It is time for “all lawyers and the ABA to stand up and take notice” of the abuses of spyware, said Danna Ingleton, deputy director of Amnesty Tech in Ottawa, Ontario
It’s an issue playing out in parliaments and palaces around the world, Judge Delissa A. Ridgway of the U.S. Court of International Trade said. Both were panelists on the Showcase program “Is that Pegasus in Your Pocket?: Smartphones, Spyware and the Greatest Emerging Threat to Civil Liberties and Human Rights Around the Globe” on Aug. 5 at the ABA Annual Meeting in Chicago.
Spyware is “zero-click” technology that allows attackers to easily infect smartphones without any action on the part of the targets, controlling everything about the devices — even encrypted communications. It has now become the go-to method for surveillance and harassment among cybercriminals.
Ridgway noted that last month the U.S. House of Representatives held hearings on the proliferation of foreign commercial spyware, a few weeks after the first anniversary of the publication of the Pegasus Project, an international investigative journalism initiative that revealed governments’ spying on journalists, political opponents, human rights activists and others using Pegasus spyware.
“Intrusive, lawless, mercenary, abusive” are some of the words that describe spyware, said David Kaye, a professor at the University of California-Irvine School of Law and former U.N. special rapporteur on the promotion and protection of the right to freedom of opinion and expression. He was the first to sound the alarm on spyware in a 2019 report and called for “a moratorium on the export, sale, use, transfer and servicing of such tools until a human rights-compliant regime could be put in place.”
“Lawyers have a responsibility and an opportunity to identify the violations, seek remedies … and catalog the steps that can be taken to deal with this industry,” Kaye said.
Among the violations, he said, are:
- The right to freedom of opinion and expression
- The right to association
- The right to privacy
It’s time to consider a ban on spyware, Kaye said. But in the meantime, we need tighter export controls, strict regimes of export approval, and transparent reporting systems.
Bill Marczak, senior researcher at the Citizen Lab at the University of Toronto, provided a historical perspective on the abuse of surveillance technology.
Years ago, if you wanted to spy on someone you had to physically tap their phone, he said, but early in the 2010s technologists started building spyware systems to remotely, nonconsentually and silently install software on targeted devices. The technology circumvented encryption and could see everything on the phone: texts, photos, passwords, GPS history, emails and calls.
“Perhaps predictably,” he said, dictators became the first big customers of spyware and paid big money for it.
Indeed, Pegasus, a powerful, military-grade spyware developed by NSO Group Technologies in Israel, was ostensibly only sold to governments for use solely by law enforcement to combat terrorism and major crime. But, Marczak said, it’s being used to spy on human rights lawyers, journalists, academics, opposition leaders and activists.
Spyware has been used in the UK, Turkey, Mexico, Spain, Thailand and even the United States, and the targets have included Boris Johnson, Jeff Bezos, Emmanuel Macron and the wife and fiancée of Jamal Khashoggi.
Peter Micek, general counsel of Access Now in New York, emphasized that “without strong encryption and without strong regulation of tools like Pegasus, there is no client confidentiality.”
“Your ethical duty becomes impossible to fulfill,” he said to the gathering of lawyers, and “you will have zero confidence in the privacy of your communications.”
Micek said he was happy to see legal teams at Apple and What’s App taking action in support of human rights by suing NSO Group in Northern California District Court. “This is Big Tech putting Big Law and big money where their big mouths are,” he said.
In addition to putting out patches on software, Big Tech is also offering “bug bounties” and incentives to come to them first “with these exploits,” which helps disrupt the supply chain of spyware developers.
Although Apple has committed $10 million to “forensic and digital security research,” Micek said there’s more they can do, like being more transparent and responsive when groups like Access Now bring claims and requests from their digital security hotlines.
We also “need public law declaring spyware outside the bounds of what’s acceptable in a democratic society,” he said
Carina Kanimba, a human rights activist and the daughter of Rwandan massacre hero Paul Rusesabagina, described being a target of Pegasus in 2021, after her father was arrested, tortured and sentenced to jail after a sham trial. “Unless there are consequences, none of us is safe,” she said.
The program was presented by the ABA United Nations Representatives and Observers and co-sponsored by the International Law Section, the Section of Civil Rights and Social Justice, the Center for Human Rights, the Criminal Justice Section and the Senior Lawyers Division.