It's been three years since the Pegasus scandal became public. Yet we still haven't solved the problem of surveillance. Quite the contrary: the spyware problem continues to grow.
In this regard, a group of civil society organisations wrote an open letter on Tuesday 3 September calling on EU regulators to take more decisive action against the threats posed by the use of spyware. For experts, it is non-negotiable: the European Commission should propose a legal framework that includes “an EU-wide ban on the production, export, sale, import, acquisition, transfer, maintenance and use of spyware.”
A ban, yes. By their very nature, spyware tools are incompatible with the concept of privacy. The software is designed to do precisely one thing: violate this human right, and the abuses far outweigh the benefits. Everyone can be a target: our phones are the gateway to the most private side of our lives.
Should spyware be a legitimate market?
The term spyware refers to a type of malware (or malicious software) that is installed on a digital device without the user's knowledge. While the software's capabilities may vary, these tools aim to collect all kinds of sensitive information. Details can range from your location, camera and microphone data to all the messages you send or receive, the websites you visit, banking information and passwords.
The strength (and danger) of spyware lies in the fact that these tools can be very difficult to detect, yet quite easy to deploy. Pegasus is a perfect example: it relies on zero-click attacks and leaves a minimal trace on the infected device. This means that not even security software such as the best VPN or antivirus apps can fully protect you against this growing threat.
At this point, we could argue that spyware can be a crucial tool in the hands of governments for national security purposes. However, the list of authorities that have abused it so far is far longer.
Did you know?
Developed by the Intellexa Alliance – a group of companies, many of which are based in the EU – Predator spyware is a highly invasive phone hacking software, designed to access all stored and shared data without leaving a trace on the target device. It can infiltrate a smartphone through a malicious link or through tactical attacks launched on unsecured networks by nearby devices.
Let’s look at how the Pegasus scandal unfolded. Mexico was reportedly the first client of Israeli cyber intelligence firm NSO Group to acquire its powerful technology in 2011 to support its fight against drug trafficking. However, in 2017, investigators found traces of Pegasus on the phones of several Mexican journalists and activists.
In 2021, Pandora's box was finally opened: more than 50,000 phones around the world had been hacked. Among them, the phone of journalist Jamal Khashoggi, who was murdered in the Saudi consulate in Istanbul in 2018. The investigation would later reveal that more than 46 countries around the world had purchased this highly invasive tool, including at least 14 EU countries.
Two years later, a new investigation into the use of spyware dubbed Predator has revealed that the EU’s spyware problem is worse than previously thought. This is largely because this time the tool was not just used across the EU to spy on politicians, journalists and activists, but was developed, sold and exported by EU-based companies operating mainly in France, Ireland and Greece to at least 25 countries around the world.
It is hard to imagine how the spyware industry can be allowed to remain a legitimate, and very prolific, business. Even Google is concerned about its “growing threats to freedom of expression, freedom of the press, and the integrity of elections around the world.”
The tech giant has tracked down around 40 commercial surveillance vendors (CSVs) operating around the world. Some companies focus on researching device vulnerabilities to develop and sell attack exploits, while others are responsible for making spyware products. Overall, the proliferation of spyware “causes real-world harm,” experts say.
Governments are not the only ones using (and abusing) these tools to track criminals, politicians, journalists or activists.
For example, companies are increasingly turning to what is known as bossware to better monitor their remote employees. While the details of implementation depend on the country, work productivity monitoring apps are perfectly legal. However, the scope for abuse remains wide open.
Spyware can be a very dangerous tool in the hands of hackers, stalkers and criminals. The ease with which people without particular technical knowledge can launch these attacks makes us all vulnerable. Think of what an abusive partner can do using such an app.
This is especially worrying considering that, as security firm Avast found, mobile stalkerware usage has increased by 329% since 2020.
Regulating the use of spyware is not enough
We can argue that all technology can be harmful if misused (think, for example, of social media platforms or artificial intelligence software) and that all we need is stricter regulation. But when it comes to spyware, the truth is more complex than that.
So far, lawmakers have failed to develop a legal framework capable of mitigating the social harm posed by spyware. While most governments acknowledge the risks, it seems that no one is willing to give up on these unprecedented surveillance capabilities.
We've already mentioned how the EU got caught up in the spyware chaos. However, when the bloc had the opportunity to take a firm stance against this technology to protect the free press, it simply didn't do so. Under the EU Press Freedom Act, spyware is still allowed on a “case-by-case” basis and “subject to prior authorisation by a judicial authority” to investigate offences punishable by a prison sentence of at least three years.
🚨 Today, CDT Europe and 30 civil society organisations and journalists are taking a stand against the widespread threat of spyware. We call on the new EU institutions to take decisive action in the new legislature #StopSpyware 🧵
September 3, 2024
A New York Times investigation also reveals that while the Biden administration has banned the use of hacking tools created by Israeli firm NSO, the government is still trying to find a legal way to use them.
On 6 February 2024, the UK and France spearheaded a new joint international agreement to curb human rights abuses caused by spyware and develop policies to use these intrusive cyber tools in a “lawful and responsible manner”. Given these premises, however, it is difficult to see how regulations can be sufficient to prevent harm.
As the European Data Protection Supervisor (EDPS) noted in 2022, the unprecedented level of intrusiveness of modern spyware “threatens the very essence of the right to privacy, as spyware can interfere with the most intimate aspects of our daily lives.” According to the EDPS, this intrusive technology is de facto incompatible with EU law.
So how can we regulate the use of software that, by its very nature, violates current privacy laws? We simply cannot. That is why banning spyware is the only solution if we want to save what remains of our privacy.
As Natalia Krapiva, technology legal counsel at Access Now, put it: “This sinister technology, which has been misused and abused by governments around the world, is not safe in any hands and its use can never be justified. Discussions are not enough. We hope that action will be taken.”