Sep 12, 2019 - Technology

Spyware's human rights dilemma

Illustration of a giant security camera watching a small person on their cell phone.

Illustration: Aïda Amer/Axios

An announcement this week by a major spyware vendor that it aims to embrace human rights is forcing the industry, governments and civil society groups to consider whether the concepts of "human rights" and "spyware" can ever be reconciled.

The big picture: Government-grade spyware has always been abused. In June, David Kaye, the UN special rapporteur on freedom of opinion and expression, determined that commercial spyware had become so vast a problem that the world needs a moratorium on it, for companies and governments to figure out how to protect human rights.

  • Spyware from NSO Group, the Israel-based firm that announced the human rights initiative, was allegedly used by Saudi Arabia to spy on U.S.-based reporter Jamal Khashoggi, who was later killed by Saudi agents. Mexico also used NSO spyware to surveil government employees and researchers who backed a tax on soda.
  • But even well before NSO Group became a major spyware player, other products — including Gamma's FinFisher and Hacking Team's Da Vinci and Galileo products — had been embroiled in human rights debates. Ethiopia allegedly used spyware to surveil journalists, Uganda allegedly targeted opposition political figures, and Morocco allegedly targeted activists.
  • Many other clients of spyware vendors have poor human rights records, including Azerbaijan, Venezuela, Uzbekistan and Sudan.

Yes, but: It's tough to prevent abuse without oversight. Spyware vendors are loath to surveil their own clients, meaning that reporting about potential human rights abuses either comes from victims lucky enough to figure out they were being watched or from the countries themselves.

  • "If they don't have a mechanism of looking over governments' shoulders, I don't see how this has any teeth," John Scott-Railton, a senior researcher at the University of Toronto's Citizen Lab, which has done much of the research on NSO's alleged human rights abuses, told Axios.
  • Without that oversight, Scott-Railton isn't confident that any spyware could be safe for human rights. "If the question is, 'Is it possible to sell cyber weapons and assure they won't be used for abuse,' I think it's a contradiction in terms," he said.

Amnesty International has been a persistent thorn in NSO's side, even assisting a lawsuit to force Israel to ban NSO from exporting products. But Amnesty deputy program director Danna Ingleton is optimistic that there is a way for spyware companies to align with human rights.

  • "I think it must be possible," she said.
  • That doesn't mean NSO's current plan passes muster with Ingleton yet (see item 2). But through due diligence before making sales to regimes, honest accounting of past actions, export rules that are more transparent and engagement with civil society groups, she believes a company like NSO could get ahead of the human rights issue.
  • NSO would have to be more open about its internal capabilities to flag human rights abuses as they happen. And governments would need to take an active role in restricting sales to dangerous countries.
  • "The onus is on the companies. If they can't protect human rights, they need to enact safeguards," she said. "And if it's an industry that can never be in line with human rights, it's up to the state to do what it needs to do."

The bottom line: The commercial spyware industry is not going to vanish — it's too ingrained in global intelligence and law enforcement. That might mean the only way to protect human rights is to adopt rules like those NSO has announced and make them work.
