A FRAMEWORK FOR TRADE IN INTRUSIVE SOFTWARE: THE NEED OF THE HOUR


This article has been authored by Shruti Avinash, a second-year student at NALSAR University of Law, Hyderabad.


Introduction


The revelation that the Pegasus spyware (of Tel Aviv’s NSO Group) was used to snoop on the private devices of journalists, human rights defenders and opposition leaders has raised important questions on privacy and State surveillance. This imputation of State surveillance has been denied by the Indian government, and it appears impossible to hold States accountable in the absence of admissions.


Pegasus was detected for the first time on the device of a human rights defender in 2016, after which it remained in the limelight for invasions of privacy. The Israeli start-up was sued by Facebook for reverse engineering its communications platforms. However, the organization continues to deny any allegations of wrongdoing, maintaining that it sells its spyware to governments and is not responsible for subsequent misuse or human rights violations. While the invasion of privacy is undoubtedly a legal issue that needs to be addressed, this article analyses the provisions which enable the sale and purchase of spyware.


Spyware


Spyware is defined as a software application which is installed without consent on a person’s device and logs private data about the end user. Such spyware collects data like browsing activity, keystrokes, email messages, credit card information and passwords. The spyware developed by the NSO Group is advanced enough that it collects microphone and camera inputs once deployed. Intermediaries and communications platforms refer to the producers of such spyware as Private Sector Offensive Actors or ‘PSOAs’. The spyware, when sold to governments, is used on targets’ computers, phones, network infrastructure and internet-connected devices. Service providers believe that such technologies translate into cyberweapons and act as an affront to the rights of civilians. The usage of such technologies is indubitably construed as a human rights violation on the part of governments. The use of spyware by governments to hack into the devices of journalists and dissidents, as proved in the case of Saudi Arabia and the United Arab Emirates, is contrary to the idea of a free cyberspace and eventually paves the way for more egregious human rights violations.


Quite ironically, the Snowden exposé of the USA in 2013 appears to have had a paradoxical effect. Rather than leading to condemnation, the revelations of State surveillance increased the demand for spyware. John Scott-Railton, Senior Researcher at the Citizen Lab (Toronto), maintains that following the Snowden revelations, the demand for surveillance capabilities experienced a big boost. Governments and intelligence agencies began vying for similar surveillance technologies themselves. This, in turn, led to the burgeoning of the intrusive software industry, with numerous start-ups commissioning surveillance products.


Export of Surveillance tools


The issue of human rights abuses arising out of new technologies had been recognized by several international human rights organizations, which then formed the Coalition Against Unlawful Surveillance Exports (CAUSE). The Coalition believes that Information and Communications Technology (ICT) companies have a certain duty against providing surveillance tools, interception tools and monitoring tools to authoritarian governments. With a majority of such ICT companies being situated in Europe, CAUSE documented that countries with troubling human rights records, such as Bahrain, Saudi Arabia, Pakistan, and Oman, have purchased surveillance technology made in Germany, Italy, UK, and France. Hence, the Coalition advocated for stronger regulation of surveillance technologies and updating of export controls.


The European Union updated its export controls on surveillance technologies in March 2021. However, these regulations were criticized as being so weak that they would only be effective if they were implemented rigorously. The laxity of the provisions is especially dispiriting since they were formulated after nearly a decade of deliberation. The export controls apply to intrusive and interception software, deep packet inspection and biometric surveillance. The regulations demand transparency and accountability inasmuch as the EU Commission is required to report on the number of such exports, the type of surveillance and the identities of purchasing member States. These regulations, only if rigorously implemented, may serve to prevent the sale of surveillance technologies to authoritarian regimes.