The Pegasus Problem: Why spyware exports need to be regulated

Cyber surveillance technologies (CSTs) have been heralded as tools essential for law-enforcement and counter-terrorism efforts in the Twenty-First Century. However, in practice they are all too often sold to States that use them to violate fundamental human rights. In 2021, a consortium of news organizations reported that multiple States used the spyware “Pegasus”, purchased from the Israeli company NSO Group, to target political dissidents, activists, and other public figures across the world. Infection with the spyware procured highly intrusive access to a device, including to private communications, GPS location, camera, and microphone. This was exploited to violate the fundamental rights of targeted persons, resulting in infringements of their privacy and –in some cases– their persecution, arbitrary detention, and even killing.

Although little is known about the clients of NSO Group, Saudi Arabia and the United Arab Emirates are implicated in the targeting of associates of Jamal Khashoggi with “Pegasus”, which led to his detention, torture, and brutal killing in the Saudi consulate in Istanbul. States including India, the United States, Israel, Poland, Hungary, Spain, and Germany have also reportedly purchased “Pegasus”. Moreover, EU-based companies have been criticised for selling spyware to authoritarian governments during the Arab Spring as well as entities with links to the Chinese surveillance apparatus. This shows that “Pegasus” is just the tip of the iceberg: the private market for cyber surveillance technologies is booming, both in democratic and authoritarian States.

Against this backdrop, recent years have seen the amendment of export control regimes on dual-use goods and technologies. For example, the EU Dual-use regulation (EUDUR) was recast in 2021 to include, inter alia, an extended catch-all control clause for unlisted CSTs and novel, human rights-related due diligence obligations on exporters. Do these amendments signal a shift towards human rights focused export controls, or do they merely pay lip service to stronger human rights protection?

This blog post argues that a precondition for integrating stronger human rights protection into CST export control is rethinking how we talk about spyware regulation. In particular, two terms in the discourse on CST export control need to be questioned: (i) “dual-use,” and (ii) “human security”. While these terms prima facie appear to help articulate the risks posed by CSTs, they accommodate different export control agendas and can be co-opted by actors to steer the discourse on spyware regulation towards considerations of national security, power, or profit rather than human rights.

Time to Question Two Terms

1) Dual-use

The meaning of the term “dual-use” remains – to some extent – ambiguous. The Recast EUDUR simply refers to “dual-use items” as those that can be used for both “military” and “civil” purposes. Juxtaposing civilian and military uses may give the impression that the rationale for regulating CSTs relates solely to the risks posed by such technologies in the military context. This is misleading. While there may very well be significant risks of using spyware during armed conflict, most reported targeting with “Pegasus” occurred during peacetime. Thus, there is as much, if not more, potential for abuse of CSTs for non-military, civilian purposes. Others define “dual-use” technologies as those that can be used for “good” and “bad” or “legitimate” and “illegitimate” purposes. The term “dual-use” hence presupposes the legitimacy of certain spyware uses, which enables it to be co-opted by actors who have little interest in stronger consideration of human rights in CST export control.

2) Human security

Advocates of “human security” celebrate the term for shifting security discourses away from the focus on the sovereign State as the primary beneficiary towards the protection of human dignity. The EU took a “human security” approach to recasting the EUDUR, framing it as way to address the human rights risks of CSTs. However, there is no legally agreed definition of the term. The Coalition Against Unlawful Surveillance Exports has warned of the potential unintended negative effects of infusing the discourse on spyware regulation with “human security”; its ambiguity makes the term malleable to different export control agendas, including those pursuing narrower rather than stronger human rights protection. Positing “human security” as a vehicle for increasing human rights protection without acknowledging this is misleading.

Conclusion

As the magnitude and scope of States’ use of spyware to violate fundamental human rights shows, there is no time to waste in integrating stronger human rights protection into CST export control. To do so, we need to rethink how we talk about spyware regulation. Recognizing the capacity of the terms (i) “dual-use" and (ii) “human security” to be co-opted by actors with different export control agendas, including those with little desire for stronger human rights protection, is a first step in the right direction.

This blog post is based on a paper by the author for the Surveillance, Democracy, and the Rule of Law Conference at the European University Institute, Florence.