STEVEN FELDSTEIN, BRIAN (CHUN HEY) KOT
SUMMARY
The global spyware and digital forensics industry continues to grow despite public backlash following an array of surveillance scandals, many linked to NSO Group’s Pegasus program. This paper explores the resilience of the commercial spyware market and offers ideas about how to limit the spread of invasive cyber surveillance tools. It highlights several factors driving the industry, including elevated demand for intrusion technology from government clients and private customers, as well as inconsistent political will from democratic governments to crack down on these technologies.
KEY INSIGHTSBetween 2011 and 2023, at least seventy-four governments contracted with commercial firms to obtain spyware or digital forensics technology, according to data collected by Carnegie’s global inventory of commercial spyware and digital forensics (https://data.mendeley.com/datasets/csvhpkt8tm/10).
Autocratic regimes are much likelier to purchase commercial spyware or digital forensics than democracies: forty-four regimes classified as closed autocracies or electoral autocracies procured targeted surveillance technologies between 2011 and 2023, contrasted with thirty electoral democracies or liberal democracies.
Israel is the leading exporter of spyware and digital forensics tools documented in the global inventory: fifty-six out of seventy-four governments have procured commercial spyware and digital forensics technologies from firms that are either based in or connected to Israel, such as NSO Group, Cellebrite, Cytrox, and Candiru.
In addition to top-level commercial spyware vendors like NSO Group and Cytrox, there is a burgeoning secondary tier of suppliers composed of boutique spyware firms, hacker-by-night operations, exploit brokers, and similar groups. As large commercial firms face greater scrutiny from democratic governments about their practices, there is a corresponding increase in open-source and commercially available malware. These trends have made it less costly for governments and private actors to mount attacks and allow them to hide in the “noise” of open-source codes and gain plausible deniability.
Ongoing high demand for intrusion technology contributes to the resilience of the commercial spyware and digital forensics market. Even if one supplier is sanctioned, there is sufficient financial motivation for other suppliers to fill in the gap. Our data set shows that governments have transitioned from procuring spyware from older suppliers, like FinFisher and Hacking Team, to contracting with alternatives, such as NSO Group, Cytrox, and Candiru.
Democratic governments have been inconsistent in tackling the human rights abuses enabled by spyware. In the European Union (EU), cybersecurity companies exploit regulatory fragmentation to establish offices in member states where implementation of export controls is known to be weak. For example, NSO Group established subsidiaries in Bulgaria and Cyprus to facilitate selling its products. Intellexa, which owns a number of surveillance firms, including Cytrox and Circles, established footholds in Cyprus, Greece, and Malta. The EU should push for more consistency and minimum standards of enforcement when it comes to governing the licensing and export of intrusive technology.
Spyware companies routinely cover their tracks by creating complex corporate structures to obfuscate their legal registration, what laws they are bound by, and who their clients are. Governments in Europe, Israel, the United States, and other relevant jurisdictions should enhance their policy and regulatory cooperation on spyware. They should improve their information-sharing and create unified registries of cyber surveillance firms.
Recent developments—such as the U.S. blacklisting of NSO Group in 2021, which has driven the firm to the verge of bankruptcy—illustrate how economic leverage can force the industry to reckon with the consequences of human rights violations. The United States should seek to multilateralize the Entity List with regard to spyware companies. A good starting point would be to pressure European countries to set up a parallel entity list and to similarly sanction NSO Group, Candiru, and related firms.The United States should reconsider its current permissive approach toward digital forensics and data extraction technologies. Researchers have documented over two thousand U.S. law enforcement agencies that have procured digital forensics technology to investigate criminal cases. While these tools require physically confiscating a target’s device, the level of intrusiveness is comparable to if not greater than that of remote spyware technology. Like spyware, phone extraction enables full, retroactive access to files and messages, as well as metadata about past communications.
As a leading exporter of spyware, Israel has not sufficiently prioritized human rights considerations in its export licensing regime. The United States and other democracies should continue to use economic and diplomatic leverage to pressure Israel to restrict commercial spyware transactions to human rights–abusing countries.
INTRODUCTION
In 2021, sixteen media outlets formed a consortium known as the Pegasus Project to investigate military-grade spyware licensed by the Israeli firm NSO Group. Two of the consortium partners, Forbidden Stories and Amnesty International, had gained access to a list of fifty thousand phone numbers that were “selected for targeting” by NSO clients. The group analyzed the numbers and matched them to specific individuals and hacks. The findings were damning. From the original list, analysts identified over one thousand targeted individuals spread across over fifty countries. Victims included “several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers.”1 At least ten prime ministers, three presidents, and one king were also found on Pegasus target lists. The investigation sent shockwaves around the world. It fueled public outrage and compelled the United States to blacklist NSO Group—driving the firm to the brink of bankruptcy.2
While NSO Group’s future is in doubt, the spyware industry as a whole remains relatively unscathed. Governments have turned to other commercial firms to accomplish their surveillance objectives. Cytrox’s Predator spyware, for example, has become a favored option for many governments and was recently the subject of investigations in Greece, following disclosures that government operators used Predator malware to hack the phones of journalist Thanasis Koukakis and opposition leader and member of the European Parliament (MEP) Nikos Androulakis.3 In addition to Greece, researchers have found that state-backed operators in Armenia, Côte d’Ivoire, Egypt, Indonesia, Madagascar, Serbia, and Spain are likely also using Predator.4 In a striking example, researchers from the Citizen Lab discovered that Egyptian operators were “simultaneously” using Pegasus and Predator spyware to hack the phone of opposition politician Ayman Nour.5
These incidences reinforce two core facts: that the spyware industry is bigger than any single company, and that governments are highly motivated to acquire these tools, even at the risk of public backlash.
The Pegasus Project investigation isn’t the first time that mercenary spyware firms have faced setbacks. Years before the Pegasus scandal, Germany’s FinFisher and Italy’s Hacking Team were dominant players in the market. Products from both companies were linked to surveillance abuses in a range of countries. At its height in 2015, Hacking Team’s products were in use in forty-one countries.6 Yet by March 2022, FinFisher had shut down its operations because of financial insolvency, following raids by German authorities and an accompanying investigation into the company.7 As for Hacking Team, the firm suffered a massive 400-gigabyte data breach in 2015 that revealed “executive emails, customer invoices and even source code.”8 The firm has struggled to recover from that episode. It has changed ownership and rebranded itself as Memento Labs but has acquired few new clients.9 While the demise of FinFisher and Hacking Team (and potentially NSO Group) shows that public investigations and advocacy campaigns can be effective, the industry’s resilience extends beyond individual firms. The collapse of these companies has done little to curtail global sales—estimated to be worth over $12 billion—and other spyware vendors continue to vie for government contracts and private customers.10
The paper begins by reviewing the international legal and policy standards governing the use of spyware surveillance. It then describes overall trends in the commercial spyware and digital forensics market and presents a global inventory of these tools.11 The inventory evaluates which governments have acquired commercial spyware and digital forensics technologies, how states are using these tools, which companies are selling spyware and digital forensics, and where these firms are headquartered. Next, the paper examines the continued resilience of the global spyware industry and discusses which factors have allowed the market to persist and thrive in such places as the EU and Israel. Lastly, the paper discusses policy responses and steps democracies can take to impose limits on the spyware industry.
WHEN IS IT PERMISSIBLE FOR GOVERNMENTS TO USE SPYWARE?
Spyware capabilities are immensely invasive. The software allows operators to gain remote access to devices so they can target individuals from almost any part of the world. Once an operator infects a device, that agent gains “complete and unrestricted access to all sensors and information on infected devices, effectively turning most smartphones into 24-hour surveillance devices.”12 Hacking represents a serious violation of the right to privacy and can be a deeply distressing experience for victims. Spyware is also a tool of intimidation for journalists, activists, and opposition politicians, serving to suppress media reporting, intimidate critics, or dissuade regime challengers from running in an election. Spyware allows agents to “get inside a political exile’s entire network without setting foot inside the target’s adopted country” while avoiding the attendant risks associated with traditional espionage.13 For this reason, the use of spyware features heavily in transnational repression. One of the most notorious cases was the assassination of exiled Saudi journalist Jamal Khashoggi in the Saudi consulate in Türkiye. After the killing, investigators examined the phones of close associates of Khashoggi’s and discovered that the devices were infected with Pegasus. Saudi security operatives likely used this information to help plan and execute Khashoggi’s murder.14
Limited circumstances can justify the use of intrusive surveillance techniques—such as preventing or investigating a specific serious crime or an act constituting a grave threat to national security. International law holds that targeted surveillance measures should be narrowly tailored to investigate specific individuals suspected of committing serious crimes or acts threatening national security. Spyware should be deployed as a last resort, after “all less intrusive measures should have been exhausted or have been shown to be futile.”15 And the duration and scope of spyware use should be strictly limited only to relevant data. In short, governments should comply with principles of “legality, necessity, and proportionality” when using cyber surveillance technologies.16 But governments rarely adhere to these standards. States exploit national security or public order rationales to give their law enforcement agencies a wide berth to deploy intrusive software against an array of targets, with little regard to the principles of necessity and proportionality. Once those agencies obtain spyware, there are few guardrails governing its use. As David Kaye, the former United Nations (UN) special rapporteur for freedom of opinion and expression wrote:
It is insufficient to say that a comprehensive system for control and use of targeted surveillance technologies is broken. It hardly exists. While human rights law provides definite restrictions on the use of surveillance tools, States conduct unlawful surveillance without fear of legal consequence. The human rights law framework is in place, but a framework to enforce limitations is not.17
Empirically, both authoritarian states and democracies routinely conduct unlawful surveillance against a host of illegitimate targets—political rivals, meddlesome journalists, or government critics. Zero-click software like Pegasus, which does not even require a victim to click on a compromised link or install a corrupted file, offers powerful temptations for political leaders to expand the net of surveillance. While there is growing public pressure among a small group of liberal democracies, such as Greece and Spain, to end their abuses, this is the exception. For the bulk of governments that deploy spyware, there is little likelihood that they will change their behavior. This has led prominent jurists, such as Dunja Mijatović, commissioner for human rights of the Council of Europe, to question whether there are any circumstances that should permit the use of spyware. She observes that tools like Pegasus are a “game-changer in digital surveillance” and that it is “virtually unimaginable that the use of Pegasus or equivalent spyware could ever be considered in accordance with the law and the necessary safeguards as outlined by the [European Court of Human Rights].”18
Spyware operations can be broken down into a couple of categories: 1) national in-house operations and advanced persistent threat (APT) groups—high-capacity actors who carry out sustained intrusion attacks over a prolonged period of time—and 2) commercial spyware vendors.19 Operations in the first category are often carried out by highly capable states, such as the National Security Agency’s “tailored access operations” group, Israel’s Unit 8200, and equivalent Chinese or Russian actors that receive direct or tacit government support. These activities are conducted in a clandestine manner and are challenging to scrutinize. They are not the focus of this paper.
Instead, this paper scrutinizes activities occurring in the second category: commercial spyware sold for profit to government and private clients. These products do not require actors to possess in-house capacity to develop or carry out cyber surveillance attacks. Instead, governments purchase these capabilities directly from companies, which provide after-sales support, such as technical upgrades, product updates, trainings, and related customer services.20 The emergence of the commercial spyware sector has given a wide range of countries the means to acquire advanced surveillance tools they would otherwise struggle to obtain.
GLOBAL CONTEXT OF COMMERCIAL SPYWARE AND DIGITAL FORENSICS
The global spyware and digital forensics industry is booming, bringing record profits in the billions of dollars. In December 2020, Steven Feldstein released a global inventory of commercial spyware that was subsequently included in the book The Rise of Digital Repression.21 The inventory revealed that at least sixty-five governments, both authoritarian and democratic, had contracted with commercial spyware vendors. While not all uses led to abuses, many incidences were linked to major human rights violations. Two years later, we have revised the global inventory and released a new version. The current data set, presented in Appendix 1, which incorporates incidents from 2011 to 2023, includes several important changes:22Incorporates two categories of targeted surveillance technologies: spyware and digital forensics (physical tools used to breach digital devices in order to extract and analyze stored data). It does not include other types of targeted surveillance, such as network monitoring or lawful interception technologies.
Organizes the data set by event type in separate entries rather than aggregating commercial spyware firms by country.
Takes advantage of the wider scrutiny of the spyware industry in the past two years, which has generated more details and sourcing about new vendors and operations.23
The results of the latest data set show that at least seventy-four governments have contracted with commercial firms to obtain spyware or digital forensics technology.
Three companies—NSO Group, FinFisher, and Hacking Team—appear most frequently in the updated data set. This is likely due to two factors: 1) all three companies have registered significant sales and transactions and have been market leaders at various times and 2) as a result, journalists have focused intensively on transactions linked to those companies, possibly overlooking other vendors (in the case of Hacking Team, its 2015 data breach gave journalists far more information to work with than they had for competing firms). In terms of government clients, the data shows that autocratic regimes are far likelier to purchase commercial spyware or digital forensics than democracies: forty-four regimes classified as closed autocracies or electoral autocracies procured targeted surveillance technologies between 2011 and 2023, contrasted with thirty electoral democracies or liberal democracies. Finally, when it comes to countries of origination, Israel is the leading exporter of spyware and digital forensics tools, with Italy and Germany a distant second and third (the latter two countries’ ranks are mostly due to the past presence of FinFisher and Hacking Team). Figure 1 visually depicts the global distribution of spyware and digital forensics surveillance vendors, exporting countries, and procuring governments.
Public scrutiny has tended to focus on top-level commercial vendors—entities like NSO Group, which are capitalized by international private equity firms. These companies offer the most sophisticated products, particularly zero-click infections, which are expensive to obtain and difficult to detect. Zero-click infections allow operators to install malware on a device without the victim having to click on a compromised link or install a corrupted file. These infections exploit security flaws in operating systems such as Apple’s iOS or Google’s Android. By simply sending a message via communications apps like Signal, iMessage, or WhatsApp, operators can remotely execute malicious codes and take control of a victim’s entire device.24 In addition to providing state-of-the-art exploits—pieces of software or code designed to take advantage of cybersecurity flaws—for customers to use against devices, firms like NSO Group offer a full package of support for clients, ranging from monitoring targets and exploitation services to ongoing servicing.
Not many companies can match the capabilities of NSO Group or Cytrox, but that may not matter. Beneath the top tier of companies lies a burgeoning secondary tier of suppliers composed of boutique spyware firms, hacker-by-night operations, exploit brokers, and similar groups. As commercial firms face greater scrutiny from democratic governments about their practices, there has been a corresponding increase in open-source and commercially available malware, which has made it easier for groups to mount attacks.25 Many of these firms are based in countries like India, the Philippines, and Cyprus. And while these tools have been described as the surveillance equivalent of “strip-mall phone repair shops,”26 Meta’s threat intelligence team observes that a “growing number” of APT groups are choosing to rely on openly available spyware tools, including open-source malware from sources such as GitHub, rather than procure more sophisticated offensive capabilities.27
There are a couple of reasons behind this shift. For one, these tools cost far less than customized exploits for sale by large commercial firms. Even if they fail to accomplish an organization’s objectives, obtaining new options takes minimal resources and energy. For example, Meta’s threat team documents a hacker organization based in Pakistan, known as APT36, that directed attacks against government, military officials, and activists. Their goal was to trick targets into installing malware to compromise their devices. To obtain the malware, APT36 simply downloaded a free tool from GitHub called XploitSPY, which they lightly modified.28 Some European companies also rely on open-source codes to craft intrusive software. GR Sistemi, an Italian surveillance tech company, created its Dark Eagle spyware by repackaging an open-source remote access trojan called AndroRAT.29 A Germany-based intelligence company called Wolf Intelligence built its WolfRAT malware using “copy + pasted open source resources.”30 In addition to repurposing openly available sources, it is not uncommon for surveillance firms to copy and recycle their counterparts’ codes. FinFisher has been accused of plagiarizing FlexiSpy, a cheap malware created by a Thai firm to help customers monitor their spouses; Hacking Team allegedly subscribed to multiple consumer malware services “to learn about new intrusion techniques.”31
Groups that rely on low-cost, open-source tools are able to hide in the “noise” and maintain plausible deniability about which organization was culpable for launching the attack. Casey Newton writes, “malware created by state actors often carries telltale signs of who developed it in its code; when everyone is using the same code, though, platforms lose an important signal. . . . If a bunch of different threat actors are throwing the same malware all over the internet, it makes it harder for analysts to pull together exactly who is behind it.”32 This helps explain why in certain situations, actors may actually prefer to use commonly sourced code for malware intrusion attacks, rather than to deploy commercial spyware alternatives. The arrival of OpenAI’s ChatGPT tool could open the door to further malfeasance: cybersecurity researchers have been able to get the text generation tool to write phishing emails and malicious code.33
DIGITAL FORENSICS: DIFFERENT TOOLS, SIMILAR OUTCOMES
The global inventory also documents government use of phone extraction or digital forensics technologies. Unlike traditional spyware, phone extraction requires physically confiscating a target’s device, making this technique less suited for transnational repression. Nonetheless, the level of intrusiveness is comparable to if not greater than that of remote surveillance technology.34 Like spyware, phone extraction enables full, retroactive access to files and messages, as well as metadata about past communications. By establishing a physical connection with the targeted mobile device, forensic hardware (such as Cellebrite’s Universal Forensic Extraction Device, or UFED) is capable of penetrating most security features in order to extract a full copy of data from a cell phone, even when the phone is locked.
A technique called physical extraction can be particularly invasive. By analyzing bit-by-bit a device’s full physical storage, physical extraction techniques can retrieve even “deleted” data from phones (deleted information often leaves behind a footprint in free storage space).35 Other products, like Grayshift’s GrayKey, utilize an exploit to bypass password-guessing limits, allowing law enforcement agencies to apply brute force to penetrate password controls and gain access to a particular device.36 The booming use of cloud storage heightens the risk that intruders can access troves of personal data even if only one device is compromised. Depending on various factors (such as the type of device, security setting, cloud account setting, and operational security), a user of these methods may obtain partial or complete access to extensive categories of data stored on the device, including contacts, call metadata, SMS messages, stored files, app data, location data, Wi-Fi networks, and keychain data.37 Unsurprisingly, these tools have become indispensable to law enforcement. In the United States alone, researchers have documented more than two thousand law enforcement agencies across local, state, and federal levels that have procured phone extraction technology to investigate cases of not just violent crimes but also minor offenses like shoplifting and graffiti.38They include municipal police departments, local sheriffs’ departments, state departments of public safety, and local and federal district attorneys. Such widespread use is problematic because there are few guidelines to clarify when deploying these tools represents an unlawful overreach of civil liberties. In the absence of regulation, it is left to individual officers or agencies to determine appropriate use—a situation that lends itself to abuse.
The similarity between digital forensics tools and remote-control spyware becomes apparent when considering use cases. While phone-cracking and spyware companies assert that they exclusively sell their products to law enforcement agencies tackling crime and terrorism, in practice, they sell their products indiscriminately, failing to adhere to minimal standards of human rights due diligence. For example, despite Cellebrite’s claim to “prioritize a human rights-based approach,” the company’s clients include some of the most repressive regimes in the world.39 Sources indicate that Cellebrite has sold its data extraction technologies to at least twenty-three governments, including such egregious human rights abusers as the governments of Bahrain, China, Myanmar, Saudi Arabia, and the United Arab Emirates (UAE).40
EXPLAINING THE RESILIENCE OF THE GLOBAL SPYWARE AND DIGITAL FORENSICS INDUSTRY
Despite growing public criticism of intrusion software, the sector as a whole continues to flourish. There is some debate about how to handle the industry—many advocates and institutions, including the UN human rights agency, have called for a moratorium on the sale or use of spyware tools “until a human rights-based safeguards regime is in place.”41 As it stands, the intrusion surveillance market is largely unregulated. It is rife with abuse, allowing governments and private actors to deploy surveillance tools with impunity against human rights defenders, journalists, and opposition politicians. There is a strong consensus that the intrusion technology market requires greater accountability and much more oversight. Yet, despite growing public criticism, it continues to operate in an unchecked manner. Public campaigns, surveillance scandals, and policy directives have manifestly failed to constrain the market. What explains this lack of success?
Part of the problem is rooted in the political economy of the spyware market. Simply put, demand for spyware technology remains extraordinarily high—whether from government clients or private companies. Even if one supplier is sanctioned, there is sufficient financial motivation for other suppliers to fill in the gap. The data appears to bear this out. Looking at the different firms that have risen and fallen over the last eleven years, the global inventory shows a clear transition from older suppliers, like FinFisher and Hacking Team, to newer entrants—NSO Group, Cytrox, Candiru, and so forth. While efforts to rein in specific companies have achieved some success, it is unclear whether these actions have dampened overall market demand for spyware. It is possible that recent scrutiny of NSO Group (as well as Cytrox) may reduce the reach of the largest commercial vendors. But as discussed, even if most top-tier firms were put out of business (an unlikely outcome), this would still not shut down the market. Rather, it would hasten decentralization and increase opportunities for boutique firms and informal hacker-for-hire operations to fill in the gap. The fact remains, as long as repressive leaders, unscrupulous law enforcement agencies, and disreputable private companies seek to acquire these tools, the market will respond accordingly. That being said, there is a significant difference in capability between second-tier hacking-for-hire tools and top-of-the-line software from entities like NSO Group. If the result of greater market regulation is to force countries like Egypt or the UAE to procure more rudimentary spyware from boutique operators, this would be a beneficial outcome.
A second problem is that democratic governments have sent mixed messages about whether they are genuinely interested in cracking down on intrusion technology. The European Union is a good example. Despite its relatively stringent rules regulating spyware exports and sales, Europe is a nexus of these technologies. An abundance of domestic commercial spyware companies are based in European countries; these firms develop and sell advanced intrusive technology in their home markets and overseas. An Italian firm, Tykelab/RCS Lab, for instance, has helped clients surveil phone networks in countries such as Costa Rica, Greece, Iraq, Kazakhstan, Libya, Malaysia, Mali, Nicaragua, and Portugal (as well as within Italy itself).42 Sweden’s MSAB, a digital forensics firm and a rival to Cellebrite, has sold its phone-cracking technology to governments in Hong Kong, Morocco, Myanmar, and the United States. Meanwhile, the Austria-based company DSIRF has developed a zero-day malware used to surveil individuals in Austria, Panama, and the United Kingdom.43
In theory, the EU has strict rules of export, but member states can easily get around them due to what Sophie in ‘t Veld, the rapporteur for the European Parliament’s PEGA Committee (which investigates the use of Pegasus and equivalent spyware), characterizes as “deliberate lax national implementation.”44 Companies commonly establish subsidiaries in member states that are willing to overlook spyware operations to evade EU controls. Council Regulation (EC) No. 428/2009 is supposed to ensure consistency across EU member states when it comes to controlling dual-use items, including intrusion software, but in practice, cybersecurity companies take advantage of regulatory fragmentation to establish offices in member states where implementation of export controls is known to be weak.45 For example, NSO Group established subsidiaries in Bulgaria and Cyprus to facilitate selling its products.46 Intellexa, which owns a number of surveillance firms, including Cytrox and Circles, established footholds in Cyprus and Greece.47 Authorities in both countries have refused to disclose Intellexa’s legal filings for non-EU sales. In ‘t Veld notes that “each time the regime for export licenses was tightened in Israel, several companies moved their export departments to Europe, in particular Cyprus.”48
For instance, in January 2023, Haaretz reported that the firm Passitora, controlled by Israeli businessman Tal Dilian and part of the Intellexa alliance, sold mobile intercept surveillance equipment to Bangladesh’s National Telecommunication Monitoring Center (NTMC). The agency monitors internet and social media use, allegedly “eavesdropping on opposition officials, protestors and ordinary citizens.” Bangladesh is not on Israel’s approved licensing list of countries for the export of sensitive technology. To get around this hurdle, Dilian incorporated a subsidiary in Cyprus (which he later relocated to Greece after he got into hot water with the Cypriot government) and exploited loose export regulations to send the equipment to Bangladesh and to later host surveillance trainings for NTMC officials in Greece.49
As it stands, EU legislation does not require member states to assess the adequacy of their legal frameworks when it comes to exporting spyware to countries of destination: “Indeed, there is no need to even consider if the end-use of the technology by the end-user is lawful in the importing jurisdiction.”50 The results are stark; member states have historically approved the “vast majority” of export licenses for cyber surveillance items.51 Research by Security for Sale shows that member states permitted surveillance technology exports at least 317 times between 2015 and 2017, while rejecting only fourteen applications.52 Notably, EU member states appear to be tightening their licensing procedures; in 2019, member states granted forty-four licenses for listed cyber surveillance items, while issuing eighty-one denials.53 Figure 2 shows licensing approvals granted by the EU for cyber surveillance items between 2014 and 2020.
EU agencies, institutions, and member states also circumvent the bloc’s own rules when it comes to exporting and transferring intrusive technologies. In a December 2022 hearing organized by the European Parliament, Ilia Siatitsa from Privacy International explained how EU institutions have facilitated the “direct transfer of surveillance equipment to third countries,” as well as financing and training security services in the use of these tools.54 Siatitsa noted that EU bodies have even promoted legislation in third countries to enable surveillance.55 In one example, Privacy International discovered that in a training session supported by the EU, the national police force of Spain promoted the use of malware or computer trojans to law enforcement authorities in Bosnia and Herzegovina. In another instance, EU allocations from the Emergency Trust Fund for Africa allowed Niger’s government to acquire mobile interception technology, despite the government’s record of human rights violations. This transaction occurred due to the European Commission’s failure to carry out a risk assessment prior to agreeing to support projects with surveillance implications.56
On the demand side, European democracies have procured commercial spyware for many years. In ‘t Veld writes, for example, that twenty-two end users in at least fourteen EU member states have acquired Pegasus. Export regulators often consider EU membership to be a sufficient guarantee for compliance with the highest standards of human rights and exempt EU countries from further human rights due diligence. Israel’s export authority, for instance, does not require EU member states to submit individual human rights assessments, which are normally required, when they apply for export licenses.57 But this presumption of compliance is clearly insufficient, considering the pattern of abuses occurring in countries like Greece, Hungary, and Spain.58 In fact, Spanish authorities have been embroiled in a sprawling spyware scandal, with more than sixty-five individuals targeted or infected by Pegasus or Candiru malware between 2017 and 2020.59 The victims—representing large swaths of Catalonia’s civil society, government, and elected officials—were likely targeted by Spain’s national government for their support for Catalan independence. Part of spyware’s appeal, including for European law enforcement, is that it allows operators to circumvent end-to-end encryption, which Ronald Deibert notes has become a “growing barrier to government mass surveillance programs that depend on the collection of telecommunications and Internet data.”60 Spyware offers a workaround, permitting agents to get inside a user’s device in order to read communications, access confidential documents, or listen in on calls before encryption or after decryption.61 Spyware’s prevalence in Europe, both as a tool of export and as an instrument of domestic surveillance, is a powerful reminder that surveillance abuses are not unique to authoritarian regimes. All countries, regardless of regime type, are susceptible to misusing spyware when safeguards and oversight are absent or inadequate.
Israel is another major exporter of commercial intrusive technologies. Our inventory shows that fifty-six out of seventy-four governments have procured spyware and digital forensics technologies from firms that are either based in or connected to Israel, such as NSO Group, Cellebrite, Cytrox, and Candiru.
Israel’s prominence in the intrusion technology market is not surprising. The country’s spyware industry has benefited from the diffusion of technical know-how from its defense establishment. A study cited by Haaretz claims that 80 percent of the 2,300 people who founded Israel’s seven hundred cyber companies had served in Israel Defense Forces (IDF) intelligence units, notably Unit 8200.62 As reported by the New York Times, nearly every member of NSO Group’s research team has worked at some level of the Israeli Military Intelligence Directorate.63 Similarly, the founders of spyware firm Candiru—Eran Shorer and Yaakov Weizman—reportedly served in Unit 8200 and worked at NSO Group before establishing a rival business.64 Tal Dilian, the founder of Intellexa, an alliance of cyber surveillance companies which includes Cytrox, served as a commander for the IDF’s Unit 81, an entity responsible for developing intelligence tools for the IDF’s special operations units and for other defense agencies.65
Israel’s government maintains significant leverage over private cybersecurity firms through export control regulations. Under the 2007 Defense Export Controls Law, manufacturers of cyber weapons are required to obtain export licenses from the Ministry of Defense to sell their products abroad. Geopolitical interests play a role in determining whether licenses will be granted.66 For example, in March 2022, Israel’s Defense Exports Controls Agency blocked Ukraine from purchasing Pegasus and restricted Estonia from using Pegasus against Russian targets.67 Reportedly, Israeli officials were concerned that these sales could “provoke a confrontation” with Russia, whose military has been supporting the Syrian government’s campaign to extinguish the remnants of the 2011 rebellion against President Bashar al-Assad—operations which are occurring near Israel’s northeastern border.68 Russia has also allowed Israel to confront Iran and Hezbollah in Syria, an arrangement that could be jeopardized if Israel were to assist Ukraine against Russian forces.69 And when the United States blacklisted NSO Group and Candiru in 2021, Israeli officials lobbied Washington to take the companies off the blacklist. They maintained that the companies’ activities were “of great importance to the national security of both countries” (Israeli officials were reportedly willing to commit to “much tighter supervision on licensing the software” if the United States lifted the ban).70
SETTING LIMITS
The proliferation of commercial intrusion technology remains a pressing problem worldwide. As our global inventory shows, more countries than ever are deploying targeted surveillance tools for a variety of objectives—many of which directly reinforce repressive political ends. Democracies are some of the worst offenders, particularly when it comes to allowing dubious companies to set up shop, exploit regulatory loopholes, ship products to bad actors, and summarily rake in profits. While high demand for spyware will likely keep the industry afloat in the near term, that does not mean policymakers’ hands are completely tied. The most realistic scenario to curb government abuse of spyware is to focus on supply-side strategies to limit states’ abilities to acquire intrusion software. This means requiring spyware and digital forensics companies to stop selling their tools to the most egregious human rights offenders, or to force vendors to implement mandatory human rights due diligence requirements. Recent developments, such as the U.S. blacklisting of NSO Group in 2021—which has driven the firm to the verge of bankruptcy—illustrate how economic leverage can force the industry to reckon with the consequences of human rights violations.71 These actions offer hope that political will is starting to build. But meaningful change will not occur without a genuine recognition from democratic policymakers that the harms from spyware outweigh its political, financial, or geopolitical benefits.
It is worth noting that while authoritarian regimes make up the majority of government spyware clients, most commercial spyware and digital forensics technology stems from Western companies based in liberal democracies. Israel, Europe, and the United States are home to numerous firms that have relentlessly exploited legal loopholes and used complex and opaque corporate structures to evade accountability. The maneuverings undertaken by Dilian illustrate just how far certain individuals will go to find friendly jurisdictions that will turn a blind eye to their activities.
Thus, a useful starting point to hold the industry accountable is for governments in Europe, Israel, and the United States to enhance their policy and regulatory cooperation on intrusion software. Mandating that companies exhibit more transparency about their ownership structure and where they are headquartered would bring considerable benefits. Spyware companies routinely cover their tracks by creating complex corporate structures to obfuscate their legal registration, what laws they are bound by, and who their clients are. After a scandal comes to light, firms will rebrand or rename themselves to create distance from the allegations. An investigative analysis from Lighthouse Reports sheds light on Dilian’s web of companies:
Three companies called Intellexa were registered, in Greece, Ireland and the British Virgin Islands. All three were owned by an Irish holding company, Thalestris. As Inside Story dug into company registers in Greece and Cyprus they found that Thalestris also controlled companies named Apollo, Hermes, Mistrona, Dernova, Lorenco and Feroveno — some of which were seemingly registered to a rubble-strewn vacant lot in downtown Limassol. Thalestris, in turn, was partly dependent on money from another Virgin Islands entity, Chadera Enterprises, which — behind a veil of anonymity — was ultimately controlled by Dilian and two of his associates, leaked documents reveal.72
Individuals like Dilian are adept at hopscotching between jurisdictions to evade accountability. An important means to counter this strategy of “deliberate corporate obfuscation” is for Europe, Israel, the United States, and other relevant jurisdictions to improve their information-sharing and create unified registries of cyber surveillance firms.73
When it comes to the EU, the bloc suffers from fragmentation. Certain member states are reluctant to enforce basic regulations governing the licensing and export of spyware. Countries like Bulgaria, Cyprus, Greece, Hungary, Italy, and Malta are havens for spyware companies—which operate with minimal oversight. The problem has become so acute that it is common practice for firms to relocate from other jurisdictions, whether from adjoining EU member states or externally, to take advantage of loose export laws. This is a clear vulnerability; it behooves the European Council to push for more consistency and minimum standards of enforcement. But the problem is more than just fragmentation; European policymakers are disinterested in acting. In ‘t Veld writes: “The European Council and the national governments are practicing omertà. There has not been any official response to the scandal by the European Council. Member State governments have largely declined the invitation to cooperate with the PEGA committee. Some governments downright refused to cooperate.”74 In Greece, following a four-day visit by the PEGA Committee to investigate evidence of broken laws related to the country’s Pegasus scandal, a senior official contemptuously uttered: “We piss on PEGA.”75 It is difficult to envision meaningful change taking root until this policy calculus shifts.
The situation in the United States is more promising. The blacklisting of NSO Group and Candiru not only hamstrung two major spyware players, but also served as a warning shot to other companies in the industry. A forthcoming executive order prohibiting U.S. government use of commercial spyware “that poses counterintelligence or security risks to the United States or risks of being used improperly” is another auspicious development.76 President Joe Biden’s administration can take further steps to build on this progress.
First, Washington should seek to multilateralize the Entity List with regard to spyware companies. A good starting point would be to pressure European countries to set up a parallel entity list and to similarly sanction NSO Group, Candiru, and other firms.
Second, the United States should reconsider its current permissive approach toward digital forensics technologies. While there is a growing norm against law enforcement agencies using spyware, the same cannot be said for data extraction techniques. Over two thousand U.S. law enforcement agencies have procured digital forensics technology to investigate criminal cases.77 The privacy consequences and potential harms from these tools are significant. These technologies allow agents to access extensive categories of data stored on devices, including contacts, call metadata, SMS messages, photos, stored files, app data, location data, Wi-Fi networks, and keychain data. At a minimum, the Biden administration should mandate a comprehensive privacy review of these technologies, evaluating the potential for overreach and abuse. Further, given the large number of U.S. companies exporting digital forensics products overseas—including to authoritarian regimes—enacting a temporary export ban (until the administration has implemented stricter licensing requirements) would be reasonable.
Third, and more difficult, the United States should take a harder stance when it comes to establishing intelligence and cybersecurity partnerships with governments that are known abusers of spyware technology. The recent agreement spearheaded by the United States to expand cybersecurity cooperation under the Abraham Accords is a good case in point. In January 2023, the United States announced it was broadening its collaboration on “cyberdefense” to include Bahrain and Morocco to the existing partnership between the United States, Israel, and UAE.78 Bahrain, Morocco, and the UAE have faced extensive criticism for deploying spyware against government critics and journalists. As Deibert notes, “All of them have a track record of using mercenary spyware to target human rights defenders and political opposition, and the UAE has a long and very disturbing history of employing defense and intelligence contractors for information operations.”79 This sends a mixed signal about U.S. policy intent. On the one hand, the Biden administration has admirably cracked down on NSO Group and other firms with unlawful patterns of behavior. Yet, by entering into a cyber agreement with governments that routinely abuse spyware, the administration undercuts its other actions.
When it comes to Israel, accomplishing a major shift on spyware is unlikely. But two small ideas could help. One of the few multilateral configurations designed to address the proliferation of intrusion malware is the Wassenaar Arrangement. While Israel has incorporated the Wassenaar list of dual-use items in its export control regime, it currently is not a formal member of the arrangement and is exempt from reporting on its transactions and full disclosure of its activities in this area.80 While Wassenaar suffers from its own limitations, such as relying on the voluntary cooperation of its members to enforce compliance, all sides would benefit from Israel officially joining the arrangement.
Second, Israel’s licensing regime, overseen by the Ministry of Defense, gives scant consideration to the human rights or democracy records of recipient governments. Israel continues to approve spyware exports to a bevy of authoritarian states. When Israel has denied licenses—such as by excluding Bangladesh from its list of approved countries—this has been done for geopolitical reasons (regarding the export prohibition against Bangladesh, Israel was concerned that sensitive technology would fall into the hands of Pakistan).81 While it is reasonable for Israel to prioritize its national security, its authorities should also take into account the human rights records of potential recipients. The Israeli government may have little interest in incorporating human rights considerations in its licensing process, but NSO Group’s blacklisting offers an opening. In Israel’s bid to reverse the U.S. decision, its government offered to implement “much tighter supervision on licensing.”82 The Biden administration should make these trade-offs more explicit: restrict commercial spyware exports to human rights–abusing countries, or other spyware firms will be placed on the Entity List.
The global spyware and digital forensics market continues to expand; governments display an unceasing appetite to acquire intrusive surveillance instruments that are doing irreparable harm to the rights to privacy and freedom of expression and opinion. As digital technology becomes central to economic and political life, it is imperative that citizens demand accountability for these products and that democratic governments respond accordingly.
APPENDIX I. GLOBAL INVENTORY OF COMMERCIAL SPYWARE AND DIGITAL FORENSICS TECHNOLOGY
Note: the complete global spyware and digital forensics inventory can be accessed here:
https://data.mendeley.com/datasets/csvhpkt8tm/10. The table below represents a distillation of more comprehensive findings.Country of deployment Regime Type Commercial Entity Description
No comments:
Post a Comment