Defending Against Spyware: What Is Being Done To Protect Our Rights From Digital Threats?
1. Surveillance Technology and Personal Privacy
Digital surveillance, using tools like GPS tracking, email monitoring, and data mining, seriously threatens privacy and human rights. It allows private and public entities to gather large amounts of personal data, often without consent, violating the right to privacy under Article 12 of the Universal Declaration of Human Rights. Cases like the Pegasus spyware scandal show how surveillance can target journalists and politicians, increasing the risks. In addition, surveillance can limit freedom of expression and association, creating self-censorship and fear. Moreover, misuse of digital IDs can invade privacy by tracking people’s actions without their knowledge.1
Advanced surveillance technologies pose serious risks to personal privacy, even with encrypted devices. The large-scale collection and sharing of sensitive data, like health and location information, raise concerns about profiling, discrimination, and loss of control. Traditional methods of de-identifying data, such as anonymization and encryption, are becoming less effective in protecting privacy.2
Spyware like Pegasus has damaged trust in digital technologies, making users more cautious of surveillance and data breaches. This distrust can slow the adoption of digital services, especially in areas like finance and healthcare, limiting digital transformation and widening the digital divide. The normalization of surveillance by governments and organizations weakens privacy rights, as people get used to constant monitoring. This loss of privacy erodes legal protections and creates a chilling effect on free expression and association, as fear of surveillance leads to self-censorship and limits democratic participation.
2. Cybersecurity Vulnerabilities
Spyware, often installed through legitimate or clickwrap agreements, tracks and sends user data to third parties, usually for targeted marketing. While it can be used legally, spyware can also be exploited by malicious actors. This article looks at spyware’s functions, both legal and illegal, and discusses ways to prevent or remove it.3
Several methods are currently available to strengthen cybersecurity protocols. Key steps include using strong encryption to protect communications from being intercepted, and applying regular security updates to fix system vulnerabilities. In addition, AI-based behavioral analysis tools can detect unusual activities that suggest spyware. Lastly, multi-factor authentication (MFA) adds an extra layer of security to sensitive accounts. Educating users, especially about phishing and social engineering tactics, is crucial to reduce the risk of spyware attacks. These combined strategies improve digital privacy and security, defending against advanced spyware threats like Pegasus.4
In 2018, Apple attempted to correct vulnerabilities after UAE activist Ahmed Mansoor was targeted by Pegasus spyware. Despite claims that the issue was resolved in 2022, recent findings indicate traces of Pegasus infections were still found in Shutdown.log files.5 Apple’s attempt took the form of Lockdown Mode. This feature blocks potentially dangerous message links, disables certain web browsing features, and restricts FaceTime calls from unknown numbers. It also stops accessory connections unless the device is unlocked. Although it is currently available to selected users, experts recommend broader use of this feature as global spyware threats continue to grow.6
3. Ethics of Surveillance Software Development
Spyware like Pegasus allows governments and private parties to take advantage of their access to secretive surveillance, which has led to the monitoring of many journalists, activists, politicians, and government officials by different countries.7 In this regard, should the owners of spyware take responsibility for the misuse of their products by others?
In a report, the NSO Group stated that it focuses on protecting multiple fundamental rights when it comes to others using its spyware. The report explains that this is done by choosing specific governments to license its product to, in order to guarantee against breaches of these rights.8 While this may work in theory, in actuality these attempts at protection have been, to put it lightly, a waste of time. This is shown through a complaint launched, on the 18th of September 2024, by the Global Legal Action Network (GLAN) “on behalf of four victims of Pegasus spyware”, who were all “human rights defenders” that were being targeted by various countries for their activism between the years of 2018 and 2020 through the “hacking of their phones”.9
This example of GLAN holding the NSO Group accountable for the actions of the governments that are using their product could urge companies like the NSO Group to create stricter criteria when it comes to deciding who gets access to their spyware. In order for this to be even more effective, other groups and individuals should also do the same.
4. Digital Forensics and Investigative Journalism
Another factor that could enforce and increase the accountability of these companies is investigative journalism by organizations like Citizen Lab and Amnesty International. These organizations have been monitoring the mishandling of Pegasus by governments and individuals.
The Pegasus Project is a successful effort created by Amnesty International that led to a domino effect of actions that were carried out by governments and individuals to end the misuse of spyware. In terms of governmental action, EU institutions have chosen to create a “committee of inquiry” that assesses the misuse of Pegasus by EU Member States. Similarly, the US Department of Commerce blacklisted the NSO Group for their actions in 2021.10 Relating to private parties, there have been multiple cases launched by victims of spyware in several countries. Also, Apple has taken legal action against the NSO Group.11
These organizations have also been using advanced technologies to detect spyware on victims’ devices, such as their phones. In an interview with the founder of Citizen Lab, the technology used was explained as finding “digital traces” to confirm the existence of spyware on the devices and then, “net mapping” to confirm that a device “has been hacked with Pegasus”.12 This technique of finding the traces left behind by spyware on devices is also used by Amnesty International for “Apple and IOS systems”.13
The coming together of these forensic technologies and investigative journalism exposes companies like the NSO Group for seemingly allowing these misuses of their product to take place. This could lead to the NSO Group making it more difficult to access their product, which will inevitably lead to fewer infringements of fundamental rights with the use of these products.
5. Impact on Free Speech and Journalism
Spyware greatly undermines journalistic source protection, causing journalists to use coded language, avoid saving contacts, and reduce communication through calls or messages. Many stop visiting familiar places or lose contact with sources entirely, limiting their access to crucial public interest information out of fear of exposure. The main threat lies in revealing their digital lives, work, and sources to hostile actors, often through a mix of digital and physical attacks. This creates constant uncertainty that erodes trust in journalism’s digital tools, source protection, and safety, ultimately leaving journalists vulnerable to psychological and systemic threats without clear detection.14
In his study ‘Dealing with the Black Box: European Journalists and the Threats of Spyware,’ Philip Di Salvo highlighted spyware’s psychological effects, focusing on the anxiety caused by uncertainty about surveillance and the inability to confirm attacks. Interviewees reported that both direct victims and those exposed to the threat suffer serious psychological consequences. They emphasized the need for the media to take these threats seriously, calling for better technical knowledge and systematic education for preparation and response. Relying on a small group of technologists isn’t enough; a broader approach is required to tackle the widespread challenges of spyware.15
Spyware worsens journalists’ working conditions, causing psychological, social, and political challenges. The fear of surveillance and the inability to confirm threats create a harmful environment. Its growing use worldwide signals the troubling normalization of digital authoritarian practices aimed at journalists.16
Bibliography
- Leith Jeroudi, ‘Surveillance and Human Rights’ Geneva Centre for Human Rights Advancement and Global Dialogue <https://gchragd.org/wp-content/uploads/2023/06/GCHRAGD-SURVEILLANCE-AND-HUMAN-RIGHTS-background-paper.pdf> accessed 11 October 2024.
- Omer Tene and Jules Polonetsky, ‘Privacy in the Age of Big Data: A Time for Big Decisions’ (2012) 64 Stanford Law Review <https://www.stanfordlawreview.org/online/privacy-paradox-privacy-and-big-data/> accessed 11 October 2024.
- Thomas Stafford and Andrew Urbaczewski, ‘Spyware: The Ghost in the Machine’ (2004) 14 CAIS 291 <https://aisel.aisnet.org/cgi/viewcontent.cgi?article=3274&context=cais> accessed 10 October 2024.
- Karwan Mustafa Kareem, ‘A Comprehensive Analysis of Pegasus Spyware and Its Implications for Digital Privacy and Security’ (2024) 12(3) IJISAE 1360, 1366 <https://arxiv.org/pdf/2404.19677> accessed 11 October 2024.
- Bill Marczak and others, ‘Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries’ (Citizen Lab Research Report No. 113, University of Toronto, 2018) 25.
- Sophie Webster, ‘Apple’s Lockdown Mode Feature is the Company’s Answer to Growing Spyware Threats’ (Tech Times, 10 July 2022).
- Network GLA, ‘New Criminal Complaint over Pegasus Spyware Hacking of Journalists and Activists in the UK’ (glan Global Legal Action Network, 19 September 2024) <https://www.glanlaw.org/single-post/new-criminal-complaint-over-pegasus-spyware-hacking-of-journalists-and-activists-in-the-uk> accessed 12 October 2024.
- NSO Group, Transparency and Responsibility Report (2023) rep <https://www.nsogroup.com/governance/transparency/> accessed 10 October 2024, pages 9 and 10.
- Network GLA, ‘NSO Spyware Hacking: Glan’ (glan Global Legal Action Network, 2024) <https://www.glanlaw.org/nso-spyware-hacking> accessed 12 October 2024.
- ‘The Pegasus Project’ (Amnesty International Security Lab, 18 April 2024) <https://securitylab.amnesty.org/case-study-the-pegasus-project/> accessed 12 October 2024.
- ‘The Pegasus Project’ (Amnesty International Security Lab, 18 April 2024) <https://securitylab.amnesty.org/case-study-the-pegasus-project/> accessed 12 October 2024.
- Interview with Tomasz Sawczuk and Ronald Deibert ‘Dyrektor Citizen Lab: Pegasus Został Wykorzystany Do Namierzania Opozycji w Polsce’ (Kultura Liberalna, 8 November 2022) <https://kulturaliberalna.pl/2022/11/08/pegasus-zostal-wykorzystany-do-namierzania-opozycji-w-polsce/> accessed 12 October 2024.
- Amnesty International’s Security Lab, Forensic Methodology Report: How to catch NSO Group’s Pegasus (Amnesty International 2021) rep <https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/> accessed 11 October 2024.
- Sadia Jamil, ‘The Monitored Watchdogs: Journalists’ Surveillance and Its Repercussions for Their Professional and Personal Lives in Pakistan’ (2021) 22(7) Journalism Studies 878 <https://doi.org/10.1080/1461670X.2021.1904272> accessed 12 October 2024.
- Philip Di Salvo, ‘Dealing with the Black Box: European Journalists and the Threats of Spyware’ (2024) Digital Journalism <https://www.tandfonline.com/doi/full/10.1080/21670811.2024.2378122> accessed 12 October 2024.
- Marlies Glasius and Marcus Michaelsen, ‘Illiberal and Authoritarian Practices in the Digital Sphere’ (2018) 12 IJoC 3795 <https://ijoc.org/index.php/ijoc/article/view/8899> accessed 12 October 2024.