The Washington Post has started running an investigative series, called the Pegasus Project, that describes the expanded use of digital surveillance by governments worldwide. The reports expose how powerful software provided by the Israeli firm NSO Group has been used by states to hack into citizens’ smartphones, track their communications, and acquire incriminating information, sometimes as a prelude to assassination.

This is not a new story—for those of us who follow these issues closely, the proliferation of spyware has been an ongoing problem for years. But the Pegasus Project helps us better understand just how prevalent these practices are. Approximately 50,000 phone numbers appear on a surveillance hacking list containing business executives, human rights activists, journalists, politicians, and government officials. These individuals come from at least fifty countries.

Steven Feldstein
Steven Feldstein is a senior fellow in Carnegie’s Democracy, Conflict, and Governance Program, where he focuses on issues of democracy, technology, human rights, U.S. foreign policy, and Africa.

While NSO Group insists that its products are primarily used by law enforcement for legitimate crime-fighting purposes, the information revealed by the newspaper’s investigation shows that NSO Group’s technology frequently targets individuals who have little to do with crime or terrorism. It has become clear that the human rights costs of NSO Group’s spyware far outweigh national security considerations.

Three Lessons for Policymakers

What can we make of these developments and what steps should policymakers take in response?

First, the proliferation of spyware is a widespread problem that democracies have manifestly failed to take seriously. The repercussions from supplying powerful surveillance tools to authoritarian governments are high—citizen security has been compromised, activists have been jailed, and journalists have been killed because of this spyware. Yet, Israel and other democratic countries, including the United States, have not only turned a blind eye to spyware use but have also tacitly supported these sales by approving export licenses. When it comes to the private surveillance industry, NSO Group’s transactions represent the tip of the iceberg. As I’ve written in my book, The Rise of Digital Repression, and documented in a publicly available global spyware database, at least sixty-five governments worldwide, from Chile to Vietnam, have acquired commercial spyware surveillance tools (for a few examples, see table 1). Relevant companies, such as Cellebrite, FinFisher, Blue Coat, Hacking Team, CyberPoint, L3 Technologies, Verint, and NSO Group, are headquartered in the most democratic countries in the world, including the United States, Italy, France, Germany, and Israel.

| Country | Regime Type | Commercial Spyware Vendor(s) | Description |
|---|---|---|---|
| Hungary | EA | Hacking Team, Black Cube, NSO Group/Pegasus | Black Cube involvement in a campaign to discredit nongovernmental organizations ahead of Hungary’s April election; more than 300 phone numbers for journalists, lawyers, business executives, and activists found on the Pegasus spying list |
| India | ED | NSO Group/Pegasus | Spyware targeting hundreds of journalists, activists, opposition politicians, government officials, and business executives |
| Iran | EA | Blue Coat | Numerous high-profile incidents of surveillance and targeted malware attacks |
| Mexico | ED | Hacking Team, NSO Group/Pegasus, FinFisher, NSO Group/Circles | Malware to track civil society, opposition groups, and journalists |
| Morocco | CA | Hacking Team, NSO Group/Pegasus, FinFisher, Decision Group, NSO Group/Circles | Abusive use of spyware to target civil society |
| Rwanda | EA | NSO Group/Pegasus | Security officials authorized to tap online communications; Pegasus software targeting Rwandan dissidents at the behest of the government |
| Saudi Arabia | CA | Hacking Team, NSO Group/Pegasus, FinFisher | Extensive documented abuse of spyware to target political opponents and civil society |
| Spain | LD | NSO Group | Catalan politicians targeted by government |
| Thailand | CA | Hacking Team, Blue Coat, NSO Group/Circles | Targeted surveillance against civil society and regime opponents |
| Turkey | EA | Hacking Team, FinFisher, NSO Group | Extensive spyware links; most forms of telecommunication tapped and intercepted |
Source: Steven Feldstein, “Commercial Spyware Global Inventory,” version 2, Mendeley Data, December 22, 2020, DOI: 10.17632/csvhpkt8tm.2, https://data.mendeley.com/datasets/csvhpkt8tm/2.

Note: The regime types listed here refer to close autocracy (CA), electoral autocracy (EA), electoral democracy (ED), and liberal democracy (LD).

Second, the Pegasus Project illustrates the high cost of doing business with authoritarian leaders. By turning a blind eye to the effects of spyware produced in democratic nations and sold to autocrats, the United States and its allies have undermined the cause of human rights worldwide. Some experts argue that under U.S. President Joe Biden, the United States has erred in pushing a foreign policy doctrine that “unnecessarily divides the world into good guys and bad guys” and that Biden should refrain from drawing a “bright line between dictators and democrats.” But the Pegasus Project tells us that new technology is amplifying the costs of doing business with autocrats. While the United States must be realistic about cooperating with authoritarian regimes on certain issues, this does not mean that U.S. decisionmakers should refrain from emphasizing human rights issues in these relationships. If we have learned one thing from the stumbles of former president Donald Trump’s administration, it is that when the United States dispenses with supporting democratic values, authoritarians take it as a signal that they can act with greater impunity. The result is emboldened bad behavior and diminished U.S. credibility and influence. The NSO Group spyware story reinforces just how nasty the world can be—particularly the degree to which autocrats will adopt unsavory measures to consolidate their power.

Third, the Pegasus Project illustrates a foreign policy misconception: that China is largely responsible for exporting authoritarian technology to bad actors. While China bears substantial responsibility for modeling to other states how digital technology can be used to control their citizens, and while Chinese companies have supplied a considerable share of exports to abusive regimes, Chinese firms are far from the only ones providing repressive tools to autocrats. They face stiff competition from companies based in democracies. Recent examples include the Canadian company Sandvine, which provided censorship technology to Belarus and Egypt; the French firm Nexa Technologies, which sold internet surveillance equipment to Libya and Egypt; and the U.S.-based company Oracle, which provided surveillance products in China. Western companies have a long track record of selling powerful tools to bad governments.

What Can Be Done?

As David Kaye and Marietje Schaake smartly suggest, a first step to stem the tide of spyware technology would be for democracies to implement an immediate moratorium on the sale or transfer of private surveillance equipment until accountable rules are drawn up and agreed upon. Given the scale of harms, there appears to be little justification to continue permitting such sales without undertaking a wholesale review and establishing basic human rights safeguards.

Coming out of such a review, the United States should consider adopting a binding and enforceable export controls regime to stop the spread of dangerous surveillance tools to bad actors. The Wassenaar Arrangement, a group of forty-two advanced economies that coordinates export restrictions for conventional arms and dual-use technology, could be one place to bolster limitations. In 2013, the group added surveillance software to its list of technologies necessitating further controls—but because the arrangement is nonbinding and “lacks an enforcement mechanism,” it has been ineffectual in constraining surveillance abuses. The bottom line is that certain countries have shown such an egregious pattern of harm that there is little justification for permitting future sales. In those situations, the United States, joined by other democratic countries—especially Israel—should enact permanent restrictions of surveillance products.

Short of formal export controls, there are other creative ways to mitigate spyware harms. The UN Guiding Principles on Business and Human Rights, for example, are a useful multistakeholder template for corporate accountability, requiring human rights due diligence, regular reviews, and remediation measures (although, like the Wassenaar Arrangement, corporate adherence is voluntary). Another option, as Kaye and Schaake mention, would be for private surveillance companies to agree to a binding code of conduct, similar to the framework adopted by private security contractors (a series of high-profile scandals compelled security companies to voluntarily put in place a code of conduct lest they face serious restrictions by fed-up governments).

Making Tough Calls

Democracies should use the growing public outrage against surveillance spyware as an opportunity to build a global norm against the technology’s use. Biden’s upcoming Summit for Democracy represents an excellent opportunity to convince participating countries, including the United States, to commit to not deploying or exporting spyware except under narrow, exceptional, and proportional circumstances. This would mean that anticipated participants in the summit—such as Indonesia, Mexico, South Africa, and Spain—will have to make tough calls about whether they are willing to reform their practices.

At its root, the NSO Group exposé presents democracies with a basic choice: Should they continue tolerating abusive surveillance practices that put innumerable lives at risk? Or should they crack down on powerful tools that are incompatible with fundamental democratic values and principles?