By its nature, spyware is a dual-use technology. This type of malicious software (malware) is programmed to infiltrate devices that are connected to the internet, such as smartphones or personal computers, record and store the user’s activities, and transmit data to a third party while remaining undetected. If put into effect with proper legal mandates by the military or by law enforcement agencies, spyware solutions can be effectively employed in a variety of ways for security purposes, from scanning for criminal activities, to monitoring terrorist organizations’ communications or ensuring children’s safety both online and offline.
Nonetheless, in the last couple of years, investigative journalists and watchdogs have been particularly engaged in tracking, documenting, and exposing the increasing deployment of cyber capabilities and surveillance tools devoted to politically motivated espionage. According to past inventories, in 2020 alone at least 10 different country cases of spyware misuse against civil society, activists, opposition groups, businessmen and other categories were registered. Those incidents were recorded in Hungary, India, Iran, Mexico, Morocco, Rwanda, Saudi Arabia, Spain, Thailand, and Turkey. Spanning from closed autocracies to liberal democracies, the heterogeneous political nature of this cluster of countries (as well as the uneven degrees of individual freedom guaranteed by the authorities) is quite evident.
To date, one of the best-known controversies is the Pegasus project with its homonymous spying technology, developed by the Israeli NSO Group. According to international investigations, the company was allegedly selling its tool to unknown customers to stalk members of government, journalists, diplomats, and politicians within the cyber domain, with cases involving, among others, member countries of the Alliance like France, Spain, and Poland. Furthermore, in November 2021 the Herzliya-based entity and its products were blacklisted by the United States since they are not aligned with “the foreign policy and national security interests of the US”.
But while the NSO Group is surely not the sole developer of spying technologies (for example, Advanced Persistent Threats (APTs), i.e. state-sponsored hacker collectives, bring out their own custom tools), there is a worrying trend emerging within EU and NATO countries. As demonstrated by the latest scandal that shook Greece and its government and intelligence services, spyware development activities have also become a European issue. According to the analyses carried out so far, the surveillance technology employed was released by Cytrox, a company founded in 2017 in North Macedonia that is now thought to be part of an intelligence company based in Greece. In addition, in June Google spotted malicious behaviour on smartphones in Italy and Kazakhstan carried out through spyware produced by an Italian vendor. In July, Microsoft detected a hostile Austrian tool hacking into law firms, banks and consultancies based in Austria, the UK and Panama.
This looming Orwellian scenario raises at least four open, tricky discussion points for the Euro-Atlantic institutions. On the technical side, the lack of clear and certain attribution of malicious activities is still a pivotal issue in the process of blaming those responsible for human rights violations and ensuring justice for the victims of privacy infringement. In this sense, enhanced cooperation between authorities and the private sector remains a fundamental driver.
From a legal point of view, adapting and extending the European General Data Protection Regulation (GDPR), making it resilient to a wide range of digital abuses in order to protect EU citizens and defend both their online and offline identities, could be an effective effort. In particular, the existing legislation should be implemented by considering the concept of corporate social responsibility for small, medium, and large companies. On the supply side, tech vendors should meet stricter quality standards and be pushed to follow strong ethical guidelines when selling their tools.
The third point concerns both the issue of internal consensus and the possible risks of escalation. Given the rising social polarisation and citizens’ decreasing level of trust in politics and institutions in the Western world, the possible malicious adoption of digital surveillance instruments by governmental bodies cannot but feed scepticism, discontent, conspiracy theories, or even hate towards the elite, with likely large-scale consequences for public order. Moreover, an intensification in the use of this kind of technology by institutional bodies could encourage retaliation by hostile actors like APTs or hacktivist groups, leading to an escalation in the deployment of cyber capabilities.
In conclusion, from the international perspective, the Alliance could serve as a useful forum of discussion to share best practices and fair conduct among NATO countries, and the EU could open a conversation, especially in the domain of Home and Justice Affairs. This process involves confidence-building measures, information sharing and the construction of mutual trust, as suggested by the Group of Governmental Experts (GGE) of the United Nations on advancing responsible State behaviour in cyberspace and the use of Information and Communication Technologies (ICTs). As a matter of fact, by dispelling the spectre of digital authoritarianism, NATO could bring valuable added value in promoting the rule of law and individual freedom within the digital domain.
Federico Berger
Social Media Intelligence (SOCMINT) Analyst for the Italian cybersecurity firm TS-Way. Since 2021, he has been listed among the Emerging Security Challenges Analysts of the NATO Defense College Foundation. He is currently enrolled in the 360/Digital Sherlocks training program of the Atlantic Council’s Digital Forensics Research Lab (DFRLab).