The misuse of offensive cyber capabilities (OCCs), also known as surveillance spyware, infringes on fundamental human rights, including privacy and freedom of expression, threatens peace and security, and undermines trust in technology. It is time for a moratorium on the sale and use of spyware.
We have witnessed reports of a growing international and highly lucrative market for OCCs since August 2016, when researchers at Citizen Lab discovered NSO Group’s Pegasus spyware deployed to target the device of Ahmed Mansoor, a prominent UAE-based human rights defender. Civil society organizations and NGOs, such as the CyberPeace Institute, have repeatedly expressed concern about countries that abuse OCCs to target dissidents, opposition figures, journalists, lawyers, and other members of civil society. It is evident that the real impact of the sale and use of OCCs is that people’s lives are at stake.
Companies claim that their products and services – which exploit software vulnerabilities – are only sold to government agencies to fight crime and terrorism. However, in the name of “national security” the reality is very different: these companies sell OCCs to customers with known records of serious human rights abuses. Compounding this problem is the fact that vendors are able to shield themselves from scrutiny by hiding behind shell companies and in tax havens. Governments also avoid public transparency and accountability for their surveillance operations and jeopardize the rule of law.
States have the legal obligation to protect and promote human rights and hold those who violate them to account. Spyware exfiltrates private and confidential information about its target in ways that, if used outside of the framework of permitted interference with human rights (legitimate aim, necessity, proportionality), lead to their violation. Moreover, when utilized by governments to target their own or foreign citizens in order to suppress opinion or dissent or illegally gain access to information, it represents a misuse of technology to perpetrate further human rights abuses and undermine democratic values and processes.
At the World Economic Forum meeting in Davos, in May 2022, the CyberPeace Institute joined Access Now, the Office of the High Commissioner for Human Rights, Human Rights Watch, Amnesty International, the International Trade Union Confederation, and Consumers International to call on decision makers to take action and initiate a moratorium limiting the sale, transfer and use of abusive spyware until people’s rights are safeguarded under international human rights law.
This is in addition to a call made in 2021, in which the CyberPeace Institute joined more than 100 civil society organizations calling for a global moratorium on the sale and transfer of surveillance technology until rigorous human rights safeguards are adopted to regulate such practices and guarantee that governments and nonstate actors don’t abuse these capabilities.
The Pegasus Project, a collaborative media investigation conducted by Amnesty International and Forbidden Stories and peer reviewed by the Citizen Lab, had access to more than 50,000 phone numbers of potential surveillance targets, and found that dissidents, human rights workers and politicians around the world have been tracked by the Israeli cyber firm NSO Group’s spyware tool, Pegasus.