By: Kyoolee Park*

A recent New York Times article describes a lawsuit filed in late October by WhatsApp against the NSO Group, which alleges that the Israeli company’s spyware compromised roughly 1,400 mobile devices of WhatsApp users. The article also alleges that the Israeli Government has stood behind the company despite numerous reports of illegitimate use of the spyware. Frustrated by Israeli’s unwillingness take any regulatory action, Amnesty International sued the Israeli Ministry of Defense in May, demanding that the Ministry revoke NSO Group’s export license. As of today, the NSO Group’s export license still stands (it would appear) and the company continues to enjoy ability to sell spyware to governments worldwide, exposing human rights defenders, journalist, politicians, and others to illegitimate surveillance and other potentially grave human rights violations.

The June 2019 report by the Special Rapporteur on freedom of expression observed such relationships between surveillance technology companies and governments. While the exact contours of these relationships remain unclear due to limited information available to the public, investigations indicate that the partnership between private actors in the industry and governments can be illustrated in two ways.

First, companies maintain close ties with the State where the business is located. Such partnerships may be rooted in the profitability of the surveillance market; as the demand for highly sophisticated surveillance tools continues to increase across the world, governments may want to capitalize on these lucrative business opportunities. According to one report, the United Kingdom has sold weapons and other equipment including “intrusion software” worth £7.3 billion ($9.9 billion) to the UAE alone in the past decade.  The report explains that the U.K. government recently pledged £22 million ($30 million) in funding for a new cyber business park next to its surveillance agency (Government Communications Headquarters) in Cheltenham, stating that “the park will act as a ‘honeypot’ for cyber security and high tech supply chain businesses.” The proximity of this new hub to the GCHQ is telling. The plan suggests the government’s close connection to surveillance technology companies, and its intention of continuing the mutually beneficial relationship.

The U.K. government is hardly alone in its efforts to reap profits from the growing demand for surveillance tools. Some States, like China, are much more aggressive and proactive in creating, as this Forbes article put it, “an integrated web of collaboration between government-sponsored surveillance companies.” In China, the government sponsorships, (intentionally) lax export controls, access to closed state procurements, and preferential tax treatments enable companies to improve technologies and to export their products at lower costs in attempt to dominate the global market. Thus, the government of China, like many others, has taken a role of a supporter rather than a regulator of the industry.

On the other hand, the relationship that companies have with their customers, i.e. the government end-users, also transcends mere supplier-buyer interactions and extends to long-lasting service arrangements or other forms of partnership where private actors become deeply involved with government operations. For example, as this Washington Post article found, Saudi political activist Omar Abdelaziz alleged that Cyber Technologies, an affiliate the NSO Group, continued to service the Saudi government officials even after the sale of its spyware Pegasus, “helping [the government] solve problems that arose with cyber-monitoring systems.” As another example, two lawsuits filed by a Qatari citizen and a group of journalists and human rights defenders in August 2018 alleged that an affiliate of NSO Group made attempts to spy on foreign government officials and recorded the calls of a journalist on behalf of the UAE government, which has been the company’s customer since 2013. 

Partnership between governments and private companies, which exists in many other industries, is generally accepted as a common business practice. Similarly, in the context of surveillance technology, such partnership is not condemnable in and of itself.  For instance, the sellers of digital surveillance technology may have legitimate intensions, and they are entitled to market their products and engage with customers including government end-users. States are free to support or maintain relationship with certain industries, particularly if they are extremely lucrative and beneficial for the economy. As for the purchasers of these products, States are also permitted under international human right law to obtain tools to conduct lawful interception of communications to the extent that the surveillance activities are provided by law, have a legitimate aim, and are necessary and proportional to the harm (see the June 2019 report).

Yet dangers arise when businesses get too close to governments, especially when there is weak regulatory and legal oversight governing the industry. This problem is aggravated by the lack of transparency around State regulatory decisions and company practices, which in turn diminishes accountability of the actors in the space. Sometimes the risk also entails a “revolving door” between government and business, through which employees glide from government jobs to private-sector jobs, carrying the techniques and training they obtained from classified government operations to the private sector. In other cases, civil society organizations have reported on how governments grant export licenses without subjecting companies to rigorous human rights due diligence or reporting requirements. In light of these revelations, States and companies must be reminded of the inadequacy of the current regulatory frameworks and their responsibilities to protect freedom of expression and privacy of individuals under the human rights law. As more States jump into the digital surveillance technology arms race and as surveillance technology becomes increasingly sophisticated, the risks to human rights will only grow. It is imperative that States implement comprehensive export controls with human rights considerations to mitigate the threats, and companies bring their policies and practices in line with the UN Guiding Principles on Business and Human Rights. In addition, as per Special Rapporteur’s report, co-regulatory initiatives with meaningful participation from civil society such as activists, technologies, academics, and victims are highly desirable, given the private companies’ inherent involvement with State functions.

*Kyoolee Park is currently an Advanced Clinic student at UCI Law International Justice Clinic 

Private Surveillance, Technology, Companies and States