Full Text | 'When US Govt Entered the Chat, It Transformed Talk on Spyware Threatening Democracy'

The Citizen Lab’s John Scott-Railton says the US government’s executive order disincentivising spyware is important, but there are many concerns that remain over the ability of authoritarian governments to deploy spyware and damage democracy.

The second Summit for Democracy event, showcased by the US administration as a big one for its ‘pro-democracy agenda’, was co-hosted by the Republic of Korea, the Republic of Zambia, Costa Rica, and the Netherlands, and it covered many subjects. But a highlight was the intersection of technology and democracy, and broadly, how surveillance technologies have been used by authoritarian governments to undermine democracies.

On Monday, the US released a new executive order on commercial spyware. This tries to disincentivise manufacturing spyware: if a vendor sells spyware to repressive governments, or its spyware has been used against US citizens, that vendor will no longer be allowed to receive federal contracts. John Scott-Railton of Citizen Lab, which has been at the forefront of revealing details of how military-grade software like Pegasus works, has said that the new Order by the US is “the first comprehensive action by any government on spyware,” although he added several caveats. This new Order carries forward other actions, such as the addition of foreign spyware companies, most notably Israel’s NSO Group, to a government blacklist.

Yesterday, the Financial Times reported that, unmindful of the risks to democracy posed by the alleged use of Pegasus in India but concerned by a “PR problem”, the Narendra Modi government is looking to spend up to $120 million (over Rs 986 crores) on new spyware sold by firms less exposed than Israel’s NSO Group, which sells Pegasus.

In 2021, The Wire, along with an international consortium of news outlets led by French media non-profit Forbidden Stories, broke the story on how journalists’, opposition leaders’, government critics’ and activists’ phone numbers were on a list of presumed Pegasus targets accessed by Forbidden Stories. 

In a discussion on repressive technologies, moderated by Marietje Schaake, International Policy Director at the Cyber Policy Center and International Policy Fellow at the Institute for Human-Centered Artificial Intelligence at Stanford University, and featuring Citizen Lab senior researcher John Scott-Railton, US Director of National Intelligence Avril Haines, and YouTube CEO Neal Mohan, this is what John Scott-Railton had to say:

I am a stand-in for Director Ron Deibert, who has written a really interesting article, not long ago, in foreign policy, on the topic of the sort of exploding proliferation of mercenary spyware and commercial surveillance. I highly recommend you read it. That said, sitting in the green room, just before coming in here, listening to the talk given by DNI, I was reflecting on how many of the things that you evoked are things that civil society has been saying for a decade, and feeling mostly in the wilderness about it.

For a decade, civil society groups and researchers have been finding evidence of the abuse of commercial spyware, mercenary spyware technology against civil society. And we have been sounding the alarm until we are hoarse. And unfortunately, for many of those years, I think people saw this issue as a human rights problem. Something bad, something regrettable. Most governments didn’t want to talk about it. 

The reason, national security. Sort of like the arms market, before this was something not to be talked about. But things began to change. They changed not just because of the mountain of abuses that researchers, like us, Amnesty International, Access Now, and many other groups around the world have found. They changed because of the pace of proliferation, which was so fast and dramatic that it began harming US companies, big platforms, and their interests. And they moved from a posture of technical mitigation to a posture of legal engagement to try to block the proliferation of mercenary spyware. But it didn’t stop there. Somehow, not long ago in 2021, the government, the US government, entered the chat. And that really was the third leg of the stool of the problem, after civil society and tech. 

And the first thing that the US government did was put the NSO Group [the company that sold Pegasus], and 3 other commercial spyware founders, on the entity list. Now, at the time I remember thinking, “The entity list. This doesn’t feel like a very meaty sanction. What does this really mean?”

What’s interesting though is that it had an outsize impact on the industry, because suddenly companies that had been engaged in this really reckless proliferation were beginning to wonder if the music was going to stop, and more recently, in fact this week, we’ve seen a remarkable set of actions by the US government. And then today, a series of actions by a joint group of governments around the world. Great! I think what’s remarkable is that it took us so long to get here.

It took us so long for civil society sounding the alarm, but at the end of the day, it really required the recognition that the problem of mercenary surveillance was one that cut across considerations of our communities and of your communities; tech and government. 

So all good, right? Well, sort of. We’re in a period where the interests of these different groups have aligned. And it’s remarkable, and we are seeing change. But there are still major gaps. For example, the executive order, a remarkable document, in many ways that I think is going to pump the brakes on proliferation, has gaps in how it talks about how the US government would use spyware and mercenaries renounce tools, and around transparency, and how technology is imported, and how technology is exported.

To me, that’s a key gap and it reminds me of why civil society is so important, which is we say the uncomfortable things. Not only about the abuses, but about what we need in order to move further. And often what we need is more transparency and clarity.

I’m just going to flag this, which is today, there was this joint statement. And the thing that most heartened me about it was actually some of the first bullet points, which actually pointed out that a group of governments are going to commit to being more accountable in how they use commercial and mercenary spyware. Great! I hope that counts for the United States too. Thanks. 

You can watch the entire discussion here.