About the author: Susan Ariel Aaronson is research professor of international affairs and the director of the Digital Trade and Data Governance Hub at the George Washington University. She is also Senior Fellow at CIGI, in Waterloo, Canada.
Almost every day we get a reminder that the Internet is both wondrous and a dark and scary place. An important one came on Wednesday, when we learned that a judge in the United Kingdom found that the ruler of Dubai hacked the phone of his ex-wife and her lawyers in an unlawful abuse of power.
We must respond with a call to action.
Researchers from the University of Toronto’s Citizen Lab have made researching and exposing online corporate malfeasance their mission. They have documented the rise of firms that create and export products and services that hack and surveil individuals without their knowledge or consent, perpetuate disinformation, and create cyber-insecurity. The U.N. has described some of the firms producing such goods and services as cyber mercenaries, a 21st-century update of an old business model. Because the products and services these firms provide undermine human rights, democracy, encryption and online trust, they are a threat to us all.
Some of these firms have created and exported spyware, a form of malware. Malware can be defined as malicious code that causes computers to do things that their users would not want, such as erasing files, taking remote control of computers, or damaging physical equipment. Because malware is relatively cheap to develop and deploy, developers continue to create ever more malicious and insidious products and services.
In October 2018, Citizen Lab reported that government officials in 30 countries purchased a form of malware called Pegasus, created by an Israeli firm called the NSO Group. The researchers found these governments used Pegasus to spy on human rights activists, journalists, and political opponents. But it was not until 3 years later that the world paid attention. In July 2021, the Pegasus project, a journalistic consortium, revealed details of some 50,000 phone numbers of individuals allegedly selected as candidates for possible surveillance by NSO’s government clients, including Saudi Arabia, the United Arab Emirates and Hungary. The list included the phone numbers of 14 heads of state, including French President Emmanuel Macron, as well as journalists, policymakers, human rights activists and business executives.
The NSO Group has denied both the 2018 and 2021 allegations, saying that Pegasus is designed to help governments fight terrorism and organized crime. The firm says its products are subject to strict export controls, and its governmental clients must show they will use the product for those purposes alone. Moreover, NSO notes that the government of Israel considers the human rights practices of these governments when it decides whether to approve the export of the company’s software.
Nonetheless, the company has acknowledged that in some instances, its clients have used NSO tools to monitor individuals who fall outside the scope of what the company has deemed appropriate use—legal surveillance of criminals, including terrorists. But as Citizen Lab and others have shown, once a country has gotten a license for or obtained NSO’s products, that nation can largely use the product how it wishes, as long as it is in accordance with the country’s own laws governing surveillance. Unfortunately, some states have no such rules or minimal enforcement of such rules.
Citizen Lab has also documented that many other firms from G-7 nations operate in this lucrative and expanding space. In its 2021 threat report, Facebook noted that demand for disinformation manufactured by private firms is growing because these firms provide both deniability and greater visibility. In 2020, researchers at the Oxford Internet Institute estimated that some 65 firms deployed computational propaganda on behalf of a political actor in 48 countries. They also estimated that some “$60 million was spent on hiring these firms since 2009.”
Meanwhile, Moody’s sees disinformation and malware as a growth market worth approximately $12 billion. It notes that firms like NSO provide essential services for some governments. Moreover, these firms are likely to find a whole new vector for their services in the internet of things, such as “wearables,” a sector expected to surpass $77 billion by 2025. When we use smart watches, smart clothes and other such items, we provide even more opportunities for surveillance.
Given these reports, our data-driven future looks dismal. But there are things that you, I, and other users can collectively do to reduce the footprint of modern-day mercenaries. First, policymakers need to do more to educate the public that just as their privacy may be breached online, they are at risk from dangerous malware. Second, they also need to do a better job of monitoring which governments buy and which firms sell these surveillance products. Third, users and civil society groups can sue these companies for the damage to human rights.
Policymakers should also use trade agreements to ban trade in cyber mercenary services. Trade agreements already regulate spam; trade negotiators could use them to ban cross-border disinformation services and the use of bots to send disinformation across borders. Individual nations can also create clearer rules to govern the export of these services. For example, the U.S. Department of State has issued guidance on how sales of surveillance products should be regulated. The Department suggests that firms should carefully review “whether the foreign government end user’s laws, regulations, and policies that implicate products and services with surveillance capabilities are consistent with the Universal Declaration on Human Rights.”
The data-driven economy should not be ruled by the law of the jungle but by man-made rules. Citizen Lab has brought sunshine to the markets for malicious information flows. Now we need to act.
Guest commentaries like this one are written by authors outside the Barron’s and MarketWatch newsroom. They reflect the perspective and opinions of the authors.