Main Logo Expert commentary on tech and security

The EU’s Human Rights Sanction Regime could target malicious spyware vendors

Mailyn Fidler 12 July 2024
Share On:
The European Union has a powerful and underutilised tool at its disposal to counteract human rights abuses linked to commercial spyware
Main Top Image
Image created with the assistance of Midjourney

Europe has a substantial spyware problem. Despite regulating dual-use technology (ie, spyware) exports, countries have continued to grant export licenses for the sale of spyware to repressive governments. For example, the Greek government has acknowledged granting export licenses to the company Intellexa to sell its Predator spyware to the Sudanese government. A European Parliament report lists more instances. 

Europe’s spyware problem

Human rights abuses of this technology come from inside Europe’s borders, too: Greece, Spain, Hungary, and Poland, all EU member states, have used spyware on domestic political opposition groups, a shocking departure for democratic states. 

In response to this problem, the European Parliament established the PEGA Committee of Inquiry to “investigate alleged infringement or maladministration in the application of EU law in relation to the use of Pegasus” and similar software. PEGA’s final report called for a multitude of responses, including coordinated action at the European Union level and better enforcement of existing legislation, such as export control regimes. However, better enforcement is difficult since it is largely left up to individual member states. 

The Global Human Rights Sanction Regime

A tool which the PEGA report did not mention, the EU’s Global Human Rights Sanction Regime, offers another way to target bad actor spyware vendors. 

Adopted in 2020 and currently extended until 2026, the Regime provides for financial sanctions and travel restrictions on those “responsible for, providing support to or otherwise involved in serious human rights violations or abuses.” It mirrors the US Magnitsky Act. Seven other countries have adopted similar measures. 

The Regime has been applied to 67 natural and legal persons and 20 entities. Sanctioned individuals include a member of the Russian FSB accused of torturing a detained journalist, the acting Taliban Minister for Higher Education, several people involved in abuses against Uyghurs in China, and torture, extrajudicial, summary or arbitrary executions and killings in South Sudan and Eritrea

Sanctions apply not only to those responsible for abuses, but also to those providing “financial, technical, or material support for, or are otherwise involved in”  designated acts, “including by planning, directing, ordering, assisting, preparing, facilitating, or encouraging such acts.”

However, most of the sanctioned individuals have been high-level officials plausibly “responsible” for human rights abuses. The closest the Regime has come to designating someone as a “supporter” is its 2023 sanction of nine Russian judges that sentenced a Kremlin critic to 25 years imprisonment; the judges were alleged only to have participated in a judicial system that has been “systematically” used to violate human rights. 

Adapting the Regime for spyware

The European Union should not shy away from designating malicious actors as supporters of human rights abuses. The US, whose Magnitsky Act contains similar language, has done so multiple times. The EU Regime allows it, and the gravity of the offences the Regime has responded to so far certainly merit punishing supporters as well as primary violators.  

Spyware companies whose products have been used in human rights abuses would fall under this category. Consider the example of the NSO Group. The Israeli company made spyware called Pegasus, which was linked to human rights abuses, including offences against political dissidents, human rights activists, and other protesters

The NSO Group does not use information obtained from its spyware to determine targets or carry out abuses, but it can still be considered as “providing support to” the abusing entities because it provided a technological tool that made those abuses possible. The Regime could classify the company and key employees as violators, subjecting them to financial sanctions and travel restrictions within the EU. 

The NSO Group is far from the only entity possibly subject to designation. The United States has already placed on its sanctions list Intellexa, a consortium of spyware companies that has been linked to rights abuses, and Candiru, another Israeli spyware firm implicated in the targeting of politicians in Catalonia. 

The United States has adopted a strict liability standard. By contrast, in Europe, it is unclear what degree of knowledge a spyware company must have about the use of its products to be liable, and many spyware companies disclaim knowledge of misuse. Adopting a strict liability standard would encourage actual know-your-customer policies. 

Benefits and complications 

One drawback of the Regime is that it requires unanimity to impose sanctions. Some EU countries may be customers of the companies under consideration, so they would be unwilling to impose sanctions on them. However, vetoing the designation of a vendor as notorious as the NSO Group at the European Union Council level would risk exposure and public condemnation for that government. 

Although the unanimity rule may make it harder for the EU to agree to designate an entity as a violator, once designated, a company would be subject to sanctions from 27 states, the EU members. Even if several countries failed to enforce the Regime, other EU states’ enforcement would still affect the targeted country. To illustrate, let’s say one state refuses to enforce the Regime; companies would still be subject to sanction in the remaining 96% of countries. In contrast, under the dual-use export control regulations, if one country refuses to enforce, an offending company has 100% access to their target market. Essentially, the default consequences of underenforcement are reversed under the Regime compared to dual-use regulations.

Export controls on dual-use technologies have been the primary approach to combating spyware abuses in the last ten years. However, there is room for substantially more regulatory creativity. The Regime is a key component of diversifying and strengthening regulation to limit the proliferation of spyware, now. 

avatar
Mailyn Fidler

Related

Featured image
Binding Edge
Countering transnational dissident cyber espionage
Siena Anstis 7 November 2023
Read more arrow
Featured image
Binding Edge
The Uncertainty Maschine
Gavin Wilde 8 February 2024
Read more arrow
Featured image
Binding Edge
Europe’s cyber rapid response teams should pivot to proactive missions
Taylor Grossman 1 March 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.