Governments spying on citizens: Who is to blame, what can the EU do?

In recent years, revelations about governments’ use of spyware to target political opponents and civil society represenatitives has been rampant. These actors need to face accountability for their actions and a comprehensive approach involving international engagement is necessary to deal with spyware.

Silvia Lorenzo Perez is the programme director of security, surveillance and human rights at the Centre for Democracy and Technology Europe (CDT Europe) 

The Polish Ministry of Justice recently revealed nearly 600 individuals were targeted with Pegasus spyware during the previous administration. This announcement provides further evidence of the troubling reality the European Parliament’s PEGA committee uncovered: EU governments deploy spyware surveillance against their citizens for nefarious purposes unrelated to national security.  

Before the Pegasus revelations, debates on regulatory aspects of spyware had been confined to cybersecurity, trade, defence and foreign policy. That lens placed responsibility and potential criminal liability primarily on the private entities, known as cyber mercenaries, who developed or wielded the tools to conduct cyber intrusion operations that threatened states’ national security.

Governments evaded accountability for their actions, shielding themselves from guilt with the secrecy surrounding national security operations. However, the spotlight rightfully shines on the state as a key perpetrator after the Pegasus scandal.   

When attributing responsibility for spyware abuse, we should question whether placing all the responsibility on the private actors who develop and sell the tools will adequately address the problem.

The PEGA Committee’s findings indicate that governments are major customers and active participants in spyware development and deployment. States purchasing and developing spyware technologies for their intelligence or law enforcement agencies undeniably bear responsibility for the resulting human rights violations.

Spyware vendors flourish because their clients are governments willing to pay large sums for these tools.  

Governments wield considerable influence in the cyber realm and must face accountability for their actions. Society must ensure that governments cannot evade responsibility by hiding behind the secrecy privilege inherent to the field of intelligence. This approach promotes irresponsible behaviour in cyberspace and hinders the establishment of adequate mechanisms for accountability and redress for victims of unlawful surveillance.  

Under international and EU law, governments are responsible for upholding human rights even within national security operations. Impunity for human rights violations caused by spyware abuse undermines the rule of law and erodes society’s trust in governmental institutions. A comprehensive approach encompassing regulation, diplomatic efforts, research, and international engagement is essential to address evolving threats from state-sponsored spyware.

The European Parliament has urged the EU Commission to lead in establishing a robust framework with fundamental rights safeguards against spyware misuse. However, the EU Commission’s response to date has been underwhelming, and the Council of the EU has consistently shut down any opportunity to clarify its strategy for addressing the numerous instances of maladministration and abuse of power by the member states documented by the PEGA Committee.

Spyware victims and EU society still await an appropriate EU response to this threat to fundamental rights.   

In contrast, individual member states have engaged in the Pall Mall Process, an initiative kickstarted in February 2024 led by the French and British governments that brings together states, international organisations, private industry, academia, and civil society to address the proliferation and irresponsible use of commercial cyber intrusion tools and services.

Countries pledged to develop policy solutions based on accountability, precision, oversight, and transparency.  

Across the pond, the US administration is leading action against spyware vendors by imposing sanctions and rallying global commitment to develop and implement policies to combat the misuse of commercial spyware to safeguard universal human rights and the rule of law.

Many EU member states have endorsed these initiatives, which, although paradoxical considering their reluctance to do the same within the EU, can be interpreted as implicit recognition of the need for regulatory solutions. 

Compared to the lack of action by the EU Commission and Council, these initiatives spark mild optimism.

Combating the proliferation of spyware indeed calls for international cooperation and coordination, and EU member states must work together to share information and exchange best practices.

They also have to develop mechanisms for tackling these capabilities’ proliferation and irresponsible use, impose sanctions on commercial vendors, constrain their use of spyware, and establish effective avenues for victims to obtain redress.

These initiatives must not become missed opportunities to effectively and meaningfully address the big questions about protecting human rights and the rule of law

As these efforts progress, civil society has an essential role to play, not only as representatives of the public interest and defenders of the rule of law and human rights but also as stakeholders disproportionately impacted by unlawful surveillance due to their activities to hold governments accountable.

Organisations in Europe and the rest of the world must come together to lead the public debate, take their rightful place at the negotiating table, and demand measures to be taken to uphold human rights.