A special report from   |  With support from

Ron Deibert

Professor of Political Science and Director of the Citizen Lab at the Munk School of Global Affairs and Public Policy, University of Toronto

Stéphane Duguin

Chief Executive Officer of the CyberPeace Institute

Patrolling the Dark Alleys of the Spyware Market

Why global governance must pull offensive cyber capabilities out of the shadows

In August 2016, researchers at the Citizen Lab discovered NSO Group’s Pegasus spyware deployed to target the device of Ahmed Mansoor, a prominent UAE-based human rights defender now in prison for “insults to the regime.” Civil society and academia have repeatedly expressed concern about countries that abuse highly intrusive offensive cyber capabilities (OCCs)  to target dissidents, political opposition figures, journalists, lawyers, international investigators and other members of civil society. The misuse of OCCs infringes on fundamental human rights, including privacy and freedom of expression, and threatens peace and human security by exposing individuals to persecution.

A growing international and highly lucrative market for OCCs has emerged. Companies create and market tools that exploit identified software vulnerabilities in everyday applications, platforms and devices. They may claim that their products and services are sold strictly to government agencies to fight crime and terrorism in the name of “national security,” but in reality, driven by profit, they enter into agreements with customers with known records of serious human rights abuses. 

In the case of the murdered Washington Post journalist Jamal Khashoggi, several of his close confidants, including his fiancée Hatice Cengiz, had their personal phones hacked by Saudi intelligence using Pegasus, and Jaafar Al Hasabi, a British-Bahraini captured and extensively tortured in Bahrain in 2010, had been subjected to lengthy  surveillance using FinFisher spyware produced by Gamma International. These cases show how the misuse and abuse of OCCs can violate fundamental human rights.

The misuse of offensive cyber capabilities infringes fundamental human rights, including privacy and freedom of expression, and threatens peace and human security by exposing individuals to persecution. 

Despite the efforts of civil society to expose these abuses, there are numerous reasons why such exploitation will continue. The surveillance industry thrives in a shadowy market. Contracts between OCC vendors and their government customers are rarely disclosed publicly in the name of “national security.” The OCC market is further obfuscated by the corporate shell games that vendors routinely use. The enterprise structure between vendors, investors and customers is complex, constantly mutating and cuts across jurisdictions, making the application of regulations more difficult. Front companies, tax havens and other corporate arrangements disguise core business operations, preventing investigators from discovering the truth. This arrangement is convenient for both parties: Vendors can shield themselves from the scrutiny that arises from selling to repressive regimes, while governments can avoid public accountability for their surveillance operations. By using proxies, governments escape the application of international law and create a situation of plausible deniability for the use of OCCs.

Bringing accountability to this market is not straightforward. International regulation or global governance should be an answer. The EU has attempted to regulate the export of OCCs, but there is significant room for improvement to better protect human rights. Another avenue for accountability includes non-binding norms such as the UN Guiding Principles on Business and Human Rights and the OECD Due Diligence Guidelines. Unfortunately, their voluntary nature combined with the lack of transparency of operating models make them nearly impossible to leverage. It is up to governments to implement and codify these norms, but only a few have an interest in opening up to scrutiny a Pandora’s box of OCCs from which they benefit. All in all, this makes negotiations at the international level extremely difficult, although still an important arena for action.

Litigation, on the other hand, may bring short-term relief and some changes. In June 2021, four executives from OCC vendors Amesys and Nexa Technologies were indicted for complicity in torture, and the NSO Group faces multiple lawsuits by civil society and corporate plaintiffs in various countries. Should these cases succeed in bringing serious penalties to the companies, this would contribute to exposing an industry that has been described by former UN Special Rapporteur David Kaye as a “Wild West.”

The impact of the sale and use of OCCs has shown that it’s not just a question of national security; human lives are at stake. Civil society actors led by the Citizen Lab and Amnesty International are relentlessly exposing how much this industry costs to human rights. They are joined by a growing community, including the CyberPeace Institute, some of whom are calling for a global moratorium on the sale and transfer of surveillance technology until rigorous human rights safeguards are adopted to regulate such practices and guarantee that governments and nonstate actors don’t abuse these capabilities.

Ron Deibert is professor of political science and the founder and director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. The Citizen Lab undertakes interdisciplinary research at the intersection of global security, information and communication technologies, and human rights. The research outputs of the Citizen Lab are routinely covered in global media, including over two dozen reports receiving front-page coverage in The New York Times, Washington Post, Financial Times, and other publications.

Deibert is the author of “Black Code: Surveillance, Privacy, and the Dark Side of the Internet” (2013), “Reset: Reclaiming the Internet for Civil Society” (2020), as well as numerous books, chapters, articles and reports on internet censorship, surveillance and cybersecurity. In 2013, he was appointed to the Order of Ontario and awarded the Queen Elizabeth II Diamond Jubilee medal for being “among the first to recognize and take measures to mitigate growing threats to communications rights, openness and security worldwide.”

Read More

Stéphane Duguin has spent two decades analyzing how technology is weaponized against vulnerable communities. In particular, he has investigated multiple instances of the use of disruptive technologies, such as artificial intelligence, in the context of counterterrorism, cybercrime, cyber operations, hybrid threats and the online use of disinformation techniques. He leads the CyberPeace Institute with the aim of holding malicious actors to account for the harm they cause. His mission is to coordinate a collective response to decrease the frequency, impact and scale of cyberattacks by sophisticated actors.

Prior to this position, Duguin was a senior manager and innovation coordinator at Europol. He led key operational projects to counter both cybercrime and online terrorism, such as the European Cybercrime Centre, the Europol Innovation Lab, and the European Internet Referral Unit. He is a thought leader in digital transformation and convergence of disruptive technologies. With his work published in major media, his expertise is regularly sought in high-level panels where he focuses on the implementation of innovative responses to counter new criminal models and large-scale abuse of cyberspace.

Read More

A special report from   |  With support from