtue of most of our communications and personal information being stored in our phones in this day and age of technological advancement. This is why domestic laws governing the use of surveillance technology by state and private actors need to be centred around international human rights law.

The way forward

Companies that develop and sell surveillance technology are supposed to be held to a high standard of scrutiny and compliance in accordance with the United Nations Guiding Principles on Business and Human Rights, which outline the corporate responsibility to respect human rights. This includes conducting detailed and independent human rights due diligence and human rights impact assessments before the sale of surveillance technology to a government. However, as demonstrated by Pegasus software and others being bought and used by several authoritarian regimes with histories of unlawfully using surveillance technology against members of civil society and the press, the system is not working.

There are clear steps that need to be taken to prevent continued abuse of such technologies by authoritarian governments and violent non-state entities like Mexican drug cartels.

First, there is a need for stringent licensing terms on which surveillance technology is provided to governments, including clauses that call for revocation of the right to use the technology if international human rights standards are violated with the use of the technology.

Further, strict export controls need to be put in place by governments where spyware is produced and sold so that they can fulfil their duty to protect human rights under the UN Guiding Principles. It is important that an independent human rights due diligence process is maintained by governments to determine what kind of technology is being exported, and who the potential clients are before allowing for the export of such technology to minimise abuse, especially in the case of dual-use technology.

Very importantly, there needs to be civilian oversight of surveillance measures in each country so that spyware can only be used against individuals suspected of serious crimes rather than against the political opponents of governing authorities in violation of international human rights law.

Activists and experts have long been cautioning the international community about the widespread abuse of digital surveillance technologies by governments. In 2014, UN High Commissioner Navi Pillay warned of a “disturbing” lack of transparency in governmental surveillance policies and practices, “including de facto coercion of private sector companies to provide sweeping access to information and data relating to private individuals without the latter’s knowledge or consent”.

In 2019, the UN special rapporteur on the protection and advancement of the right to freedom of expression and opinion, David Kaye, called for a global moratorium on the sale of surveillance technology until “effective” national and international controls can be put in place to “lessen its harmful impact” – a call that was reiterated by Amnesty International in July in the face of the Pegasus Project revelations. Reporters Without Borders, meanwhile, has called for an Israeli moratorium on spyware exports.

Hence, it is about time that a global moratorium on the sale of surveillance technology is put in place, until governments adopt domestic and international laws and regulations that govern export control, licensing of technology, and human rights impact assessments centred around the international human rights framework and civilian oversight of government use of technology. Until then, fundamental rights of citizens related to speech, privacy, and protection from discrimination must not be violated through unbridled surveillance, but protected as per commitments made by all governments under the UDHR.

The views expressed in this article are the author’s own and do not necessarily reflect Al Jazeera’s editorial stance.