heise PlusAbo

IGF25: Dictators and democrats in the global South as customers of spyware

Spyware such as Pegasus from the NSO Group is increasingly becoming a political problem. This was one of the findings of the Internet Governance Forum in Norway

listen Print view
Highly distorted image of a finger on a keyboard, with a digital exclamation mark in the foreground

(Image: janews/Shutterstock.com)

7 min. read
By
  • Monika Ermert
Contents

Years ago, WhatsApp boss Will Cathcart described the NSO attacks as a wake-up call for the tech industry, governments and users. Legal proceedings followed, and in May 2025 the first instance awarded Meta 168 million US dollars in damages. Nevertheless, the spyware industry continues to grow, warned non-governmental organizations from Latin America and Africa at the 20th edition of the United Nations Internet Governance Forum (IGF). The event took place this week in Lillestrøm, Norway, near Oslo.

Over 500 companies distribute spyware to at least 65 governments worldwide – and business is booming, said Nighat Dad, organizer of an IGF panel on the topic. In industrialized countries, ethics, better supervision and legislative steps have been discussed since the Pegasus shock, said the founder of Pakistan's Digital Rights Foundation.

"In the global South, the spyware industry is flourishing and is encountering inadequate legal protection, an authoritarian impetus and the targeted restriction of public spaces," warns the lawyer.

Spyware against the opposition, public prosecutors and journalists

Dealing with NSO activities is not enough, emphasized Apar Gupta, founder of the Indian Internet Freedom Foundation (IFF), Ana Gaita from the Mexican civil rights organization Red en Defensa de los Derechos Digitales (R3D) and Mohamed Najem from SMEX, which operates from Lebanon for the Arab region.

SMEX is now seeing a real boom in spyware start-ups following major investments in the NSO by the Gulf States. According to Najem, spyware is being supplied from the United Arab Emirates to the warring Rapid Support Forces in Sudan, for example.

Counter-defense according to the state: Softlaw

The widespread proliferation of hacking tools also worries governments in the global North. The threats "to our civil servants, infrastructure, businesses and citizens are growing", said Elizabeth Davies from the British Foreign Commenwealth and Development Office. Together with France, the UK has therefore presented guidelines for the use of commercial spyware in the so-called Pall-Mall process.

Both the focus on commercial spyware – to the exclusion of state hacks – and the voluntary nature of the Pall Mall guidelines have been criticized by experts. The central promise of the code made by the 24 Pall Mall signatories is a rule-based, responsible use of espionage tools that is only aimed at clearly defined targets. The signatories, including Germany, also advocate better control of use by their authorities and more transparency in procurement and export licenses.

Davis assured that the next step in the Pall Mall process would be to address individual issues in working groups, particularly export control regimes. She also promised more involvement from other stakeholders.

Activists and lawyers: baby steps only

Civil rights activists see the governments' Pall-Mall process as a first step at best. In view of the rapid development of supply and demand, IFF founder Gupta advises a moratorium on commercial spyware "until there is intergovernmental agreement on the legal basis, necessity, appropriateness and export control rules". The umbrella organization of European civil rights organizations EDRi is also calling for a complete ban on the distribution of spyware in the EU instead of the further promotion of state hacking as part of the Going Dark considerations.

Voluntary agreements such as the Pall Mall Declaration are good, says US legal scholar David Kaye, but believes that "we should move from soft law to binding standards very quickly." He referred to barriers recently proposed by the Venice Commission of the Council of Europe for the use of spyware by law enforcement officers.

Kaye, former UN Special Representative for Freedom of Expression, is a member of the Venice Commission, which works for 62 participating states. In the short term, he expects the most from lawsuits, especially claims for damages against black sheep, he says. It is not yet clear whether the millions in damages against the NSO in the Meta proceedings will be upheld. "But such proceedings increase the pressure," he said in Oslo.

At the same time, it is regrettable that the European Union's media freedom law provides for exceptions to the use of spyware against journalists. "We live in an era in which states drive trucks through the smallest loopholes they have created to do what they want to do," warned Kaye. Gupta and Kaye emphasized that lawsuits, be it in the constitutional courts or claims for damages such as Meta's, are currently one of the most promising measures.

Rima Amin, responsible for community defense at Meta, held out the prospect of passing on the money that the court awards Meta as compensation to organizations that help the victims. Money for civil rights activists is already available from the Spyware Accountability Initiative.

Videos by heise

Familiar arguments

It is no longer just political opponents who are being spied on. "Many governments in Latin America have used the unstable security situation to present more surveillance as being without alternative." Without restricting confidentiality, there is no more security, so the argument goes.

This argument is also used in African countries, as Wairagala Wakabi, Executive Director of the organization Collaboration on International ICT Policy for East and Southern Africa (CIPESA), explains in an interview with heise online. Unmoved by the activists and politicians affected by the Pegasus spying operations in many African countries, the organization is working on "more security" for citizens. Since the beginning of the year, for example, chips that monitor the location data and routes of cars have been a mandatory part of car license plates in the Ugandan capital Kampala.

According to Wakabi, the devices are supplied by the Russian company Joint Stock Global Security Company. Together with the smart city developed by Huawei in Kampala, "based on the Chinese model with video cameras and facial recognition everywhere", a fully monitored public space is being created. Total surveillance is increasingly becoming a problem for dissidents and activists.

Wakabi also looks to Europe for help. The USA has been surprisingly active when it comes to spyware companies. "Europe, as the other region that has a big stick, should also use it."

Read also

(nie)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten