What's In Blue

Posted Tue 14 Jan 2025

Arria-formula Meeting on “Commercial Spyware and the Maintenance of International Peace and Security”

This afternoon (14 January), the US will convene an Arria-formula meeting on the implications of the proliferation and misuse of commercial spyware for the maintenance of international peace and security. The meeting is being co-sponsored by Council members France, the Republic of Korea (ROK), and the UK, together with Australia, Austria, Canada, Estonia, Finland, Japan, Latvia, Lithuania, the Netherlands, Norway, Poland, and Sweden. Briefings are expected from John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto, which investigates digital espionage targeting civil society, among other issues; Shane Huntley, senior director at Google’s Threat Analysis Group, which focuses on detecting, analysing, and disrupting government-backed threats against Google and its users; and Julia Gavarrete, a Salvadoran journalist specialising in political issues, migration, and human rights, who has been the target of spyware attacks.

The meeting, which will begin at 3 pm EST and take place in the ECOSOC Chamber, will be broadcast on UNTV.

The concept note prepared by the US says that the meeting aims to provide member states with an opportunity to advance global dialogue on the challenges posed by commercial spyware and explore strategies to mitigate the risks associated with its use in the context of peace and security. It highlights spyware tools capable of providing “zero-click” access to all data stored on internet-connected devices, such as mobile phones and laptops—including emails, photos, messages—and of gaining access to the microphone. Furthermore, the concept note warns that governments are using such spyware to “surveil, intimidate, imprison, track, or target individuals without proper legal authorisation, safeguards, or oversight”.

The concept note further maintains that the misuse of commercial spyware presents serious and immediate threats to international security, endangering the safety of government and UN personnel and compromising critical information systems. It provides several examples of spyware abuse. It notes, for instance, that in May 2023, independent researchers revealed that public figures and officials—including journalists and human rights defenders—were targeted with spyware during the Nagorno-Karabakh conflict between October 2020 and December 2022. The Rapid Support Forces (RSF) in Sudan also allegedly imported commercial spyware for use in the ongoing conflict in the country. Additional reports have confirmed the use of commercial spyware against individuals in regions and conflicts where UN peacekeeping missions are active, according to the concept note.

The concept note poses several questions to help guide the discussion, including:

  • How could member states govern the proliferation and use of commercial spyware?
  • What additional steps can member states take to discourage investment in and the export of commercial spyware products that are routinely misused in ways that undermine international peace and security, as well as fundamental human rights?
  • What steps can member states take to ensure appropriate safeguards are implemented to mitigate potential risks associated with the use of commercial spyware in conflicts?

Human rights experts have been raising concerns about the use of spyware for years. In 2019, David Kaye, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression at the time, published a report highlighting the impact of surveillance technology on human rights. He recommended an immediate moratorium on the sale and transfer of such technology until international regulations with human rights safeguards were implemented.

In recent years, several non-governmental organisations have sought to tackle the challenges posed by the spyware market and its effects on individuals. In July 2021, Forbidden Stories (an investigative journalism consortium), with support from Amnesty International, released findings about the use of the Pegasus spyware, which is sold by the Israeli cyber-intelligence firm NSO. These findings brought global attention to the widespread use of hacking tools for targeted and covert surveillance of digital devices.

The latest report on the right to privacy in the digital age, published by the Office of the UN High Commissioner for Human Rights (OHCHR) on 4 August 2022, stressed that tools such as Pegasus—which can turn most smartphones into “24-hour surveillance devices”—could “affect the essence of the right to privacy and interfere with the absolute rights to freedom of thought and opinion”. It adds that: “while purportedly being deployed for combating terrorism and crime, such spyware tools have often been used for illegitimate reasons, including to clamp down on critical or dissenting views and on those who express them, including journalists, opposition political figures and human rights defenders”. The report emphasises that urgent steps are needed to address the spread of spyware.

The UN General Assembly and the Human Rights Council (HRC) have consistently emphasised that member states should refrain from unlawful or arbitrary surveillance, including hacking. In October 2023, several member states—including Security Council members Denmark, France, Greece, the ROK, Slovenia, the UK, and the US—issued a joint statement highlighting the increased risks posed by surveillance technologies and the critical need for safeguards in their use. On 11 October 2024, the HRC adopted resolution 57/29 on the promotion, protection and enjoyment of human rights on the internet, its first resolution containing language expressing concern over commercial spyware and other surveillance technologies.

Member states have launched multiple initiatives to tackle commercial spyware. On 30 March 2023, during the second Summit for Democracy, a group of 11 member states issued a joint statement on efforts to combat the proliferation and misuse of commercial spyware. By 22 September 2024, 22 countries—including Council members Denmark, France, the ROK, the UK, and the US—had endorsed this statement. Signatories committed to implementing strict safeguards to ensure government use of commercial spyware aligns with human rights, the rule of law, and civil liberties; restricting exports to end-users likely to engage in malicious cyber activities; and cooperating with industry partners and civil society.

In February 2024, France and the UK launched the Pall Mall Process, a state-led, multistakeholder initiative aimed at developing guiding principles and policy options to address the threats posed by the widespread availability of advanced commercial Information and Communication Technology (ICT) intrusion tools to both state and non-state actors. Between August and October 2024, the UK and France invited views on good practice relating to commercial cyber intrusion capabilities. The responses were collated into a summary report.

At today’s meeting, Council members are expected to express support for efforts to mitigate the risks of commercial spyware, including through multilateral discussions within the UN system. Some members may advocate for ensuring the lawful and responsible use of these technologies in line with domestic laws and international obligations. They may urge governments to establish safeguards for the collection, handling, and disclosure of personal data obtained through these tools to protect human rights and uphold the rule of law. Emphasis may also be placed on promoting transparency, oversight, and accountability as well as addressing unlawful or unintended bias in governments’ use of these tools. Several Council members may also encourage cooperation with industry partners, civil society, and other stakeholders to inform approaches and foster responsible practices in this sector.

Council members are expected to present diverging views on the Security Council’s role in addressing spyware. Some may question its relevance to the Council’s mandate, advocating for broader discussions in the General Assembly and specialised forums to avoid duplication.

Russia is likely to question the motives for convening today’s meeting. During a May 2023 Arria-formula meeting titled “Responsibility and Responsiveness of States to Cyberattacks on Critical Infrastructure”, Russia accused US intelligence agencies of having established “a global system for the use of spyware and the interception of personal data”. Similarly, at the Open-ended Working Group (OEWG) on security of and in the use of information and communication technologies, Russia circulated a non-paper on “spyware and its use by US intelligence services”, accusing the US of using surveillance programmes “uncontrollably” and encouraging their development.
