In this digital age, we are flooded with online communications, including spam e-mails and text messages from unknown sources, often accompanied by enticements to “click here!” In June 2018, an Amnesty International staffer received such a message, baiting them to click on a link that purported to offer details about a protest outside the Saudi Arabian embassy in Washington, DC. The staff member worked on human rights issues in Saudi Arabia, and the message was sent at a time when Amnesty was campaigning for the release of jailed Saudi women activists. Wary of the message, the staffer did not click on the link. Had they done so, it would have triggered the covert installation of malicious digital surveillance software produced by the Israeli company NSO Group (NSO). The software, known as Pegasus, can secretly harvest all of the data on a phone and activate its microphone and camera, effectively turning it into a pocket spy capable of monitoring and recording the targeted user’s every move and message.
The attempted hack of the Amnesty researcher’s phone with so-called “spyware” is not an isolated incident. Digital surveillance attacks against civil society have emerged as a powerful and dangerous government strategy to suppress dissent across the globe. Human rights defenders, journalists, and political dissidents have been targeted and hacked with malicious spyware in at least 45 countries, including Mexico, the United Arab Emirates and Saudi Arabia. The Citizen Lab, an interdisciplinary research group based at the University of Toronto’s Munk School of Global Affairs and Public Policy, has investigated digital espionage of civil society and documented evidence that devices were targeted—and in at least one instance, infected—with Pegasus, the same sophisticated spyware used to target the Amnesty staff member.
Yesterday, members and supporters of Amnesty International Israel filed suit in an Israeli court to curb the misuse of Pegasus against human rights defenders, such as the Amnesty staffer. The case seeks a court order requiring the Israeli Ministry of Defense (MOD) to revoke NSO’s export license, following the MOD’s failure to act on previous reports of abuse. In authorizing exports by NSO—a company reported to have sold its invasive software products to governments known to abuse human rights—the MOD has failed in its human rights law obligations to protect the rights to privacy, freedom of expression and freedom of opinion. The lawsuit is supported by the Surveillance Strategic Litigation initiative, a joint project between Amnesty Tech, New York University (NYU) School of Law’s Bernstein Institute for Human Rights and the NYU Global Justice Clinic (where the authors work and study, respectively).
The Secretive Industry that Generates Billions
“Spyware” refers to software that enables an operator to remotely and covertly collect data from an infected digital device, such as a cell phone or computer. Spyware has been circulating on the Internet since the mid-1990s, and government security and intelligence agencies are alleged to have been producing and deploying software capable of intercepting digital communications for years. Commercial spyware firms are relatively new, however, and the software they produce has become increasingly sophisticated and invasive. Today, some spyware tools allow real-time, remote capture of audio and visual inputs and communications, enabling the spyware operator to spy on the target and those in their vicinity. Companies such as NSO Group in Israel, FinFisher in the UK and Germany, and Hacking Team in Italy are key players in a booming industry shrouded in secrecy. Early this year, NSO reportedly sold for $1 billion, and Moody’s estimates the spyware industry to be a staggering $12 billion market.
Ostensibly authorized for use only by law enforcement and military agencies to combat crime and terrorism, spyware is subject to the same type of export restrictions and licensing requirements applicable to military-grade weapons and national security systems.
The broad capabilities of commercial spyware tools, like NSO’s Pegasus, make them attractive to many governments, including the United States, which has expressed interest in purchasing spyware from NSO and other firms, as reported on Just Security last year. According to media reports, Pegasus allows an operator to remotely and clandestinely install software on a user’s phone or other digital device that can secretly access a user’s data and monitor all of their activity.
Pegasus does far more than track metadata like usage statistics or call logs; it provides access to all existing data on the phone, GPS monitoring, real-time audio and visual recording through the camera and microphone, and more. Newer versions of Pegasus reportedly do not even require the target to click on a link to install the spyware: “zero click” technology permits an operator to infect a phone knowing only the target’s phone number. On Monday, new evidence came to light confirming this capability: by exploiting a security flaw in the messaging service WhatsApp, NSO’s spyware could be covertly installed simply by placing a WhatsApp call to a target’s phone, even if the call was never answered. Because Pegasus installation leaves no traces detectable to an average user, obtaining evidence of targeting or infection requires digital forensics by trained technologists, such as those on staff at Citizen Lab and Amnesty International.
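The first step of the forensic triage mentioned above, as an added example that is not Citizen Lab’s or Amnesty International’s own tooling: the script below pulls link hosts out of constructed SMS records (like the lure message the Amnesty staffer received) and matches them against a constructed indicator list. Every domain and phone number in it is hypothetical, not real Pegasus infrastructure. It goes a little beyond the single message in the text by handling scheme-less links, subdomains of a listed domain, and a look-alike domain that must not match.

```python
"""Triage SMS records against a domain indicator list.

Added example, not the original page's or any research group's tool.
All domains, numbers and messages below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed indicator list: hypothetical lure domains, NOT real infrastructure.
KNOWN_BAD_DOMAINS = {"protest-updates.example", "embassy-news.example"}

# Constructed SMS export (hypothetical senders and texts).
SAMPLE_MESSAGES = [
    {"id": 1, "sender": "+10000000001",
     "text": "Protest outside the Saudi embassy in DC today, details: "
             "https://news.protest-updates.example/dc/xyz"},
    {"id": 2, "sender": "+10000000002",
     "text": "Your package is ready: http://parcel-track.example/t/42"},
    {"id": 3, "sender": "+10000000003", "text": "see embassy-news.example/alert"},
    {"id": 4, "sender": "+10000000004", "text": "Lunch tomorrow?"},
    # Look-alike domain: shares a suffix as a string, but is a different domain.
    {"id": 5, "sender": "+10000000005", "text": "notembassy-news.example/x"},
]

# Matches links with or without a scheme: host with a 2+ letter TLD,
# optional port, optional path. Hits are meant for analyst review, so a
# few false positives (e.g. "file.txt") are acceptable.
URL_RE = re.compile(
    r"(?:https?://)?"            # optional scheme
    r"(?:[a-z0-9-]+\.)+[a-z]{2,}"  # one or more labels plus TLD
    r"(?::\d+)?"                 # optional port
    r"(?:/[^\s<>]*)?",           # optional path
    re.I,
)


def extract_hosts(text):
    """Return normalised (lowercase, port-stripped) hostnames found in text."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if "://" not in url:
            url = "http://" + url  # let urlsplit parse scheme-less links
        host = urlsplit(url).hostname  # lowercases and drops the port
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def matches_indicator(host, indicators):
    """Return the indicator that host equals or is a subdomain of, else None.

    The leading dot in the suffix check is what keeps
    'notembassy-news.example' from matching 'embassy-news.example'.
    """
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def triage(messages, indicators=KNOWN_BAD_DOMAINS):
    """Return one hit per (message, host) pair that matches an indicator."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            ioc = matches_indicator(host, indicators)
            if ioc:
                hits.append({"id": msg["id"], "sender": msg["sender"],
                             "host": host, "indicator": ioc})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(f"message {hit['id']} from {hit['sender']}: "
              f"{hit['host']} matches indicator {hit['indicator']}")
```

A hit here shows that a device was targeted, not that it was infected; confirming infection still needs device-level forensics, and an empty result proves nothing, since zero-click delivery leaves no lure message at all.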
Targeting Human Rights Defenders with Spyware is Unlawful
Despite the rapid growth of the spyware industry, the legal regime in which it operates is murky. Technology has outpaced law and policy in multiple domains, and the digital surveillance industry is no exception. National and international regulatory frameworks have yet to catch up to the rapidly evolving nature and surreptitious deployment of malicious software. While the legality of spyware is far from black and white, there is no grey zone when it comes to digital surveillance of human rights defenders, like the Amnesty staffer, on the basis of their opinions or work: such targeting is plainly illegal under human rights law.
Electronically stored personal information and digital communications are recognized zones of privacy. As the Office of the High Commissioner for Human Rights emphasized in its report on the right to privacy in the digital age, the state is permitted to invade privacy only if doing so furthers a legitimate government aim, is based in domestic law, and is necessary and proportional to that aim. Targeting a human rights defender with spyware on the basis of their opinions or work is never a legitimate government aim, as it violates the freedom of opinion—a non-derogable right. According to the Human Rights Committee (HRC), the UN body responsible for monitoring implementation of the International Covenant on Civil and Political Rights (ICCPR), “any form of effort to coerce an individual to hold or not hold an opinion is prohibited,” making the digital targeting of a human rights defender based on their opinion a violation of international law, whether or not spyware is successfully installed.
Digital surveillance can threaten, discredit or intimidate human rights defenders. Whether or not a device is successfully infected, targeting an individual with spyware generates a reasonable fear on the part of the targeted person that she is now or will be subject to surveillance. This fear has a chilling effect on human rights defenders’ communicative activities, including the ability to hold and express opinions without interference, and to freely seek, receive and impart information and ideas—rights guaranteed under Article 19 of the ICCPR.
States and Companies Shirk International Obligations
States that deploy spyware clearly have a duty not to use it unlawfully to surveil human rights defenders and other civil society actors because of their work or opinions. But state obligations do not stop there. Given the foreseeable risk that spyware will be abused, states where surveillance companies are domiciled or operate, including those states that license the commercial sale and export of spyware, have a duty to protect against those private entities causing or contributing to human rights violations. As the HRC has repeatedly explained, Article 2(1) of the ICCPR requires state parties to take affirmative steps to protect against violations by both public and private actors, such as corporations, including through the enactment of adequate regulations and oversight. And Article 2(3), which requires states to ensure that individuals whose rights are violated have access to remedy, is equally applicable to violations of the rights to privacy, opinion, and expression in the digital age.
The HRC has also recently recognized in its General Comment on the right to life, that a state’s obligations under the ICCPR extend to “activities taken by corporate entities based in their territory or subject to their jurisdiction” that have a “direct and reasonably foreseeable impact on the right to life of individuals outside their territory.” This General Comment builds on HRC jurisprudence holding that a state’s duty to protect applies to foreseeable violations of other Covenant rights that occur outside the state’s jurisdiction, as explained in Yassin v. Canada. Extending this reasoning to the rights to privacy, freedom of opinion and expression, all of which are foreseeably jeopardized by the misuse of spyware, home states of surveillance companies, such as Israel, arguably have a duty to ensure that those companies take reasonable measures to safeguard against the use of their products to violate human rights, whether inside or outside the state’s jurisdiction.
Businesses, too, must do their part. As outlined in the UN Guiding Principles on Business and Human Rights, surveillance companies have a responsibility to undertake robust due diligence procedures to prevent the use of their products to violate human rights, and to mitigate and remedy any such abuses that come to light.
To date, however, neither domestic legal frameworks governing the sale and deployment of spyware, nor industry self-regulation, is effectively preventing or addressing abuses. The unchecked, continued sale of surveillance systems to states with demonstrated records of repressing human rights defenders or misusing the spyware against civil society actors engaged in protected expressive activity doesn’t just cut against the responsibilities of businesses, it breaches state obligations.
Lack of Transparency Impedes Accountability
The lack of transparency across the surveillance sector impedes accountability and complicates efforts to safeguard against future abuses or to remedy past wrongs. Spyware companies are notoriously non-transparent, with minimal public knowledge about the industry’s global ecosystem, the web of actors involved, the money they earn, or the due diligence safeguards they have in place, if any. Spyware companies frequently hide behind purported law enforcement and national security considerations (that may be pretextual) or contractual confidentiality provisions.
There is also scant public reporting on export licensing regimes. Information on which governments have purchased spyware technologies, and against whom they are using the technology, has only recently—and sporadically—come to light through investigations by civil society groups and journalists.
The limited information that has surfaced in the media regarding the internal operations of commercial spyware vendors is drawn largely from company statements that remain, for the most part, vague and unverified. For example, NSO has repeatedly stated that it relies on a Business Ethics Committee to review transactions, but it has neither provided any details regarding the standards the company applies before supplying a given government, nor cited any examples of spyware sales declined or contracts revoked on human rights grounds. When questioned about their sales to repressive regimes, spyware companies have frequently maintained that they comply with all regulations governing export regimes.
But those export regimes remain a black box. For example, the Israeli government has refused to comment on NSO’s export license, arguing that it is not required to publicly disclose any information on the existence of specific licenses or their compliance with the applicable regulatory regime. Israel is not alone in denying requests for greater transparency over export licensing. In 2017, an investigation into the export of surveillance software was stymied by the refusal of 11 EU states to furnish information regarding spyware exports. As detailed in Privacy International’s Open Source Guide to Researching Surveillance Transfers, most countries do not disclose export control data “in sufficient detail to be able to understand what type of equipment is being exported.”
The legal action filed yesterday in Israel demands that the Israeli government revoke NSO’s export license. This action is part of a growing transnational effort to increase accountability for the abuse of digital surveillance technology. That effort involves other lawsuits filed in the past year, including a complaint in Israel by Saudi activist Omar Abdulaziz, alleging that NSO allowed the Saudi government to hack his phone and spy on his communications with Jamal Khashoggi, and two lawsuits seeking civil remedies in Israel and Cyprus on behalf of five Mexican activists and one Qatari activist allegedly targeted with NSO’s software. Concerned civil society groups also sent open letters in February and April 2019 to Novalpina Capital, the UK-based private investment company that recently acquired a majority holding in NSO.
These efforts have been met with considerable resistance. For one, governments and companies have sought and obtained gag orders in some cases, including a 2016 suit that sought Israel’s revocation of NSO’s export permit after news broke that the company’s software was used to surveil journalists and activists in Mexico. A gag order has likewise been imposed on all details of a case that prompted the Israeli government to revoke the export license of Ability Security Systems, another company that sells technology to intercept digital communications, in March of this year. And the Mexican government reportedly blocked efforts by a privacy watchdog to investigate the targeting of civil society actors with spyware.
Companies have also reportedly resorted to extra-legal intimidation tactics. In one instance, undercover operatives—private spies linked to the notorious Israeli intelligence company Black Cube—targeted researchers who have brought abuses of NSO’s spyware to light, as well as lawyers and critics of NSO, luring them into meetings with fake cover stories in an attempt to pry information from and discredit them.
Past Time for the Law to Catch Up
The mounting evidence that spyware has been misused against human rights defenders, such as the Amnesty staff member whose targeting prompted the lawsuit filed in Israeli court yesterday, confirms that the law needs to catch up with surveillance in the digital age. A Just Security article by Steven Feldstein and David Sullivan, published in July 2018, addressed how the international community could better protect civilians from cyberattacks and safeguard human rights online. At a minimum, states licensing spyware sales must require—and the companies carrying out those sales must undertake—due diligence to ensure that a government purchasing surveillance software has in place a legal framework regulating the deployment of spyware in line with its human rights obligations. This framework must adhere to the principles of legality, proportionality, and necessity, and provide mechanisms for redress, including remedy and judicial review, in cases of attempted or completed targeted surveillance.
Without meaningful action to stop unlawful targeting of human rights defenders and combat impunity in the spyware industry, everyone’s rights are at risk. The future of dissent depends on the international community securing transparency, accountability, and remedy from surveillance companies and the states that facilitate their lucrative trade.