Three years have passed since the Pegasus scandal first broke into the public. Yet, we still haven't fixed the surveillance industry. Quite the opposite, actually: the spyware problem keeps getting bigger.
It's in this light that a group of civil society organisations wrote an open letter on Tuesday, September 3, calling on EU regulators to take more decisive action against the threats posed by the use of spyware. For the experts it isn't negotiable – the EU Commission should propose a legal framework that includes "an EU-wide ban on the production, export, sale, import, acquisition, transfer, servicing and use of spyware."
A ban, that's right. By their very nature, in fact, spyware tools are incompatible with the concept of privacy. All the software is programmed to do is infringe on this human right, with the abuses far outweighing the advantages. Everybody can be a target – our phones are the front door into the most private side of our lives.
Should spyware be a legit market?
Spyware refers to a type of malware (or malicious software) installed on a digital device without the user knowing it. While software capabilities may differ, these tools aim to collect all sorts of sensitive information. Details can span from your location, camera, and microphone data to all messages you send/receive, websites you visit, banking information, and passwords.
The strength – and danger – of spyware lies in the fact that these tools can be very difficult to detect, yet fairly easy to inject. Pegasus is a perfect example, as it uses zero-click attacks while leaving minimal trace on the infected device. This means that not even security software like the best VPN or antivirus apps can fully protect you against this increasing threat.
At this point, we could argue that spyware may be a crucial tool in the hands of governments for national security purposes. So far, however, the list of authorities abusing it has been the longer one.
Developed by the Intellexa Alliance – a group of companies, many of which are EU-based – Predator spyware is a highly invasive phone hacking software, designed to access all stored and shared data while leaving no trace on the target device. It can infiltrate a smartphone via a malicious link or through tactical attacks launched from nearby devices on insecure networks.
Let's look at how the Pegasus scandal unfolded. Mexico was reportedly the first customer of Israeli cyber-intelligence firm NSO Group to purchase its powerful technology in 2011 to support its fight against narco-trafficking. In 2017, however, investigators found traces of Pegasus on the phones of several Mexican journalists and activists.
Pandora's box finally opened up in 2021 – over 50,000 phones around the world had been compromised. Among these was the phone of the journalist Jamal Khashoggi, assassinated inside the Saudi consulate in Istanbul in 2018. The investigation would later uncover that over 46 countries worldwide purchased this very invasive tool, including at least 14 EU nations.
Two years later, a new investigation into the use of so-called Predator spyware revealed how the EU spyware problem is worse than previously thought. This is largely because the tool wasn't just used across the EU to spy on politicians, journalists, and activists this time, but was developed, sold, and exported by EU-based firms mainly operating across France, Ireland, and Greece to at least 25 countries worldwide.
It's hard to understand how the spyware industry is still allowed to be a legitimate business – and a thriving one, indeed. Even Google is worried about its "growing threats to free speech, the free press, and the integrity of elections worldwide."
The Big Tech giant tracked around 40 Commercial Surveillance Vendors (CSVs) operating worldwide. Some companies focus on researching device vulnerabilities to develop and sell exploits, while others make the spyware products themselves. All in all, the proliferation of spyware "causes real-world harm," experts said.
Governments aren't the only ones to be using (and abusing) these tools to track criminals, politicians, journalists, or activists.
For instance, companies have increasingly turned to what's known as bossware to better monitor their remote employees. While the implementation details depend on the country, work productivity monitoring apps are perfectly legal. Yet, the room for abuse remains wide open.
Spyware can be a very dangerous tool in the hands of hackers, stalkers, and criminals, too. The ease with which people without any particular technical skills can launch these attacks makes every one of us vulnerable. Think what an abusive partner can do with such an app.
All this is especially worrying considering that, as security firm Avast found out, mobile stalkerware usage has increased 329% since 2020.
Regulating spyware use isn't enough
We can argue that any technology can be harmful if improperly used – think of social media platforms or AI software, for instance – and that all we need is stronger regulation. Well, when it comes to spyware the truth is more complex than that.
Lawmakers have so far failed to develop a legal framework able to mitigate the societal harm posed by spyware. While most governments recognize the risks, it looks like no one is ready to renounce these unprecedented surveillance capabilities.
We already mentioned how the EU got caught up right in the middle of the spyware mess. Yet, when the bloc had the chance to take a strong stance against this tech to protect the free press, it simply didn't. Under the EU Media Freedom Act, spyware is still allowed on a "case-by-case basis" and "subject to prior authorization by a judicial authority" investigating crimes punishable by a custodial sentence of at least three years.
🚨 Today, CDT Europe and 30 civil society & journalists' organisations are taking a stance against the pervasive threat of spyware. We're calling on the incoming EU institutions to take decisive action in the new legislative term #StopSpyware 🧵 https://t.co/Yh408k7ydN pic.twitter.com/vG7kpQHpnL
September 3, 2024
A New York Times investigation also reveals that, while the Biden administration banned the use of hacking tools made by the Israeli firm NSO, the government is still trying to find a legal way to use them.
On February 6, 2024, the UK and France led a new international joint agreement to curb spyware's human rights abuses and develop policies for using these intrusive cyber tools in a "legal and responsible manner." Yet, given these premises, it's difficult to see how regulation alone can be enough to prevent harm.
As pointed out by the European Data Protection Supervisor (EDPS) in 2022, the unprecedented level of intrusiveness of modern spyware "threatens the essence of the right to privacy, as the spyware is able to interfere with the most intimate aspects of our daily lives." According to the EDPS, such intrusive technology is de facto incompatible with EU law.
How can you then regulate the use of software that, by nature, goes against today's privacy laws? You simply cannot. That's why a spyware ban is the only solution if we want to save what remains of our privacy.
As Natalia Krapiva, Tech Legal Counsel at Access Now, put it: "This sinister technology that has been misused and abused by governments around the world is not safe in any hands, and its use can never be justified. Discussions do not suffice. We expect action."