While the EU has so far failed to take appropriate action against the most invasive forms of spyware, the Corporate Sustainability Due Diligence Directive (CSDDD) could offer a crucial opportunity for the EU to rein in the rampant human rights abuses of the surveillance technology sector, argues Hannah Storey.
Hannah Storey is policy advisor on business and human rights at Amnesty International.
In 2021, the Pegasus Project exposed how governments across the globe have used NSO Group’s highly invasive Pegasus spyware to unlawfully spy on human rights activists, political leaders, journalists and lawyers. Pegasus spyware was weaponised to intimidate and attempt to silence courageous people around the world.
High-profile journalist Nuria Piera described the feeling of being targeted with the technology: “It’s like being in quicksand. It really affects your sense of freedom, how free you feel to speak up.” Digital forensics have confirmed that journalists have been targeted with Pegasus in at least 18 countries, but the actual scale of this abuse of surveillance technology is likely to be much higher.
Two years later, an investigation by European Investigative Collaborations (EIC) — a partnership of over a dozen media organizations which was assisted by Amnesty International’s Security Lab — dubbed the ‘Predator Files’ has revealed that a suite of surveillance technologies created and sold by the EU-based Intellexa alliance, including a highly invasive surveillance technology called ‘Predator’, is being traded worldwide on a near industrial scale.
Predator spyware can silently infect nearby devices or be delivered through a malicious link. Once a targeted infection occurs, Predator can, like Pegasus before it, access unchecked amounts of data on the target’s device: it can read messages and access the microphone, documents, photos, contacts and call records. You name it, Predator can probably access it, all while the user is entirely unaware of its presence.
EIC and Amnesty International’s Predator Files investigation has revealed that Predator has been used to target EU officials, including the President of the European Parliament, Roberta Metsola, and EU-based activists and academics. In total, 50 social media accounts belonging to 27 individuals and 23 institutions from around the world were found to have been targeted between February and June 2023.
Not only does this misuse of spyware harm the rights of the individuals targeted but, in the words of the European Parliament’s PEGA committee (Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware), “the abuse of spyware is a severe violation of all the values of the European Union, and it is testing the resilience of the democratic rule of law in Europe.”
Since the Pegasus Project revelations broke, civil society has been calling for governments to ban the most invasive forms of spyware and regulate the surveillance sector. And yet, the Predator Files clearly demonstrate that the EU has failed to take appropriate action.
Worse still, the Intellexa alliance advertises itself as “EU-based and regulated”. Many of the companies in the alliance are based in EU member states, and despite export controls that are meant to regulate the sale of these technologies, Intellexa alliance’s products have been found in at least 25 countries across Europe, Asia, the Middle East and Africa. These companies remain free to operate in the shadows without oversight or genuine accountability.
There is, however, one ray of hope for accountability: the Corporate Sustainability Due Diligence Directive, which offers a crucial opportunity for the EU to rein in the rampant human rights abuses of the surveillance technology sector.
Currently being finalised by EU policymakers, the directive will create new human rights rules for businesses, requiring companies operating in the EU to identify and then address human rights risks related to their operations. It will also provide a new way to hold companies to account in European courts if they have contributed to human rights abuses around the world.
And yet the Council of the European Union wants spyware to be excluded from these new rules. Last year, when the Council reached its position on the due diligence directive, it suggested that all products subject to export control be exempted.
Such a position might be defensible if such products were already adequately regulated under other laws, but as the Predator Files investigation has revealed, highly invasive spyware continues to be sold despite existing export checks. As the Pegasus Project exposed, and the Predator Files have now underscored, export controls alone are not sufficient to address the harm inflicted by these technologies.
The due diligence directive offers a chance for the EU to ensure that surveillance technology companies are no longer able to ignore the serious human rights implications of their technologies.
If they were included in the directive, the surveillance sector would be required to introduce human rights safeguards. And if they failed to do so, they could be held to account.
This matters more than ever because we are seeing time and again how companies contribute to human rights abuses around the world, whether that is targeting journalists with highly invasive spyware, forcibly evicting communities to make way for cobalt mines in the DRC, or failing to clean up oil spills in Nigeria.
As EU policymakers enter final negotiations on the corporate sustainability due diligence directive, they should keep the Predator Files and Pegasus Project revelations in mind. The opportunity to restrain the growing impact of the surveillance technology sector on human rights should not be missed. To protect people both inside and outside the EU, spyware must not be excluded from new corporate due diligence rules.