
Interview with Edin Omanovic (Privacy International)

30 August 2022
Categories
  • Article
Tags
  • Fundamental rights. Data protection
  • Pegasus
  • Pegasus/Data protection

The different types of surveillance technologies need to be regulated differently, you said in the hearing on 21 June, but how specifically is that going to be implemented?

While the European Parliament’s inquiry was spurred by revelations concerning the use of Pegasus spyware, for its final report to have a substantial impact it’s important that it addresses the full scope of technologies that are on the market. This includes spyware used to target devices similar to Pegasus, but also concerns technology for things like intercepting mobile communications, tapping phone networks, conducting forensics on devices, monitoring internet traffic at a network level, conducting facial recognition, or tracking people’s location; all of these can present clear threats to the privacy and other rights of people around the world similar to Pegasus, including in Europe.

There is no one law that can begin to regulate this full spectrum because of the different ways they work and the different threats they pose; while some techniques like the use of mass, untargeted surveillance or live facial recognition in public spaces present such grave risks that they call for a ban, others like systems that tap specific conversations could be lawful if there are sufficient protections in place. And while some could be better regulated through things like technical standards, codes of conduct, or export restrictions, others cannot.

The principles of international law are still the best guide we have for determining what should and shouldn’t be acceptable in a democracy and what kind of protections need to be in place. Privacy International also has a guide on interpreting the many judgments, resolutions, and reports on international law and surveillance, available here, and a study on the protections that would be required for the lawful use of spyware of the type sold by NSO Group, available here.

It’s worth noting that such spyware presents such a clear and dangerous threat that its use may never meet these requirements, but also that there’s still only a handful of countries that have even tried to pass laws specific to government hacking – and many of these still fall short.

You talked about a "spyware" ecosystem and named, for example, mSpy, NSO Group, Zerodium, BlackCube or Welund. What is the difference between these companies?

NSO Group and the likes sell malware apparently exclusively to governments and for surveillance purposes. With that comes a whole technical infrastructure that’s used to control the malware and disguise the government operator, software that acts as a user interface, training, updates and technical support. It’s a package that’s designed to allow anyone to be able to hack into devices.

But you also have companies that will just hire already-trained government hackers to do it as a service, government-linked groups which are hacking activists and other targets, and private intelligence companies which may also use hacking techniques to get intelligence for clients.

Then you also have companies such as Zerodium, which are different again because they trade in software exploits that can be used to infiltrate devices and provide access – their customers could be government agencies such as the NSA directly or spyware companies.

Another major threat is companies which sell commercial malware (aka stalkerware) to anyone, including for example abusive partners, allowing them to do things like track a device’s location and read messages.

Again this is important because each one presents a different type of threat which you need to respond to differently. For example, while elements of data protection regulation may be applicable to the types of activities carried out by private investigators, they are less applicable to the activities of spyware companies. While under certain circumstances export restrictions on some technical infrastructure used to deploy spyware may work, similar restrictions on exploits cannot work without exposing IT security researchers around the world to legal action and ultimately undermining the security of devices and networks, so it’s important to know what kind of actor you’re trying and able to regulate.

How does it make a difference if they are based in countries like Israel, the United States or the European Union?

Each jurisdiction has different regulations in place, and even across the EU there are differences in implementation of relevant legislation. For example, some countries may take human rights considerations into account more seriously than others when it comes to approving exports, and be more transparent about the exports they do approve; a number of EU countries provide information on approved exports of surveillance, whereas authorities such as those in Israel refuse to provide any transparency. Data protection and computer hacking regulations which may apply to companies such as private intelligence companies also vary across jurisdictions. So knowing where a company is based and exports from is incredibly important.

You also said that there should be a distinction in possible regulation between companies that sell hardware and those that only sell spyware, and then there are those that get paid for hacking. Who are these companies?

As outlined in a recent briefing by Privacy International, there are an unknown number, likely thousands, of companies ranging from private investigators to “reputation management” firms which carry out surveillance as a service, predominantly for companies and rich individuals, for example those involved in litigation. London-based BlackCube, for example, was reported to be using false identities to befriend women after being contracted by Harvey Weinstein to stop the publication of news articles detailing sexual misconduct allegations, while two of its employees were sentenced in Romania for attempting to hack into the emails of the country’s head of anticorruption (now the European Chief Prosecutor) at the behest of a former senior intelligence official. Companies like Hakluyt and Welund have been reported to spy on environmental activists.

These types of companies don’t provide tools for targeting devices in the way NSO Group does, but they pose no less of a risk. Particularly if for example you’re an environmental activist or a politician working on legislation opposed by powerful industrial groups, they may even pose a bigger threat.

There have also been successes, such as the companies Hacking Team from Italy and FinFisher and DigiTask from Germany having to stop working. How did this come about in your opinion?

Prior to their demise, Hacking Team was stripped of a general export licence and there was a legal investigation into FinFisher’s failure to get export licensing approval, brought by activists and journalists in Germany. The fact that both of them were hacked undoubtedly also played a key role because it exposed a lot more about their operations, which made it very hard for them to maintain secrecy and the pretence that they were simply helping cops hunt bad guys.

As with NSO, which looks like it’s in serious trouble due to the export blacklisting in the US and other reasons, the common factor is that they were all high profile and considerable energy was expended by activists and journalists in exposing their operations and trying different avenues to get accountability and better regulate their operations. It’s an example of where difficult and risky work by researchers, activists and journalists can lead to policy change and impact.

What’s worrying is that there are companies out there about whom we basically know nothing, or indeed whether they even exist, which is why we need systematic solutions.

What effective sanctioning options do you think the EU has, and how could they be used? You think that the Commission can already control the procurement of mercenary spyware?

They could use the human rights based sanctions available to the EU, as outlined in our Joint Letter "Urging EU Targeted Sanctions Against NSO Group" with more than 80 other human rights groups. There is scope for working on something that provides transparency and community input into the procurement of surveillance at EU level – perhaps something similar to some of the local legislation in the US; see a proposal by the ACLU for this. In December we published possible "Safeguards for Public-Private Surveillance Partnerships", which includes a description of the kind of measures on procurement that would be extremely helpful.

What new laws could be enacted, and what should be included in the final report of the inquiry? For example, you call for EU member states to have to report on their exports to third countries. To whom should this be reported?

The recast of the Dual Use regulation which regulates surveillance exports – after a decade of debate following the Arab Spring – means that member states should report such exports to the Commission, which will make them public, but there are very wide-ranging exemptions. As this will be the first year we could see this data, it will be important to see which countries actually publish and which ones rely on invoking these exemptions to shield transparency. If EU member states are serious about mitigating the threat posed by the industry they should start publishing this data, as it is a crucial source of information and allows citizens, oversight bodies and parliamentarians to see whether policies are actually being followed.

Another priority for the EU should be stopping and reforming the aid it provides to third countries for surveillance. As we’ve documented at Privacy International, aid and other programmes are used by EU member states and institutions to train, equip and finance surveillance operations around the world, including in authoritarian countries for things like stopping migration towards Europe. Stopping programmes which present a risk to human rights and tying others to their protection is a necessity; without reforming this it is inevitable these kinds of powers will proliferate not only endangering people in the EU but undermining its own interests in promoting democratic reforms, rule of law and human rights. We have some more detailed proposals on this in another open letter.

Aren’t sales within the EU also a problem? The malware is used illegitimately there as well…

Of course: no authority should procure any technology without protections in place. Any such acquisition of any surveillance must be prescribed by law and there need to be assessments made to ensure that any use is necessary to achieve a defined goal and that it is proportionate. Any such acquisition should also be transparent, subject to independent oversight, allow avenues for those affected to seek redress and include mechanisms which enable third parties to scrutinise and challenge consequences.

Export restrictions should also apply to intra-EU exports given that some EU members have shocking rule of law and human rights records.

In the coming weeks, the EU Commission will present the proposal for a Cyber Resilience Act. Could measures for hardening, also against mercenary spyware, be anchored there?

Absolutely, particularly, for example, by ensuring that device manufacturers provide long-term support for security and by ensuring that they explicitly announce their end-of-life date for software support on packaging, as described in our "Best Before date policy brief" on device sustainability.

Thanks for the interview Edin!

Contact

Dr. Cornelia Ernst

Großenhainer Straße 93
01127 Dresden
Tel.: +49 (0)351 309 429 72
europa @ cornelia-ernst.de