To Protect Democracy, Policymakers Must Protect Journalists from Spyware

Sheila B. Lalwani / Jan 27, 2025

Kherson, Ukraine - Lenka Klicperova, journalist and photographer, covers the war in Ukraine. October 19, 2022, Jose Hernandez/Shutterstock

As 2024 drew to a close, a spate of headlines ran in December detailing the use of spyware against journalists in Serbia. In a year that witnessed reports every few months of high-powered spyware tools hacking journalists’ devices in Jordan, Mexico, Turkey, India, and Togo, news of Serbia as another spyware hub capped an alarming year. When Amnesty International issued its report on the digital surveillance of journalists in Serbia, an anonymous activist described spyware as “an incredibly effective way to completely discourage communication between people. Anything that you say could be used against you, which is paralyzing at both personal and professional levels.”

What will 2025 bring to journalists? More spyware.

Spyware is cheap, difficult to trace, and effective. Moreover, the proliferation of AI and spyware technologies has made them more accessible. Even as more and more people become aware of the nature of spyware and its perils, 2025 will likely continue the phenomenon of governments and bad actors targeting journalists through digital surveillance. Spyware deepens a global crisis in acts of harm against media professionals and independent media. Policymakers in the US and European Union have wrestled with the threat spyware poses to journalists with varying results. As other countries ponder introducing domestic anti-surveillance laws to safeguard journalists from spyware and digital surveillance, here’s what policymakers should consider from European Union and US policy efforts.

Spyware targets journalists and violates their rights

Spyware is a form of malware or surveillance technology that the Committee to Protect Journalists (CPJ) describes as enabling “secret, unauthorized access to an electronic device without detection.” Spyware can collect personal data, like credit card numbers and passwords, track activity, access devices, intercept communication, and watch virtually anything within view of the phone camera. Numerous forms of spyware, such as Predator, are now available, but Pegasus is the most potent. Pegasus is a no-touch install spyware capable of stealing passwords, private data, contacts, and photos without the user’s knowledge, and it can turn a phone into a 24-hour surveillance device. Attackers deploy Pegasus to deep dive into mobile devices, gathering precious personal data like end-to-end encrypted messages and GPS location. Three dozen countries, including Armenia, China, Mexico, Saudi Arabia, South Africa, and 14 in the EU, are known Pegasus users.

Journalists are prime and frequent targets for spyware by the nature of what they do. Journalists are essential links in democracies. They are also outspoken. They expose government and corporate corruption. Journalists collect and disseminate information, enabling people to make choices, vote, etc. Journalists also rely indispensably on their mobiles to conduct interviews, gather information, communicate with sources and colleagues, and transmit their work. These factors make them vulnerable to spyware. A 2021 Center for International Media Assistance report found that “governments acquire spyware technologies to monitor journalists, silence independent journalism, and control the flow of information.” Spyware allows governments to surveil journalists' activities and newsgathering practices, such as interviews with confidential sources, messages to their colleagues, and images shot without their knowledge or consent. Spyware also exposes journalists’ sources, colleagues, friends, and family members.

The first known case of Pegasus occurred against prominent human rights defender Ahmed Mansoor from the United Arab Emirates (UAE). In 2016, Mansoor received texts that promised details about detainees tortured in UAE prisons if he clicked on a provided link. Mansoor forwarded the messages to the University of Toronto’s Citizen Lab, which identified the links as spyware exploits. Since then, Pegasus and other forms of spyware have hit scores of journalists from all corners of the world. Independent reporting initiative Pegasus Project found Pegasus on more than 50,000 phones, many belonging to those in the media.

Importantly, journalists reporting from outside of their borders are frequent targets. These journalists in exile have had to flee their homelands due to conflict or political repression. They must grapple with potential reprisals from their home governments, learn to operate in a foreign country, and face many other challenges. A groundbreaking report from the digital civil rights organization Access Now and the Citizen Lab found that an unknown source had placed Pegasus into the devices of media workers living in exile. Novaya Gazeta Europe CEO Maria Epifanova was among them. Authorities believe someone hacked Epifanova’s device following an interview with a Belarusian leader. Baltic Weekly producer Evgeny Erlikh was also named in the report, as was Evgeny Pavlov, a Latvian journalist and former correspondent for Novaya Gazeta Baltija.

Spyware has the potential to violate numerous journalists’ rights. First and foremost, it impacts the individual right to privacy. Spyware infringes the right to freedom of expression and undermines journalists’ right to freedom of association. It can potentially violate journalists’ right to data protection. Relatedly, it can have a detrimental impact on journalistic sources.

Digital surveillance technologies are in demand

Despite growing concerns about spyware’s harms, incidents appear to be on the rise. A 2023 Carnegie Endowment for International Peace report identified at least 74 governments engaged with commercial firms to acquire spyware or digital surveillance technologies. The report cited an ongoing demand for high-powered digital technology forensics as a leading reason. In addition to the most powerful spyware sellers, such as the NSO Group and Cytrox, secondary-tier firms have flourished alongside a corresponding increase in open-source, commercially available, and affordable spyware.

AI and spyware travel well together

The mushrooming of AI-powered surveillance systems has already empowered governments with tools to support illiberal democracies. AI-powered spyware is an effective tool for political oppression and digital transnational repression. This reality places more significant pressure on governments and international bodies to consider the ethical frameworks of AI-powered surveillance. Rumela Sen and Nusraat Farooq highlight that integrating AI technologies into spyware could power more sophisticated surveillance. These factors suggest that spyware incidents could continue and may even rise.

Spyware technologies exemplify broadening harms against journalists

It's tempting to think that spyware is limited to the machinations of illiberal governments, but that’s simply not the case. Spyware against journalists is a global problem: liberal and illiberal governments around the world have deployed it to suppress journalists and independent media. Take the European Union (EU) member states as an example. The EU’s reputation as a vanguard for independent media didn’t prevent the Greek government from surveilling journalists Thanassis Koukakis and Stavros Michaloudis in a case that scandalized Greece. Greece has also seen an uptick in violence against journalists. Hungary and Poland similarly deployed spyware against journalists domestically. Journalists in Central and South America are also being targeted by digital surveillance. In Digital Surveillance in Southern Africa: Policies, Politics and Practices, authors Allen Munoriyarwa and Admire Mare meticulously document that surveillance affects African journalists across multiple Southern African states.

Research increasingly recognizes the connection between digital harm and physical harm. It is not by accident that physical attacks and violence against journalists have spiked in recent years. Reporters Sans Frontières (RSF) documented that 54 journalists were killed in 2024, including 31 in conflict zones, with 550 detained, 55 held hostage, and 95 gone missing.

Spyware negatively impacts democracies

Spyware can lead to serious consequences for journalists. A 2022 report from the CPJ titled Zero Click Spyware: Enemy of the Press found the threat of spyware and its discovery impacts newsrooms and journalists by undermining editorial planning, discouraging journalists from carrying out sensitive investigative reporting, and undermining their sense of security. CPJ advocacy and communications director Gypsy Guillén Kaiser importantly pointed out, “Spyware brings another layer of risk to reporting that extends to the personal sphere when journalists’ families and associates are also targeted.”

Few, if any, have ever wondered what it might be like to have their phone infected or the associated dangers. Those who do should look no further than Galina Timchenko. Timchenko leads the powerful and influential Russian exiled media organization Meduza and has been a victim of Pegasus. Timchenko said this to CPJ about the experience: “I felt like I was dirty or stripped in the street.” Perhaps the most widely recognized illustration of spyware’s perils is the murder and dismemberment of exiled Saudi journalist and prominent Saudi critic Jamal Khashoggi. A columnist for the Washington Post, Khashoggi authored several opinion pieces critical of the Saudi government. The Pegasus Project later reported that Pegasus spyware infected the devices of Khashoggi and Khashoggi’s fiancée. Many believe spyware contributed to Khashoggi’s murder.

Not surprisingly, many journalists and journalists in exile have voiced their fears and wariness about continuing as journalists. Munoriyarwa and Mare extrapolate that some fear using their phones. Press freedom organizations have raised concerns over self-censorship and a slow abandonment of investigative journalism necessary for a functioning society.

Existing legislative efforts to address spyware against journalists fall short

The European Media Freedom Act (‘Media Freedom Act’) takes an unprecedented step to address intrusive surveillance software used against those in the media. The Media Freedom Act establishes the importance of journalistic activity in a democracy in its opening paragraphs. The initial paragraphs establish the importance of journalists carrying out their duties without undue interference from surveillance technologies. Article 4 safeguards journalistic sources by banning state authorities from deploying surveillance tools against journalists, barring exceptional circumstances, and calls on member states to ensure that journalistic sources and sensitive communications are sufficiently protected. Accordingly, Article 4 Para. 3(a) bars member states from pressuring media organizations to divulge sources or obliging someone to disclose the information due to their affiliation with a media organization. Article 4 Para. 3(b) prohibits member states from detaining, sanctioning, intercepting, or subjecting media organizations or their editorial staff to surveillance or search and seizure to collect sensitive information. Article 4 Para. 3(c) forbids the deployment of intrusive surveillance software on devices that journalists or media organizations use. Exceptions are made on a case-by-case basis on national security grounds and must follow Article 52 (1) of the European Union Charter and other European Union laws.

Despite the intent of the law, irregularities persist. Cybersecurity companies exploiting regulatory fragmentation in the European Union further impede efforts at protecting the human rights of journalists. The Carnegie report noted that cybersecurity firms establish subsidiaries where implementation of export controls is often lax. The report gives the example of the NSO Group establishing subsidiaries in Bulgaria and Cyprus. As another example, the report also notes that Intellexa, which owns Cytrox and Circles, is setting up operations in Cyprus, Greece, and Malta. Regulatory fragmentation prevents the full force of the law from protecting journalists against digital surveillance.

Furthermore, specific provisions – especially national security – call for further clarification. Jan Erik Kermer writes that the EU Agency for Fundamental Rights defines national security as “major threats to public safety and including cyber-attacks on critical infrastructures.” Kermer further notes that Article 4 does not address the outsourcing question, i.e., outsourcing surveillance to private entities. Absent from the final text is any mention of addressing instances when national governments assign spyware to non-state actors. Kermer deftly observes that this oft-used tactic absolves the state from responsibility while simultaneously undermining independent journalism.

Other countries have also considered surveillance laws against journalists but have failed. The US is an obvious example. The Protect Reporters from Exploitive State Spying (PRESS) Act is a federal shield law that would have protected journalists against government surveillance and forced disclosure of their confidential sources. The PRESS Act would have limited federal law enforcement surveillance of journalists and codified regulations the Department of Justice put in place under President Joe Biden. Several media freedom organizations, including the Electronic Frontier Foundation, RSF, and CPJ, supported the popular bill. However, shortly after the 2024 election, then-President-elect Donald Trump called on House Republicans to block the measure, terminating any hope of the US Senate clearing the legislation. For those who want to expand their cybersecurity businesses, President Trump’s moves to block important legislation and roll back cybersecurity laws are a boon. For everyone else, the chipping away at journalists’ rights portends a Kafkaesque future in the near term.

Protecting journalists’ cybersecurity marks a battle worth waging

Lost in much of this is the security of journalists. Their work can be dangerous and highly sensitive. Without ensuring their security, many may self-censor or abandon the field. The problem also extends beyond spyware. Other surveillance tools, including geolocation tracking, facial recognition, and other AI-enhanced surveillance tools, can further intimidate journalists.

Journalism is indispensable to democracy. Policymakers should take the safety of journalists more seriously and devise policies that protect them. Since journalists and members of the media face unprecedented digital and physical harm, there has never been a better time.

Authors

Sheila B. Lalwani
Sheila B. Lalwani is a cyber fellow and doctoral candidate in the Department of Journalism and Media Studies at the Moody College of Communication at the University of Texas at Austin. Sheila examines cybersecurity, surveillance, privacy, and independent media. A former Fulbright Scholar to Germany,...
