International Human Rights Legal Compliance Must Be At the Center of Multilateral Regulation of Commercial Spyware

Micah Winters

It’s been less than four years since a journalistic coalition dubbed “the Pegasus Project” upended the preexisting global paradigm of digital rights and surveillance technology by documenting the incredible and chilling scope of remotely-directed state surveillance of the devices of journalists, activists, and political dissidents via a novel commercial technology, spyware.[1] The use of spyware has enabled, and continues to enable, malign actors’ violation of a panoply of fundamental—and often non-derogable—human rights, such as the prohibitions on torture,[2] arbitrary detention,[3] and enforced disappearances.[4]

Commercial spyware has therefore established itself as a leading concern in the digital rights space, all the more so because of the distinct absence of regulation to rein in the abusive capabilities of this technology.[5] All the while, states continue their emboldened and brazen use of spyware, as recent revelations from Italy have demonstrated.[6]

The right to privacy is enshrined in Article 12 of the Universal Declaration of Human Rights (UDHR), which prohibits any “arbitrary interference” with one’s “privacy, family, home or correspondence” and guarantees the “protection of the law” in upholding this right.[7] The International Covenant on Civil and Political Rights (ICCPR) duplicates this language,[8] and the European Convention on Human Rights (ECHR)[9] and American Convention on Human Rights (ACHR)[10] reproduce it with slight variation. Limitations on this right are permissible only if a given limitation is (a) prescribed by law, (b) in pursuit of a legitimate aim, and (c) proportionately calibrated vis-à-vis that aim.[11] States are therefore legally obligated to justify their utilization of surveillance technologies such as spyware, which represent prima facie violations of treaty-based rights to privacy, within this framework.

Europe has been the site of the most talked-about transnational spyware regulation, most notably with initiatives such as the EU’s PEGA Committee[12] and the Pall Mall Process, a global multilateral undertaking led by France and the United Kingdom.[13] These initiatives represent the international community’s first chance to establish standards for the permissible state use of spyware capabilities, if any. Civil society organizations and international human rights experts have called for the states involved in these processes to center the already-extant international human rights legal obligations these states are subject to, warning against the risk that states will regressively establish soft law standards below their obligations.[14]

The ever-present tension between state security concerns and human rights protections makes effective regulation of such a powerful digital surveillance tool a hard sell to even the most multilateralism-inclined and (rhetorically) human rights-conscious states. As the international community looks forward to the possibility of regulatory proposals in this space, it remains essential to platform the concerns of the civil society actors who stand to suffer the most harm from the abuse of spyware technology. And states are not without incentives to listen to these concerns: in the wrong hands, spyware has just as much capability to undermine national security as it does to defend it.[15]

As democratic backsliding slips towards democratic freefall in the U.S., it is essential that states committed to the norms and principles of international human rights law take a forceful lead in reaffirming treaty-based international legal obligations and enshrining strong norms disfavoring the extra-legal abuse of invasive digital surveillance. Privacy and freedom of expression around the world frankly depend upon it.

[1] Phineas Rueckert, Pegasus: The New Global Weapon for Silencing Journalists, Forbidden Stories (July 18, 2021), https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/.

[2] Patrick Howell O’Neill, French Spyware Bosses Indicted for Their Role in the Torture of Dissidents, MIT Tech. Rev. (June 22, 2021), https://www.technologyreview.com/2021/06/22/1026777/france-spyware-amesys-nexa-crimes-against-humanity-libya-egypt/l.

[3] Committee on Legal Affairs and Human Rights, Parliamentary Assembly Council of Europe, Hearing on the Implications of the Pegasus Spyware, UN OHCHR (Sep. 14, 2021), https://www.ohchr.org/en/statements-and-speeches/2021/09/committee-legal-affairs-and-human-rights-parliamentary-assembly.

[4] Siena Anstis et al., Submission of the Citizen Lab (Munk School of Global Affairs, University of Toronto) to the United Nations Working Group on Enforced or Involuntary Disappearances, Citizen Lab (June 18, 2022), https://citizenlab.ca/wp-content/uploads/2022/07/Submission-of-the-Citizen-Lab-Munk-School-of-Global-Affairs-University-of-Toronto-to-the-United-Nations-Working-Group-on-Enforced-or-Involuntary-Disappearances.pdf.

[5] Ronnie Rosen Zvi, Managing Risky Business – The International Regulatory Framework of Spyware Companies: Where it is Lacking and Where it is Heading, Georgetown L. Ctr. on Transnat’l Bus. & the Law (Jan. 30, 2023), https://www.law.georgetown.edu/ctbl/blog/managing-risky-business-the-international-regulatory-framework-of-spyware-companies-where-it-is-lacking-and-where-it-is-heading/.

[6] Angela Giuffrida & Stephanie Kirchgaessner, Italian Government Approved Use of Spyware on Members of Refugee NGO, MPs Told, Guardian (Mar. 27, 2025), https://www.theguardian.com/world/2025/mar/27/italian-government-approved-use-of-spyware-on-members-of-refugee-ngo-mps-told.

[7] G.A. Res. 217 (III) A, Universal Declaration of Human Rights, at art. 12 (Dec. 10, 1948).

[8] International Covenant on Civil and Political Rights, art. 17, Dec. 19, 1966, 999 U.N.T.S. 171.

[9] Convention for the Protection of Human Rights and Fundamental Freedoms, art. 8, Nov. 4, 1950, 213 U.N.T.S. 221, E.T.S. No. 5.

[10] Organization of American States, American Convention on Human Rights, art. 11, Nov. 22, 1969, O.A.S.T.S. No. 36, 1144 U.N.T.S. 123.

[11] Int’l Comm’n of Jurists, Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights (Apr. 1985).

[12] Eugenia Lostri, PEGA Committee Votes on Spyware Recommendations, Lawfare (May 17, 2023), https://www.lawfaremedia.org/article/pega-committee-votes-on-spyware-recommendations.

[13] The Pall Mall Process: Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities, UK Foreign, Commonwealth, & Dev. Office (Feb. 6, 2024), https://www.gov.uk/government/publications/the-pall-mall-process-declaration-tackling-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities/the-pall-mall-process-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities.

[14] EU: Final Vote on Spyware Inquiry Must Lead to Stronger Regulation, Amnesty Int’l (June 15, 2023), https://www.amnesty.org/en/latest/news/2023/06/eu-final-vote-on-spyware-inquiry-must-lead-to-stronger-regulation/; Joint Statement: States Must Take Immediate Action to Stop Spyware Threatening Press Freedom, Access Now (May 3, 2023), https://www.accessnow.org/press-release/spyware-press-freedom-statement/; Civil Society Joint Statement on the Use of Surveillance Spyware in the EU and Beyond, Ctr. for Democracy & Tech. (Sep. 3, 2024), https://cdt.org/insights/civil-society-joint-statement-on-the-use-of-surveillance-spyware-in-the-eu-and-beyond/.

[15] Mike Sexton, Unregulated Spyware’s Threat to National Security, Third Way (June 22, 2023), https://www.thirdway.org/memo/unregulated-spywares-threat-to-national-security.