May 11, 2023

From the USA, a Warning for Democracies

This article originally appeared in Formiche and has been reprinted with permission.

President Biden’s recent Executive Order (EO), which prohibits the use of foreign commercial spyware in the U.S. federal government, has catapulted the approximately $12 billion industry into the spotlight. The urgency to address the proliferation of commercial spyware was further underscored at the March 2023 Summit for Democracy, where President Biden’s EO helped drive conversations about “Countering the Misuse of Technology and the Rise of Digital Authoritarianism.”

Importantly, the EO served as a call to action for other democracies to establish guardrails around surveillance technology. In a joint statement, countries such as Canada, Costa Rica, France, and the United Kingdom emphasized the need to collectively protect human rights and national security interests from the risks posed by commercial spyware technologies both domestically and abroad. They also invited other countries to adopt similar principles and to collaborate with both industry and civil society to curb misuse globally.

The rallying of democracies around limiting commercial spyware is significant for several reasons, including the stated willingness to share information and coordinate on export controls as journalists, activists, and politicians continue to be targeted.

Although autocracies are more likely to purchase commercial spyware technologies, democracies have also contributed to market demand. The most notable example is Israel, which continues to be the leading exporter of commercial spyware technologies, even after clamping down on the number of countries that can purchase its cyber technologies. Israeli spyware, particularly NSO Group’s Pegasus Project, has been deployed in democracies such as Germany and Italy. The United States is also not immune to the commercial spyware industry, despite blacklisting NSO Group in 2021. In fact, while President Biden’s commercial spyware EO is already impacting the industry, the United States remains the world’s most profitable market for surveillance technologies. Companies in the United States, as well as in other Western nations such as France and Canada, have exported these technologies to illiberal governments.

Though NSO Group has suffered financially over the years, such that it was deemed “valueless” by its private equity backers, actions to date against the commercial spyware industry are far from decisive. Democracies must now proactively ensure that new vendors do not try to fill the void left by NSO Group and other large companies, especially as key partners such as India begin to seek alternative spyware capabilities.

While Summit for Democracy discussions were a good first step, democracies must now ensure international guardrails are established and upheld by creating an investor engagement strategy and educating the public about commercial spyware risks.

First, democracies must create an investor engagement strategy. While democracies can target specific companies or model the United States’ approach to limiting federal use of commercial spyware technologies, there are bound to be gaps, particularly as demand and supplier financial incentives persist. However, new vendors would likely struggle to enter the space without the backing of investors who help develop their tools. Consequently, governments should directly engage investors to shape parameters for responsible technology development, including scoping legitimate use cases, if any, and vetting companies for intentions to export commercial spyware to illiberal regimes.

Second, democracies must educate the public about the risks of commercial spyware. Since commercial spyware is often “zero-click,” meaning it is executed without prompting, individuals do not necessarily know when they are being surveilled. This has led to high-profile incidents, such as when the phones of 50 U.S. government officials were suspected or confirmed to have been infected by commercial spyware, a larger number than previously known. Since the general public can be targeted too, democracies can play an important role in educating the general public about commercial spyware risks, leading to better cybersecurity practices and reducing demand for spyware tools in the long run.

With new threats posed by commercial spyware uncovered by the day, democracies cannot wait to respond. Now is the time to work together and limit authoritarian use of spyware tools.
