Spyware and state abuse: The case for an EU-wide ban
EDRi’s position paper addresses the challenges posed by state use of spyware in the EU. It also sets out how spyware should be legally defined so that the definition shields people from future harms, and it examines the dangers of the proliferation of commercial spyware in Europe. After a values-based analysis of spyware, the paper concludes that the only human-rights-compliant approach is a full ban.
EU: Widespread spyware use, absent regulation
The term ‘spyware’ has increasingly entered the political and public lexicon after a series of scandals. Across the world, these scandals have unfolded because state authorities have used spyware tools for unlawful surveillance. Beyond the use of government-developed spyware in countries such as Germany and Serbia, at least 14 European Union (EU) countries are reported to have used commercial spyware. Although the reported use varies in intensity, it reveals a worrying reality: the acquisition and deployment of commercial spyware tools have become widespread, and regulation remains almost entirely absent.
That is why EDRi is publishing a paper aimed at addressing the specific challenges posed by spyware use and its commercial proliferation. It complements EDRi’s 2022 position paper, State Access to Encrypted Data – A Digital Rights Perspective, which examined various forms of state hacking, including mandated encryption backdoors and compelled access to devices. In that paper, EDRi assessed important developments in EU legislation, policy debates and police operations from a fundamental rights perspective and, as a result, found the use of spyware incompatible with the standards of a democratic society based on the rule of law. Building on that position, we are now recommending that EU lawmakers enact a full ban on spyware and on the commercial spyware market.
Spyware threatens fundamental rights, democracy and collective security
The unregulated expansion of the commercial spyware market has enabled governments to acquire such tools with ease, despite their capacity to disproportionately limit people’s rights and cause serious harm. The situation is particularly concerning because spyware poses severe threats to the protection of fundamental rights, democratic stability and collective safety. Because spyware constitutes a particularly serious interference with the rights to privacy and data protection, it also affects the exercise of other rights and freedoms, such as freedom of expression, association and assembly.
Civil society organisations and media outlets have repeatedly documented the use of spyware against journalists, activists, opposition figures and human rights defenders. In a wider context of shrinking civic space in Europe, this contributes to a chilling effect and therefore constitutes a serious threat to European democratic rule-of-law systems. Furthermore, the targeting of high-ranking officials, such as the Prime Minister of Spain and the President of France, raises issues of states’ essential security interests and potential interference with democratic processes.
The EU is fuelling commercial spyware proliferation
The proliferation of commercial spyware systems such as Pegasus, Predator, Candiru or Graphite has highlighted the urgent need for comprehensive action at the European Union (EU) level. Despite growing evidence of systematic abuse, legislative responses have been slow and inadequate, allowing commercial spyware vendors to profit significantly from these human rights violations, in a market valued at over 12 billion dollars in 2023.
The EU’s permissiveness towards the commercial spyware market, and Member States’ unchecked use of it, affect not only the EU itself but also other regions. This situation lends legitimacy to, and provides a blueprint for, the production and use of such tools in the EU’s areas of influence, such as candidate countries like Serbia, North Macedonia and other Western Balkan countries, as well as by other partners with close ties to the EU. Furthermore, by being established in the EU, private vendors gain marketing legitimacy when selling their products to non-EU states.
The EU institutions must act to ban spyware
EDRi’s call for the prohibition of the development, production, marketing, acquisition, sale, import, export and use of spyware in EU Member States requires a clarification of what constitutes spyware. Furthermore, we believe that the growth of the spyware industry, the rapid rise in scandals involving state use of spyware, and the impact of spyware on human rights and democracy have reached a point where they require a more focused analysis from a holistic human rights viewpoint. In recent years, the commercial spyware market has expanded rapidly with the proliferation of spyware vendors and a lucrative vulnerabilities market, in which private actors trade in software flaws and the exploits built on them in order to illegally infiltrate devices.
First, our paper attempts to clarify the definition of spyware, as the lack of a precise, enforceable definition has so far hindered efforts to regulate its use. We advocate for spyware to be prohibited, defining spyware as any software that, typically by exploiting vulnerabilities, covertly infiltrates a device, compromising its integrity and enabling remote monitoring, data gathering, data extraction, control and/or manipulation.
Secondly, the paper analyses the role and growth of the commercial spyware market, arguing that it poses an inherent threat to our collective security, democracy and human rights, and should therefore be prohibited.
Thirdly, we examine the possibilities of remedies for victims of state use of spyware. We advocate for a comprehensive list of measures to offer reparation to all victims, across Europe and beyond, who so far have been denied justice and neglected by authorities.