Canada, the United States, France and the U.K. are among 25 countries, along with several groups representing nations, that vowed today to take action on the abuse of commercial spyware by certain governments and law enforcement agencies.
What is called the Pall Mall Process — after the initial two-day meeting in London — promised to create principles for governments and the IT industry to oversee the development and use of these applications.
IT giants such as Google, Microsoft and Meta also took part in the conference. Signatories to the declaration also included the African Union, representing 55 countries, and the Gulf Co-operation Council, representing six countries including Saudi Arabia.
Among the tools available to countries that are home to spyware developers are export controls that bar the sale of spyware to certain countries. Another would be rules limiting the use of spyware by government departments or police departments. For example, last year U.S. President Joe Biden issued an executive order barring federal agencies from using commercial spyware unless they have approval from the White House.
Separately from the Pall Mall Process announcement, the U.S. announced on Monday that visa restrictions will be imposed on anyone trying to enter the country who is known to have misused commercial spyware.
Commercial spyware, typically installed surreptitiously on mobile devices when a victim clicks on a link or visits an infected website, is often marketed as being sold only to police departments or intelligence agencies for use against crooks or foreign spies. However, some countries use it to spy on activists and reporters.
Spyware aimed at consumers can also be found in mobile app stores, marketed as tools employers can use to snoop on staff, or a way a person can keep tabs on their partner.
Unspecified actions should be taken to hold accountable states whose activity is inconsistent with international human rights law, and to hold non-state actors to account through domestic systems, the Pall Mall Declaration says in part.
“The growing commercial market enabling the development, facilitation, purchase, and use of commercially available cyber intrusion capabilities raises questions and concerns over its impact on national security, human rights and fundamental freedoms, international peace and security, and a free, open, peaceful, stable, and secure cyberspace,” participants agreed in the declaration.
“Without international and meaningful multi-stakeholder action, the growth, diversification, and insufficient oversight of this market raises the likelihood of increased targeting for profit, or to compromise a wider range of targets, including journalists, activists, human rights defenders, and government officials,” the declaration says. “It also risks facilitating the spread of potentially destructive or disruptive cyber capabilities to a wider range of actors, including cyber criminals. Uncontrolled dissemination may increase the breadth of access to sophisticated capabilities and, as a consequence, the complexity of incidents for cyber defence to detect and mitigate. This trend risks contributing to unintentional escalation in cyberspace.
“We recognize that, across the breadth of this market, many of these tools and services can be used for legitimate purposes, but they should not be developed or used in ways that threaten the stability of cyberspace or human rights and fundamental freedoms, or in a manner inconsistent with applicable international law, including international humanitarian law and international human rights law. Nor should they be used without appropriate safeguards and oversight in place. We resolve to explore the parameters of both legitimate and responsible use.”
A follow-up conference will be held next year in France.
The conference comes after groups including the University of Toronto’s Citizen Lab published investigations into the use of software like Pegasus, presumably by governments.
In the latest report, Citizen Lab and Access Now say the iPhones of certain reporters and lawyers in Jordan were targeted or infected with Pegasus.
“Generally speaking, this process is a positive step, albeit incomplete,” Citizen Lab director Ron Deibert said in an email. “It is good that governments recognize the serious harms caused by the mercenary spyware and hack-for-hire industry and are pledging to take action to mitigate those harms. It is now important that governments translate those words into action. Many governments are still very much in the hacking business, and the agencies that employ these tools are notoriously shrouded in secrecy and lacking public accountability, including Canada.”
This isn’t the first action some governments have taken to try to rein in the use of spyware. Last March, 11 countries, including Canada and the U.S., issued a joint statement on the misuse of commercial spyware,