The U.S. Department of Commerce’s recent announcement that NSO Group has been placed on its "Entity List" for malicious cyber activity is a seismic event in the world of digital surveillance. The announcement is a significant moment, a clear warning that change is coming to the surveillance and security industry.
NSO Group – and other surveillance companies who have flourished in a virtually unregulated industry – need to realize this decision shows that paying lip service to human rights will no longer be enough. The reckoning has begun.
A few years ago, I was speaking with Shoshana Zubroff about her book "The Age Of Surveillance Capitalism" when she made a point that has stuck with me ever since.
Essentially, she said that people feel an apathy towards regulating the surveillance industry because it feels too far gone, already too far out of control – but we need to remember that is exactly what people felt when they started unions to regulate the work force, when we started to regulate child labour, and mirrors the regulation of many other industries.
While many people fear technology, thinking it is almost a black magic that has a life of its own, and while they worry that invasions of our privacy are just too extensive to be reigned in, the reality is that the surveillance industry can be regulated just like any other – and it should.
The announcement by the U.S. Department of Commerce was no doubt influenced by years of research and advocacy by Amnesty International, Citizen Lab, Forensic Architecture, Access Now, Privacy International and many others, and was also evidently influenced by the ground-breaking revelations exposed by the Pegasus Project earlier this year, coordinated by Forbidden Stories and in which Amnesty International was the technical partner.
- Israel's shame: NSO and Pegasus are a danger to democracy around the world
- I was targeted by NSO spyware. Here's how Israel is helping Modi undermine India's democracy
- Bahrain used Israeli NSO spyware to target pro-democracy activists, report finds
- Israeli NSO was used to snoop on Orbán critic in Hungary, report reveals
The Department of Commerce’s statement said NSO Group (and another Israeli company Candiru) were added to the Entity List because they "…developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers."
Of course, NSO Group is only one player in a huge industry, and there remains much to be done to truly ensure that the surveillance industry starts to respect human rights and is held to account for human rights abuses. That said, the addition of NSO Group to this list is important for several reasons.
First, it proves what we at Amnesty International and many other civil society organizations have been saying for many years: that NSO Group’s Pegasus software is used as an unchecked tool of repression against civil society globally. NSO Group and others have been gaslighting not just civil society – but all of us.
They claim their tools are only used to fight serious crime and terror, while simultaneously claiming they have no visibility over how their client countries are using their tools. NSO Group claim to care about human rights and to have rigorous human rights standards in place, but these efforts have been criticized for missing the mark.
The designation by the U.S. Department of Commerce is an important step in recognizing the validity of security research exposing unlawful targeting, and signals to victims of unlawful surveillance that this is a human rights crisis that not all states are willing to turn a blind eye to.
The second reason this is important is that it reflects that this is a global problem that will only be solved with a combination of international, regional and national solutions.
Unlawful governmental surveillance is a multijurisdictional issue involving, at a minimum, the home states of surveillance companies, the client states and, often, the home or residential state of the victims of unlawful surveillance having fled repressive states. This means we need solutions at every level, so states using the tools and mechanisms at their disposal to put checks on this trade is a step in the right direction.
Just last month, at the behest of the United Kingdom government and calls from numerous civil society organizations, NSO Group was not permitted to hawk Pegasus spyware at the International Security Expo in London.
Following the Pegasus Project revelations, many of the implicated countries have started national investigations and parliamentary debates, and are also now engaging with both regional and international spaces like the European Union and the United Nations.
Thirdly, those holding the purse strings can also bring about change. We cannot ignore the impact this kind of designation will have on the investment landscape for NSO Group and other companies selling this kind of intrusive spyware. Investors are required to carry out human due diligence before getting involved with private firms like NSO Group.
How can any investor reasonably and with good ethics invest, or continue to invest, in firms like NSO Group when it has been shown how their activities are directly linked to human rights violations?
Make no mistake, the core of this designation is that the United States Government believes NSO Group’s activities and tools are “contrary to the foreign policy and national security interests of the United States.” Very soon, more U.S. federal departments and more governments around the world will likely be coming to similar conclusions.
Today, NSO Group, the other companies added to the Department of Commerce’s Entity List, and any other companies selling surveillance tools stand on shaky ground. This important step towards regulating the surveillance industry marks the beginning of a new phase in global and national regulatory efforts.
When the quakes subside, the landscape in which surveillance companies operate will hopefully be very different to the one we have now.
I hope it will be one where surveillance technologies are sold, purchased, exported and used in-line with International Human Rights Law; where domestic regulatory frameworks ensure transparency; and where victims of unlawful government surveillance have recourse for the violations against them.
Until that happens, we urgently need a global moratorium on the export, sale, transfer and use of surveillance technology to prevent further targeting of civil society.
If we are to create a world in which people are not afraid that their mobile phones are being weaponized against them, and where human rights are finally fully respected by the surveillance industry, we need regulation now.
Danna Ingleton is the Deputy Director of Amnesty Tech, leading its work on unlawful targeted surveillance of civil society. Twitter: @Ingleton