Countering transnational dissident cyber espionage

Surveillance of dissidents is increasing, but international law lacks clear pathways to curb the practice
Main Top Image
This image was created with the assistance of Midjourney

In 2018, Ghanem Al-Masarir, a Saudi human rights activist and satirist, was granted asylum in the United Kingdom (UK). Al-Masarir is the creator of a popular YouTube channel called the “Ghanem Show”, where he has gained significant publicity for his overt criticisms of the Saudi royal family. 

Unsurprisingly, Al-Masarir’s show has not been popular back in Saudi Arabia. The activist became the target of an act of what I call “transnational dissident cyber espionage.” His phone was infected with a highly intrusive form of mercenary spyware called Pegasus. Al-Masarir was also attacked by two men in London, with footage of the assault appearing on social media accounts linked to the Saudi government. He was warned by the police that there was a credible threat against his life. These events shattered Al-Masarir’s “appetite to do anything.”

Al-Masarir’s situation is just one example among many of the risks posed to dissidents and activists by the rise of transnational dissident cyber espionage.

What is transnational dissident cyber espionage?

Transnational dissident cyber espionage occurs when countries engage in cross-border intelligence activities (espionage) targeting diaspora communities, refugees, political dissidents, human rights defenders, or regime critics who have sought safety outside the perpetrating country. This practice appears to have grown over the past few years, with multiple new cases reported.

These intelligence collection activities take place using cyber capabilities that provide remote access to targeted devices like computers or phones. Mercenary spyware is a particularly invasive item on the menu of technologies used in dissident cyber espionage, which the European Data Protection Supervisor has described as posing “unprecedented risks”. Israeli company NSO Group developed Pegasus spyware—the spyware used on Al-Masarir—which grants the operator almost complete access to the targeted device. This includes the contents of encrypted applications like Signal and WhatsApp, and use of the device’s microphone and camera. Pegasus has been discovered on the devices of many human rights defenders and dissidents around the world. And Pegasus is only one version of this type of tool.

Although comprehensive regulatory solutions are elusive, governments have more recently started paying attention to the unchecked proliferation of such cyber capabilities—likely due as much to national security concerns as their human rights impact. For example, the United States issued an Executive Order in March 2023 prohibiting federal government agencies from using commercial spyware that poses a risk to national security or that has been misused by foreign actors to enable rights abuses. Measures like this suggest an opportunity to leverage states’ national security concerns to address transnational dissident cyber espionage as one of the pernicious harms wrought by this technology. 

An absence of international norms

Despite the negative impacts of transnational dissident cyber espionage for rule of law, democracy, and human rights, no clear international norms condemn such cross-border activities. As a general issue, governments treat cyber espionage with caution. Few are willing to advocate for clear international restrictions on the types of cross-border cyber targeting that states can engage in. 

Even if we accept that core international law and norms apply to digital, cross-border activities, this does little to provide states with guardrails to prevent such abusive targeting. For example, the experts who drafted the Tallinn Manual 2.0 agreed that the international law principles of sovereignty and non-intervention apply in cyberspace. They even went so far as to articulate that some situations lead to clear violations of the sovereignty principle. However, the experts could not achieve consensus “as to whether, and if so, when, a cyber operation that results in neither physical damage nor the loss of functionality amounts to a violation of sovereignty.” With respect to cyber espionage, they noted that “one must look to the underlying acts to determine whether the operation in question violates international law.” It appears that the legality of dissident cyber espionage remains unclear under international law.

Dissident cyber espionage also appears to violate international human rights law, including its provisions regarding the right to privacy. Yet, adjudicating these cases is not straightforward. While targeting journalists, human rights defenders, or activists with mercenary spyware is broadly acknowledged to lead to human rights violations, it raises the spectre of extraterritoriality and the jurisdictions of relevant international human rights law treaties. For example, the International Covenant on Civil and Political Rights requires all rights enshrined within it to be respected and guaranteed “to all individuals within its territory and subject to its jurisdiction”. The question is whether states owe an obligation under international human rights treaties to respect the fundamental rights (such as the right to privacy) of individuals outside their territorial borders.   

The European Court of Human Rights recently addressed extraterritorial surveillance and the human rights obligations of states under the European Convention on Human Rights. The court concluded that, even though the applicants were located abroad when their communications were allegedly intercepted, interference with the applicants’ rights under Article 8 of the Convention still “took place within the United Kingdom and therefore fell within the territorial jurisdiction of the respondent state.” In other words, the UK owed human rights obligations to the applicants despite where the applicants happened to be.

In short, we find ourselves in a normative and legal vacuum. This void facilitates (and perhaps encourages) states to engage in transnational dissident cyber espionage knowing there will be few, if any, real repercussions.   

Next steps: closing the gap 

So how do we go about closing an egregious gap in international norms and law? One option is to have international human rights law embrace a notion of extraterritoriality where states must respect the right to privacy of individuals outside their borders. The likelihood of state practice edging in this direction anytime soon seems low. 

Another solution is to use the growing interest of countries like the United States and other concerned governments to regulate mercenary spyware. As part of this effort, states should begin working towards an international treaty. Ratifying states would agree to refrain from engaging in transnational dissident cyber espionage. They would also implement different mechanisms in domestic law contributing to accountability in states where targeted persons reside. 

These methods could include amending domestic law to expressly allow for lawsuits against foreign governments who engage in such activities, providing technical and financial support to targeted persons and undertaking to share information to identify and address such attacks. The UK made such a lawsuit possible, and in 2019, Al-Masarir was able to allege that the Saudi authorities were responsible for the spyware infection and other actions taken against him in the UK. In the past, countries like the United States have blocked  prior litigation because of foreign state immunity protections, making such an amendment to domestic law even more important.   

Such an international treaty could also help align various countries’ policies and practices regarding the export and sale of surveillance technologies. Right now, the United States’ recent moves towards regulating the spyware industry need to be coordinated with the implementation of more robust human rights protections in EU dual-use export law. This will be critical in making it more challenging for states to acquire sophisticated surveillance equipment to spy on dissidents. Done right, an international treaty could help transform a promising but piecemeal response to the spyware industry into a robust international legal framework.

This is certainly not a perfect solution, as many authoritarian states will likely continue to engage in this behaviour, regardless of whether they sign on for symbolic or other reasons. However, these small steps may start to raise the international costs of engaging in transnational dissident cyber espionage.