Ali Al-Ahmed is the founder and director of the Institute for Gulf Affairs.
Dr. Matthew Hedges is a postdoctoral teaching assistant at the University of Exeter.
The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.
Governments that purchase spyware tend to share a common pretext: the need to fight terrorist and other public safety threats. But we know that when autocratic regimes acquire state-of-the-art surveillance technology, they also intend to use it against activists, journalists, academics and any other dissenting voices they deem a threat. Spyware programs — used to infect phones and other hardware without the owner’s knowledge in order to track movements and steal information — are tools of repression just as surely as guns.
There have been too many well-documented cases to ignore this basic 21st century reality. Yet companies continue to sell their spyware to despotic governments, in some cases claiming ignorance about what is likely to happen next. This trend has rocked the community of political dissidents across the globe and has put them at greater risk of arrest and much worse.
We know because this technology has been used on us. As a naturalized American from Saudi Arabia and a British academic, we count ourselves and many colleagues among the victims.
One of us, Ali Al-Ahmed, saw the Saudi government steal his personal data from Twitter, then use it to track down, imprison and torture his Twitter followers.
The other one of us, Matthew Hedges, was a graduate student on a research trip to the United Arab Emirates when he discovered that authorities had hacked his phone even before he arrived in the country. He was arrested in 2018, charged with spying and initially sentenced to life in prison. Ultimately held for six months, he was kept in handcuffs and fed debilitating drugs.
Painful though these experiences continue to be for us, we are relatively safe living in the United States and Britain. But our experiences are all too common. They highlight the ongoing, systemic abuse that authoritarian regimes inflict on people every day, in violation of international law and all principles of human rights.
By enabling despots to track citizens’ every move, spyware vendors make this kind of maltreatment possible. Dissidents around the world will have targets on their backs until democratic governments crack down on companies that turn a blind eye to this use of their wares.
The time has come for decisive action from democratic countries, including the United States, to curb this abuse. Leaders in Western democracies talk about the need to rein in Big Tech. And yet, in the endless tug-of-war between government regulation and tech companies, “users have become the main casualties,” as a new report from Freedom House, a watchdog organization, put it. Too often, ordinary online citizens are vulnerable to predation by their own governments.
China and Russia get the lion’s share of global public attention for state-sponsored hacking and repression for the sheer scale of their operations. But U.S. allies like Saudi Arabia are often among the worst offenders.
For example, some of the Middle East’s most ruthless suppressors of dissent, including Saudi Arabia, the United Arab Emirates and Bahrain, buy spyware from the Israeli company NSO Group. These governments have used NSO’s Pegasus software to hack into the phones of numerous human rights activists and critics — often well beyond their own borders.
Sometimes the autocrats running these regimes have purely personal motives, as in the case of Dubai’s ruler Sheikh Mohammed bin Rashid Al Maktoum. A British court found that he used Pegasus to spy on his ex-wife and several of his children.
The public only learned of this because an NSO Group official called a prominent British lawyer late one night to tip her off about the surveillance. As bad as the sheikh’s abuse of Pegasus was, more alarming is that NSO Group knew he was using their technology for illicit ends. In this case, senior managers felt sufficiently exposed to blow the whistle, but the firm has not divulged what it may know about other abuses by its clients.
Nor is NSO Group alone in selling spyware to police forces and intelligence services known to abuse human rights. The Israeli firms Candiru and Cyberbit are in the same business. Products from the German company Finfisher and the Italian firm Hacking Team (now rebranded Memento Labs after a 2015 scandal) have also been linked to abuses.
NSO has reportedly terminated its contracts with Saudi Arabia and the United Arab Emirates, saying they misused Pegasus. But corporate self-enforcement is not enough. Democratic governments must send a clear message to these companies: that they will face export bans, and senior company staff will face sanctions if their products are used to violate human rights.
Another important step would be for the U.S. Commerce Department and its counterparts in Britain, the European Union and other democracies to expand the use of blacklists that restrict trade with companies enabling abuse. The Commerce Department already includes NSO Group, Candiru, Russian company Positive Technologies and the Singaporean firm Computer Security Initiative Consultancy on its “Entity List,” meaning that those outfits can’t buy components from U.S. sellers without a special license. But a broader global campaign of this kind could go further.
Finally, democratic countries should establish transparent, uniform rules for using spyware. This past week, the White House hosted a virtual Summit for Democracy of global leaders with the express purpose of fighting authoritarianism and promoting human rights. As this coalition gets to work, spyware should be at the top of its agenda.
Clearly, we have entered a new era of electronic espionage and digital repression. Only by enacting stronger regulatory and legal protections can democracies ensure their survival, enable free speech to flourish and safeguard their citizens’ well-being.