On November 7, Binding Hook published an article by Sophie in ‘t Veld arguing—correctly, I might add—that spyware is a clear and present danger to our democracies. Having led the European Parliament’s yearlong investigation into spyware, in ‘t Veld is well acquainted with the tools and their impact on victims around the world, not to mention the vendors, the NGOs who expose them, and the actors who knowingly spread disinformation about their research.

In ‘t Veld says that the only upside to this spyware debacle “is that it is covered with the correct amount of urgency by some of the finest journalists in Europe.”

“With many parliaments unaware of the problem and courts too slow or unable to push back, much now depends on the Fourth Estate. It is up to the press to keep the fire burning until more politicians wake up to the danger”, she writes.

But the fire has been burning for over a decade and not much has been done to curb the threat, despite the efforts of numerous journalists, technologists, and security researchers. Few seem to be paying attention—the notable exceptions being in ‘t Veld and some of her colleagues in Europe, along with a team of US government officials in Washington.

Early signs

An early warning was sounded in 2009 when Chris Soghoian, then a graduate student at Indiana University, quietly recorded panels at a surveillance trade show and published the tapes on his blog. The Intelligence Support Systems World Conference—commonly known as ISS World—made its debut “in 2002 with less than 50 attendees”, according to a 2017 article by CyberScoop. Since then, the conference has expanded with events in all corners of the world, gathering “thousands of prominent spies, police, hackers and powerful bureaucrats together to spend money on some of the latest and greatest in retail spying kits.”

Soghoian, now Senior Advisor for Privacy and Cybersecurity in the Office of Senator Ron Wyden, wrote that the audio revealed that a US telecommunications company had shared customer location data with law enforcement “8 million times between September 2008 and October 2009.” In publishing the recordings, Soghoian not only showed the need for surveillance oversight in the United States—a few years before the Snowden disclosures—but also made the public aware of ISS World and the companies that attend the events. ISS World even picked up the nickname ‘Wiretapper’s Ball’ among its critics. (Soghoian removed the files a couple of days later, writing on his blog that an executive at TeleStrategies, the firm organising ISS World, claimed he had violated copyright law.)

Two years later, when asked to comment for a Guardian article on ISS World and the sale of surveillance technology, Soghoian explained he believed “[t]he level of secrecy around the sale of such technology by [W]estern companies… is cause for alarm.” He’s not alone.

A rising tide of reporting

In 2012, Privacy International, the Guardian, and the Wall Street Journal published a database containing the names of all attendees at six ISS World events held in Washington, Prague, and Dubai between 2006 and 2009. Eric Kind (at the time, “Eric King”), then head of research at Privacy International, told the New Republic that “Western companies were going ‘out of their way’ to aid authoritarian regimes.” Trevor Timm, then with the Electronic Frontier Foundation, added that “it’s getting worse and the longer we wait to do something the worse it will get.”

The two digital rights organisations both called for government intervention, though with different approaches. While Privacy International argued for the need to regulate the export and sale of surveillance technology, the Electronic Frontier Foundation told the European Parliament that it should not regulate the technology itself, but how it was used by the customers. Other initiatives to use export controls to prevent the proliferation of commercial spyware have also arisen.

But the years passed, and the spyware abuse has continued unabated.

In 2013, Citizen Lab reported that FinFisher spyware from the Anglo-German company Gamma Group had been used against opposition members in Ethiopia. In 2014, Bahrain Watch detailed how the same tool had been used to target “some of the country’s most prominent lawyers, activists and politicians”. Several years later, in 2018, the Guardian reported that four victims had filed a lawsuit against the company, arguing that Gamma Group knew the authorities in Bahrain would use the software “to crack down on protests during the Arab spring.” The case is slowly making its way through the UK court system. In 2016, Amnesty International revealed that spyware from the Italian company Hacking Team had been used to target a citizen media project in Morocco four years earlier.

MIT Tech Review reported in 2021 that senior executives at French Amesys had “been indicted for the company’s sale of surveillance software to authoritarian regimes in Libya and Egypt that resulted in the torture and disappearance of dissidents.” The charges came ten years after the Wall Street Journal published evidence that the company’s surveillance technology had been used against Libyans. While some charges were dropped last year, the investigation into the executives is ongoing.

And then there’s NSO Group and Intellexa, two other companies whose spyware, Pegasus and Predator respectively, have been used to target hundreds of members of civil society for years. Citizen Lab, which has researched cyber mercenaries for over a decade, disclosed the first known victim of Pegasus spyware in 2016 when it detailed the targeting of human rights defender Ahmed Mansoor. The New York Times reported in 2019 that Mansoor had also been targeted with spyware from FinFisher, Hacking Team, and DarkMatter. Mansoor is not the only person to have been targeted with spyware from different vendors.

Where do we go from here?

Human rights defenders and policymakers keep calling for a moratorium on the sale of spyware. Researchers still analyse infected devices and expose attacks around the world. Apple, which last year launched an opt-in feature called Lockdown Mode to defend against sophisticated spyware, still notifies individuals whose iPhones may have been targeted by state-sponsored actors.

Meanwhile, ISS World persists in parading well-known vendors like Candiru and Memento Labs—the reborn Hacking Team—and, yes, NSO Group and Intellexa at convention centres worldwide. While ISS World in Washington just wrapped up on November 9, the companies will next showcase their surveillance tools in Dubai in February, followed by Prague in June—this time with NSO as the lead sponsor.

The fire is still burning, and journalists and NGOs are doing everything in their power to sound the alarm at every turn. How long until politicians wake up?