Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Countering transnational dissident cyber espionage

Siena Anstis 7 November 2023
Share On:
Surveillance of dissidents is increasing, but international law lacks clear pathways to curb the practice
Main Top Image
This image was created with the assistance of Midjourney

In 2018, Ghanem Al-Masarir, a Saudi human rights activist and satirist, was granted asylum in the United Kingdom (UK). Al-Masarir is the creator of a popular YouTube channel called the “Ghanem Show”, where he has gained significant publicity for his overt criticisms of the Saudi royal family. 

Unsurprisingly, Al-Masarir’s show has not been popular back in Saudi Arabia. The activist became the target of an act of what I call “transnational dissident cyber espionage.” His phone was infected with a highly intrusive form of mercenary spyware called Pegasus. Al-Masarir was also attacked by two men in London, with footage of the assault appearing on social media accounts linked to the Saudi government. He was warned by the police that there was a credible threat against his life. These events shattered Al-Masarir’s “appetite to do anything.”

Al-Masarir’s situation is just one example among many of the risks posed to dissidents and activists by the rise of transnational dissident cyber espionage.

What is transnational dissident cyber espionage?

Transnational dissident cyber espionage occurs when countries engage in cross-border intelligence activities (espionage) targeting diaspora communities, refugees, political dissidents, human rights defenders, or regime critics who have sought safety outside the perpetrating country. This practice appears to have grown over the past few years, with multiple new cases reported.

These intelligence collection activities take place using cyber capabilities that provide remote access to targeted devices like computers or phones. Mercenary spyware is a particularly invasive item on the menu of technologies used in dissident cyber espionage, which the European Data Protection Supervisor has described as posing “unprecedented risks”. Israeli company NSO Group developed Pegasus spyware—the spyware used on Al-Masarir—which grants the operator almost complete access to the targeted device. This includes the contents of encrypted applications like Signal and WhatsApp, and use of the device’s microphone and camera. Pegasus has been discovered on the devices of many human rights defenders and dissidents around the world. And Pegasus is only one version of this type of tool.

Although comprehensive regulatory solutions are elusive, governments have more recently started paying attention to the unchecked proliferation of such cyber capabilities—likely due as much to national security concerns as their human rights impact. For example, the United States issued an Executive Order in March 2023 prohibiting federal government agencies from using commercial spyware that poses a risk to national security or that has been misused by foreign actors to enable rights abuses. Measures like this suggest an opportunity to leverage states’ national security concerns to address transnational dissident cyber espionage as one of the pernicious harms wrought by this technology. 

An absence of international norms

Despite the negative impacts of transnational dissident cyber espionage for rule of law, democracy, and human rights, no clear international norms condemn such cross-border activities. As a general issue, governments treat cyber espionage with caution. Few are willing to advocate for clear international restrictions on the types of cross-border cyber targeting that states can engage in. 

Even if we accept that core international law and norms apply to digital, cross-border activities, this does little to provide states with guardrails to prevent such abusive targeting. For example, the experts who drafted the Tallinn Manual 2.0 agreed that the international law principles of sovereignty and non-intervention apply in cyberspace. They even went so far as to articulate that some situations lead to clear violations of the sovereignty principle. However, the experts could not achieve consensus “as to whether, and if so, when, a cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty.” With respect to cyber espionage, they noted that “one must look to the underlying acts to determine whether the operation in question violates international law.” It appears that the legality of dissident cyber espionage remains unclear under international law.

Dissident cyber espionage also appears to violate international human rights law, including its provisions regarding the right to privacy. Yet, adjudicating these cases is not straightforward. While targeting journalists, human rights defenders, or activists with mercenary spyware is broadly acknowledged to lead to human rights violations, it raises the spectre of extraterritoriality and the jurisdictions of relevant international human rights law treaties. For example, the International Covenant on Civil and Political Rights requires all rights enshrined within it to be respected and guaranteed “to all individuals within its territory and subject to its jurisdiction”. The question is whether states owe an obligation under international human rights treaties to respect the fundamental rights (such as the right to privacy) of individuals outside their territorial borders.   

The European Court of Human Rights recently addressed extraterritorial surveillance and the human rights obligations of states under the European Convention on Human Rights. The court concluded that, even though the applicants were located abroad when their communications were allegedly intercepted, interference with the applicants’ rights under Article 8 of the Convention still “took place within the United Kingdom and therefore fell within the territorial jurisdiction of the respondent state.” In other words, the UK owed human rights obligations to the applicants despite where the applicants happened to be.

In short, we find ourselves in a normative and legal vacuum. This void facilitates (and perhaps encourages) states to engage in transnational dissident cyber espionage knowing there will be few, if any, real repercussions.   

Next steps: closing the gap 

So how do we go about closing an egregious gap in international norms and law? One option is to have international human rights law embrace a notion of extraterritoriality where states must respect the right to privacy of individuals outside their borders. The likelihood of state practice edging in this direction anytime soon seems low. 

Another solution is to use the growing interest of countries like the United States and other concerned governments to regulate mercenary spyware. As part of this effort, states should begin working towards an international treaty. Ratifying states would agree to refrain from engaging in transnational dissident cyber espionage. They would also implement different mechanisms in domestic law contributing to accountability in states where targeted persons reside. 

These methods could include amending domestic law to expressly allow for lawsuits against foreign governments who engage in such activities, providing technical and financial support to targeted persons and undertaking to share information to identify and address such attacks. The UK made such a lawsuit possible, and in 2019, Al-Masarir was able to allege that the Saudi authorities were responsible for the spyware infection and other actions taken against him in the UK. In the past, countries like the United States have blocked  prior litigation because of foreign state immunity protections, making such an amendment to domestic law even more important.   

Such an international treaty could also help align various countries’ policies and practices regarding the export and sale of surveillance technologies. Right now, the United States’ recent moves towards regulating the spyware industry need to be coordinated with the implementation of more robust human rights protections in EU dual-use export law. This will be critical in making it more challenging for states to acquire sophisticated surveillance equipment to spy on dissidents. Done right, an international treaty could help transform a promising but piecemeal response to the spyware industry into a robust international legal framework.

This is certainly not a perfect solution, as many authoritarian states will likely continue to engage in this behaviour, regardless of whether they sign on for symbolic or other reasons. However, these small steps may start to raise the international costs of engaging in transnational dissident cyber espionage. 

avatar
Siena Anstis

Related

Featured image
Binding Edge
Europe’s cyber rapid response teams should pivot to proactive missions
Taylor Grossman 1 March 2024
Read more arrow
Featured image
Binding Edge
Responsible AI principles in an ‘apolitical’ industry
Cat Easdon 29 October 2024
Read more arrow
Featured image
Binding Edge
Why hostage negotiation tactics don’t work on ransomware
Max Smeets 28 November 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.