A coalition of dozens of countries including France, the United Kingdom and the United States, along with tech giants such as Google, Meta and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.
The news comes a day after the United States announced a visa restriction policy for those he believes are abusing these tools.
Commercial spyware, such as Pegasus from the NSO group, is usually installed on iPhone or Android devices and can intercept phone calls; intercept messaging; take photos with cameras; exfiltrate app data, photos, and files; and take voice and video recordings. The tools usually make use zero-day exploit for initial access and sell for millions of dollars, meaning their target market tends to be global government customers and large commercial interests.
For their part, commercial spyware (CSV) vendors usually position themselves as legitimate companies that help law enforcement and other public sector entities apprehend criminals. Critics, on the other hand, argue that they simply sell cyber weapons to the highest bidders, including repressive regimes that seek to surveil members of civil society: political opponents, dissidents, journalists, activists and others. Victims are then targeted for further human rights abuses, many have said, including Google, which today issued a document Detailed report on the rapidly proliferating CSV market.
Pall Mall: Commercial spyware under scrutiny
In a speech today at the UK-France Cyber Proliferation Conference at Lancaster House in London, Britain’s Deputy Prime Minister Oliver Dowden announced the launch of the spyware initiativedubbed the “Pall Mall Process,” which will be a “multi-stakeholder initiative… to address the proliferation and irresponsible use of commercially available cyber intrusion capabilities,” he explained.
More specifically, the coalition will establish guidelines for the development, sale, facilitation, purchase and use of these types of tools and services, including defining irresponsible behavior and creating a framework for their transparent use Is responsable.
He also announced that the UK will invest £1 million in the non-profit organisation Shadowserver Foundationto “help them expand the access they provide to early warning systems and cyber resilience support for people affected by cyber attacks.”
Dowden noted, “The scope [of our efforts] must be broad, not only looking at spyware, but also considering the phenomenon of “hackers for hire”, the exploit market, together with the wider range of “off-the-shelf” intrusion capabilities, including tools with disruptive and destructive effects .
Ongoing government anti-spyware efforts
According to Recorded Future, 24 of the 35 states and organizations present at the Lancaster House conference signed the pledge, agreeing to “engage in ongoing and inclusive dialogue at the global level, complementary to other multilateral initiatives”, with a follow-up meeting set for next year. in France.
While a full account of attendees at the event has not been made public, Recorded Future reported that a number of countries – including Cyprus, Greece, Italy and Singapore – have all signed the pledge, while Hungary, Mexico, Spain and Thailand, among others, have not. Israel, which is home to many CSVs, including the NSO Group, did not participate in the event.
This is not the first attempt to combat malicious government use of commercial spyware; last march, the biden administration issued a executive order imposing restrictions on its use by federal agencies.
“The United States remains concerned about the growing misuse of commercial spyware around the world to facilitate repression, limit the free flow of information, and enable human rights violations [which] threatens privacy and freedoms of expression, peaceful assembly and association,” US Secretary of State Anthony Blinken said in yesterday’s announcement on visa restrictions. “Such attacks have been linked to arbitrary detentions, enforced disappearances and extrajudicial killings in most striking cases. cases”, probably referring to the Killing of Jamal Khashoggi in 2018.