Regulating Commercial Spyware

The rapid evolution of spyware technologies and their abuse by both democratic and autocratic governments has been the subject of increased international scrutiny. Spyware has been used to target the computers and phones of world leaders, human rights advocates, journalists and attorneys uncovering corruption, and political dissidents. As these sophisticated tools become more pervasive and intrusive, the potential for misuse and infringement of individual rights is only exacerbated. 

To address this problem a set of traditional legal and policy tools have been employed: (a) industry self-regulation, (b) ad hoc public enforcement and sanctions, (c) private litigation by victims, (d) moratoriums and tech bans, and (e) international cooperation. As I discuss in this paper, each of these solutions—and the ways they have been structured—have suffered from significant limitations. These limitations reduce the effectiveness of each of the measures in deterring and preventing human rights violations.

In March, the United States and two-dozen other countries adopted a Code of Conduct for the regulation of spyware. The state parties to this code made clear that they are committed to developing a new multilateral approach to the regulation of spyware and will work together to develop a future framework. This paper sets the building blocks for a new binding multi-stakeholder framework: the Commercial Spyware Accreditation System (or CSAS). I hope CSAS could serve to structure some of the discussion among the members of this growing consortium of states concerned about the future of spyware regulation.