The Key Challenges of Governing Commercial Spyware
Published by The Lawfare Institute
The use, or rather misuse, of commercially available spyware technologies has been featured in national and international media accounts, investigations, and research reports for well over 15 years. Widespread reports first appeared in the wake of the Arab Spring in the early 2010s, detailing the use of spyware technologies to target and surveil the communications of journalists, opposition leaders, human rights activists, and others.
Over the years, human rights abuse and harm connected to, or resulting from, the misuse of commercial spyware have been well documented. High-profile incidents have implicated the use of commercial spyware in countries as varied as Greece, Mexico, and Kazakhstan. In 2016, a suspicious text sent to the iPhone of United Arab Emirates dissident Ahmed Mansoor led to an emergency software update issued by Apple to patch the first iOS zero-day vulnerability found being exploited in the wild. In 2021, the Pegasus Project, a global collaboration of investigative journalists, exposed the misuse of Pegasus software by governments worldwide to target journalists, activists, and high-level politicians, based on a leaked list of 50,000 phone numbers.
In addition to human rights harms, states have recently highlighted threats to national security and digital security as the spyware market “vastly expands the potential pool of state and non-state actors with access to commercially available cyber intrusion capabilities and increases the opportunity for malicious and irresponsible use.”
The maker of Pegasus software, Israeli-based company NSO Group, has become somewhat synonymous with the global commercial spyware industry. However, despite its notoriety, NSO Group is only one of many companies developing and offering their products and services on the commercial market. While the companies at the center of early revelations, such as FinFisher (formerly Gamma International) or Hacking Team, have gone out of business, others have taken their place—and the commercial spyware market has not only persisted but turned into a burgeoning industry. According to a 2023 intelligence assessment by the United Kingdom’s National Cyber Security Centre, over 80 countries had purchased spyware over the previous decade.
Between human rights harms, threats to national security, and malicious use, the unconstrained proliferation of commercial spyware technologies poses a “global policy problem” and has been identified and acknowledged as such by a broad swath of governmental and nongovernmental stakeholders. Numerous efforts by governments and nongovernmental stakeholders to tackle the issue have failed to provide effective or comprehensive governance responses. Recent initiatives, including the Pall Mall Process, are bound to yield limited progress as well, unless three fundamental challenges to regulation are acknowledged and addressed. Doing so will require significant policy changes and leadership on the part of states. Otherwise, efforts will fail to bring fundamental breakthroughs in governance and will continue to result in marginal adjustments of the kind we have seen thus far.
Fundamental Challenges to Regulation
Addressing the increasing proliferation and long-standing misuse of commercial spyware technologies has proved to be a thorny issue. Despite a number of governmental and nongovernmental initiatives and increased political momentum in recent years, international progress has been limited thus far. This is in large part a function of fundamental challenges to regulation that need to be addressed. Three issues in particular stand out.
First, the commercial spyware market is characterized by a high degree of opacity. While a few companies, such as NSO Group, have gained notoriety, the vast majority of companies operating in this field are neither widely known nor publicized. Additionally, many appear to be privately held companies, and thus any publicly available information about their business is extremely limited. As a result, even the annual revenue generated by this industry is unknown and subject to much speculation. Whatever the exact figure, the market size appears to be nontrivial, with an increasing number of states purchasing spyware on the commercial market.
The lack of transparency in the commercial spyware market permeates all its elements: vendors, purchasers, users, as well as decisions regarding transfer and export licenses. This means that policy action geared toward mitigating human rights harms and nonproliferation risks of commercial spyware is based on limited data about the market. Formulating effective policy advice, as well as evaluating existing policies, becomes inherently challenging.
Second, governments play a central role in all aspects of the product life cycle of commercial spyware technologies, with critical implications for regulation. As others have observed:
[G]overnments are often fundamental sources of the proliferation and irresponsible utilization of cyber intrusion capabilities. When governments choose to buy cyber intrusion capabilities from private companies, they create and maintain an industry that perhaps would not exist without well-funded government contracts.
What is more, governments are not just purchasers and users of commercial spyware technologies; they are a key actor at all stages of a commercial spyware product life cycle. They are the home countries of spyware companies that develop and produce such technologies, and they can shape the business and investment environment in critical ways. States are also regulatory authorities, responsible for regulating their own governments' conduct and use of spyware technologies and for granting or denying export licenses to companies seeking to sell these technologies to foreign entities. The key role of governments in the commercial spyware market, coupled with their conflicting roles as both users and regulators, generates tensions that create undeniable challenges for establishing national and international restrictions on commercial spyware.
Third, and closely related, commercial spyware technologies address a need that states have, or at least claim to have, for technologies that can “access and manipulate a digital device, system, or network remotely without authorization.” As a result, states emphasize that “many of these tools and services can be developed or used for legitimate purposes.” The Code of Practice for States developed under the Pall Mall Process specifically mentions the use of technologies for “lawful purposes, such as in the context of legal frameworks pertaining to national security and defence, or the investigation and prevention of serious crime or for cybersecurity activities.”
Observers have argued that this need is fueled in part by the challenges that technological advances have created for states as the proliferation and diversification of online messaging services with default end-to-end encryption has rendered traditional intelligence-gathering and interception methods increasingly ineffective (also referred to as the “going dark” problem). While states have sought to establish regulatory frameworks to enable and guarantee access to data for government entities under certain conditions and for certain purposes—including through lawful interception—they have also pursued surveillance capabilities that would ensure government access to relevant communication data. While many states have built these capabilities in house, an increasing number of governments have turned to the private sector for surveillance capabilities.
Be that as it may, the recognition of legitimate uses of commercial spyware and other technologies for law enforcement, intelligence, and defense purposes complicates governance efforts, effectively precluding the use of straightforward bans or moratoriums on such technologies. Such an exception also requires an understanding of what constitutes a legitimate use and what does not. The Pall Mall Process has sought to move the conversation toward “responsible” versus “irresponsible” use of commercial cyber intrusion capabilities. However, while the Code of Practice for States lays out some parameters for “irresponsible” use, the concept remains ill defined and “open to interpretation.” Further, it is used in addition to other qualifiers such as “lawful,” “legal,” and “legitimate,” without much clarity regarding the relationship between these standards and any potential conflicts among them.
Further, with states emphasizing the legitimate use of spyware technologies, efforts to curtail the spread of commercial spyware capabilities run the risk of being framed in terms of “have” versus “have not” states. Such efforts would, after all, affect smaller, technologically less capable states that lack the resources and/or talent to develop commercial spyware capabilities in house. As a result, the case for legitimate uses and the enduring demand for access to the commercial market are difficult to reconcile with efforts to curtail further capabilities.
Limited Progress So Far
The fundamental challenges outlined above help explain the limited international progress that has been achieved thus far, despite a plethora of efforts by governmental and nongovernmental stakeholders. Various proposals, policies, and mechanisms have been advanced over the years. And while the proliferation of commercial spyware technologies and their misuse has not been comprehensively or effectively constrained, several efforts are worth highlighting.
On the part of nongovernmental actors, civil society and research groups have greatly contributed to raising commercial spyware proliferation as a global policy problem in need of regulation through digital-forensic work, assistance to victims, as well as reporting and documenting misuse cases. Over the years, civil society groups, including Access Now, Amnesty International, and Citizen Lab, have continuously raised awareness of this issue and have called for various national and international measures to be implemented. Among other things, civil society groups have repeatedly called for bans or moratoriums on the development and sale of commercial spyware technologies. In 2021, dozens of civil society organizations and experts issued a joint letter calling on states “to implement an immediate moratorium on the sale, transfer and use of surveillance technology.” Similarly, the UN Special Rapporteur on the promotion and protection of the right to freedom of expression called for an international moratorium until international regulations are established that would guarantee compliance with international human rights law.
Private-sector companies, including Microsoft and Meta, have also contributed and issued a wide range of policy recommendations as their products, services, or platforms are targeted and exploited by commercial spyware. These recommendations include measures to increase transparency; develop restrictions on government procurement, use, and testing of technologies; and partner with civil society to help protect users targeted with commercial spyware.
Further, earlier in 2025, the use of litigation to hold commercial spyware companies accountable for their conduct proved successful. In May 2025, a U.S. court ordered NSO Group to pay WhatsApp almost $170 million in punitive damages (though this sum has since been reduced to $4 million). Both Apple and WhatsApp (a subsidiary of Meta) had sued Israeli company NSO Group in high-profile litigation cases for violating their terms of use. While Apple decided to drop the lawsuit, WhatsApp’s case resulted in a landmark victory. These cases were in addition to dozens of cases filed by individuals in connection with the use of commercial spyware in numerous jurisdictions, including the U.S., the U.K., and Israel.
On the part of governments, several national and multilateral efforts have been advanced. In the aftermath of the Arab Spring, states participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies imposed export controls in 2013. Though this approach has not been without controversy and comes with important limitations (discussed earlier in Lawfare), it represented the first multilateral attempt to directly regulate commercial spyware technologies. Since then, export controls have evolved into one of the major policy levers available to states in seeking to constrain commercial spyware technologies.
More recently, and prominently, the governments of France and the United Kingdom initiated the Pall Mall Process, a global multistakeholder response to counter the proliferation and irresponsible use of commercial cyber intrusion capabilities. It is important to note that this initiative is broader in scope, covering not only commercial spyware technologies but commercial cyber intrusion capabilities generally, which according to the organizers include hackers-for-hire and vulnerability and exploit marketplaces, among others. The Pall Mall Process represents a significant development in the international governance debate in recent years and has injected long-missing political attention and newfound momentum into discussions.
However, it remains to be seen what concrete results the process can yield and whether its ambitious potential can be realized. Thus far, two conferences, held in London and Paris, respectively, have produced a Pall Mall Declaration and a voluntary Code of Practice for States, with work currently underway for a Code of Practice for Industry. The Code of Practice for States, agreed to in April 2025, provides a number of guidelines for the governance of commercial cyber intrusion capabilities and introduces the standard of “responsibility” to the spyware debate. The Code of Practice seeks to set out what “responsible” and “irresponsible” use of commercial cyber intrusion capabilities looks like by establishing practices for the development, facilitation, purchase, transfer, and use of such capabilities. Examples include the commitment by states to develop policy surrounding government use of cyber intrusion capabilities, or to assess vendors with regard to national and international cybersecurity standards and respect for applicable international law (including international human rights law).
Overall, the Pall Mall initiative has been welcomed as a positive first step toward greater governance of commercial spyware technologies and other intrusion capabilities. However, many nongovernmental stakeholders have voiced criticism of the Code of Practice for States, arguing that state commitments to governance remain below expectations, are voluntary in nature, and lack enforcement mechanisms. Be that as it may, the Pall Mall Process has reinvigorated governance debates and even introduced the issue to the broader cybersecurity discussions in the UN Open-Ended Working Group discussing international cybersecurity issues.
Looking Ahead
While a number of efforts have been proposed or advanced to address the harm stemming from the misuse of commercial spyware technologies, the various initiatives have been limited and piecemeal in nature, failing to comprehensively or effectively govern commercial spyware technologies. The Pall Mall Process has so far represented the most ambitious initiative, but its incremental progress has illustrated that substantial breakthroughs are still a long way off—due in large part to the fundamental challenges to regulation outlined above.
Looking ahead, stakeholders should nevertheless use the current political momentum to advance governance conversations on both national and international levels. However, to do so, the three challenges outlined above need to be addressed: transparency in the market for commercial spyware and other intrusion capabilities needs to be enhanced, states need to view increased governance of the market for commercial spyware (including their own use of these technologies) as beneficial, and legitimate use cases need to be more clearly defined and distinguished from unacceptable practices. Until these issues are addressed, efforts in this area are bound to result in superficial adjustments rather than fundamental breakthroughs in governance.
Addressing these challenges will obviously require significant policy changes and leadership on the part of states (as well as the commercial spyware industry). In the short term, it will require states to consider the use (and non-use) of these technologies and to formulate tailored national policies that balance various equities in this field, including national security, business interests, human rights, and digital security. In the long term, it also raises the question of whether a comprehensive, binding, multilateral framework will ultimately be needed to provide a vehicle for effective international coordination, harmonization, as well as enforcement and accountability. Does the market for commercial spyware technologies need to evolve into an internationally regulated industry akin to finance, aviation, or pharmaceuticals to effectively and comprehensively address the human rights, nonproliferation, and digital security risks of commercial spyware technologies? Others have previously argued that “only a binding multistakeholder legal framework can effectively regulate a legitimate and efficiently controlled market for spyware.”
While prospects for a binding international framework appear slim given the current geopolitical environment, stakeholders can nevertheless work to drive international conversations forward. First, they must assess existing policy levers, including export control regulations, to make them as effective as possible. Second, they can promote a research agenda that provides much needed systemic analysis of existing and potential policy levers to lay the groundwork for discussions of possible multilateral frameworks in the future. In tandem, these commitments could pave a path forward for regulating these powerful new technologies while states confront the fundamental governance challenges outlined above.
