
One Step Forward? Agreement on Spyware Regulation in the Pall Mall Process

On April 3–4, 21 countries, led by France and the United Kingdom, signed a non-binding Code of Practice to address the multiple challenges they face from the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCICs), which the Code frames in terms of “the development, facilitation, purchase, transfer and use of commercial cyber intrusion capabilities (CCIC).” I have written previously on the potential of the “Pall Mall Process,” emerging from the U.K.-France Cyber Initiative, to regulate spyware. Now this new Code of Practice demonstrates concrete action to advance regulation and accountability of a surveillance tech market conspicuously defined by misuse, egregious human rights violations and a lack of transparency.

This week’s court ruling ordering NSO Group to pay $167 million in damages to Meta highlights the gravity of the harms caused to journalists, human rights advocates, lawyers and government officials. The decision reflects a growing recognition that civil remedies should count the costs of the violations caused by spyware. But this one case does not solve the larger problem of systemic abuse, and it underscores the pressing need for robust international frameworks to regulate commercial spyware and protect human rights.

The new Code is a positive development towards creating a global regulatory mechanism for spyware. Nonetheless, a fundamental question remains: whether this Code is sufficiently robust to stem the abuses and flagrant misuse of surveillance technology by both authoritarian and careless states, as well as by malign non-state actors.

The reasons for regulation are compelling. As the 2024 Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, led by the United States, unequivocally set out, such powerful and invasive tools have been used to “target and intimidate perceived opponents and facilitate efforts to curb dissent; limit freedoms of expression, peaceful assembly, or association; enable human rights violations and abuses or suppression of civil liberties; or track or target individuals without proper legal authorization, safeguards, or oversight.” The Code of Practice is a significant advancement that injects new momentum into regulatory efforts, but it also comes with drawbacks and concerns that I set out below.

The Code has several positive features. It is structured with a short overarching Preface, followed by four Pillars that variously address Accountability (Pillar 1), Precision (Pillar 2), Oversight (Pillar 3) and Transparency (Pillar 4). Encouragingly, the Code demonstrates a clear move from exhortation to action by twenty-one States (not yet including the United States, which has recently indicated an intention to sign on). It is unambiguous about the security and human rights challenges posed by commercial cyber intrusion capabilities:

“… the proliferation of CCICs raises questions and concerns over the impact of their potential irresponsible use on national security, respect for human rights and fundamental freedoms, international peace and security, and an open, secure, stable, accessible, peaceful and interoperable cyberspace.” (Section 1.2.a)

First, the Code has a wider reach than simply addressing mercenary spyware, as its scope is focused on commercial cyber intrusion capabilities broadly defined. On the one hand, this means States are taking seriously the multiple tools being deployed against their national security that also produce grim human rights effects. Yet the Code’s wider aperture may inadvertently obscure the unique threats posed to legal and political systems by the flagrant abuse of mercenary commercial spyware. This in turn raises profound questions about whether the Code goes far enough to address the abuses and vulnerabilities that are specific to spyware.

Second, this Code positively affirms State human rights obligations: it is grounded in, and makes substantial references to, the human rights treaties and standards. References throughout the text include: ‘human rights and fundamental freedoms’ (Section 2.a.i & 3.b), protection of privacy and freedom of expression (Section 2.a.i & 3.b), ‘principles of sovereignty and non-intervention’ (Section 3), ‘business-related human rights violations’ (Section 6), accountability including under international human rights law (Section 8), echoing human rights treaty standards, CCICs only being used for ‘lawful, legitimate and necessary’ purposes (Section 8.a.i.), that ‘export control licensing decisions’ should account for ‘internal repression’ and the ‘commission of violations or abuses of human rights’ (Section 8.b.i), the obligation to ‘assess vendors’ with regard to the rule of law and applicable international law (Section 8.c.i.), mitigating adverse human rights impacts (Section 8.c.iv), providing support for victims (Section 8.e), and undertaking oversight with due diligence with reference to ‘principles such as lawfulness, necessity, proportionality, and reasonableness’ in the work of States (Section 10). This integration of rights language is progress, and demonstrates a positive development that places human rights compliance at the heart of State practice.

Third, the Code affirms accountability as an indispensable part of regulation. It identifies transparency mechanisms to enable adequate knowledge of cyber intrusion capabilities (Pillar 4); and introduces a new terminology of ‘precision’ in CCIC use to (theoretically) preempt manifest human rights abuses (Pillar 2). Politically, the Code shows the determination of the United Kingdom and France to build on the Biden administration’s actions to address the double scourge of spyware-exposed security vulnerabilities and rights violations. This need is compelling, as I estimate that over 100 States have used or acquired spyware capacity.

Nonetheless, I offer some caveats. The Code is premised on an acceptance of spyware (and other tools) used by States. It is remarkable to see this breakneck embrace by States who previously feigned embarrassment and dodged positive affirmation of domestic spyware deployment when abuses were revealed. This turnabout represents a break with the firm affirmation by the U.S. government and other States in the 2024 Joint Statement that held unequivocally:

“We therefore share a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes, in light of our core interests in protecting individuals and organizations at risk around the world; defending activists, dissidents, and journalists against threats to their freedom and dignity; promoting respect for human rights; and upholding democratic principles and the rule of law.”

Worryingly, we appear to be marching toward a new world of normalized spyware usage. The move is highly challenging for rights protection, for civil society and for State security. The Code accepts that there is a legitimate state market for these tools including spyware, and de facto affirms they are in widespread usage:

“Many of these tools and services can be developed or used for legitimate purposes” (Section 2.a).

“The market for CCICs encompasses a wide variety of cyber intrusion companies offering products and services that are continually evolving and diversifying” (Section 2.b).

The Code’s approach ignores previous calls for a ban or moratorium on the use of surveillance tools like mercenary spyware. Even as human rights experts, including myself, have called for regulation, we have done so by arguing for a capabilities-based or compliance-by-design approach. Acknowledging that a market exists for a product does not mean accepting that it is a regular or normal market, and the Code misses a fundamental point: the market can only be regulated in human rights terms if the products themselves are compliant by design. The Code is weak on this fundamental point, making only one reference to ‘security by design’ (Section 4), rather than explicitly calling for human rights compliance by design as a baseline.

Moreover, the Code adopts a weak framework for regulation, namely the terminology of ‘proliferation and irresponsible use’, which has emerged in arms control and new technology spaces as a vehicle for state commitments and actions when States were unwilling to develop concrete, binding norms. Drawing lessons from international arms control agreements, the establishment of binding legal standards, rather than voluntary codes, has proven more effective in curbing the misuse of dangerous technologies. For example, when the Joint Declaration on UAVs used this language, civil society was clear that:

“[i]f the concept of ‘responsible use’ is to be part of this framework, specific work must also be undertaken to reach a common understanding of what this means, and which at least meets existing law and standards …”

The danger of ‘proliferation and irresponsible use’ language is that it risks legitimizing the use of tools that cause systematic and fundamental violations of human rights across the globe. The States who signed this Code must guard against the risk that the language of “preventing proliferation” operates inadvertently as an enabler of use, rather than as a restraint.

And while this Code has a wider ambit than spyware, spyware regulation is the litmus test by which this Code’s robustness and relevance must be judged. Spyware-related rights violations range from direct links to violations of non-derogable rights, such as the right to life and the prohibition of torture, to violations of derogable rights such as privacy, freedom of expression and association, where abuses are widespread and undercounted. Spyware is not just any other surveillance tool. Without robust international law-compliant regulation on how it is designed, applied, authorized, sold, transferred and overseen, it may in fact be per se non-compliant with international law. It is not simply a tool among many; it is a tool that currently functions as an existential threat to the viability of human rights protections, and perhaps even to democracy itself, across the globe.

For this reason, the language of “irresponsible use” must be understood, by definition, as sweeping in all the existing treaty and customary international law obligations of States to protect human rights. While this Code explicitly recognizes and affirms those norms (Section 3.a-b), it falls short by not ensuring that this grundnorm animates the Code as a whole. The bottom line of regulating spyware must be: even where lawfully permitted and authorized, spyware must be a tool of last resort for States and must always be subject to strict legal and judicial controls.

Spyware should not be available to governments that cannot demonstrate independent judicial oversight and accountability. This is where strict controls on transfers of this technology are critical. Implementing stringent export controls and holding vendors accountable for the end-use of their products are essential steps in preventing the proliferation of spyware to regimes with poor human rights records. Yet the Code’s commitment to legality and existing human rights standards is undermined by its language: it states that governments “may [not must — my addition] incorporate principles such as lawfulness, necessity, proportionality, and reasonableness” in their regulation (Section 10).

While this soft-law approach does not guarantee ongoing abuse, it provides little by way of concrete tools to prevent it. Bad outcomes are not inevitable because of this language of “irresponsible use.” But better practice exists, and the Code’s signatories should build on it. For example, the 2021 NATO Artificial Intelligence Strategy explicitly sets out six “Principles of Responsible Use”: lawfulness, responsibility and accountability, explainability and traceability, reliability, governability, and bias mitigation. These can serve as a model for strengthening and augmenting the Code’s language. Moreover, States must be reminded that they are fully bound by their existing hard-law human rights and humanitarian law obligations when they purchase, use, host, share and transfer spyware.

In short, the Code marks real progress and demonstrates a serious commitment by some States to ensure practical regulation of digital surveillance tools, including spyware. But it stops short of agreeing to a hard legal standard by which States commit to preventing spyware abuses in their domestic law, and it does not give us a roadmap to accountability and remedy for victims of spyware abuses. The Pall Mall Code must be treated as a floor, not a ceiling. Because this is an iterative process, States still have the opportunity to tighten their commitments, insist on the full application of international law, focus on limiting (not expanding) this dangerous market, and provide remedy and accountability to the thousands of spyware victims across the globe.
