Now is the time to stop spyware profiteering
Why EU regulations on spyware may harm people across the globe
The US and the European Union seem currently to be the most active regulators of spyware. Yet, their bureaucratic and legislative processes aim to rule the ways in which these powers can profit from and control the market of this dangerous weapon, which is mainly dominated by Israeli companies and technology. At this stage, it is crucial that we organize pressure to stop the EU from marketing Israeli and other spyware in order to protect communities across the globe.
The U.S. seems to have taken the leadership in combating the proliferation of dangerous spyware technology, but behind grand statements about protecting the privacy and civil rights of citizens from invasive surveillance, U.S. authorities continued to purchase spyware. In the meantime the European Union, which has failed so far to even attempt to protect its own citizens from the dangers of spyware, has become a hub for export of spyware to the rest of the world.
Spyware is a military-grade technology that inherently violates human rights as it exploits vulnerabilities in phones and other devices, in order to surveil people, track their location and turn their devices into surveillance tools by opening the microphone and camera without the owner’s knowledge to spy on the surroundings. Spyware also sidesteps peer-to-peer encryption by hacking into the entire device including email, messaging services (such as Signal and WhatsApp) and allows spies to download the entire communication history of a hacked device or use apps to spread disinformation.
Edward Snowden called to ban spyware and warned that it gives unlimited power to its users, going beyond the limits that court orders could impose on normal police surveillance. Describing spyware manufacturers, Snowden said, “They don’t make vaccines – the only thing they sell is the virus.”
Israeli spyware companies were the first to turn this weapon technology into a commercial product. Once they let the genie out of the bottle, it became a race to the bottom for control over it. After serving in intelligence units which employed spyware against Palestinian civilians as part of the enforcement of the Israeli apartheid regime, Israeli intelligence officers set up private companies, and with approval and support of the Israeli ministry of defense proceeded to sell spyware to Europe, the US and the rest of the globe, including to some of the world’s worst authoritarian regimes, to be used against journalists, lawyers and human rights activists. For the Israeli government, spyware became a currency with which to buy diplomatic favor around the world.
U.S. President Biden followed the July 2021 exposé of Forbidden Stories, Citizen Lab and Amnesty International about the proliferation of Israeli spyware by blacklisting two of the offending Israeli companies: NSO Group and Candiru. NSO Group proceeded immediately to establish a front company in order to continue to sell to the U.S. government. In March this year Biden signed an executive order to ban the commercial trade in spyware in the U.S. altogether, but even this executive order is not being enforced.
The European Union has since the beginning shown more interest in and cooperation with Israeli spyware companies. Unlike in the U.S., Israeli spyware companies have no qualms about directly infecting the phones of European officials and high-ranking politicians, and spyware scandals erupted in 14 EU member states.
The two most important Israeli spyware companies, NSO Group and Intellexa, have established their headquarters in the EU: in Luxembourg and in Cyprus, respectively. Israeli companies rely on the complicity of the EU with Israeli colonial crimes and know that they will not be subject to the same scrutiny which non-Israeli companies may expect. Already, rather than defining spyware as a dangerous weapon (as even the Israeli government defines it!), the EU chose to define it as a “dual-use item.”
Even the investigative committee set up by the European Parliament, called the PEGA committee, was so poorly funded that it did not even have access to Hebrew-speaking researchers in order to translate information on the Israeli spyware companies. The recommendations of the PEGA committee on how to protect European citizens were submitted to the European Parliament and will be put to a vote in late June.
Simultaneously, the EU Trade Directorate is eager to finalize regulations on the exports of spyware. It is willing to subject the rest of the world to the violation of privacy and human rights from which the PEGA committee is trying to protect European Union citizens.
Until June 9th, the EU Trade Directorate has opened a process for individuals and organizations from across the world to submit their contributions here: Take action now
As a first step in mobilizing global pressure to stop the EU from selling spyware, please fill in the form and demand a total ban on spyware exports. The EU should never profit from Israeli apartheid and human rights violations across the globe.
Both the U.S. and EU regulation policies are nothing more than attempts to control spyware in order to keep the profits, and the power of surveillance, to themselves. Neither the U.S. nor the EU has shown a true concern about the abuse of human rights in the Global South by spyware. The U.S. moved forward only when spyware in Uganda affected its own diplomatic staff, and the EU only as spyware in Rwanda affected European legislators and spyware in Morocco infected phones in the French presidency.
If you don’t think that surveillance can harm your quality of life even if you are not engaged in any illegal activity, ask Palestinians how surveillance is ruining the lives of thousands.
The pattern which emerges is clear. Apartheid Israel uses spyware against Palestinians and then exports it for profit. The EU is next - the profits of spyware companies are more important than people’s rights. Without coordinated action on a global level, this pattern will continue.
Whether in the Global South or the Global North, as Israeli spyware companies have chosen to shift their focus to the EU, we need to stop the EU from becoming the export hub for spyware weaponry. Every human being has a stake in this.
The EU Directorate-General for Trade must ban the export of cyber surveillance technology, or spyware, given the irrefutable evidence that it is enabling authoritarian governments, corrupt law-enforcement agencies, greedy corporations and even private individuals to violate international law and human rights principles. Spyware enables repression of human rights advocacy, breach of privacy and civil rights, undermining the confidentiality lawyers require in their work, and the ability of journalists to protect their sources, among others. The EU must not be complicit in those crimes.
The companies that produce this technology exploit vulnerabilities in our devices to turn them against us, and they must be punished, not allowed to turn this into a for-profit business. If an immediate spyware export ban is not attainable, civil society should push for at the very least a clear, binding and effective EU regulation that includes:
1) Prohibiting mobile phone manufacturers from intentionally selling devices with security vulnerabilities and holding them criminally liable if they do;
2) Preventing law enforcement agencies’ access to technology that allows for a more extensive surveillance than what is permitted by legal warrants;
3) Prohibiting the use of the technology in surveilling innocent bystanders; and
4) Holding the manufacturers and operators of spyware technology accountable at all times for end-user misuse of this military-grade espionage technology.
The EU decision on how to regulate the export of dual-use cyber surveillance technologies affects the rest of the world. As the European Parliament debates motions presented by the PEGA Committee in the coming weeks, it is unacceptable that European Union citizens will enjoy more protection than the citizens of other countries around the world from the very same Israeli spyware companies that are registered in Europe and use it as a base to export spyware to the rest of the world. Any regulation of spyware short of a complete ban is not enough to guarantee that the technology will not be used illegally to enable grave human rights and civil rights violations.