Pegasus spyware: 'Time to regulate cyber surveillance market', says expert

by Umberto Bacchi | @UmbertoBacchi | Thomson Reuters Foundation
Monday, 19 July 2021 17:13 GMT

FILE PHOTO: People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Picture taken December 27, 2014. REUTERS/Dado Ruvic/File Photo

Image Caption and Rights Information

Media investigation alleges malware developed by Israel-based NSO Group used to hack smartphones belonging to journalists, rights activists and lawyers

By Umberto Bacchi

TBILISI, July 19 (Thomson Reuters Foundation) - Governments should restrict the use and sale of surveillance software to prevent rights abuses, a leading cyber policy expert said after reports that Israeli-made spyware was deployed to target activists and journalists around the world.

An investigation by 17 media organizations published on Sunday said spyware developed by Israel-based NSO Group was used in attempted and successful hacks of 37 smartphones belonging to journalists, public officials and rights activists. 

NSO has denied the reports, saying it sells technology only to law enforcement and intelligence agencies of vetted governments in order to fight terrorism and crime.

The investigation focused on a list of about 50,000 phone numbers that it said were of interest to NSO's clients, which include governments from Saudi Arabia to Azerbaijan. It did not reveal who attempted the hacks or why.

NSO's Pegasus software infects smartphones to enable the extraction of messages, photos and emails, as well as allowing calls to be recorded and microphones secretly activated.   

Former EU lawmaker Marietje Schaake, who is international policy director at Stanford University's Cyber Policy Center, told the Thomson Reuters Foundation the reports should act as a wake-up call for democratic nations to regulate the spyware market:

    

What can we learn from the media investigation?

The fact that these spyware surveillance systems have been sold and used to violate human rights or go after dissidents and journalists has been known for a long time.

What was revealed is the scope, with new names and new victims. And of course, the investigation shows how vast the spectrum of operations of this technology is.

So, the real question is, when are democratic governments going to put an end to this toxic market?

    

What is the background?

The way these highly intrusive surveillance and spyware technologies come about is often through people that have been trained in intelligence services who go on to found private firms. The same goes for NSO Group.

What has been uncovered by investigative journalists and rights organisations is telling us anecdotally that this sector has grown into a multi-billion dollar market, with companies operating from the European Union, Israel and other parts of the world.

The lack of transparency is probably one reason why it's hard to know exactly who is selling what to whom.

   

What is at stake?

Democracies have a commitment to universal human rights, you will often hear democratic governments condemning human rights violations, attacks on the free press and emphasize the need to respect the freedom of assembly or freedom of expression.

And this very technology, which is often made in democratic societies goes directly against those foreign policy goals - and it hurts people. That combination is obviously the reason why it needs to be reined in.

Only the EU has put forward some restrictions on the export of these types of systems.

       

What type of restrictions should be considered?

I think it's perfectly legitimate to ask ourselves whether some of these systems should be banned, as is happening with facial recognition.

Technologies that go directly against the right to privacy should already be illegal in the EU, because the right to privacy means nothing if you can invisibly and unknowingly enter into people's devices.

But short of a full ban, you want to prevent these systems from spreading around the world and falling into the wrong hands, as governments, especially dictatorships, abuse the argument of crime fighting to silence critical voices.

A much firmer independent oversight over this sector is needed, with stronger requirements in terms of due diligence, "know your customer", licensing and transparency over who asks for a licence and whether it's granted.

Governments should leverage their power through procurement rules towards strict requirements against proliferation, as well as higher human rights standards.

It is really high time that democratic societies, including Israel, draw a line to stop these technologies from undermining human rights and democracy worldwide.

   

Related stories:

Dance off: Why are Black TikTok creators going on strike?

Eswatini: Internet restored in African nation amid court challenge

'Racist' facial recognition sparks ethical concerns in Russia

Our Standards: The Thomson Reuters Trust Principles.

Themes