It’s time for democracies to protect dissidents from spyware
the TechCrunch Global Business Project examines the increasingly intertwined relationship between the tech sector and global politics.
Governments that buy spyware tend to share a common pretext: the need to fight terrorism and other threats to public safety. But we know that when autocratic regimes acquire cutting edge surveillance technology, they also intend to use it against militants, journalists, academics and any other dissenting voices they see as a threat. Spyware – used to infect phones and other hardware without the owner’s knowledge in order to track movement and steal information – are tools of law enforcement just as surely as guns.
There have been too many well-documented cases to ignore this fundamental 21st century reality. Yet companies continue to sell their spyware to despotic governments, in some cases claiming to ignore what is likely to happen next. This trend has rocked the community of political dissidents across the globe and placed them at increased risk of arrest and much worse.
We know this because this technology has been used on us. As a naturalized American from Saudi Arabia and a British scholar, we count ourselves and many colleagues among the victims.
One of us, Ali Al-Ahmed, saw the saudi government steal his personal data on Twitter, then use it to track down, imprison and torture his Twitter followers.
The other of us, Matthew Hedges, was a graduate student on a research trip to the United Arab Emirates when he found out authorities had pirate his phone even before his arrival in the country. He was arrested in 2018, charged with espionage and initially sentenced to life in prison. Eventually detained for six months, he was kept handcuffed and fed on debilitating drugs.
While these experiences continue to be painful for us, we live relatively safe in the United States and Britain. But our experiences are too common. They highlight the continuing systemic abuses that authoritarian regimes inflict on people every day, in violation of international law and all human rights principles.
By allowing bullies to follow every move of citizens, spyware vendors make this kind of abuse possible. Dissenters around the world will have targets on their backs until democratic governments crack down on companies that turn a blind eye to this use of their goods.
The time has come for decisive action by democratic countries, including the United States, to curb these abuses. The leaders of Western democracies speak of the need to master Big Tech. And yet, in the never-ending standoff between government regulation and tech companies, “users have become the main victims,” ââas the new report of Freedom House, a watchdog organization, said so. Too often, ordinary online citizens are vulnerable to predation by their own governments.
China and Russia get the lion’s share of global public attention for state-sponsored hacking and crackdowns for the scale of their operations. But U.S. allies like Saudi Arabia are often among the worst offenders.
For example, some of the Middle East’s most ruthless dissent suppressors, including Saudi Arabia, the United Arab Emirates, and Bahrain, are buying spyware from Israeli firm NSO Group. These governments have used NSO’s Pegasus software to hack the phones of many human rights activists and critics, often far beyond their own borders.
Sometimes the autocrats who run these regimes have purely personal motives, as in the case of the ruler of Dubai, Sheikh Mohammed bin Rashid Al Maktoum. A british court find that he used Pegasus to spy on his ex-wife and several of his children.
The public only learned about this because an NSO group official called a prominent British lawyer late at night to brief them about the surveillance. As serious as the Sheikh’s abuse of Pegasus was, what was most alarming was that NSO Group knew he was using its technology for illicit purposes. In this case, senior executives felt exposed enough to speak out, but the firm did not disclose what it may know about other abuses by its clients.
Nor is the NSO Group the only one selling spyware to law enforcement and intelligence agencies known for their human rights abuses. Israeli companies Candiru and Cyberbit are in the same company. German company products Sinner and the Italian firm Hacking team (now renamed Memento Labs after a 2015 scandal) have also been linked to abuse.
NSO reportedly terminated its contracts with Saudi Arabia and the United Arab Emirates, saying they abused Pegasus. But corporate self-enforcement is not enough. Democratic governments must send a clear message to these companies: that they will face export bans and that senior company executives will face penalties if their products are used to violate human rights.
Another important step would be for the US Department of Commerce and its counterparts in the UK, Europe and other democracies to expand the use of blacklists that restrict trade with companies that allow abuse. The Ministry of Commerce already understand NSO Group, Candiru, Russian company Positive Technologies, and Singaporean company Computer Security Initiative Consultancy on its âentity list,â which means these companies cannot purchase components from US vendors without a special license. But such a broader global campaign could go further.
Finally, democratic countries should establish transparent and uniform rules for the use of spyware. Last week, the White House hosted a Virtual Summit for Democracy of World Leaders for the express purpose of fighting authoritarianism and promoting human rights. As this coalition gets to work, spyware should be high on its agenda.
Clearly, we have entered a new era of electronic espionage and digital repression. It is only by adopting stronger regulatory and legal protections that democracies can ensure their survival, allow freedom of expression to flourish, and protect the well-being of their citizens.