A Privacy Nightmare: Understanding Spyware, a new book by SHARE Foundation
SHARE Foundation’s new book ‘A Privacy Nightmare: Understanding Spyware’ examines spyware through technical, legal, and practical lenses, offering a systemic understanding of its threats and reinforcing the call for a global ban.
How the case of NoviSpy inspired a systemic approach to understanding spyware
Implications of spyware use in Serbia appeared sporadically throughout the last decade. However, in the context of increased proliferation of spyware on a global scale and increased repression of the Serbian regime as a response to civil unrest, especially in light of the ongoing mass student-led protests, spyware has become one of the main tools of digital dictatorship in Serbia.
After the first cases of suspected use of Pegasus against members of civil society in Serbia, SHARE Foundation, in collaboration with Amnesty International, discovered widespread use of a new type of state-developed spyware called NoviSpy. The investigation also revealed the misuse of digital forensic tools by police and security services to target activists, journalists, and even students. After the report was published, SHARE continued to document new cases of spyware use, such as two additional suspected Pegasus attacks against investigative journalists.
In response to its growing use, SHARE recognised an urgent need to better understand this intrusive technology, its implications for human rights, and the pressing question of its legality. The book ‘A Privacy Nightmare: Understanding Spyware’ brings together existing research, expert insight, and SHARE’s direct experience with NoviSpy to examine spyware through three critical lenses: technical, legal, and practical.
The key conclusion reinforces the long-standing advocacy goals of digital rights organisations: that spyware, regardless of the company that creates it, the state that deploys it, or the individual it targets, is fundamentally incompatible with human rights standards and democratic principles. As such, it should be banned outright.
Spyware: A multi-layered threat
The book consists of three parts: technical, legal and practical, and explains what spyware is and how it operates. It also offers a comprehensive comparative legal analysis across 13 countries, and explores its consequences for human rights, democratic processes, and everyday life.
The technical section traces the evolution of spyware from the rudimentary chat-interception malware of the 1990s to today’s sophisticated systems capable of compromising phones and computers without a detectable footprint. Using examples such as Pegasus, Predator, and NoviSpy, the book illustrates how these tools have far surpassed traditional surveillance methods – bypassing encrypted communications and exploiting hidden vulnerabilities in devices. It illustrates that the danger of spyware lies in its design.
The legal analysis shows that spyware exists in a grey area of the law. No national or international framework explicitly regulates its use, and some states are seeking to normalise it under the guise of national security or crime prevention. However, the absence of clear regulation does not suggest that the solution lies in creating one. At its core, spyware is fundamentally incompatible with the rights to privacy and freedom of expression, as well as with key democratic principles such as legality, necessity, and proportionality.
Across nearly every jurisdiction examined, there is already a strong legal foundation for banning spyware and protecting fundamental rights and freedoms. For this reason, spyware should not be treated as a technology to be managed or regulated, but as a practice that must be categorically rejected and prohibited.
The practical section of the book examines the human rights impact of spyware across multiple regimes, drawing on case studies from more than twenty countries. It also explores the global spyware industry and the rising use of these tools in private and commercial contexts. The analysis underscores the urgent need to challenge narratives that normalise surveillance and downplay the importance of privacy.
The situation in Serbia offers a stark example of the risks posed by state-developed spyware. Serbia is the only known hybrid regime to deploy domestically produced spyware, with possible links to Russian or Chinese technical support, raising serious concerns about foreign involvement. The Serbian case serves as an early warning that without a global ban, state-developed spyware has the potential to cross borders and threaten human rights and democratic safeguards across the EU and beyond.
Towards a Spyware Ban
While the central aim of the book is to reaffirm existing advocacy positions within EDRi and beyond, and to provide a renewed push for a full ban on all types of spyware, it also seeks to spark a wider conversation about the kind of world civil society organisations are working to defend. The book challenges readers to reflect not only on the threats posed by intrusive technologies, but also on the values and principles that underpin democratic life.
Rather than offering a traditional conclusion, the book re-examines the shared commitment of civil society to fundamental rights and democratic principles, confronting the difficult question of how to balance security with liberty. It highlights the dangers of pursuing security without restraint, showing how such approaches erode trust, weaken institutions, and disproportionately harm the very communities civil society seeks to protect. In doing so, the book underscores that defending human rights is not an abstract ideal; it is a practical necessity for the resilience and health of society as a whole.
Contribution by: EDRi member, SHARE Foundation
