France, the UK, the US, and others will work on a framework for the responsible use of tools like NSO Group's Pegasus, and Shadowserver Foundation gains £1 million investment.

A blue eye overlaid with scanning animation
Source: Robert Brown via Alamy Stock Photo

A coalition of dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

The news comes a day after the United States announced a visa restriction policy for those it deems to be abusing such tools.

Commercial spyware, such as NSO Group's Pegasus, is usually installed on iPhones or Android devices and can eavesdrop on phone calls; intercept messaging; take pictures with the cameras; exfiltrate app data, photos, and files; and take voice and video recordings. The tools usually make use of zero-day exploits for initial access and sell for millions of dollars, meaning that their target market tends to consist of global government clients and large commercial interests.

For their part, commercial spyware vendors (CSVs) usually position themselves as legitimate companies that aid law enforcement and other public-sector entities in apprehending criminals. Critics, on the other hand, argue that they simply sell cyber weapons to the highest bidders, including repressive regimes looking to surveil members of civil society — political opponents, dissidents, journalists, activists, and others. The victims are then targeted for further human-rights abuses, many have alleged, including Google, which today issued a detailed report on the rapidly proliferating CSV market.

Pall Mall: Commercial Spyware Under Scrutiny

At a speech at the UK-France Cyber Proliferation conference at Lancaster House in London today, UK Deputy Prime Minister Oliver Dowden announced the kickoff for the spyware initiative, dubbed the "Pall Mall Process," which will be a "multi-stakeholder initiative … to tackle the proliferation and irresponsible use of commercially available cyber-intrusion capabilities," he explained.

More specifically, the coalition will establish guidelines for developing, selling, facilitating, purchasing, and using these types of tools and services, including defining irresponsible behavior and creating a framework for their transparent and accountable use.

He also announced that the UK will invest £1 million into the nonprofit Shadowserver Foundation, to "help them expand the access they provide to early warning systems, and to cyber resilience support for those impacted by cyberattacks."

Dowden noted, "The scope [of our efforts] must be broad, not just looking at spyware, but also considering the 'hackers for hire' phenomenon, the exploit marketplace, alongside the broader range of 'off the shelf' intrusion capabilities, including tools for disruptive and destructive effect."

Ongoing Anti-Spyware Efforts by Government

According to Recorded Future, 24 of the 35 states and organizations attending the Lancaster House conference signed the pledge, agreeing to "engage in an ongoing and globally inclusive dialogue, complementary to other multilateral initiatives," with a follow-up meeting set for next year in France.

While the full accounting of attendees to the event has not been made public, Recorded Future reported that a range of countries — including Cyprus, Greece, Italy, and Singapore — all signed the pledge, while Hungary, Mexico, Spain, and Thailand, among others, did not. Israel, which is home to many CSVs, including NSO Group, did not attend the event.

This is not the first effort to combat malicious governmental use of commercial spyware; last March, the Biden administration issued an executive order imposing restrictions on its use by federal agencies.

"The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses [which] threatens privacy and freedoms of expression, peaceful assembly, and association," US Secretary of State Anthony Blinken said in yesterday's announcement on the visa restrictions. "Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases," likely referring to the Jamal Khashoggi killing in 2018.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights