U.S. State Department’s new spyware report: a big step forward

Access Now, Committee to Protect Journalists, Freedom House, and Human Rights First applaud the U.S. Congress for passing legislation that directs the U.S. State Department to develop a list of spyware purveyors with whom the Department should avoid doing business because of their poor human rights records. Included in the National Defense Authorization Act, this provision could provide greater transparency on invasive surveillance technologies, such as NSO Group’s Pegasus spyware, that are used against activists and journalists.

The law mandates that the State Department submit the spyware company list annually to Congress for a period of five years. This report should inform inter-agency coordination, especially to ensure that the Commerce Department continues to add human rights-violating spyware firms to the Entity List. (In November, the Department added NSO Group and Candiru to the List.) It also sends a strong message to the spyware industry and their investors that their days of operating in the shadows with impunity are over.

“For over a decade, the U.S. State Department has trumpeted internet freedom and human rights online, all while U.S. companies sold powerful surveillance technologies to the enemies of those cherished ideals,” said Jennifer Brody, U.S. Advocacy Manager at Access Now. “If leveraged to its full potential, the Department’s new spyware report will help to protect at-risk activists and journalists and safeguard freedom of expression in the most repressive environments. The U.S. must finally own its role in the global trade of these cyber weapons.”

Spyware has been used to illegally or arbitrarily surveil activists and journalists, violating their rights to privacy, undermining free expression and association, and threatening their personal security and lives. One of the most egregious spyware technologies, Pegasus, which is produced and sold by Israel-based NSO Group, has been deployed by repressive governments around the world to surveil human rights activists, journalists, and opposition politicians, as documented by the Pegasus Project. In November 2021, Front Line Defenders, which protects human rights defenders at risk, revealed that NSO Group’s Pegasus spyware was used to hack the devices of six Palestinian human rights activists. The technology was also used to hack U.S. diplomats’ phones. But NSO is just one firm in a rapidly expanding surveillance technology industry

“The secret surveillance of journalists and their sources poses a severe threat to press freedom and the free exchange of information,” said Michael De Dora, Washington Advocacy Manager at the Committee to Protect Journalists. “This new law will help shed further light on firms developing and selling spyware technology to abusers, and inform efforts to hold them accountable. It is an important step forward in addressing the largely unregulated market on spyware and its wrongful use.”

The coalition of civil society organizations urges the State Department to fully embrace this new reporting requirement. It is a critical mechanism to protect the exercise of human rights. The coalition also welcomes the opportunity to provide evidence of human rights abuses facilitated by cyber intrusion tools, and urges the Department to formally invite stakeholders to inform its annual spyware report. Relatedly, the group encourages the development of the multilateral Export Controls and Human Rights Initiative, recently launched at the U.S. Summit for Democracy, and looks forward to consultation.