Regulating International Trade in Commercial Spyware

Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses.

Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N. Guiding Principles on Business and Human Rights. Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security. Considering the lies that have emerged from within the surveillance industry, self-reported compliance is insufficient; compliance will have to be independently audited and verified and accept robust measures of outside scrutiny.

The purchase of surveillance technology by law enforcement in any state must be transparent and subject to public debate. Further, its use must comply with frameworks setting out the lawful scope of interference with fundamental rights under international human rights law and applicable national laws, such as the “Necessary and Proportionate” principles on the application of human rights to surveillance. Spyware companies like NSO Group have relied on rubber stamp approvals by government agencies whose permission is required to export their technologies abroad. To prevent abuse, export control systems must instead prioritize a reform agenda that focuses on minimizing the negative human rights impacts of surveillance technology and that ensures—with clear and immediate consequences for those who fail—that companies operate in an accountable and transparent environment.

Finally, and critically, states must fulfill their duty to protect individuals against third-party interference with their fundamental rights. With the growth of digital authoritarianism and the alarming consequences that it may hold for the protection of civil liberties around the world, rights-respecting countries need to establish legal regimes that hold companies and states accountable for the deployment of surveillance technology within their borders. Law enforcement and other organizations that seek to protect refugees or other vulnerable persons coming from abroad will also need to take digital threats seriously.

Posted on August 5, 2019 at 9:14 AM • 12 Comments


danny August 5, 2019 9:33 AM

Too late. The technology is so inexpensive that someone with zero knowledge can learn the basics of electronics and make a tiny camera with Wi-Fi capabilities in a matter of weeks.

Yuri Orlov August 5, 2019 10:18 AM

On paper, firearms like the AKM system and the AR-15 platform are illegal in Mexico. And yet the country is flooded with these rifles. Ponder that…

The internet is a global network. While I can appreciate the desire for cyber arms control, and one could argue its merits academically, the idea is pleasant fiction in practice.

The cyber arms market is only going to get bigger. Any attempt to limit it will be squashed by the defense industry and their proxies (political leaders) who claim they want to protect us. Not to mention that software is much easier to smuggle and employ than kinetic weaponry.

Our only hope is to harden technology and raise the barrier to exploitation.

bcs August 5, 2019 10:59 AM

While I sort of like the overt goal here, the odds that no legal jurisdiction in this dilemma will choose to defect are effectively zero. And that’s the nice bit of all this.

For a less nice bit of it: The actors I’d be most concerned about getting access to such wares are the ones that are least likely to be concerned with the “legitimacy” of the people they are doing business with.

Regulating spyware is going to be about as easy as regulating ransomware.

Wilhelm Tell August 5, 2019 11:32 AM

calling for regulating the international trade in commercial surveillance systems

— Do the trade regulations also concern governments?
— Is the intention just to promote the US government’s use of spyware by denying spyware to others?
— Would the US sign such an “agreement” unless it gets a one-sided benefit from it?

These calls for “human rights” actually have nothing to do with human rights. They are just expressions of opinion bought by the highest bidder.

Clive Robinson August 5, 2019 11:59 AM

@ Yuri Orlov,

Our only hope is to harden technology and raise the barrier to exploitation.

I’m coming to the conclusion that it is not going to happen in anything other than a DIY sense.

Firstly, you’ve got the free market tail spin argument that there is no profit in providing the quality of physical product that security would allow.

Secondly, you’ve got the issue that, as with the physical product, the OS and applications will not have the quality that would allow security. Worse, the suppliers of such software will actively fight against it, as they see money in telemetry or, more correctly, the strip mining of privacy for profit.

Thirdly, as you note, the politicos would rather prevaricate and stuff their accounts with lobby and dark money than act in their voters’ interests.

Fourthly, various IC and LEO entities will use any lie to get their way to more power. J. Edgar Hoover was a fairly evil person; his legacy is more than alive and well and thriving in these entities. For them, honesty and obeyance of laws and regulations are something to be at best “worked around” and at worst used to create illegal situations where they know innocent people will have a high probability of injury or death.

But at the end of the day the majority of people really don’t care as long as they get their virtual fix in a nice convenient little package.

They don’t see, nor do they want to see, the net that is closing around them; if you point it out to them, they will turn on you and blame you…

Snarki, child of Loki August 5, 2019 12:37 PM

Want to regulate spyware? Just make sure that most spyware has embedded slow-release ransomware/virus/halt-and-catch-fire-ware.

Cassandra August 5, 2019 2:40 PM

The horse has long since bolted on spyware.

What is needed are regulations to make open hardware and software available to individuals, and to make it illegal to discriminate against people using open hardware and running open software. Hardware backdoors, DRM and the ‘Trusted Computing’ infrastructure enable untrammelled spying on individuals’ information processing. What is needed is some way of rowing back from the terrible position we find ourselves in.

Of course, any method that allows people privacy also allows people to engage in unwholesome activities. ‘Think of the children’ and ‘anti-terror’ arguments make it very difficult to campaign for privacy-enabling technologies. Unfortunately, such arguments act as trump cards, and I fear that, by default, people choose the less free option so as to be seen to be ‘doing the right thing’.

There is a phrase that is usually attributed to H.L. Mencken which makes the point concisely:

The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.

I cannot find when in his voluminous output H.L. Mencken wrote or spoke this. It may be a spurious attribution.


gordo August 5, 2019 2:58 PM

I’m surprised that Peter Thiel has not chimed in on this subject, but then it wouldn’t be the first time we’ve heard of patriotic hacking/hackers, just between friends, etc.

What’s Hacking Team been doing?

I suppose that mercenaries working in this space are “commercial spies” using “commercial spyware”? Nah.

Sok Puppette August 5, 2019 7:20 PM

Want to help a little bit? I’m not claiming it’s a lot. But it still might be more than you’d get with trade regulations…

Many of the people reading this blog make hiring decisions. Many of the jobs involved are the sorts of things that share skillsets with the work they do in places like the NSO group. You can assume that now and then you’ll get an application from one of them.

Don’t hire them. And be on the lookout for signs that people have left things like that out of their resumes.

Beyond that, whether you hire or not… don’t work with them. Refuse to trade with companies that DO hire them. Don’t talk to them at conferences. Don’t work with them on standards. Spread their names and shun them.

Make any individual who has ever worked at one of those places persona non grata in any part of the legitimate, above ground security industry.

Petre Peter August 5, 2019 7:55 PM

Regulated commercial surveillance? Who decides how much of our lives should be surveilled?

vas pup August 7, 2019 1:29 PM

@Wilhelm Tell • August 5, 2019 11:32 AM and other respected bloggers.

International law/regulation could be workable if and only if all countries follow all established standards. It cannot be cherry-picking: appealing to international law when it is violated by others, but considering it not important/binding when you (your country) violate it. It’s all or nothing.

I’ll compare it to traffic rules, where ALL participants, regardless of their weight and/or the size of their car (big truck or ‘Smart’), respect and follow the same rules. Otherwise, it is not law, but rather the rules of the jungle on an international scale.
