Jennifer Brody

Twenty-five
governments have agreed to a promising new initiative to combat the
irresponsible use of commercial cyber intrusion capabilities, including
commercial spyware. Civil society should hold them accountable to their
commitments.

Earlier this
year, members of an Italian migrants-rights group and a local journalist
received text-messaged warnings that their phones had been targeted with
spyware. Reports later emerged that an Italian official had admitted that the
intelligence services authorized the technology’s use against some of the
targets. The revelations shook Italian civil society, underscoring the reality
that they too could be targeted with spyware that allows covert and remote
access to their personal contacts, messages, photographs, and more.

The abuse of
commercial spyware—spyware that a government purchases, rather than develops
itself—threatens fundamental freedoms by facilitating improper surveillance
that violates privacy rights, encourages self-censorship, and harms freedom of
expression. According to Freedom on the Net, Freedom House’s annual report on
internet freedom, 49 governments are suspected of having access to
sophisticated spyware or data-extraction technologies, including in Morocco,
Uganda, Saudi Arabia, India, and Mexico. At least 19 of the 48 governments
Freedom House has identified as perpetrators of transnational repression—where
governments target exiled dissidents and refugees in other countries to silence
dissent—are users of commercial spyware.

Spyware abuse
also threatens national security. Government officials around the world,
including members of the European Parliament, a Polish politician, UK
officials, and US diplomats and elected officials, have all been surveilled
with spyware—leaving sensitive information about contacts, meetings, and
location vulnerable to collection and misuse.

Code of practice for states launched

Recognizing the
severe threats posed by commercial spyware and similar technologies, in 2024
the UK and French governments launched the Pall Mall Process, a
multistakeholder initiative to address the proliferation and irresponsible use
of commercial cyber intrusion capabilities (CCICs)—a group of technologies that
includes commercial spyware. In April, those governments announced the Pall
Mall Process Code of Practice for States, which aims to establish best
practices for CCIC use. Twenty-five governments signed on to the nonbinding
code, including the United States.

There are
several positive aspects of the Code of Practice. For one, it explicitly calls
for governments to hold accountable individuals and entities that misuse CCICs,
including by pursuing financial restrictions, travel restrictions, or criminal
charges. The US government has taken several exemplary steps in this regard.
Last year, the US Treasury Department issued financial sanctions that targeted
two individuals and five entities affiliated with the commercial spyware
consortium Intellexa, saying they had developed, operated, and distributed
spyware that was used to target government officials and journalists. The State
Department created a new visa restriction policy targeting individuals involved
in or financially benefitting from the misuse of commercial spyware, and their
immediate family members.

Second, the
Code of Practice notes the importance of creating formal processes that prevent
CCIC vendors that have engaged in irresponsible practices from bidding for
government contracts. This text is similar to a US government executive order
that essentially banned the federal government’s procurement of commercial
spyware that poses a threat to US national security or foreign policy
priorities. Again, the United States provided a clear roadmap for other
governments to emulate.

While the Code
of Practice is a step in the right direction, it contains shortcomings.
Notably, while it includes some references to international human rights law
standards regarding “decisions to use CCICs,” these references are tempered
with qualifiers and gray areas. For example, it encourages states to ensure
that CCICs are deployed based on vague “nationally determined principles,”
offering proportionality, necessity, and nondiscrimination as examples states
“could include.” And while it notes the irresponsible use of CCICs “in
connection with internal repression,” it neglects to acknowledge that these
technologies are also misused to carry out acts of transnational repression.

Holding states accountable

Civil society
and academia have an important role to play in holding Code of Practice
signatory states accountable. For example, they should convene with relevant
authorities each quarter to evaluate states’ efforts to fulfill their
commitments and measure progress. States can assist with these efforts by
developing their own national implementation trackers.

Additionally,
governments rely on civil society and academic research that exposes the abuse
of commercial spyware. To facilitate greater information sharing, civil society
groups should release reporting on CCIC-facilitated human rights violations,
with information presented in a way that is tailored to government audiences.
This helps provide decision-makers with the information they require (including
supplier and procurer mapping) to pursue meaningful accountability
measures—such as financial sanctions, visa restrictions, procurement
restrictions, and export-control actions. Importantly, it also helps government
officials pursue accountability measures in a coordinated fashion, making it
more challenging for spyware firms to evade the “sticks.”

In sum, while
the Pall Mall Process Code of Practice for States is a step in the right
direction, it falls short in some areas, and robust implementation will require
oversight. Civil society will play a critical role in holding governments
accountable to their commitments, and in providing the required information for
states to take action that curbs the harmful misuse of commercial spyware.