Accountability for illegal surveillance by spyware
The sale and misuse of spyware have raised questions about serious infringements of fundamental rights and lack of accountability.
The Pegasus Project, a collaborative media investigation conducted by Amnesty International and Forbidden Stories and peer reviewed by the Citizen Lab, had access to more than 50,000 phone numbers of potential surveillance targets, and found that dissidents, human rights workers and politicians around the world have been tracked by the Israeli cyber firm NSO Group’s spyware tool, Pegasus.
According to the Washington Post, even though phone numbers were not attributed to individuals, research and interviews enabled reporters to identify more than 1,000 people from over 50 countries. This included the numbers of “several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials”.
Identifying those who commissioned the abuse is a multistakeholder endeavour
Since the publication of the Forbidden Stories investigation on 20 July 2021, two Mediapart journalists have filed a joint complaint with the Paris public prosecutor asserting that their mobile phones had been infected by the Pegasus spyware. The complaint led to a technical analysis by the French National Agency for the Security of Information Systems (ANSSI), which reached the same conclusion as the Amnesty International Security Lab: that Pegasus spyware was found on the journalists’ phones. Methods that led to infection of the devices and the dates and duration of the surveillance were also confirmed in the investigation.
The technical analysis carried out by civil society actors can confirm the existence, or past traces, of the spyware on a device – an important step towards identifying an infection and limiting the further victimization of the targeted individual. However, the stealth nature of Pegasus, and spyware in general, renders it difficult to determine who deployed it on the device and where the target’s information was sent.
However, public attribution that identifies the actor and builds on, complements and reinforces the findings of the technical analysis is a first step to achieving accountability. Accountability is a responsibility of all actors and, perhaps most importantly, is a crucial, tangible avenue for the redress of victims if their government holds accountable those who caused the violation of victims’ human rights.
To achieve accountability for abuses of human rights and fundamental freedoms due to the use of spyware, there has to be public attribution, by a government, to those who ordered or sanctioned the deployment of such tools. The government has to rely on its investigative and judicial capabilities, analysis of geopolitical events and particular timing of triggering events, in addition to forensic evidence, to link the deployment of the spyware on a device to a particular individual, group or state.
Taking legal action
In July 2021, the French government initiated a formal investigation based on a complaint filed by its citizens, an action that took it one step closer to fulfilling a responsibility to protect its citizens and human rights more broadly. However, a formal investigation is another step towards accountability as France, or any other government responsible for protecting human rights, will need to build a set of practical standards for responsible state behaviour by holding the perpetrators to account through practical measures.
The investigation put forth by the French government is an important precedent where public attention from a government is being given not only to the existence of the spyware as a tool, but also to the responsibility of its vendor – in this case the NSO Group – or a government for allowing the export of such tools.
The case is focusing attention on those who commission, finance, and/or sanction such abuse, and driving accountability on their part. In short, all of these elements must be addressed comprehensively to mitigate the detrimental phenomenon that is spyware as a service.
Government responses to individual complaints or suspected cases of targeting by spyware vary. In India, for example, individuals brought forward cases to the Supreme Court, which is hearing petitions to determine the legality of surveillance of individuals critical of the current political leadership.
Likewise, Hungarian prosecutors have opened a probe into suspected unlawful surveillance following multiple complaints in the wake of allegations of misuse of the Israeli-made Pegasus spyware. Hungarian police said this week they had received two complaints about the alleged abuses, one from a private individual and one from a politician.
The non-profit organization Reporters Without Borders has taken action at the international level and referred the cases of 17 journalists from around the world to four UN special rapporteurs in order to put pressure on suspected governments to explain why they used Pegasus.
Drawing the line when it comes to individual rights
States have the legal obligation to protect and promote human rights and hold those who violate them to account. Spyware exfiltrates private and confidential information about its target in ways that, if used outside of the framework of permitted interference with human rights (legitimate aim, necessity, proportionality), lead to their violation. Moreover, when utilized by governments to target their own or foreign citizens in order to suppress opinion or dissent or illegally gain access to information, it represents a misuse of technology to perpetrate further human rights abuses and undermine democratic values and processes.
Oftentimes, the information obtained using spyware is used to commit further violations of human rights and individual freedoms, such as freedom of the press. The abuse of spyware threatens peace and human security by exposing individuals to persecution. Other governments should therefore join France to investigate and take measures to protect the rights of targeted individuals.
State-on-state espionage, regardless of the tools employed, is an inevitable and generally accepted part of international affairs.
However, if a state actor is abusing tools to infiltrate the private lives of citizens – with untold potential consequences to their human rights and fundamental freedoms – the line should be clearly drawn. In addition, spyware exploits identified software vulnerabilities and its use weakens the collective security of ICTs.
Operationalizing accountability at the international level
Redress for victims and remediation of human rights violations can come from the national level, such as in France, where a range of legislative provisions is available, including substantive laws regarding data interference and the misuse of devices. But it can also come from the international level, where diplomatic tools and normative instruments are available.
Collectively, governments around the world shape the political and normative environment related to spyware as a service, and so a coordinated approach to responsible state behaviour at the international level would be an important step towards accountability. Discussions on the application of international law and norms are a tangible first step in this direction.
However, accountability is only possible if governments act on their responsibilities to identify the perpetrator(s) and hold individuals and governments to account for targeting individuals with surveillance tools in a manner that contravenes human rights. This is an important element of the accountability chain, in addition to challenging those who create, market, and distribute spyware, including governments that enable the export of tools to other governments with a track record of human rights violations.
Accountability also entails the willingness of governments to be transparent about their procurement of these spyware tools – in addition to taking responsibility for their use. Transparency is an important step in the readiness to demonstrate that abuses of human rights and fundamental freedoms have not been conducted in the pursuit of national security interests.
Regardless, the response of the French government and the international community will depend on the outcome of the various ongoing investigations.
If the culprit is identified, and depending on who the culprit(s) will be, the relevant governments could potentially invoke the violation of sovereignty due to domestic interference in their efforts to hold the perpetrator(s) accountable. If a state is found to have violated the human rights of citizens of another state, obligations come into force on the basis of the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR).
These are just a few examples, but it is likely that more people will come forward with complaints that they have been targeted by spyware. It is crucial for governments and the international community to move beyond technical analysis and use all of the options in their national security and intelligence toolbox to identify the entity that sanctioned or ordered the deployment of these tools, and live up to their primary responsibility to protect human rights and fundamental freedoms.
This is the moment to operationalize the concept of accountability to ensure that those who violate human rights and fundamental freedoms through the misuse of spyware are held accountable and, perhaps most importantly, to deter this malicious behaviour in the first place.
Klara JORDAN, Chief Public Policy Officer at CyberPeace Institute. Klara is also a nonresident Senior Fellow with the Cyber Statecraft Initiative of the Atlantic Council.
The CyberPeace Institute has joined more than 100 civil society organizations and independent experts in calling on states to implement an immediate moratorium on the sale, transfer and use of surveillance technology.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.