The use of spyware and other cyber-surveillance tools in connection with human rights violations became a topic of international attention in the wake of the 2011 Arab Spring uprisings. These concerns expanded in the 2020s following widespread reports of spyware being used to intimidate journalists and political opponents.
Since 2012, states have used export controls to gain oversight over the international trade in cyber-surveillance tools and prevent transfers that pose human rights and national security risks. Further expansions in the use of export controls to tackle these challenges have been encouraged by recent multilateral initiatives, particularly the Export Controls and Human Rights Initiative (ECHRI), the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, and the Pall Mall Process.
The Wassenaar Arrangement, which sets widely respected standards on arms and dual-use export controls, has been central to these efforts, adding five categories of cyber-surveillance tools to its scope since 2012. However, the geopolitical tensions created by Russia’s invasion of Ukraine have limited the ability of the Wassenaar Arrangement to adopt new controls. The United States has also been at the forefront of using export controls to target spyware manufacturers and promote multilateral action in this area. However, under the Trump administration, Washington appears less interested in engaging with multilateral export control processes.
Taking these processes forward may require new forums and leadership and a focus on connecting export controls with other regulatory frameworks to promote a more comprehensive approach to preventing the misuse of spyware and other cyber-surveillance tools.
A new policy paper from the Stockholm International Peace Research Institute (SIPRI), by these authors, contributes to this debate by detailing the export controls that have been applied to spyware and other cyber-surveillance tools, mapping what proportion of the global market they capture, and outlining recommendations for how states could harmonise, strengthen, and expand these measures.

The scope of export controls
Export controls are used by states to require companies to obtain licences before transferring military equipment and dual-use items identified in control lists. The Wassenaar Arrangement, the primary multilateral forum for agreeing the content of these controls, directly or indirectly captures seven cyber-surveillance tools in its dual-use list: lawful interception systems, data retention systems, network surveillance systems, monitoring centres, mobile phone interception equipment, digital forensics systems, and spyware.
The European Union has established its own dual-use regulation, which applies the Wassenaar dual-use list but also commits member states to assess the risk that exported items, including non-listed cyber-surveillance tools, may be used in connection with human rights and international humanitarian law violations.
US export controls also go beyond the scope of the Wassenaar controls. For instance, the US can impose licence requirements on exports to specific individuals or companies by adding them to the Department of Commerce’s ‘Entity List’. Since 2021, the US has added several manufacturers of commercial spyware to the list.
Export controls have played a key role in identifying spyware and other cyber-surveillance tools that should be subject to control and developing standards for regulating their trade. However, they only apply in countries that have integrated them into their national laws and regulations. This makes it important to identify where the main producers and exporters of cyber-surveillance tools are located and map the extent to which they are based in states that have adopted these controls.
Export control coverage
A mapping exercise conducted by SIPRI sought to locate the companies that produce cyber-surveillance tools subject to export controls.
Producers of spyware and other cyber-surveillance tools can be broadly divided into two categories. The first includes those that produce tools associated with processes of lawful interception and data retention, through which telecommunications network operators can be required by states to share or collect user data. The second category includes those that produce tools associated with device compromise, which allow direct or remote access to a target individual’s mobile phone or computer, such as spyware.
The mapping indicates that the production of cyber-surveillance tools is highly concentrated. It identified 188 companies located in 31 states. Of these, 51% are in 19 states in Europe, with another 22% in three states in the Americas. Forty-three companies in 18 states manufacture spyware. Spyware production is more concentrated than that of other cyber-surveillance tools – over half of these companies (58%) are in three states: India, Israel, and Italy.
This baseline estimate of the size and scope of the cyber-surveillance industry indicates the potential for export control measures to enhance oversight, transparency, and restraint.
The potential impact of export controls
At least 64 states apply the Wassenaar Arrangement dual-use list through their national export controls. These states are home to 95% of the companies that manufacture spyware and other cyber-surveillance tools identified in the mapping exercise. Forty-three states have committed to using export controls to prevent transfers of different categories of cyber-surveillance tools that might be used to enable violations of human rights and international humanitarian law by virtue of being EU member states or signatories to the ECHRI Code of Conduct, the Joint Statement on Spyware, or the Pall Mall Process Code of Practice. These states are home to 68% of the companies mapped by SIPRI.
Export controls create records of where items are being exported and by whom. This can increase transparency and government oversight of the trade in cyber-surveillance items. Export controls can also be used to prevent transfers of cyber-surveillance tools and impose constraints on how exported items are used. However, implementing these controls effectively requires an understanding of how to assess risks of misuse and an ability to manage the complexities of implementation and enforcement.
Available guidelines on assessing the risks associated with transfers of dual-use items do not consider human rights- or international humanitarian law-related risks raised by cyber-surveillance tools. There is a need to develop standards that detail how these risks should be assessed when states are exporting these items.
Additionally, some cyber-surveillance tools are ‘intangible’ products, like software. The implementation of controls on intangible transfers would benefit from more detailed standard-setting and effective enforcement, which smaller states may not have the capacity for.
Ways forward
If the scope for further action from the Wassenaar Arrangement and US leadership remains limited, then supporters of the Pall Mall Process and the EU are well-placed to advance discussions about using export controls to tackle the proliferation and misuse of cyber-surveillance tools.
The Pall Mall Process is focused on spyware. With that narrower remit it could enable detailed conversations on standard-setting for export controls and establish new mechanisms of inter-governmental information sharing.
The EU’s broader remit includes all cyber-surveillance tools. As such, the EU could explore new controls on additional categories of cyber-surveillance tools – for instance, facial recognition software and other biometric tools – that are not covered by the Wassenaar Arrangement. The European Commission, working with EU member states, could also develop guidelines and training programmes for national officials on the implementation of controls on intangible items.
Effectively addressing the proliferation and misuse of spyware and other cyber-surveillance tools requires the use of a range of hard and soft law instruments, such as industry standards, legal actions, and the full implementation of international human rights law. Export controls are an essential piece of this puzzle that can both limit the proliferation and misuse of spyware and other cyber-surveillance tools and support other regulatory instruments and initiatives.
For more information, see Export controls and spyware: Enhancing oversight, transparency and restraint by Mark Bromley and Giovanna Maletta.







