14 January 2023

Spyware

'Selling Surveillance' (Indiana Legal Studies Research Paper No. 495) by Asaf Lubin comments 

There is a vast and growing network of private companies selling spyware—tools and services that provide their clients with unprecedented access to smartphones, laptops, and other internet-connected devices. Investigative reporting and work by civil society have now repeatedly confirmed the systematic abuses of these technologies by government actors to target human rights activists, journalists, and dissidents around the world. 

A large group of UN human rights special rapporteurs, civil society organizations, and members of the European Parliament have recently called for an immediate and global moratorium on the sale, transfer, and use of spyware technologies. The paper argues that such calls are not only impractical, but they are also hypocritical and pose a danger to public safety and the future integrity of our information and telecommunication technologies. Ad hoc litigation and ex post blacklisting and sanctions are similarly inapt in generating sufficient deterrence. 

As an alternative to these flawed approaches, this paper makes the case for an international system to standardize the commercial spyware industry, which I call the “Commercial Spyware Accreditation System” (CSAS). The paper first explains the limits of existing domestic and international regulation—including international export control law, international human rights law, and corporate social responsibility—in constraining the negative externalities of the commercial spyware trade. The CSAS model responds to these limitations by proposing a multistakeholder forum with a set of binding controls, enforced through governmental licensing and contracting, that could mitigate the harms produced by these technologies. The control spans the five stages of the spyware lifecycle: (1) development and investment; (2) marketing and sale; (3) client management; (4) spyware diplomacy; and (5) client and product/service termination. 

Policy makers both in the United States and across the Atlantic are engaging in an ongoing dialogue to develop new international instruments that effectively respond to the threat of spyware. This paper aims to provide these regulators with a set of innovative tools that have not been considered before in the literature.