Legal and Policy Responses to Spyware: A Primer

Tim Bernard / Jun 16, 2025

On May 6, a federal jury in California determined that NSO Group, developer of the notorious Pegasus spyware, must pay Meta’s WhatsApp a total of $167,696,000 in punitive and compensatory damages for its use of WhatsApp systems while infecting targets’ devices. This may well represent the largest damages award yet made in a spyware case. However, as Indiana University School of Law professor Asaf Lubin argued in Lawfare, a close reading of the ruling against NSO Group, together with the fact that the plaintiff here (Meta) has uniquely deep pockets, “does little to establish a substantive precedent that could guide future spyware litigants or courts.”

In this context, reviewing the range of legal and policy avenues for combating spyware is helpful, as the battle against surreptitious surveillance software is far from over.

Delineating spyware

Some of the earliest kinds of software that were given the spyware moniker were nefarious marketing products that observed infected computers’ browser activity in order to serve ads, sometimes through pop-ups unrelated to the websites that the user was attempting to access (adware). While these are undoubtedly intrusive, they seem relatively innocuous on the contemporary internet, which is dominated by what Shoshana Zuboff has termed “surveillance capitalism.” Other first-generation spyware included keyloggers, which record every one of the user’s keystrokes and are commonly used to automatically search for credentials and gather them for the software creators, and trojans, which establish access for the operation of botnets. These can be damaging to different degrees for the users, but they are often not used to obtain targeted information about specific individuals and their private conversations—though the FBI did use a keylogger to surveil a suspect as early as 1999.

The second main variety is stalkerware. These products are available to private individuals who can install them on devices they have access to, but where the device's primary user is unaware that the software is tracking their activity and/or location. Such tools are notably used in domestic abuse contexts, allowing the abusive partner to extend their control over their victim’s life.

A third kind is bossware, used by employers to keep tabs on employees and managed devices. These vary in the data that they collect, but the most intrusive varieties have access to device microphones and cameras. Related products, ostensibly intended to investigate theft and for varied kinds of harm prevention, have been used by schools on student laptops. These systems can be installed on organizational devices, or to monitor internet activity that passes through a private network through local connection or an organization’s VPN.

Finally, commercial spyware is made available to government agencies for law enforcement and intelligence activities. Pegasus and Predator are amongst the most famous of these, but they have a number of competitors. These products are typically installed on targets’ devices remotely, often through zero-click attacks. Not only suspected criminals have been identified as targets of these services, but also diplomats, journalists, opposition and foreign politicians, lawyers, business leaders, and activists, along with some of their family members.

In this article, the main focus will be on commercial spyware, though some of the legal and policy approaches described below could well be applicable for other categories of spyware. These distinctions are also not always clear: one famous case that came to UK family court was that of Sheikh Mohammed Al Maktoum, the ruler of Dubai. Unbeknownst to his ex-wife, Pegasus was installed on her phone as part of a campaign of domestic intimidation, even though the software was licensed to the UAE government.

There have been a number of international efforts to combat at least some aspects of the harms of commercial spyware. These include the US-led Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the Pall Mall Process, an ongoing multistakeholder undertaking focussed on this issue. So far, principles, norms, and calls for businesses to comply with the United Nations Guiding Principles on Business and Human Rights (UNGPs) have emerged, and Costa Rica has called for a full moratorium, but no well-orchestrated international action has been fully brought to fruition.

However, private companies and individuals, regulators, and national or regional governments have taken action, employing a wide range of legal and regulatory tools. Guidelines and proposals have also been articulated by governmental and non-governmental organizations, but we will focus here on measures that are existent and, at least in theory, enforceable. While some attempts at combating spyware, like WhatsApp’s, have been effective, others have not. Analyzing the strengths and weaknesses of each approach is beyond the scope of this article, and, considering the international nature of spyware, what fails in one jurisdiction may be successful in another.

1. Litigation and criminal law

Data protection, privacy, and human rights

General purpose privacy laws can prohibit the use of certain types of spyware controlled by businesses or government agencies. Italy’s Data Protection Authority recently published a warning that the use of Graphite commercial spyware is against the country’s Privacy Code, except for valid national security or criminal activity purposes. Europe’s General Data Protection Regulation (GDPR) places limits on how employers can track the activities of employees. In the US, the Stored Communications Act limits both private and government access to private electronic communications without a warrant.

English common law also provides for privacy through the tort of intrusion upon seclusion. This was proposed as one of the counts in a suit brought against the NSO Group by a group of journalists from the publication El Faro, whose devices were monitored with Pegasus spyware.

Human rights law can also provide privacy protections. The European Court of Human Rights has ruled that specific British government mass surveillance efforts (though not dealing with targeted commercial spyware) violated Article 8 of the European Convention on Human Rights (ECHR, the right to respect for private and family life). It further held, with regard to a group of journalists who had joined the suit, that the government had violated Article 10 of the ECHR (the right to free expression). Journalists are unable to freely communicate with confidential sources if their communications may be compromised, thus creating a chilling effect on expression. A 2002 surveillance law—regarding communication interception “through the use of any means,” and so potentially applicable to spyware—was adjudicated as partially unconstitutional by the South African Constitutional Court, based on the right to privacy.

Contracts and business practices

The private suits against the NSO Group by both WhatsApp and Apple (which abandoned its case before judgement) included breach of contract as a key element of their claims. The platforms’ terms of service prohibit their use to cause various kinds of harm to the company or its users, and have several other relevant restrictions. The platforms argued that the NSO Group’s breach of these terms caused them economic damages, giving them standing to sue.

General commercial regulations, such as the US Federal Trade Commission Act, can also be of use. The Federal Trade Commission (FTC) has broad responsibilities to regulate businesses under the rubric of ‘‘unfair or deceptive acts or practices in or affecting commerce,” as prohibited by Section 5 of the Act. The FTC has brought this power to bear against marketing and stalkerware companies, and enunciated three principles regarding enforcement against spyware: installation should be the consumer’s choice, “buried disclosures of material information” are invalid, and consumers should be able to readily detect and uninstall unwanted software.

Apple’s suit against the NSO Group also cited California’s Unfair Competition Law, which has similarities with this section of the FTC Act, and allows claims brought by private parties as well as public prosecutors. Apple also made a claim under the common law principle of unjust enrichment, arguing that NSO Group “received a benefit by profiting from the personal data they wrongfully obtained from Apple’s users’ devices through the improper use of Apple’s servers.”

Dedicated laws

A number of US states passed specific legislation to combat early forms of spyware that were typically used for marketing and credential-harvesting purposes. In some cases, these laws may apply to other types of spyware that were not well-known at the time. Greece adopted an outright ban on the sale, possession or private use of spyware, in the wake of a scandal involving the surveillance of an opposition party leader.

Anti-hacking

Commercial spyware is essentially hacking software, and so laws that were designed to create liability for hacking may well have applicability. Under the federal Computer Fraud and Abuse Act (CFAA), violations can be prosecuted as criminal acts or raised in civil cases—as was done by Apple, WhatsApp, the widow of murdered dissident Jamal Khashoggi, and the El Faro journalists in their suits against the NSO Group. State analogs, the California Comprehensive Computer Data Access and Fraud Act and the Virginia Computer Crimes Act, were also cited by WhatsApp and the journalists, and in the Khashoggi case, respectively. These laws differ from jurisdiction to jurisdiction, but they are very widespread: the Budapest Convention on Cybercrime requires its many signatory nations to have laws that prohibit hacking offenses and to cooperate internationally in countering these crimes.

Personal injury and negligence

The consequences of having spyware installed on your devices can include psychological or even physical injury. Hanan Elatr Khashoggi accused the NSO Group of intentional and negligent infliction of emotional distress in her suit, as well as a separate count of negligence. Notably, in the case of Ghanem Almasarir, a Saudi human rights activist, satirist and refugee who was allegedly targeted with Pegasus by the government of Saudi Arabia, a British court determined that foreign nations are not immune from claims regarding personal injury.

Trespass to chattels

The English common law tort of trespass to chattels holds people liable for interference with or damage to someone else’s (non-real estate) property. Not uncontroversially, this has been applied to some internet-based possible offenses, starting with spam and expanding from there to include activities such as web scraping. This has been tested with respect to marketing spyware and was also raised in the suits by WhatsApp and the El Faro journalists.

2. Executive measures

Restrictions on agency usage

There are long-standing principles regarding the limits to government surveillance powers, such as the US Constitution’s Fourth Amendment, protecting citizens against “unreasonable searches and seizures,” which has restricted unfettered data collection by law enforcement. The EU’s Directive 2016/680 gives data protection rules for personal information gathered during law enforcement investigations. But governments also put in place laws and directives specifically governing the purchase and use of surveillance technologies such as spyware, including oversight requirements. The Netherlands’ 2019 Computer Crime Act III, for example, explicitly permits law enforcement hacking, but it requires a warrant and the fulfillment of seriousness and urgency criteria. An overview of nine national frameworks (EU and non-EU) for the regulation of hacking for law enforcement purposes is provided by a 2017 European Parliament report.

These restrictions may be intended purely to protect (to some degree) the rights of suspects, or they may be designed to protect the country from security risks and deal a blow to the companies who produce the software in question, as is the case for the Biden administration’s executive order regarding commercial spyware. That order directed agencies to cease working with companies that provide services for repressive regimes, target US citizens and residents, or are controlled by entities that spy on the US. In 2022, Congress passed a law that empowers the Director of National Intelligence to prohibit US intelligence agencies from doing business with specified spyware companies.

Trade bans

If one accepts the premise that there are justifiable contexts for the use of spyware, it can be considered a “dual-use” technology with both acceptable and unacceptable uses. Countries establish systems for licensing the export of dual-use technologies based on criteria including the reputation of the recipient nation and stipulations about reselling the product. The EU’s Regulation 2021/821 states that licenses should not be granted for technology “for monitoring mobile phones and text messages and targeted surveillance of Internet use,” when that will be used “in connection with a violation of human rights, democratic principles or the freedom of expression.” (The EU Parliament’s 2023 recommendations on spyware, which do not appear to have led to any firm legislative plans thus far, make clear that this regulation is not sufficiently effective.)

The US has added spyware companies to its Entity List of trade-restricted companies and is in the process of making rules that will extend restrictions on exporting goods and services to countries under embargoes when they are for intelligence applications, rather than only military ones. (Recent reporting from the Washington Post suggests that the NSO Group has been unsuccessful in their lobbying of the Trump administration to be removed from the Entity List and to repeal the prohibitions on federal agencies using their services.)

Sanctions

While trade bans focus on exporting and importing spyware and former President Joe Biden’s executive order applied to purchasing spyware for domestic use, the US has also taken actions to target companies and individuals more broadly. There have been formal economic sanctions against companies and individuals that have produced spyware and some people have also been banned from receiving visas.

A report from the Atlantic Council explores one effectiveness consideration that is particularly relevant to company- or individual-specific measures, such as sanctions and some trade bans or bans on agency usage. It reveals the labyrinthine nature of the market, with shell companies and subsidiaries, producers and distributors, and serial entrepreneurs, and explains how this can greatly complicate the process of identifying actors to sanction. The authors make a series of policy recommendations to mitigate this obstacle.

Ongoing challenges

Given the global network of commercial spyware development and deployment, and evolving tactics and technologies, a multi-faceted and flexible approach will be required to effectively address its proliferation. The measures outlined here represent a portfolio of legal and policy options for policymakers, impacted individuals and businesses, and civil society organizations, but technological and public advocacy strategies may also play an important role in combating the scourge of commercial spyware. Citizens, platform executives, activists, technologists, legal professionals, and policymakers must continue to vigorously pursue a rights-inspired agenda if we are to enjoy modern communications that are free from snooping authoritarians, at home or abroad.

If you are concerned that you may be a target of spyware, review these resources on a clean device:

The author wishes to thank Greg Nojeim, Senior Counsel and Director of the Security and Surveillance Project at the Center for Democracy & Technology.

Authors

Tim Bernard
Tim Bernard is a tech policy analyst and writer, specializing in trust & safety and content moderation. He completed an MBA at Cornell Tech and previously led the content moderation team at Seeking Alpha, as well as working in various capacities in the education sector. His prior academic work inclu...
