The EU’s Human Rights Sanction Regime could target malicious spyware vendors

The European Union has a powerful and underutilised tool at its disposal to counteract human rights abuses linked to commercial spyware

Europe has a substantial spyware problem. Despite regulating dual-use technology (ie, spyware) exports, countries have continued to grant export licenses for the sale of spyware to repressive governments. For example, the Greek government has acknowledged granting export licenses to the company Intellexa to sell its Predator spyware to the Sudanese government. A European Parliament report lists more instances. 

Europe’s spyware problem

Human rights abuses involving this technology also occur inside Europe’s borders: Greece, Spain, Hungary, and Poland, all EU member states, have used spyware on domestic political opposition groups, a shocking departure for democratic states.

In response to this problem, the European Parliament established the PEGA Committee of Inquiry to “investigate alleged infringement or maladministration in the application of EU law in relation to the use of Pegasus” and similar software. PEGA’s final report called for a multitude of responses, including coordinated action at the European Union level and better enforcement of existing legislation, such as export control regimes. However, better enforcement is difficult since it is largely left up to individual member states. 

The Global Human Rights Sanction Regime

A tool which the PEGA report did not mention, the EU’s Global Human Rights Sanction Regime, offers another way to target bad actor spyware vendors. 

Adopted in 2020 and currently extended until 2026, the Regime provides for financial sanctions and travel restrictions on those “responsible for, providing support to or otherwise involved in serious human rights violations or abuses.” It mirrors the US Magnitsky Act. Seven other countries have adopted similar measures. 

The Regime has been applied to 67 natural and legal persons and 20 entities. Sanctioned individuals include a member of the Russian FSB accused of torturing a detained journalist, the acting Taliban Minister for Higher Education, several people involved in abuses against Uyghurs in China, and those involved in torture, extrajudicial, summary or arbitrary executions and killings in South Sudan and Eritrea.

Sanctions apply not only to those responsible for abuses, but also to those providing “financial, technical, or material support for, or are otherwise involved in” designated acts, “including by planning, directing, ordering, assisting, preparing, facilitating, or encouraging such acts.”

However, most of the sanctioned individuals have been high-level officials plausibly “responsible” for human rights abuses. The closest the Regime has come to designating someone as a “supporter” is its 2023 sanction of nine Russian judges who sentenced a Kremlin critic to 25 years’ imprisonment; the judges were alleged only to have participated in a judicial system that has been “systematically” used to violate human rights.

Adapting the Regime for spyware

The European Union should not shy away from designating malicious actors as supporters of human rights abuses. The US, whose Magnitsky Act contains similar language, has done so multiple times. The EU Regime allows it, and the gravity of the offences the Regime has responded to so far certainly merits punishing supporters as well as primary violators.

Spyware companies whose products have been used in human rights abuses would fall under this category. Consider the example of the NSO Group. The Israeli company made spyware called Pegasus, which was linked to human rights abuses, including offences against political dissidents, human rights activists, and other protesters.

The NSO Group does not use information obtained from its spyware to determine targets or carry out abuses, but it can still be considered as “providing support to” the abusing entities because it provided a technological tool that made those abuses possible. The Regime could classify the company and key employees as violators, subjecting them to financial sanctions and travel restrictions within the EU. 

The NSO Group is far from the only entity possibly subject to designation. The United States has already placed on its sanctions list Intellexa, a consortium of spyware companies that has been linked to rights abuses, and Candiru, another Israeli spyware firm implicated in the targeting of politicians in Catalonia. 

The United States has adopted a strict liability standard. By contrast, in Europe, it is unclear what degree of knowledge a spyware company must have about the use of its products to be liable, and many spyware companies disclaim knowledge of misuse. Adopting a strict liability standard would encourage actual know-your-customer policies. 

Benefits and complications 

One drawback of the Regime is that it requires unanimity to impose sanctions. Some EU countries may be customers of the companies under consideration, so they would be unwilling to impose sanctions on them. However, vetoing the designation of a vendor as notorious as the NSO Group at the European Union Council level would risk exposure and public condemnation for that government. 

Although the unanimity rule may make it harder for the EU to agree to designate an entity as a violator, once designated, a company would be subject to sanctions from 27 states, the EU members. Even if several countries failed to enforce the Regime, other EU states’ enforcement would still affect the targeted country. To illustrate, let’s say one state refuses to enforce the Regime; companies would still be subject to sanction in the remaining 96% of countries. In contrast, under the dual-use export control regulations, if one country refuses to enforce, an offending company has 100% access to its target market. Essentially, the default consequences of underenforcement are reversed under the Regime compared to dual-use regulations.

Export controls on dual-use technologies have been the primary approach to combating spyware abuses in the last ten years. However, there is room for substantially more regulatory creativity. The Regime is a key component of diversifying and strengthening regulation to limit the proliferation of spyware, now. 
