When the US Department of Commerce announced at the beginning of November that it had added four organizations to its list of malicious cyber actors, the reaction from technology experts, journalists and human rights defenders was nearly unanimous: Great move, but long overdue.
The department’s move comes at least 15 years after the surveillance tech industry began developing and selling technology that could be put to malicious use. During the intervening time, human rights defenders, journalists and politicians have been the victims of this hands-off regulatory approach.
But the tide is changing, it seems. In July 2021, it was revealed that the Pegasus spyware manufactured by Israeli company NSO Group has been used to monitor human rights activists, journalists and politicians around the globe. This was not the first time this firm had come under scrutiny. In 2018, Amnesty International revealed that the spyware tool has been used to surveil human rights activists in Saudi Arabia. Amnesty International supported legal action against the company for its activities in Mexico, Saudi Arabia and the United Arab Emirates. In 2020, the Citizen Lab and The Guardian revealed that NSO spyware had been used to target Togolese citizens amid pro-reform demonstrations in the country.
But a global investigation earlier this year, led by the Forbidden Stories consortium, the Citizen Lab and Amnesty Tech, may have woken law makers from their slumber, as recent regulatory actions against the NSO Group and the surveillance industry suggest. The revelations led to widespread condemnations from law makers and governments, investigations, diplomatic tensions, and even arrests.
The cynics among us may believe that the reaction is partly due to the listing of prominent politicians, such as French President Emanuel Macron and many members of his cabinet, as persons of interest by government clients of NSO. Such clients include Saudi Arabia, Morocco, Hungary, India and the United Arab Emirates.
In July 2021, right after the Pegasus revelations, former UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression David Kaye and tech policy expert Marietje Schaake wrote in The Washington Post that “we are on the precipice of a global surveillance tech catastrophe, an avalanche of tools shared across borders with governments failing to constrain their export or use.” They are right. The NSO Group, Clearview AI and Blue Wolf are just the tip of the iceberg. There is a plethora of emerging computer surveillance, facial recognition software, and other intrusion and interception technologies that we know little or nothing about.
Why? Because the firms operate in a world that is increasingly private, lucrative and transnational, to the point that UN human rights experts recently warned against the “growing use of mercenaries in cyberspace.”
Just how widespread is the private surveillance tech industry? According to a new report from the Atlantic Council, the industry has been allowed to grow in such secrecy that it is difficult to know who the players are. Analyzing providers of interception and intrusion capabilities, the report’s authors conclude that multiple firms with headquarters in the European Union and the Middle East market their tools to the United States’ and North Atlantic Treaty Organization adversaries. The authors rightly label firms such as Cellebrite and BTT as “irresponsible proliferators” for their willingness to sell these tools to potentially malicious buyers. To consider just one example: Cellebrite, a phone-hacking software built by an Israeli firm, was sold to countries such as Russia, Belarus, Venezuela and China where it could be deployed to surveil pro-democracy protesters.
The Atlantic Council report also illustrates that, for years, Western countries have facilitated the exposure, transfer and marketing of these technologies, including to known bad actors. Access Now pointed out recently that EU institutions provide funding and training in surveillance techniques to security and intelligence agencies in countries with poor human rights records, such as Niger and Tunisia. Amnesty International has also condemned the European Union for letting European companies sell their invasive biometric surveillance technologies to the Chinese government.
Should we succumb to the idea that digital surveillance has become so engrained and sophisticated that there is nothing we can do to combat it? No. Passivity is not the answer.
Risks for Human Rights Defenders
Today, more than ever, human rights activists and journalists depend on the internet and mobile phones to carry out their work. Yet they have few resources to protect themselves against spyware deployed by powerful governments.
Surveillance technology firms such as the NSO Group continue to argue that their technologies are developed for national security reasons, to help “government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.” But these tools can also land in the wrong hands, especially if the companies do not have proper business and human rights regulations in place.
The risks for human rights activists, journalists and opposition politicians are real — sometimes a matter of life and death. When Pegasus is installed on a person’s phone, the attacker gets access to the device’s messages, emails, contacts, camera and microphone, voice calls, location data and more. This is surveillance on a whole other level since it targets not only the individual but anyone in contact with that person. And let us never forget prominent Saudi journalist Jamal Khashoggi, who was murdered by agents of the Saudi government in Istanbul. Although there is no evidence that Pegasus was used on his own phones, both before and after his murder, three phones owned by members of his inner circle were infected by Pegasus.
A 2021 report by Access Now shows that the situation is getting worse, as authoritarian governments invest in spyware while companies fail to adopt human rights policies and ignore harms. Among the biggest threats are account compromise, malware on devices and communication surveillance. Those most targeted by malware are journalists, followed by workers for non-governmental organizations upholding and defending human rights. Women’s rights organizations are particularly at risk, and civic space is shrinking in jurisdictions around the world.
At a UN General Assembly side event in October 2021, the head of Amnesty International, Agnès Callamard, argued that spyware technologies are weapons against human rights and democracy. Similarly, at the end of October, Jelena Aparac, the chair-rapporteur of the UN Human Rights Council’s Working Group on the use of mercenaries, stated that cyber activities can violate “the right to life, economic social rights, freedom of expression, privacy, and the right to self-determination.” Just the thought that one’s phone could be hacked and every communication monitored has a chilling effect on the person targeted. When journalists or activists go quiet, civic space shrinks. When political opponents are targeted, electoral processes are compromised. So, too, is democracy.
Protecting the Defenders
If human rights defenders and journalists lack the power and resources to protect themselves, who is helping them? Should we succumb to security nihilism, the idea that digital surveillance has become so engrained and sophisticated that there is nothing we can do to combat it? No. Passivity is not the answer. We can still confront the surveillance industry.
As Marietja Schaake and David Kaye wrote in their July 2021 Washington Post piece, “For years, the global spyware industry has operated in the shadows, exposed only by human rights organizations and journalists.” Ironically, the people we have to thank for revealing what lies below the tip of the iceberg are not governments, who have an obligation to protect citizens, but academics, tech insiders, journalists, human rights organizations and whistle-blowers.
The Pegasus Project’s revelations, much like Frances Haugen’s revelations about Facebook, are part of a much larger battle that has been taking place for years, going back to Edward Snowden’s sharing of National Security Agency documents in 2013 and journalist Carole Cadwalladr’s investigative reporting on Cambridge Analytica in 2018. As these cases illustrate, it is often individuals and organizations who educate the public and push policy makers to act.
As the surveillance industry has grown, so has the global network of digital security defenders and researchers. Organizations such as Access Now, Amnesty International, the Citizen Lab, Front Line Defenders and CIVICert have taken on the responsibility of investigating the industry. They work with journalists from large media outlets such as The Guardian and The New York Times, as well as from local organizations such as R3D in Mexico, to bring their findings to the public.
Amnesty Tech, for example, conducts technical investigation into cyberattacks against civil society. Its Security Lab and Secure Squad provide services to human rights defenders and journalists, including peer support on tech and security and legal help. In July 2021, the Security Lab even released a mobile verification tool kit that can check if one’s phone has been targeted. Access Now, which was born out of Iran’s Green Revolution to help protesters get back online and now has offices around the world, helps human rights activists mitigate cyber harms through a digital security helpline and rapid-response emergency assistance. In Canada, we can count on the Citizen Lab for thorough investigations into the prevalence of digital espionage operations against civil society groups. Investigations like these require time and resources because they are legally fraught and involve journalists and information technology experts from around the globe.
As surveillance technologies become more invasive and illiberal governments more shameless, the work of these organizations is increasingly fundamental to keeping civil society safe. In the manner to which we have grown accustomed, governments, courts of justice, regional and international agencies will continue to respond reactively to these problems, especially since so much time has already been lost. Inertia, lack of vision and bureaucracy mean that policies and regulations rarely emerge in a preventive manner. For example, it took years of revelations by tech experts, media and human rights organizations for the United States to place the NSO Group on a blacklist and for the European Union to take a small step toward updating trade controls on dual-use technologies.
The fight of journalists, researchers, activists and rights defenders against malicious governments and the surveillance industry is uneven. Individuals typically lack the financial resources, public relations machine and battalions of lawyers that governments and tech firms have at their disposal. That is why they deserve — indeed, require — greater public support.
Raman Jit Singh Chima, Asia policy director and senior international counsel at Access Now, argues that we should “understand that people who protect civil liberties, rights and democracy are critical infrastructure,” similar to those who maintain our health facilities and water systems. Human rights defenders and journalists are essential to the well-being of our societies and the health of our democratic systems. And they are more at risk than ever, as this year’s award of the Nobel Peace Prize to journalists Maria Ressa and Dmitry Muratov recognizes.
As we await better domestic frameworks and global agreement on use and trade in intrusive surveillance, we must also remember that legislation is not the lodestar. The urgency of the situation requires collective efforts and engagement, including supporting at-risk activists and journalists, and the digital safety organizations that have been trying to help them for years.
The many investigations into the surveillance industry that are making headlines today are a wake-up call not only for policy makers but also for every citizen of every democracy. When it comes to defending shared values, we all have skin in the game.