US response to Predator spyware sets an example for the international community.

Updated: Mar 31

By Ethan Burk



Image: A padlock on a laptop in front of the word "spyware" (Reuters)


On October 8th, 2023, a team of European journalists (referred to as the European Investigative Collaboration) obtained highly sensitive documents detailing the ownership and use of a spyware program called Predator. These documents demonstrated how quickly spyware technology has advanced since the use of Pegasus in 2021. The documents also showcased something more complex than simply the use of spyware on high-value targets: the journalists uncovered an international business alliance selling powerful surveillance technologies at an industrial scale to different governments while circumventing export laws in their home countries. This partnership was called the Intellexa alliance, and its surveillance software has been linked to spying campaigns in Vietnam, Greece, and Turkey. Its software has also been linked to espionage on US government officials, EU officials, journalists, and human rights activists in different countries.

One of the most peculiar aspects of the Intellexa alliance is that its key member, the Intellexa group, brands itself as an “EU-based and regulated company.” In that statement, the group specifies that it is primarily based in EU member nations and that it is currently regulating its business practices to operate legally within those countries. While it is legal to export software such as Predator from EU member countries, the exporting company must obtain a dual-band exportation license. This license is used to regulate the sale of cyber-surveillance technologies that have been used for or involved with human rights abuses. What is concerning about the Intellexa alliance, however, is that through corporate maneuvering and the creative restructuring of their subsidiaries, the companies in the alliance have managed to obtain a dual-band exportation license despite their spyware’s involvement in human rights abuses in countries such as Angola, Egypt, and Libya.

The EU’s response to the discovery of the Intellexa alliance and the Predator spyware has been somewhat stagnant. This hesitancy could be due to a myriad of reasons involving the EU’s shared and exclusive competencies of power, which make it more difficult for the organization to address issues quickly, as the Union needs to balance the wants and needs of its several member states. Another factor that complicates the EU’s ability to sanction or indict the companies that are part of the Intellexa alliance is that several EU members have purchased their services and products before. France, Germany, and Austria have been found to have bought cyber-surveillance products from companies in the Intellexa alliance (though it is unknown whether they have bought the Predator mobile spyware specifically), and Greek officials have been connected to spyware campaigns using the Predator spyware to target high-ranking employees at Facebook. While the organization did implement the dual-band exportation license system in the wake of the Project Pegasus disclosure, there has been little consensus since then regarding how the organization should regulate the spyware market. This hesitancy contrasts with the US’s policy on foreign cyber-surveillance, which has been more proactive.

One of the biggest critics of the use of commercial spyware, like Predator, is the United States government. In March 2023, President Biden issued an executive order banning the operational use of commercial spyware that has posed a risk to national security, has been used by foreign nations to violate human rights, or has been used to target American citizens. In July of 2023, the US government’s Bureau of Industry and Security placed several key members of the Intellexa alliance on its entities list for malicious cyber activities. Congress has also given the Director of National Intelligence the power to cancel any spyware contracts in the US intelligence community, with the legislation receiving bipartisan praise and support. The Biden administration has urged other countries to follow this model of cyber-surveillance policy. At the 2023 Summit for Democracy, President Biden discussed how this executive order was part of a larger initiative titled “Advancing Technology for Democracy”. This initiative is a new diplomatic strategy focused on countering mass censorship, misinformation, and surveillance in authoritarian and democratic countries.

This initiative also follows a trend in US economic, security, and legal policy to reduce the number of foreign goods that could be used to spy on US officials. While these policies are mainly applied to products and companies that originate in countries adversarial to the US, there has also been a trend in the US to further regulate the international cyber-surveillance industry in democratic nations. The initiative has been picked up by other countries such as Denmark, Sweden, and Australia, which have committed to a joint statement on limiting the proliferation and exportation of commercial spyware. This international effort marks the beginning of a precedent that integrates human rights into surveillance and intelligence programs internationally.

