Managing Risky Business – The International Regulatory Framework of Spyware Companies: Where it is Lacking and Where it is Heading

January 30, 2023 by Ronnie Rosen Zvi

Introduction

The international community is currently experiencing a global crisis of technological surveillance abuse, which has raised the attention of governmental agencies and international organizations worldwide. Those bodies are calling for the tightening of enforcement in this area, and specifically for the inclusion of human rights considerations within national export controls and regulatory frameworks.[1]

Originally designed to assist law enforcement and government agencies in protecting national security, capturing criminals, preventing terrorism, and saving human lives, spyware and cyber-surveillance technologies have instead been extensively used by governments and autocratic regimes around the world to spy on civilians and suppress dissent.

While many companies worldwide have products in this area, Israeli companies such as Candiru, NSO, Cellebrite and others[2] have recently “starred” in many reports that have been published around the world by the media, research bodies and human rights organizations. The reports allege that these intelligence infrastructure and surveillance technologies are very dangerous weapons in the hands of autocratic and internationally sanctioned countries like Venezuela and Saudi Arabia, that have used the technologies maliciously to target civilians, journalists, dissidents and ethnic minorities.[3]

One of the most recent cases involving these spyware technologies occurred in Mexico. According to a report by Citizen Lab[4], the Mexican government acquired spyware software and used it to spy on a well-known human rights activist in the country and journalists that regularly report on issues related to government corruption.[5] The report noted that the surveillance took place years after the first revelations of the use of the Pegasus spyware in Mexico, and after the president of Mexico assured the public that the government was no longer using digital surveillance technologies.[6]

These examples reveal the need for the regulatory frameworks governing the sale and export of spyware technologies to be updated to include human rights concerns in cyber-surveillance regulation. These updates are crucial in order to ensure the protection of civilians from the destructive consequences of spyware technologies falling into the wrong hands—whether governmental or private sector. Unfortunately, the incentives for governments to make these updates do not always exist. Thus, cyber-surveillance technologies that were originally designed to assist law enforcement and government agencies are increasingly abused by governments and autocratic regimes around the world. However, to date, governments of major technology exporting countries, such as Israel, have been slow to respond to these abuses.

The Current Regulatory Framework Governing Cybersurveillance Technologies

In recent decades, the need to regulate and monitor the development and distribution of cyber-surveillance technologies has been accepted worldwide. These technologies have been framed as “dual-use” technologies, since they may be used for civilian as well as defense purposes. The export of dual-use technologies is governed in many countries by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (the ‘Wassenaar Arrangement’).[7] Designed to promote transparency and responsibility in the international transfer of arms and sensitive technologies, the Wassenaar multilateral export control regime facilitates information sharing among participating countries and aims to enhance the supervision of arms and dual-use exports. The main instruments that the Wassenaar Arrangement uses to achieve these aims are lists of items for which participating countries are to apply export controls. Although the Wassenaar Arrangement is not legally binding, governments that adopt the Wassenaar Arrangement control lists generally incorporate them into domestic legislation and require those who export items listed in the arrangement to obtain export licenses prior to export (considering factors such as the policies and level of security in the country of destination).[8]

I. European Union

As a participant in the Wassenaar Arrangement, the EU applies a regime of authorizations and approvals that governs the export of certain dual-use items through the European Regulations for the Export of Dual-Use Products (the ‘Regulations’).[9] The Regulations include export controls on intrusion software and communications surveillance systems. According to the Regulations, when the authorities of EU member states consider whether to approve or reject export applications they must take into account, inter alia, the member states’ obligations under sanctions imposed by the Council of Europe or by the Security Council of the United Nations, and considerations in relation to the end use of the exported items. Moreover, the upgraded Export Control Regulations that entered into force in the EU in September last year explicitly require that all exports respect, and comply with, human rights and humanitarian law.[10]

II. United States of America

The United States is a participant in the Wassenaar Arrangement[11] and the Bureau of Industry and Security (‘BIS’) of the U.S. Department of Commerce is responsible for regulating the export of dual-use items in the United States.[12] BIS operates a licensing system for the export of controlled items, determines the export policy of the controlled items, implements the enforcement policy in the U.S. and carries out extraterritorial enforcement.

In December 2021, the Biden administration recognized the ongoing threats that cyber-surveillance technologies pose and announced that the U.S. will fight against the use of cyber espionage and surveillance technologies to spy on dissidents and human rights activists around the world, and will put human rights at the center of U.S. foreign policy.[13] As part of this effort, the End-User Review Committee of the BIS decided to add four foreign entities, among them two Israeli companies, NSO Group and Candiru, to the Entity List.[14] The U.S. Export Administration Regulations (‘EAR’) impose additional license requirements for exports to listed entities, and limit the exceptions for exports, reexports, and transfers to such entities.[15]

However, it is not clear that the addition of the companies to the Entity List has prevented spyware sales, and there may be a need for greater scrutiny of the cyber-surveillance industry, an industry whose ultimate end-users and end-uses are exceptionally hard to track and whose misuse is hard to combat.[16] These considerations led the BIS in May last year to publish revised export regulations that impose new controls on cybersecurity items that could be used for espionage or for other actions that disrupt the networks or devices they are on.[17]

III. Israel

Although not a formal participant in the Wassenaar regime, Israel nonetheless gives it effect through national legislation, specifically the Israeli Defense Export Control Law, 2007[18] (‘the Law’), since compliance with the conditions of the Wassenaar Arrangement allows for the removal of barriers to trade in dual-use items.[19] The Law regulates exports of defense and dual-use equipment, services and know-how,[20] includes the requirement to obtain an export license from the competent authority, and lays out the license holders’ obligations, such as inspection, record keeping and reporting responsibilities.[21]

Despite the fact that Israel closely supervises the export of defense and dual-use technologies such as spyware, its controls are based mainly on defense, national security and foreign relations considerations and generally ignore the implications of these technologies for human rights.[22] Even if human rights were to be taken into account by the regulator, it is likely that the promotion of Israel’s national security policy would prevail over their protection.[23] Significantly, government decisions in defense export licensing determinations are not subject to judicial review, as evidenced by a precedential decision of the Israeli Supreme Court in 2022 in which it ruled that the policy governing the sale of offensive cyber technologies to foreign countries is beyond the court’s jurisdiction and that the regulation of these technologies is the government’s prerogative due to its national security aspect.[24] This decision effectively shut down the legal channel for fighting defense exports to dictatorships and oppressive regimes.

Effectiveness of the Current Regulatory Framework

Despite the extensive regulatory regimes around the world and the emphasis that many countries put on the human rights impacts of spyware technologies, in Israel the consideration of human rights issues in the regulation of these companies’ exports is not rigorous. Although the tightening of regulations in the EU and the inclusion of Israeli spyware companies in the U.S. Entity List have had some effect on Israeli regulation,[25] there has not been truly effective change in the export control regime and licensing standards, and the focus of the Israeli regulator continues to be mainly on national security and diplomacy rather than on human rights.[26]

In recent years, the Israeli Ministry of Defense created a rapid approval procedure for the sale of offensive cyber technologies, which has greatly shortened the time needed to obtain an export license. The Ministry of Defense also reduced the restrictions on these systems, and offensive cyber companies can now obtain a license exemption for marketing and selling their products to certain countries.[27] This lenient policy has been criticized by the UN and by human rights and privacy protection organizations around the world.[28]

While the extensive regulations of the U.S. and the EU have put some pressure on the Israeli regulator, Israel’s export control framework is still falling behind with respect to spyware technologies when it comes to human rights concerns.

Alternative Regulation Models

While the international community has made some effort to regulate the export and prevent the abuse of spyware technologies worldwide, the voluntary “soft-law” mechanism that the Wassenaar Arrangement offers is not sufficient to address the proliferation of these technologies by regimes that misuse them. This gap suggests that more must be done to ensure that the technologies are used solely in lawful ways and solely by licensed end-users.

There are generally three possible ways to tackle the accumulation and misuse of spyware technologies by regimes and governmental agencies worldwide. The first solution focuses on strengthening national export control regimes while putting an emphasis on human rights concerns. This approach might entail creating a new international legally binding treaty that includes sanctions in cases of misuse of the technologies. The second mechanism could involve placing the onus on the cyber-surveillance companies themselves to conduct due diligence and regulate the use of their technologies. This solution would rely on the negative business impact that the abuse of spyware technologies has on technology companies.

A third regulatory model, already employed today, involves private regulation by companies that have been directly harmed as a result of spyware technology abuses. This third model can shed light on the possible implications of the first two models identified above, and perhaps provide insight as to what the preferable regulatory regime would look like.

Regulation by Private Companies

Offensive cyber capabilities routinely exploit weaknesses found in the products developed by technology giants, in order to break into and take over the devices of their customers around the world. This fact caused the technology giants, such as Meta, Amazon, and Apple, to step into the regulatory vacuum left by the Israeli export control regime and enact private rules to deter the companies selling these capabilities.

In 2019, Facebook filed a complaint accusing NSO Group of exploiting a bug in its messaging application to install malware.[29] Apple also filed a lawsuit against NSO Group, years after the initial reports that NSO was able to hack into its devices.[30] The spyware was used to attack several Apple users worldwide, and Apple’s lawsuit sought to ban NSO Group from further harming individuals by using Apple’s products and services.[31] By the end of 2021, Facebook’s parent company, Meta Platforms Inc., began closing accounts attributed to Israeli cyberattack companies following claims of spying on human rights activists in Africa, politicians in Hong Kong, and journalists in Russia.[32]

Another big technology company, Amazon (AWS), also disconnected cloud accounts that were linked to NSO Group following claims that NSO Group used one of the cloud services AWS provides[33] to deploy the NSO Group’s malware against targets. Following an inquiry from Amnesty International, an Amazon spokesperson stated that Amazon acted quickly to shut down the accounts related to the spyware company.[34]

These cases indicate that the technology giants, such as Meta, Apple, and Amazon, can act against offensive cyber companies by denying them access to their products and by bringing private lawsuits seeking to enjoin actions and recover damages, when doing so is in line with their interests. These actions can be seen as part of a soft transnational enforcement mechanism, applied through networks that go beyond the state, which results in the enforcement of international standards.

This private enforcement against spyware companies is an ex-post enforcement tool utilized by the secondary victims, the technology giants. Through civil lawsuits and by limiting the use of their systems, the tech giants force the cyber companies to feel the negative impact of their technologies in their pockets and make them internalize the costs of the violation of human rights. But while large technology companies may not hesitate to de-platform a product and to commence a lawsuit when it comes to the violation of human rights, it is not clear whether this private regulation is sufficient and whether it leads to the desired outcomes.

Identifying the Suitable Regulatory Model

The prevailing notion in international law is that the state has the primary obligation to enforce international standards. The government is the main player in the international regulatory regime and is bound by international treaties and human rights standards[35] with regard to the export and sale of cyber-surveillance technologies.[36] The question is whether the burden of understanding the various international arrangements, internalizing them, and developing compliance capabilities accordingly should fall on the shoulders of the exporters alone, or whether these responsibilities should be placed on the exporting state. Apart from the fact that private companies have different considerations and motivations than states, an error on their part can cause significant harm to the state’s security, economy, foreign affairs, and trade policy. Thus, a strong claim can be made against assigning the cost of non-enforcement to the cyber-surveillance companies, and in favor of placing it on the governmental regulator, which has the responsibility to prohibit exports to sanctioned and dangerous regimes in the first place.

Additionally, a more extensive regulatory regime that includes human rights considerations and is more in line with international standards can instrumentally promote a country’s primary considerations when enforcing export controls, namely, its national security and diplomacy strategies. A deficient export control regime is more likely to prevent domestic entities from purchasing products from suppliers abroad and lead developed countries with extensive controls on dual-use items to avoid engaging in trade with a country that is portrayed as a main exporter of sensitive technologies to dangerous and controversial end-users. As a result, over time the domestic industry may lose access to advanced technologies, leading the high-tech sector to lose its comparative advantage in the field, the consequences of which may cause great economic and political damage to the country.

While private regulation by tech giants may have some efficiencies, it does not create a desirable framework for countries to rely on. First, the motivations that drive these companies to action are often different from those of the country, as well as from those of the main victims of cyber-surveillance systems (i.e., the people being spied on). Tech companies do not have the good of the public or national interests in mind when pursuing private regulation. Rather, they choose to speak out and act only when a lack of action on their part would harm them financially, or when drawing attention to the ways they deal with the abuse of their products benefits them. Just as the regulatory framework should not place the main burden of compliance on private companies alone, it should also not rely for enforcement on private bodies whose primary motivating goal is raising their profits.

Conclusion

Cyber-surveillance technologies are increasingly being abused, straying away from their original purpose to assist law enforcement and government agencies. Following developments in the international arena as well as in private sectors, the international considerations and regulations have changed, and many countries have upgraded their cyber-surveillance controls accordingly. However, the current regulatory framework in major dual-use technology exporting countries, such as Israel, is still missing several essential elements for the construction and operation of an effective and up-to-date export control regime.

In a world of rapid technological developments, it is of major importance to constantly review and update the regulatory framework governing spyware technologies. Export and licensing policies that are part of the framework need to be designed to take human rights considerations into account, especially by prime exporters of cyber-surveillance technologies, such as Israel. Such an approach would include enhancing cooperation and aligning its policy with other major exporter states such as the US and the EU and incorporating human rights considerations within export and licensing policies. Not only would this help to avoid abuses of these technologies by corrupt regimes, but it would also instrumentally promote the country’s economy, and its national and political interests.

The existing international and national frameworks regulating the export of sensitive spyware technologies lack the teeth necessary to deal with contemporary issues relating to the abuse of these technologies and the growing need for their enhanced supervision. This article offers alternative regulatory models to deal with this issue and suggests that putting the onus on the exporting states, perhaps through a new international legally binding framework, may be the preferred model.

[1] Although there are regulations that govern imported products in almost all countries, such as custom requirements and product standards, in the field of spyware and related technologies the main regulatory mechanism used by countries worldwide is export controls, since oftentimes the country itself is the end-user of the products (to be used by its government, army, police and other state entities). Thus, this article focuses on the exports of these products. To learn more about import controls see: https://www.trade.gov/import-regulations.

[2] Candiru is an Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts; NSO is an Israeli cyber-intelligence firm known for its ‘Pegasus’ smartphone spyware tool, which is capable of remote zero-click surveillance of smartphones; Cellebrite is a company that specializes in supplying equipment for digital forensic investigations with a flagship product line, ‘UFED’, which is used to hack into phones and decipher the information inside them. For more information about these companies and their products, see: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html; https://www.haaretz.com/israel-news/security-aviation/2022-12-18

[3] Reports also indicate that the technology has been sold to the Uganda Police Force despite reports revealing extensive human rights violations by the police; to Indonesia, a Muslim country with harsh anti-LGBTQ rules which used the technology to eradicate dissent and enforce ‘modesty’ laws; to the Chinese regime which has used it to repress protesters in Hong Kong; and to Russia which used them to hack the cellphones of detainees.

[4] John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Paolo Nigro Herrero, and Ron Deibert, New Pegasus Spyware Abuses Identified in Mexico, https://citizenlab.ca/2022/10/new-pegasus-spyware-abuses-identified-in-mexico/ (Oct. 2, 2022)

[5] Journalists Raymundo Ramos Vázquez and Ricardo Raphael; for more information see Citizen Lab’s report, supra note 4.

[6] Id.

[7] The Wassenaar Arrangement is a multilateral export control regime established in 1996, which currently has 42 participating states, including the EU and the U.S. To learn more, see: https://www.wassenaar.org/control-lists/

[8] The Wassenaar Arrangement on Export Controls of Conventional Arms and Dual Use Goods and Technologies, Best Practices for Effective Enforcement, http://www.wassenaar.org/best-practices-for-effectiveenforcement/ (Dec. 1, 2000)

[9] Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021

[10] European Commission Press Release, EU investment screening and export control rules effectively safeguard EU security https://ec.europa.eu/commission/presscorner/detail/en/IP_22_5286 (Sep. 2, 2022)

[11] U.S. Department of Commerce Bureau of Industry and Security, Policy Guidance on Multilateral Export Control Regimes, https://www.bis.doc.gov/index.php/policy-guidance/multilateral-export-control-regimes (Last Visited Jan. 27, 2023)

[12] U.S. Department of Commerce Bureau of Industry and Security, Dual-Use Export Licenses, https://www.bis.doc.gov/index.php/all-articles/ (Last Visited Jan. 27, 2023)

[13] White House Statements and Releases, Fact Sheet: Export Controls and Human Rights Initiative Launched at the Summit for Democracy https://www.whitehouse.gov/briefing-room/statements-releases/ (Dec. 10, 2021)

[14] The Entity List is a tool utilized by the BIS to restrict the export of certain military and dual-use items when the end-user poses a significant risk of being involved in activities contrary to the national security or foreign policy interests of the United States.

[15] 15 CFR parts 730-774

[16] Statements made by Representatives Adam Schiff and Mike Turner, available at: https://www.bloomberg.com/news/articles/2022-07-27/mobile-spyware-used-to-target-us-diplomats-phones-schiff-says (Last Visited Jan. 27, 2023)

[17] Federal Register, Rule by the Industry and Security Bureau, Information Security Controls: Cybersecurity Items, 87 FR 31948, https://www.federalregister.gov/documents/2022/05/26/2022-11282/information-security-controls-cybersecurity-items (May 26, 2022)

[18] Defense Export Control Law, 5766-2007, https://exportctrl.mod.gov.il/Documents/ (Last Visited Jan. 27, 2023)

[19] The Israeli Export Control Law implements the list of equipment included in the Wassenaar Arrangement and therefore Israel gains the status of “adherent state” with regard to it; see: The Wassenaar Arrangement on Export Controls of Conventional Arms and Dual Use Goods and Technologies, Participating States, http://www.wassenaar.org/participating-states/ (Jan. 20, 2016)

[20] Defense Export Control Law, 5766-2007, Article 2 (definitions)

[21] Defense Export Control Law, 5766-2007, Article 15, chapter G

[22] US Department of Commerce, Commerce Adds NSO Group and Other Foreign Companies to Entity List for Malicious Cyber Activities https://www.commerce.gov/news/press-releases/ (Nov. 3, 2021); Reports have shown that Israel’s ability to approve or deny access to cyberweapons has become entangled with its diplomacy. Countries like Mexico and Panama have shifted their positions toward Israel in key votes at the UN after receiving access to technologies. The spyware has also played a role in securing the support of Arab nations in negotiating diplomatic agreements between Israel and its adversaries. For more information, see https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html (Last Visited Jan. 27, 2023)

[23] At a conference of experts in the field of defense exports, the former supervisor of exports in the Ministry of Defense claimed: “Human rights in the export destination countries are taken into account… but they do not always prevail. There are state interests that must be considered… If we did not cooperate with one dictatorial regime or another, Israel would not have the protection that it does.”

[24] HCJ 21/1942; In this case the Israeli Supreme Court held that “the decisions of the authorities that supervise such exports are made based on considerations of national security and the international obligations of Israel… In these matters the court shall not intervene except in exceptional cases.”

[25] In December last year, following the blacklisting of Israeli cyber companies by the U.S. Chamber of Commerce, the Israeli regulator decided to tighten the supervision of cyber exports by amending the statement of use signed by the purchasing country.

[26] Although companies have suffered from disapproval of new deals and cancellations of expired export licenses, the addition of the requirement from importing states to sign the end user “statement of use” is most likely just lip service, since importing countries can easily violate their statement and use the systems to oppress their citizens.

[27] Israeli Defense Export Control Agency, Defense Export Control Policy, https://exportctrl.mod.gov.il/English/Pages/ (Last Visited Jan. 27, 2023)

[28] Tova Cohen and Ari Rabinovitch, Israel eases rules on cyber weapons exports despite criticism, https://www.reuters.com/article/ (Last Visited Jan. 27, 2023)

[29] WhatsApp Inc. and Facebook Inc. v. NSO Group Technologies Ltd. and Q Cyber Technologies Ltd., https://media.business-humanrights.org/media/WhatsApp_v._NSO_Group.pdf (Last Visited Jan. 27, 2023)

[30] Apple Inc. v. NSO Group Technologies Ltd. and Q Cyber Technologies Ltd., https://www.apple.com/newsroom/pdfs/Apple_v_NSO_Complaint_112321.pdf (Last Visited Jan. 27, 2023)

[31] Apple Newsroom Press Release, Apple sues NSO Group to curb the abuse of state-sponsored spyware, https://www.apple.com/newsroom/ (Nov. 23, 2021)

[32] Catalin Cimpanu, Facebook takes down accounts for seven “cyber-mercenary” firms, https://therecord.media/facebook-takes-down-accounts-for-seven-cyber-mercenary-firms/ (Dec. 16, 2021)

[33] CloudFront is a content delivery network (CDN) that allows customers to transfer data quickly and securely.

[34] Tehilla Shwartz Altshuler, Amir Kahana and Rachel Aridor-Hershkovitz, Proposal for Discussion in the Foreign Affairs and Defense Committee Following the “Pegasus” Affair, Israel Democracy Institute (Jul. 26, 2021)

[35] Several human rights norms are widely considered customary international law, and thus legally binding. Customary international law is one of the principal sources of international law, although there are differing opinions as to what rules are contained in it. For more information about human rights as customary international law, see: Richard B. Lillich, The Growing Importance of Customary International Human Rights Law, 25 GA. J. INT’l & COMP. L. 1 (1995).

[36] Under the UN regime, all member states are obligated to establish export control mechanisms that prevent the provision of dual-use goods, services and technologies to terrorist groups. According to the 2019 UN Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, states should impose an immediate moratorium on the export, sale, transfer, use or servicing of privately developed surveillance tools until a human rights-compliant safeguards regime is in place. Additionally, exporting states participating in the Wassenaar Arrangement should develop a framework by which the licensing of any technology would be conditional upon a national human rights review and companies’ compliance with the Guiding Principles on Business and Human Rights.