A Proposed Response to the Commercial Surveillance Emergency

Siena Anstis, Ronald J. Deibert, John Scott-Railton
Friday, July 19, 2019, 8:00 AM

The body of Jamal Khashoggi has yet to be found, and the case of his murder is littered with unanswered questions. There are a number of certainties about the gruesome crime, however, backed up by evidence, including that some of his most private communications were monitored by Saudi intelligence.

Deputy Crown Prince Mohammad Bin Salman at the Counter-ISIL Ministerial Plenary Session (Source: Wikimedia/U.S. State Department)

Published by The Lawfare Institute
in Cooperation With

The body of Jamal Khashoggi has yet to be found, and the case of his murder is littered with unanswered questions. There are a number of certainties about the gruesome crime, however, backed up by evidence, including that some of his most private communications were monitored by Saudi intelligence.

Khashoggi used encrypted chats to communicate with his closest associates. If he assumed that technology shielded his secrets, as it was programmed to do, he was mistaken. While the condition of Khashoggi’s own personal devices remains unclear, ultimately it does not matter if they had been compromised. The phone of a close confidant, Omar Abdulaziz, had been hacked by Saudi intelligence and his communications with Khashoggi were being silently monitored.

Abdulaziz lives in Canada. Neither his distance from the kingdom nor that hacking into his phone violated Canadian law presented the Saudis with much of an obstacle.

Abdulaziz's phone was hacked using Pegasus, a notorious piece of spyware developed by NSO Group, a cyberwarfare company based in Herzliya, Israel. Pegasus is among some of the most sophisticated spyware available on the market and can infiltrate both iOS and Android devices. It also allows an operator to read text messages, including those that are end-to-end encrypted; examine photos; and track a phone’s location. The technology can also silently enable microphones and cameras, turning the phone into a portable surveillance tool to overhear and observe conversations happening in the phone’s vicinity.

Using NSO Group’s technology, Saudi agents monitored Khashoggi and Abdulaziz as they planned a social media campaign against the Saudi regime. They cannot have missed the biting words the men shared about Saudi Crown Prince Mohammed bin Salman. In the eyes of the Saudi rulers, such criticism—even in private—is treasonous and worthy of a death sentence. Khashoggi’s murder was thus intimately tied to unlawful use of spyware technology, as Agnes Callamard, the U.N. special rapporteur on extrajudicial, summary or arbitrary executions, described in her June 2019 report to the Human Rights Council.

The Use of Surveillance Technology to Silence Dissent

This connection between spyware and the silencing of dissent is not an isolated incident.

Citizen Lab—along with organizations such as R3D, Privacy International, EFF and Amnesty International—has closely tracked the deployment of surveillance technology against political dissidents, lawyers, journalists and human rights defenders. In 2013, Citizen Lab started publishing technical reports on the deployment of spyware beginning with surveillance technology sold by FinFisher. It expanded to cover research on products developed by other companies, including Hacking Team; Cyberbit, a subsidiary of Elbit Systems; and, more recently, NSO Group. On NSO Group, Citizen Lab has identified a total of 27 individuals targeted with Pegasus spyware.

Amnesty International has also documented two cases of abusive targeting with Pegasus: one against an Amnesty International staff member who remains anonymous and another against Saudi activist Yahya Assiri. Other documented incidents of targeting include those against Ghanem al-Masarir, a Saudi dissident living in the United Kingdom, and a U.K.-based lawyer involved in litigation against NSO Group.

While the instances of unlawful targeting listed above have been publicly reported, there are likely numerous others that have not yet been discovered (and may never be, due to problems inherent in tracking such secretive technology). Consider that, in October 2018, Citizen Lab published a report identifying 45 countries where Pegasus is being deployed to conduct surveillance operations on behalf of as many as 30 governments; the specific targets of many of those surveillance operations are still a mystery to everyone except the secretive government agencies monitoring them. What is known to the public regarding the use of spyware technology like Pegasus is probably just the tip of the iceberg; Citizen Lab reporting on other companies, described above, shows that Pegasus is not a lone wolf in the market but, rather, a single representative of a growing marketplace.

This research has helped flesh out a disturbing trend: the growing abuse of surveillance technology by authoritarian and other rights-challenged regimes. More generally, it has drawn attention to how the availability and abuse of highly intrusive surveillance technology accelerates the already rapidly shrinking space in which vulnerable people can express dissent without facing repercussions such as torture, arbitrary imprisonment or killing.

It is necessary to underline here that none of the targets identified in Citizen Lab’s research are nefarious criminals or terrorists. They are political dissidents, human rights defenders and other members of civil society.

A Nontransparent Marketplace Without Restraints

In 2019, the European private equity fund, Novalpina Capital LLP, acquired a majority stake in NSO Group. At the time, Moody’s estimated that companies like NSO Group are operating in a largely underpenetrated market for mobile surveillance technology, which is worth around $12 billion. Moody’s noted that “cyber intelligence” would continue to “be a focus point for governments and security agencies, despite the constant strain on public budgets.” In other words, the appetite for these technologies is surging.

While lucrative, the business of hacking phones and computers is highly nontransparent. As David Kaye, U.N. special rapporteur on the promotion and protection of the right to freedom of opinion and expression, noted in his June 2019 report on the surveillance industry, it is primarily through published research by nongovernmental research institutes, journalists and others that we have only just begun to comprehend the nature and scale of the surveillance industry and its impact on human rights.

It is also a market that operates largely without restraints. As Kaye observed: “It is insufficient to say that a comprehensive system for control and use of targeted surveillance technologies is broken. It hardly exists.” There is simply no “framework to enforce limitations.” This “wild west” system means states purchasing spyware could be at liberty to abuse it with limited or no transparency or regulation and, in many countries, without legal ramifications. Companies that manufacture and sell such technologies enjoy the same unbridled freedom by thriving in a market where they can make significant profits without fear of criminal liability or concern for how their technology impacts human rights.

The Big Picture

States, technology manufacturers, private equity firms and other participants in the targeted surveillance industry now enjoy unconstrained freedom to profit. Meanwhile, there are significant consequences. As targeted surveillance technology becomes a mainstay of intelligence gathering and law enforcement among states lacking safeguards against abuse, our ability to express ourselves at liberty, in privacy and without the looming threat of repercussions will be dramatically threatened.

The impact of unregulated spyware on political dissidents who have fled authoritarian regimes and continue to advocate from abroad is particularly concerning. Facilitated by technologies like NSO Group’s Pegasus spyware—which works just as easily across as within borders—the rise of digital authoritarianism signals the expansion of autocratic regimes to reach those who believe they have fled their grasps. Political dissidents who have escaped torture and arbitrary detention in their countries of origin to engage in activism from a safe place in exile now face the reality that no such safety is ever guaranteed. Thanks to tools like Pegasus, despots thousands of miles away can reach into their pockets and silently inspect the dissidents’ every move.

Hunting political dissidents in exile is not a novel practice for authoritarian regimes. However, the emerging digital character of the exercise means it can occur at a greater scale and with little chance of the perpetrators being caught or facing consequences. Furthermore, companies can try to escape liability by pointing to difficulties inherent to attributing spyware infections to specific technologies or actors and relying on the challenging nature of digital forensic work in this space. Governments, meanwhile, may also be insulated from liability, protected by norms around state immunity that prevent prosecution of criminal offenses in foreign jurisdictions.

Finally, it is not only human rights and civil society actors who suffer the consequences of a digital surveillance marketplace without constraints. As the recent WhatsApp incident demonstrated—in which advances in NSO’s spyware enabled operators to take over a phone merely by calling the WhatsApp number—anyone who uses online platforms to communicate, share family pictures or write confidential messages is at risk of having their most private thoughts exploited.

Where Do We Go From Here?

Special rapporteurs Kaye and Camillard both called for a “moratorium” on the global sale and transfer of the tools of the private surveillance industry until rigorous human rights safeguards are in place to ensure such tools are used in legitimate ways. This urgent call is an appropriate starting point considering the scale and complexity of what the Khashoggi surveillance and murder—as well as numerous other documented cases of the abuse of commercial spyware—now clearly show.

Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N. Guiding Principles on Business and Human Rights. Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security. Considering the lies that have emerged from within the surveillance industry, self-reported compliance is insufficient; compliance will have to be independently audited and verified and accept robust measures of outside scrutiny.

The purchase of surveillance technology by law enforcement in any state must be transparent and subject to public debate. Further, its use must comply with frameworks setting out the lawful scope of interference with fundamental rights under international human rights law and applicable national laws, such as the “Necessary and Proportionate” principles on the application of human rights to surveillance. Spyware companies like NSO Group have relied on rubber stamp approvals by government agencies whose permission is required to export their technologies abroad. To prevent abuse, export control systems must instead prioritize a reform agenda that focuses on minimizing the negative human rights impacts of surveillance technology and that ensures—with clear and immediate consequences for those who fail—that companies operate in an accountable and transparent environment.

Finally, and critically, states must fulfill their duty to protect individuals against third-party interference with their fundamental rights. With the growth of digital authoritarianism and the alarming consequences that it may hold for the protection of civil liberties around the world, rights-respecting countries need to establish legal regimes that hold companies and states accountable for the deployment of surveillance technology within their borders. Law enforcement and other organizations that seek to protect refugees or other vulnerable persons coming from abroad will also need to take digital threats seriously.

To be sure, these are all steep hills to climb. From a practical perspective, they will require a concerted effort among multiple stakeholders pressing for change, and likely a state, or coalition of states, to mount a dedicated political effort to tame what is now a “free-for-all” of unregulated use and abuse. So far, the will to do so appears to be lacking, with government spy agencies, companies and their investors preferring the status quo from which they are reaping the benefits. But the urgency is very real, and the lethal effects of spyware abuses are becoming more apparent to a growing number of concerned citizens. It is long past time for us all to recognize that the continued failure to address this growing emergency implicates the very core of liberal democracy.

Siena Anstis is a senior legal advisor with the Citizen Lab at the Munk School of Global Affairs and Public Policy (University of Toronto). Previously, she worked as a litigation associate at Morrison & Foerster in New York City and clerked at the Supreme Court of Canada.
Ron Deibert (O.C., OOnt) is the Director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, where he is also Professor of Political Science.
John Scott-Railton is a Senior Researcher at The Citizen Lab (Munk Schook, University of Toronto). His work focuses on technological threats civil society, including targeted malware operations, cyber militias, and online disinformation. His personal research blog is johnscottrailton.com

Subscribe to Lawfare