In 2011, the NSO Group introduced Pegasus into the market to “help[] government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”[1] Pegasus is a spyware that “consistently and reliably crack[s] the encrypted communications of any smartphone” using zero-click exploits.[2] When installed onto a phone, Pegasus gains access to everything on it; it can film using the phone’s camera, activate the phone’s microphone to record conversations, and harvest personal and location data without a user’s knowledge.[3]
The NSO Group has licensed Pegasus to several governments around the world. It is just one among several technology firms that create such spyware.[4] Commercial spyware has grown into an industry worth approximately 12 billion dollars.[5]
Despite its growth, and the advantages it poses for governments, the commercial spyware industry has become very controversial, partially because it remains largely unregulated.[6] Amnesty International and Forbidden Stories conducted investigations revealing the presence of spyware on journalists’, politicians’, activists’, and dissidents’ phones. Pegasus, and similar commercial spyware, is not simply used to fight crime and terrorism, but is commonly used as “the weapon of choice for repressive governments”[7] to facilitate pervasive mental and physical harms towards their own people or towards others around the world.
In light of such flagrant abuse, and in an effort to emphasize a dire need for regulation, this post explores whether commercial spyware is legal under one human rights framework: Article 17 of the International Covenant on Civil and Political Rights (ICCPR). [8]
Article 17 of the ICCPR codifies the guarantee of the right to privacy:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, not to unlawful attacks on his honor and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.[9]
Although human rights bodies have not formulated an exhaustive definition of the right to privacy, they exercise a broad interpretation of privacy.[10] According to the Human Rights Council (HRC), state-sponsored collection of confidential information online and the interception of cyberspace communications can constitute an interference with the right to privacy.[11]
However, the right to privacy is not absolute; it can be restricted.[12] As Article 17 of the ICCPR says, only “arbitrary or unlawful” interferences are prohibited. The HRC uses three criteria to determine the legality of restrictions to the right to privacy: the measure must be “(1) in accordance with the law; (2) necessary to achieve a legitimate aim; (3) and proportionate to that aim.”[13]
Of the three-pronged analysis of legality, necessity, and proportionality, commercial spyware, according to David Kaye,[14] may fail to meet the third prong of proportionality. Spyware like Pegasus, according to Kaye, enables a bad actor to gain access to the entirety of one’s digital life. Unlike other, more traditional surveillance tools, Kaye writes that spyware is not “containable in its aim both by judicial warrant and technology…its intrusiveness is difficult to constrain.” Put differently, he argues that it is difficult for a state to “demonstrate its use of spyware for narrow purposes and without ‘collaterally’ sweeping in personal data having no relevance to a legitimate government purpose.”
Although he does not immediately endorse the prospect of a ban, Kaye goes on to consider the possibility that spyware like Pegasus presents a risk of surveillance in violation of fundamental human rights standards. Efforts toward regulation, he writes, “might be better directed toward a ban, or at least a moratorium on development, transfer, and use.”
However, although Kaye seems to consider governments’ use of Pegasus and similar spyware to be largely unsupported by international human rights law as per the proportionality requirement in Article 17, the HRC does delineate circumstances in which the use of spyware is necessary and proportional, and as such, is not per se illegal under the ICCPR. A recent report published by the OHCHR stated: “The far-reaching adverse impacts of hacking require a particularly cautious approach to its use, limiting it to the most exceptional circumstances, in strict adherence with the requirements of international human rights law.”[15] (emphasis added). The report then highlights some states have “enacted legal frameworks that would comply with international human rights law” with “clear, precise, and publicly available laws that govern hacking operations.” In other words, by recognizing limitations on the use of spyware, along with the adequacy of certain statutory frameworks, the OHCHR implicitly recognizes the per se legality of spyware and its ability to distinguish between certain lawful and unlawful uses.
The OHCHR presents a specific circumstance in which the use of spyware would pass Article 17’s necessity and proportionality requirements. Using commercial spyware is necessary and proportional…
“Where it would serve to prevent or investigate a specific serious crime or act amounting to a grave threat to national security. Its use should be narrowly targeted to an investigation of the person or persons suspected of committing or having committed such acts. This should be a last resort…all less intrusive measures should have been exhausted or have been shown to be futile and should be strictly limited in scope and duration. Only relevant data should be accessed and collected. The measures should also be subjected to rigorous independent oversight; prior approval by a judicial body is essential.”[16] (emphasis added).
The ambiguity on whether commercial spyware is per se legal under Article 17 of the ICCPR is one illustration of an absence of a robust regulatory framework. Assuming Pegasus is per se legal, this ambiguity underscores “the urgent need to better regulate the sale, transfer, and use of surveillance technologies and ensure strict oversight and authorization.”[17]
[1] Ronen Bergman and Mark Mazzetti, The Battle for the World’s Most Powerful Cyberweapon, The New York Times (Jan. 31, 2022), https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html; NSO Group, https://www.nsogroup.com/ (last visited Dec. 9, 2022).
[2] NSO Group, https://www.nsogroup.com/ (last visited Dec. 9, 2022); Zero-day exploits are “vulnerabilities that the vendor is not aware of, and therefore, there are no patches or fixes available or underway.” Unlike common hacking software, Pegasus does not require users to click on a malicious attachment or link for the spyware to take hold; no user interaction is required to trigger an infection. For example, Pegasus can be installed with a message that produces no notification or a missed call on WhatsApp that is later deleted from the call log, making it impossible for the phone’s owner to know anything ever happened. Pegasus spyware and its impacts on human rights, The Council of Europe (June 20, 2022), https://www.coe.int/en/web/freedom-expression/-/pegasus-spyware-and-its-impacts-on-human-rights.
[3] Pegasus spyware and its impacts on human rights, The Council of Europe (June 20, 2022), https://www.coe.int/en/web/freedom-expression/-/pegasus-spyware-and-its-impacts-on-human-rights.
[4] Other technology firms and software include Finfisher, Hacking Team, Grayshift, Cellebrite, Blue Coat, Huawei, Iskratel, and Verint. This 2020 dataset developed by Steven Feldstein, with information compiled from Citizen Lab, EFF, PI, Freedom of the Net, CFR, and various news media outlets contains a list.
[5] Ronan Farrow, How Democracies Spy on their Citizens, The New Yorker (Apr. 18, 2022), https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens.
[6] Id.
[7] Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally, Amnesty International (Jul. 19, 2021), https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/.
[8] Given international human rights law does not apply to non-state actors, this paper will not explore potential legal liability for the NSO Group (the NSO Group has been sued in domestic courts by civil society organizations and big tech companies). Perhaps the most promising potential for rebuke under an international human rights framework comes from The United Nations Principles on Business and Human Rights (the Ruggie principles, named after John Ruggie). However, these principles are non-binding, and will likely have little to no legal force.
[9] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, p. 171, available at: https://www.refworld.org/docid/3ae6b3aa0.html [accessed 9 December 2022]
[10] Russell Buchan, Cyber Espionage and International Human Rights Law, in Cyber Espionage and International Law 95–121, 105 (Oxford: Hart Publishing 2019). Retrieved December 9, 2022, from http://dx.doi.org.prx.law.columbia.edu/10.5040/9781782257370.ch-005.
[11] UN Human Rights Committee (HRC), CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honor and Reputation, 8 April 1988, available at: https://www.refworld.org/docid/453883f922.html [accessed 9 December 2022]; Russell Buchan, Cyber Espionage and International Human Rights Law, in Cyber Espionage and International Law 95–121, 106, (Oxford: Hart Publishing 2019). Retrieved December 9, 2022, from http://dx.doi.org.prx.law.columbia.edu/10.5040/9781782257370.ch-005.
[12] Russell Buchan, Cyber Espionage and International Human Rights Law, in Cyber Espionage and International Law 95–121, 109 (Oxford: Hart Publishing 2019). Retrieved December 9, 2022, from http://dx.doi.org.prx.law.columbia.edu/10.5040/9781782257370.ch-005; these restrictions are often referred to as “clawbacks.”
[13] Id.
[14] David Kaye was the United Nations special rapporteur on the promotion and protection of the right to freedom of opinion and expression.
[15] See A/HRC/51/17 (Aug. 2022), pages 5-6.
[16] See A/HRC/51/17 (Aug. 2022), pages 5-6.
[17] Pegasus: Human rights-compliant laws needed to regulate spyware, UN News (July 19, 2021), https://news.un.org/en/story/2021/07/1096142.