Regulating Commercial Spyware Through Export Controls
Published by The Lawfare Institute
Author’s Note: This article is based on a white paper entitled “Managing Commercial Spyware Through Export Controls: Lessons Learned from the Wassenaar Experience,” published by the Center for Long-Term Cybersecurity at UC Berkeley in 2025.
In 2013, revelations of spyware-enabled human rights violations in the aftermath of the Arab Spring prompted multilateral efforts to combat the misuse of this powerful technology. States and nongovernmental stakeholders have subsequently sought to address the human rights harms—and more recently nonproliferation risks—associated with spyware. The most significant of these multilateral efforts has been the use of multilateral export controls under the Wassenaar Arrangement.
Wassenaar participating states placed a specific set of commercial spyware technologies on the Wassenaar dual-use control list in 2013. These changes—which represented the first international effort to directly regulate commercial spyware technologies—proved highly controversial, particularly in the United States. Consequently, international regulation efforts faced an impasse for several years.
Wassenaar controls—and, in particular, their implementation in the EU and the U.S.—offer three lessons. These lessons provide valuable insights for stakeholders seeking to improve existing export controls and explore other policy levers to address the proliferation and misuse of commercial spyware technologies. Recent initiatives, including the Pall Mall Process, indicate renewed interest and political momentum among states to tackle commercial spyware. These initiatives would benefit from reflecting on the lessons learned from prior regulatory efforts.
What Is the Wassenaar Arrangement?
The Wassenaar Arrangement, formally the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, is one pillar of the multilateral export control system; separate regimes cover weapons of mass destruction and their delivery systems. As its name suggests, the arrangement focuses on limiting the spread of conventional weapons and dual-use items by harmonizing and coordinating participating states’ export control policies. It therefore targets only the cross-border transfer of listed items, not their development, production, possession, or use. The arrangement maintains two control lists: the Munitions List, which covers conventional weaponry, and the List of Dual-Use Goods and Technologies. Both lists are reviewed and updated regularly, and any decision regarding listed items is made by consensus.
Notably, once the membership of the arrangement decides to place a certain item on one of its control lists, implementation is left to participating states. Changes must be implemented and applied on a national level to become effective, and a great deal of discretion is left to individual states. As of 2025, Wassenaar’s membership extends to 42 states, covering mainly Organization for Economic Cooperation and Development member states, as well as Ukraine, the Russian Federation, and India. Although this includes most major industrialized nations and leaders in technological innovation, the arrangement currently excludes a number of important states, such as Israel and China.
A limited set of commercial spyware technologies was added to the Wassenaar dual-use control list in 2013. This move followed a string of revelations in the aftermath of the Arab Spring in the early 2010s, when human rights abuses aided by commercial spyware supplied by Western companies such as Gamma International, Amesys, and Hacking Team came to light. A human rights campaign followed, calling for the international regulation of these technologies, particularly through restrictions on their sale and export.
In response, Wassenaar participating states added two items: IP network surveillance systems and items related to intrusion software. The second addition did not list intrusion software as such; it defined the term and controlled the systems, software, and technology specially designed to generate, deliver, operate, or communicate with such software. While the IP network surveillance controls covered a narrow set of technologies and were widely accepted, the controls on items related to intrusion software proved controversial, particularly among U.S. industry players and cybersecurity communities.
Implementation of Wassenaar Controls in the U.S. and the EU
Examining the national implementation of Wassenaar controls in the European Union and the U.S. reveals important differences. Whereas the EU has embraced the Wassenaar changes and a human rights-oriented approach in its export control regime, initial implementation in the U.S. was fraught with difficulties, delaying U.S. commitment in this area and contributing to a perception of Wassenaar controls as a contentious policy instrument.
European Union
The EU moved to implement the 2013 changes relatively quickly. The EU had a large base of companies providing surveillance technologies, with several implicated in the spyware-enabled human rights abuses that were uncovered following the Arab Spring. Thus, the bloc was keen to address human rights abuses and actively sought to expand controls on surveillance technologies, incorporating human rights considerations into the export control process. Following the update to EU control lists, attention shifted to questions of uniformity and consistency in the national application of controls, since licensing decisions are still made by individual member states.
Additionally, human rights concerns and controls on commercial spyware tools played a prominent role in the broader reform of the EU export control regime that had been underway from 2011 to 2021. The result—the “recast” Dual-Use Regulation (Regulation 2021/821)—has been described as “rights-based export controls.” Though the recast Dual-Use Regulation did not embrace human rights considerations to the extent that some of the reform proposals had sought, controversy centered not around whether human rights should play a role in regulating export controls of commercial spyware tools but, rather, on the extent to which they should be strengthened in the export control process.
Despite these efforts, the proliferation and misuse of commercial spyware technologies has remained an acute policy issue for the bloc. In 2021, the Pegasus Project revealed that several EU member states had reportedly used NSO Group’s products. Because export controls govern only the transfer of an item, not its acquisition or domestic use by a government, these deployments did not trigger export control frameworks at all. In response, the European Parliament established a committee of inquiry, the PEGA Committee (the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware), to investigate alleged misuse of commercial spyware in the EU. In its 2023 report, the PEGA Committee found that several EU (and non-EU) states had used Pegasus spyware in violation of EU law, and it called for stronger institutional and legal safeguards, including regulation of commercial spyware in the EU market.
United States
The U.S. sought to implement the Wassenaar controls on surveillance and intrusion tools in 2015. The U.S. Department of Commerce proposed guidance that was criticized by industry, security researchers, and nongovernmental organizations for being overly broad. As a result—and in contrast to developments in the EU—the U.S. government announced its decision not to go through with the proposed implementation the same year. Instead, it returned to Wassenaar negotiations in following years, seeking to amend the original additions of 2013. This effort resulted in changes to Wassenaar’s language in 2016 and 2017 that carved out exemptions for vulnerability disclosure and cybersecurity incident response activities. Only in 2021—several years after the initial Wassenaar provisions were introduced—did the U.S. implement the amended controls in its national dual-use control regulations.
Criticism of the proposed U.S. implementation focused on the controls on intrusion software, which proved extremely controversial, whereas the provisions on IP network surveillance systems drew little objection. A broad coalition of stakeholders argued that the proposed rule would harm both the cybersecurity industry and security research. Although the controls were aimed at tools used in connection with human rights violations, many argued that, as drafted, they could unintentionally sweep in everyday defensive activities such as penetration testing and vulnerability disclosure. Research involving vulnerabilities and exploits was the most contentious point: a proof-of-concept exploit or a command-and-control framework can fit the description of software designed to deliver or communicate with intrusion software, so sharing such material with colleagues abroad could have required an export license.
Following the delayed implementation of Wassenaar controls, the U.S. enacted a number of other policy measures to address commercial spyware proliferation and misuse, including the imposition of sanctions on spyware companies by the U.S. Department of the Treasury, visa restrictions for individuals involved in the commercial spyware market, and the creation of the Export Controls and Human Rights Initiative to consider human rights criteria in export control policies and practices.
Lastly, similar to the European Union, the U.S. export control regime has been undergoing a review and reform process since 2009. In 2018, Congress enacted the U.S. Export Control Reform Act (ECRA), which, among other policies, creates controls on a new category of “emerging and foundational technologies.” This could enable the U.S. control of commercial spyware technologies beyond those that have been added to the Wassenaar Arrangement’s dual-use control list. However, it is important to note that the U.S. reform efforts have been driven by increasing economic and geopolitical competition between the U.S. and China, in contrast to the human rights emphasis of EU reforms.
Lessons Learned
Analyzing the implementation of Wassenaar export controls in the EU and the U.S. reveals a divergence in U.S. and EU policies beginning in 2013 that lasted for several years. In the U.S., implementation has been fraught with difficulties and delays that have had a lasting impact. The European Union, in contrast, moved to implement the changes relatively quickly, and attention thus shifted to questions of uniformity and consistency in the national application of controls. This resulted in a gap in the implementation of the 2013 controls on commercial spyware between the two jurisdictions, limiting or delaying the potential impact of Wassenaar’s provisions for several years.
The experience of Wassenaar export controls offers valuable insights for states’ national and international efforts to regulate commercial spyware technologies. The following observations seek to highlight three lessons, based on a comparative analysis of the implementation of Wassenaar controls in the U.S. and the EU. First, new equities and considerations have emerged and need to be addressed by export control regimes and other regulatory efforts. Second, Wassenaar export controls have proved to be a contentious tool. Third, Wassenaar export controls and their effectiveness are inherently limited. Collectively, these observations help assess the utility of export controls, and in particular the Wassenaar Arrangement, as a multilateral tool to regulate commercial spyware tools.
Lesson 1: Export Controls and New Equities
Traditionally, export control regimes have sought to reconcile two competing interests or equities: the economic benefit from the sale and international distribution of items, and the national or international security interest in restricting the spread of capabilities to certain actors. The experience of controlling certain commercial spyware technologies through export controls has complicated this balance by adding two new equities.
First, the implementation efforts in the United States have shown the importance of cybersecurity activities as an interest in their own right. Industry representatives and security researchers argued that the same tools serve both offensive and defensive purposes, and a workable definition separating tools essential to defensive security from surveillance and intrusion tools proved elusive. The controls on items related to intrusion software thus illustrate how export controls can have unintended consequences for legitimate third-party interests, including efforts to secure and defend information and communication networks nationally and internationally.
Second, export control efforts have grown more complex due to the increasing relevance of human rights considerations. In this regard, the 2013 additions to the Wassenaar Arrangement set “a precedent by introducing human rights considerations” into the arrangement. While the European Union seems to actively embrace a more prominent role for human rights considerations in its export control framework, other countries may be more reluctant to use the particular instrument of export controls to address human rights concerns.
As a result, export control decisions have been complicated by the need to balance new equities. This multitude of considerations requires individual states to wrestle with their own policy priorities among these equities in order to effectively engage in and shape export controls, as well as other international regulation efforts.
Lesson 2: The Contentious Nature of Wassenaar Controls
The 2013 Wassenaar controls generated considerable controversy over the use of export controls to regulate dual-use commercial spyware items.
While EU member states had embraced the Wassenaar export controls approach and had sought to address the issue of cyber surveillance technology and human rights concerns during the reform of the EU export control regime, the failed implementation in the U.S. in 2015 challenged this rationale. Private-sector entities and the cybersecurity research community took issue with the use of export controls to regulate even a subset of commercial spyware tools. These groups were able to mount an impressive opposition, which ultimately led to a change of policy by the U.S. government and its subsequent efforts to amend the original 2013 Wassenaar language.
At least in the U.S. context, the original human rights concerns were muted for several years compared to prominently voiced cybersecurity-related concerns. According to skeptics of the Wassenaar additions, export controls were ill-equipped to regulate intangible technology, particularly without impacting tools, activities, and processes related to cybersecurity defense. The utility of export controls was hotly contested and resulted in significant controversy and an impasse in implementation for several years.
In turn, the delayed implementation in the U.S. had a disruptive effect on the functioning of the Wassenaar Arrangement itself. As one commentator observed, “While the updates to Wassenaar have been closely reflected in the equivalent mechanisms at national and regional levels, the addition of cyber surveillance technology has changed this narrative of broad acceptance and impact.”
As a result, the controversy surrounding export controls had a lasting effect on the Wassenaar Arrangement and its members, impeding international progress on the issue for several years. The case of the U.S. highlights the need for stakeholders to pursue a multitude of national and international measures to address commercial spyware rather than focus all efforts on one regulatory mechanism. This, in turn, requires systematic mapping and assessment of potential policy levers nationally and internationally.
Lesson 3: Inherent Limitations to Wassenaar Controls
There are inherent limitations to Wassenaar controls, and to export controls more generally, that need to be identified and acknowledged in order to assess the utility of export controls. Given that the Wassenaar controls target only a very small subset of commercial spyware technologies, the effectiveness of export controls to address the burgeoning market of such technologies is naturally limited.
Further, the limited membership of the Wassenaar Arrangement restricts the regulatory reach of the arrangement. Wassenaar’s membership is confined to select nations. By definition, export controls adopted by members of the Wassenaar Arrangement do not extend to non-members. And although Wassenaar includes most major industrialized countries, the controls on commercial spyware do not cover all countries with relevant industry. Israel is a notable example in this regard; it has a thriving tech sector yet is not a member of the Wassenaar Arrangement. Although Israel has generally adopted controls similar to those of Wassenaar through domestic legislation, the controls on intrusion software are less stringent than those agreed to in Wassenaar in 2013. Companies can easily circumvent licensing requirements by moving offices and operations elsewhere, in what some observers have termed “jurisdictional arbitrage.” As a result, the effect of controls adopted within Wassenaar is limited if significant industry actors are distributed across states that do not participate in the Wassenaar Arrangement and do not voluntarily follow its policies.
Lastly, as described above, the implementation of Wassenaar controls is left to individual states. This means that the effectiveness of Wassenaar controls ultimately depends on the uniformity of national implementations. A systematic assessment of national practices and licensing decisions is needed to identify differences that further limit the effectiveness of controls. The Wassenaar experience provides an opportunity to assess and improve the efficacy of controls, but to conduct such assessments, data regarding export applications, approvals, and denials needs to be systematically gathered, collated, made accessible, and analyzed.
***
The international market for commercial spyware technologies has gained considerable notoriety in the past 15 years. Coordinated and sustained civil society campaigns have highlighted the detrimental effects the misuse of this powerful technology can have, prompting international regulatory action. The inclusion of two types of commercial spyware technologies in Wassenaar’s dual-use export control list represents the most concrete attempt at regulating commercial spyware to date. However, the approach met strong contention in the U.S., and the intrusion software controls have been called the “most controversial addition to [the Wassenaar dual-use] list since its adoption in 1996.”
The lessons learned from Wassenaar can feed into efforts such as the Pall Mall Process, part of a growing push to tackle the question of commercial spyware and its international regulation. A detailed look at the Wassenaar experience is a crucial first step for moving the international regulation debate constructively and effectively forward—not only for improving upon existing export controls but also for approaching and designing additional multilateral measures and frameworks.
