A FRAMEWORK FOR TRADE IN INTRUSIVE SOFTWARE: THE NEED OF THE HOUR

This article has been authored by Shruti Avinash, a second year student at NALSAR University of Law, Hyderabad.

Introduction

The revelation that the Pegasus Spyware (of Tel Aviv’s NSO Group) was used to snoop on the private devices of Journalists, Human Rights Defenders and opposition leaders has raised important questions on privacy and State surveillance. This imputation of State Surveillance has been denied by the Indian government, and it appears impossible to hold States accountable in the absence of admissions.

Pegasus was detected for the first time on the device of a Human Rights Defender in 2016, after which it continued to remain in the limelight for invasions of privacy. The Israeli start-up was sued by Facebook for reverse engineering its communications platforms. However, the organization continues to deny any allegations of wrongdoing, maintaining that it sells its spyware to governments and is not responsible for subsequent misuse/human rights violations. While the invasion of privacy is undoubtedly a legal issue in need of address, this article analyses the provisions which enable the sale and purchase of spyware.

Spyware

Spyware is defined as a software application which is installed without consent on a person’s device and logs private data about the end user. The spyware collects data like browsing activity, keystrokes, email messages, credit card information and passwords. The Spyware developed by the NSO group is advanced enough that it collects microphone and camera inputs once deployed. Intermediaries and communications platforms understand the producers of such Spyware as Private Sector Offensive Actors or ‘PSOAs’. The Spyware, when sold to governments, is used on targets’ computers, phones, network infrastructure and internet-connected devices. Service providers believe that such technologies translate into cyberweapons and act as an affront to the rights of civilians. The usage of such technologies is indubitably construed as a human rights violation on part of Governments. The issue of governments using Spyware to hack into the devices of journalists and dissidents, as proved in the case of Saudi Arabia and the United Arab Emirates is contrary to the idea of a free cyberspace and eventually paves the way for more egregious human rights violations.

Quite ironically, the Snowden expose of the USA in 2013 appears to have had some kind of paradoxical reaction. Rather than leading to condemnation, the revelations of State surveillance hiked the demand for Spyware. John Scott Railton, Senior Researcher at the Citizen Lab (Toronto) maintains that following the Snowden revelations, the demand for surveillance capabilities experienced a big boost. Governments and intelligence agencies began vying for similar surveillance technologies themselves. This, in turn, led to the burgeoning of the intrusive software industry, with numerous start-ups commissioning surveillance products.

Export of Surveillance tools

The issue of human rights abuses arising out of new technologies had been recognized by several International Human Rights Organizations, who then formed the Coalition Against Unlawful Surveillance Exports (CAUSE). The Coalition believes that Information and Communications Technology (ICT) Companies have a certain duty against providing surveillance tools, interception tools and monitoring tools to authoritarian governments. With a majority of such ICT Companies being situated in Europe, CAUSE documented that those countries with troubling human rights records, such as Bahrain, Saudi Arabia, Pakistan, and Oman, have purchased surveillance technology made in Germany, Italy, UK, and France. Hence, the coalition advocated for stronger regulation of surveillance technologies and updating of export controls.

The European Union updated their export controls on surveillance technologies in March 2021. However, these regulations were criticized as being so weak that they would only be effective if they were implemented rigorously. The laxity of the provisions is especially dispiriting since they were formulated after nearly a decade of deliberation. The export controls apply to intrusive and interception software, deep packet inspection and biometric surveillance. The regulations demand transparency and accountability inasmuch as the EU Commission is required to report on the number of such exports, the type of surveillance and the identities of purchasing member States. These regulations, only if rigorously implemented, may serve to prevent sale of surveillance technologies to authoritarian regimes.

However, the cognizance of human rights violations as a result of State surveillance has not been taken in other parts of the world. It follows that PSOAs like the NSO group find themselves making a profitable business of selling Spyware and other Cyber Weapons to ‘vetted governments’ while escaping all liability. Such latitude is especially menacing for human rights considering that over 36 governments across the world are believed to be customers of the NSO group. At present, it appears that several high-profile world leaders were also on the leaked database as targets of the Spyware. This implies that the Pegasus Spyware was not being used to monitor civilians alone. Persons in High-Office may have been monitored by government clients in other countries. Therefore, it is important for governments to collectively rise and condemn the sale of such cyber weapons as being in derogation of human rights and being a threat to National Security.

Legal Frameworks

The NSO group claims that it makes all ethical considerations while making the sale of spyware to client governments. The organization has claimed that all exports are governed by the export control regime of Israel, Cyprus and Bulgaria. However, the NSO group has unscrupulously sold its Spyware to repressive and authoritarian regimes such as Saudi Arabia, the United Arab Emirates and Azerbaijan. Although the company says that it only sells its products to vetted governments for the prevention of serious terrorism and crime, it virtually has no oversight on the abuse of its technologies.

In a 2019 report, the UN Special Rapporteur on the Freedom of Expression, David Kaye specifically condemned the fact that the surveillance industry enables State suppression and human rights violations. He called for a moratorium on the sales of all such Spyware until international controls were put in place. The NSO group is just one of hundreds of companies which are unrestrained and unethical in their sale of surveillance technologies to governments.

The Wassenaar Agreement, which governs the trade of conventional arms and dual-use weapon technologies does not cover the trade of Spyware technologies which may be potentially used for the violation of Human Rights. The framework must be expanded to include within its scope the usage of militarized Spyware.

Somewhat counterintuitively, since 2013, the nations of the Wassenaar agreement believed that the definitions in the arms control framework could be used to control unethical exports of spying tools, research into spying tools and security tools. Strikingly, their moves only envisaged export controls on organizations and did not make any provisions for sanctions against governments misusing surveillance technologies. Whereas a provision for sanctions may have caused governments considerable qualms about deploying such technologies against civilians.

However, the process of extracting data related to the opaque ‘intrusive software’ industry is easier said than done. Such information is usually approximated by academia and other Non-Governmental Organizations, making it difficult to use such data as authoritatively as needed for legal claims. It is impossible to uphold human rights in refusing to devolve responsibility on parties to qualify State surveillance/the abuse of information harvested through State surveillance. It is the need of the hour to create a stringent, transparent and expeditious framework for the prevention and punishment of resultant human rights violations.

Conclusion

Since the users of surveillance technologies are most commonly governments themselves, it is disappointing that international law has little to say upon the matter. The absence of a uniform framework governing the sale and use of Spyware makes the benefits of such surveillance extremely high when weighed against the marginal costs. The staggering might of State actors when situated against hapless citizens is alarming for democracies such as India to the extent that it enables false implication, State-sponsored killings and electoral imbalances.

It is important to hold governments accountable for the use and abuse of surveillance technologies. Admittedly, it is far more expedient to remedy the problem at the root by regulating the malicious development and unsupervised sale of such technologies to authoritarian governments. The hazards of spyware are such that it is impossible to create liability once the technology has been passed to non-transparent and unaccountable governments. Here, the best contender in terms of policy would be a stringent international framework for the controlled export of intrusive software.