Three years have passed since the Pegasus scandal first broke. Yet we still haven’t fixed the surveillance industry. In fact, the spyware problem is getting worse.
It is in this light that a group of civil society organizations have open letter on Tuesday 3 September, calling on EU regulators to take stronger action against the threats posed by spyware. For the experts, it is non-negotiable – the EU Commission should propose a legal framework that includes “an EU-wide ban on the production, export, sale, import, acquisition, transfer, servicing and use of spyware”.
A ban, that’s right. Spyware tools are inherently incompatible with the concept of privacy. The only thing the software is programmed to do is to infringe on this human right, with abuse largely negating the benefits. Anyone can be a target – our phones as the front door to the most private side of our lives.
Should spyware be a legitimate market?
Spyware refers to a type of malware (or malicious software) that is installed on a digital device without the user’s knowledge. Although software capabilities may vary, these tools aim to collect all sorts of sensitive information. Details can range from your location, camera and microphone data, to all the messages you send/receive, websites you visit, banking information and passwords.
The power – and danger – of spyware lies in the fact that these tools are very difficult to detect, yet relatively easy to inject. Pegasus is a perfect example, as it harvests zero-click attacks and leaves minimal traces on the infected device. This means that even security software such as the best VPN or antivirus apps cannot fully protect you from this growing threat.
At this point, we could argue that spyware could be a crucial tool in the hands of governments for national security purposes. However, there is a longer list of authorities abusing it so far.
Did you know?
Developed by the Intellexa Alliance – a group of companies, many of which are based in the EU – Predator spyware is a highly invasive phone hacking software, designed to access all stored and shared data without leaving any traces on the target device. It can infiltrate a smartphone via a malicious link or via tactical attacks performed on unsafe networks by nearby devices.
Let’s take a look at how the Pegasus scandal unfolded. Mexico was reportedly the first customer from Israeli cyber intelligence firm NSO Group to acquire the company’s powerful technology in 2011 to support its fight against drug trafficking. In 2017However, researchers found traces of Pegasus on the phones of several Mexican journalists and activists.
Pandora’s box was finally opened in 2021: more than 50,000 phones were compromised worldwide. Among them was the phone of the journalist Jamal Khashoggimurdered in the Saudi Arabian consulate in Istanbul in 2018. The investigation would later reveal that more than 46 countries worldwide have acquired this very drastic tool, including at least 14 EU countries.
Two years later, new research into the use of the so-called Predator spyware revealed that the EU spyware problem is worse than previously thought. This is largely because this time, the tool was not only used in the EU to spy on politicians, journalists and activists, but was developed, sold and exported by EU-based companies operating mainly in France, Ireland and Greece to at least 25 countries worldwide.
It’s hard to imagine how the spyware industry can still be a legitimate business – and a very productive one, indeed. Even Google is concerned about “growing threats to freedom of speech, the press, and the integrity of elections around the world.”
The Big Tech giant tracked about 40 Commercial Surveillance Vendors (CSVs) operating globally. Some companies focus on probing device vulnerabilities to develop and sell attack exploits, while others are responsible for creating spyware products. All in all, the proliferation of spyware is causing “real harm in the real world,” experts said.
Governments are not the only ones using (and abusing) these tools to track down criminals, politicians, journalists and activists.
For example, companies have increasingly turned to what’s known as bossware to better monitor their remote workers. While implementation details vary by country, productivity monitoring apps are perfectly legal. However, the scope for abuse remains wide open.
Spyware can be a very dangerous tool in the hands of hackers, stalkers, and criminals. The ease with which people with no technical skills can carry out these attacks makes us all vulnerable. Think of what an abusive partner can do by using such an app.
All of this is especially concerning when you consider that security firm Avast found that mobile stalkerware usage has increased 329% since 2020.
Regulating spyware use is not enough
We can argue that all technology can be harmful if used incorrectly – think social media platforms or AI software – and that we just need stricter regulation. Well, the truth when it comes to spyware is more complex than that.
Legislators have so far failed to develop a legal framework that can limit the social harm of spyware. While most governments recognize the risks, it seems that no one is willing to give up these unprecedented surveillance capabilities.
We’ve already mentioned how the EU found itself in the middle of the spyware mess. But when the bloc had the chance to take a strong stand against this technology to protect the free press, it simply didn’t. Under the EU Media Freedom ActSpyware is still allowed on a “case-by-case basis” and “subject to prior approval by a legal authority” when investigating crimes punishable by at least three years’ imprisonment.
🚨 Today, CDT Europe and 30 civil society and journalist organisations take a stand against the omnipresent threat of spyware. We call on the new EU institutions to take decisive action in the new term #StopSpyware 🧵https://t.co/Yh408k7ydN pic.twitter.com/vG7kpQHpnLSeptember 3, 2024
A New York Times investigation It also appears that even though the Biden administration has banned the use of hacking tools from the Israeli company NSO, the government is still trying to find a legal way to use them.
On February 6, 2024, the United Kingdom and France entered into a new international joint agreement to address human rights abuses caused by spyware and to develop policies to use these intrusive cyber tools in a “legal and responsible manner.” However, given these premises, it is difficult to see how regulation can be sufficient to prevent harm.
As stated by the European Data Protection Supervisor (EDPS) In 2022, the unprecedented level of intrusiveness of modern spyware “threatens the very essence of the right to privacy, as spyware is able to interfere in the most intimate aspects of our daily lives.” According to the EDPS, such intrusive technology is de facto incompatible with EU law.
How can you then regulate the use of software that is inherently in conflict with current privacy legislation? It simply cannot be done. That is why a spyware ban is the only solution if we want to save what is left of our privacy.
As Natalia Krapiva, Technology Legal Advisor at Access Now, put it: “This sinister technology that has been abused and misused by governments around the world is not safe in any hands and its use can never be justified. Discussions are not enough. We expect action.”