Unchecked Spyware Industry Enables Abuses: HRW

2021-07-31, 1:20pm Human rights

People march in Budapest, Hungary during a July 26, 2021 protest against the Hungarian government over reports that it has used Pegasus spyware. © 2021 Marton Monus-Reuters

New York – Recent reports that NSO Group’s Pegasus spyware has been used for surveillance of dozens of journalists, human rights activists, and others demonstrate the urgent need for governments to suspend the trade in surveillance technology until rights-protecting regulatory frameworks are in place, Human Rights Watch said today. Governments should immediately cease their own use of surveillance technologies in ways that violate human rights.

Pegasus is privately developed and sold by NSO Group, which is based in Israel. Numerous media outlets have recently reported that Pegasus software was used to infiltrate the devices of activists and journalists, and people close to them. The reporting by the Pegasus Project was based on a leak of a list of 50,000 phone numbers, which media have reported are concentrated in countries known to engage in unlawful and arbitrary surveillance of their citizens and also known to have been clients of NSO Group.

“Disturbing reports about Pegasus again highlight the harm this opaque industry causes when spyware ends up in the hands of governments that abuse it,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “NSO Group and its competitors cannot regulate themselves, and governments should urgently suspend sales and transfers of surveillance technology while they investigate and regulate this industry.”

NSO Group has repeatedly denied the news reports, claimed that the reporting is “erroneous and false,” and said it “will no longer be responding to media inquiries on this matter.” Previously the company claimed that the reporting was based on “wrong assumptions and uncorroborated theories.” However, none of the Pegasus Project partners have retracted their reporting.

For years, human rights organizations have been raising the alarm about the proliferation and abuse of commercial spyware and the need for stronger regulations that control the export of such technology and ensure compliance with international human rights standards. Human Rights Watch reporting has linked the use of NSO Group’s spyware, as revealed by Citizen Lab, to government efforts to crack down on journalists, activists, and independent thinkers in multiple countries.

The Pegasus Project is a collaboration of more than 80 journalists from 16 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based nonprofit media organization, with the technical support of Amnesty International, which conducted forensic tests on mobile phones to identify traces of the Pegasus spyware.

Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). NSO has said it only sells the technology to government clients.

The number of people targeted for this surveillance may be much larger than the dozens of confirmed cases and could be massive in scale. Human Rights Watch is working to confirm whether Pegasus was installed, or whether installation was attempted, on the devices of its staff members whose numbers appear on the list.

Israel’s Defense Ministry is responsible for issuing export licenses for NSO’s spyware. The Ministry has stated that Israel approves the export of cyber products “exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counter terrorism” and “[i]n cases where exported items are used in violation of export licenses or end use certificates, appropriate measures are taken.” However, this has not prevented Pegasus from ending up in the hands of governments that have abused it.

There has been some progress in strengthening the European Union's export control regime. And senior executives at the French spyware firm Nexa Technology (formerly Amesys) have recently been indicted for the company’s sale of surveillance software to the governments of Libya and Egypt, which the complainants say could have resulted in the torture and enforced disappearance of dissidents. However, the industry as a whole is still unaccountable and does not carry out sufficient human rights due diligence to prevent or mitigate the adverse human rights impacts linked to its products or services. The Pegasus Project revelations should be a wake-up call for governments around the world, Human Rights Watch said.

“Commercial spyware has been repeatedly used to target activists and journalists, and when left to their own devices, companies continue to sell these technologies to governments known to engage in abuses, including arbitrary surveillance, against perceived opponents,” Brown said. “These allegations need to be investigated and companies need to be held accountable for human rights violations they facilitated by selling their spyware to governments likely to abuse it.”

NSO Group has recognized that it has a responsibility to respect human rights under the UN Guiding Principles on Business and Human Rights through its own human rights policy. However, companies in this sector, including NSO, have failed to effectively regulate themselves. Many sell these products to governments that offer little to no transparency or oversight over their use and few, if any, privacy or procedural safeguards, and where victims have no meaningful access to a remedy. In such contexts these highly invasive technologies are easily misused to violate the rights of journalists, activists, and government critics, as evidenced by the growing volume of reporting.

Pegasus is surreptitiously introduced on people’s mobile phones. It turns an infected device into a portable surveillance tool by gaining access to its camera, microphone, and text messages, enabling surveillance of the person targeted and their contacts. This surveillance not only affects those targeted directly, but also has a chilling effect on advocates or journalists who may self-censor out of fear of such surveillance and on sources, including victims of abuse, who fear the possibility of surveillance and loss of confidentiality if they share information with journalists and human rights organizations. Information obtained through arbitrary surveillance can be used to prosecute or detain human rights defenders or dissidents, and to monitor and harass those who might dare to stand in the way of government officials or powerful figures.

International human rights law establishes a right to privacy and bars arbitrary or unlawful infringements on the right. Restrictions on privacy are only permissible if they are necessary and proportionate to achieve a legitimate purpose, and provided for in law.

Pegasus spyware has been used to illegally or arbitrarily surveil activists or journalists, violating their rights to privacy, undermining free expression and association, and threatening their personal security and lives. The Pegasus Project’s reporting revealed evidence, for example, that the wife and the fiancée of the murdered Saudi journalist, Jamal Khashoggi, were targeted with Pegasus software before and after his murder in Istanbul on October 2, 2018 by Saudi operatives. Citizen Lab’s previous reporting showed that Saudi intelligence targeted a close confidant of Khashoggi, using Pegasus. NSO Group has repeatedly denied that its products were used to target Khashoggi or his family members.

Governments should heed the calls from a broad array of human rights organizations to regulate this trade and hold companies accountable for their sales and actions. Human Rights Watch joins other groups in urging that at a minimum:

Governments should immediately implement a moratorium on the sale, export, transfer, and use of surveillance technology until adequate human rights safeguards are in place. They should also disclose any existing contracts or use of such technology.

Any use of surveillance technology should be subject to domestic laws that only permit their use in accordance with the international human rights standards of legality, necessity, proportionality, and legitimacy of objectives. Governments should reform existing laws that pose barriers to effective remedies for victims of unlawful surveillance and ensure that both judicial and non-judicial paths are available for victims to seek remedy for the harm surveillance technology may have caused.

The sale, export, and transfer of surveillance technology should only be allowed to resume once governments put in place enforceable legal frameworks requiring human rights due diligence that prevents surveillance technology from reaching governments that do not have human rights safeguards in place. Governments that have demonstrated substantial disregard for human rights and a pattern of abusive use of technology should be on a “no sale” list.

Governments should also require private companies to disclose information on products and services offered, the results of their regular due diligence, and their sales and exports, and potential clients rejected for failing to meet standards of human rights or good governance. Governments should make this information available in public registries. The purchase of surveillance technology by law enforcement in any country should be transparent so that it can be subject to public debate.

To encourage accountability, the relevant experts associated with the United Nations and regional human rights mechanisms should monitor and investigate the use of spyware by governments and sales of spyware by companies, and report to member states on abuses involving the use of such spyware.

“The Pegasus revelations illustrate how the lack of control over the trade in and use of spyware has facilitated human rights violations,” Brown said. “Governments need to step in, put an end to these abuses, and remedy them.”