Civil Rights Defenders Demands Action Against Surveillance Technology in Joint Open Letter

In this joint open letter, 146 civil society organizations and 28 independent experts worldwide call on states to implement an immediate moratorium on the sale, transfer and use of surveillance technology. Alarmed by the Pegasus Project revelations that NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale, the undersigned highlight the key human rights implications of this major exposé and issue a series of recommendations to states, as well as states that export surveillance technology.

Joint Open Letter

We, the undersigned civil society organizations and independent experts, are alarmed at the media revelations that NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale.

These revelations are a result of the Pegasus Project and are based on the leak of 50,000 phone numbers of potential surveillance targets. The project is a collaboration of more than 80 journalists from 16 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, who conducted forensic tests on mobile phones to identify traces of the Pegasus spyware.

The Pegasus Project’s revelations prove wrong any claims by NSO that such attacks are rare or anomalous, or arising from rogue use of their technology. While the company asserts its spyware is only used for legitimate criminal and terror investigations, it has become clear that its technology facilitates systemic abuse. As the UN High Commissioner for Human Rights said, “if the recent allegations about the use of Pegasus are even partly true, then that red line has been crossed again and again with total impunity.”

From the leaked data and their investigations, Forbidden Stories and its media partners identified potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE). NSO claims it only sells it to government clients.

The investigation has so far also identified at least 180 journalists in 20 countries who were selected for potential targeting with NSO spyware between 2016 to June 2021. Deeply concerning details that have emerged include evidence that family members of Saudi journalist Jamal Khashoggi were targeted with Pegasus software before and after his murder in Istanbul on 2 October 2018 by Saudi operatives, despite repeated denials from NSO Group that its products were used to target Khashoggi or his family members.

The revelations are only a tip of the iceberg. The private surveillance industry has been allowed to operate unchecked. States have failed not only in their obligations to protect people from these human rights violations, but have themselves failed in their own human rights obligations, clearly letting these invasive weapons loose on people worldwide for no other reason than exercising their human rights. Additionally, the targeting may in fact reveal only part of the picture of human rights violations that they signify. This is because violations of the right to privacy impact on numerous other human rights and show the real-world harm caused by surveillance that is inconsistent with international norms.

In Mexico, journalist Cecilio Pineda‘s phone was selected for targeting just weeks before his killing in 2017. Pegasus has been used in Azerbaijan, a country where only a few independent media outlets remain. Amnesty International’s Security Lab found the phone of Sevinc Vaqifqizi, a freelance journalist for independent media outlet Meydan TV, was infected over a two-year period until May 2021. In India, at least 40 journalists from major media outlets in the country were selected as potential targets between 2017-2021. Forensic tests revealed the phones of Siddharth Varadarajan and MK Venu, co-founders of independent online outlet The Wire, were infected with Pegasus spyware as recently as June 2021. Amidst this revelation, Moroccan journalist and human rights activist Omar Radi was sentenced to six years in prison. Radi’s phone had previously been forensically examined by Amnesty International in 2020 and was determined to be targeted by Pegasus. In Morocco, of the 34 other journalists whose phones were selected for potential targeting by Pegasus, two are imprisoned. The investigation also identified journalists working for major international media including the Associated Press, CNN, The New York Times and Reuters as potential targets. One of the highest profile journalists was Roula Khalaf, the editor of the Financial Times. These targets represent only a small part of the revelations and the full picture is yet to emerge.

This is not the first time NSO’s Pegasus software has been linked to human rights violations. Researchers, journalists, activists and others have uncovered significant evidence over the years of the use of NSO Group’s surveillance technology to target individuals. Previous research by Citizen Lab exposed how Ahmed Mansoor, a human rights defender imprisoned in the United Arab Emirates, was targeted with NSO Group technology in 2016. In Mexico, journalists, lawyers, and public health experts have also been previously targeted.

Where surveillance is operated without adequate legal frameworks, oversight, safeguards and transparency, its harms have an impact far beyond those who may have actually been targeted. In the face of opacity and inadequate safeguards, and especially in situations where surveillance is known or suspected to be carried out in unlawful ways, human rights defenders and journalists are forced to self-censor out of fear of being persecuted for their work, even where such surveillance may in fact not be taking place. Indeed, in the immediate aftermath of revelations journalists and activists are already noting the chilling effect on their work.

Importantly, the use of targeted digital surveillance tools such as Pegasus infringe the right to privacy and many other rights. Pegasus impacts the right to privacy by design: it is surreptitious, deployed without the knowledge of the rights holder, and has the capacity to collect and deliver an unlimited selection of personal, private data (along with data of any contacts with which a target interacts). Moreover, as noted above, a violation of the right to privacy can have cascading effects on other rights, including the rights to freedom of expression, association, and peaceful assembly. It is evident from these disclosures that these uses of the tool are abusive and arbitrary, and do not constitute a permissible interference with the right to privacy. Further, states’ unchecked deployment of these tools does not meet the tests of necessity, proportionality, and legitimate aim as outlined under international standards.

A culture of impunity specific to targeted digital surveillance has developed that must be urgently countered. These disclosures show just how states’ use of the targeted digital surveillance tools supplied by one of the industry’s most prominent participants is utterly out of control, destabilizing, and threatening to individuals’ human rights, including physical safety. The revelations shine a light on an unaccountable industry, and an unaccountable sphere of state practice, that must not continue to operate in their current forms. Our rights and the security of the digital ecosystem as a whole depend on it.

We back the call of the UN High Commissioner that “Governments should immediately cease their own use of surveillance technologies in ways that violate human rights, and should take concrete actions to protect against such invasions of privacy by regulating the distribution, use and export of surveillance technology created by others.”

Thus, we urge all states to urgently take the following steps:

To all states:

a. Immediately put in place a moratorium on the sale, transfer, and use of surveillance technology. Given the breadth and scale of these findings, there is an urgent need to halt surveillance technology enabled activities of all states and companies, until human rights regulatory efforts catch up.

b. Conduct an immediate, independent, transparent and impartial investigation into cases of targeted surveillance. Further, investigate export licenses granted for targeted surveillance technology, and revoke all marketing and export licenses in situations where human rights are put at risk.

c. Adopt and enforce a legal framework requiring private surveillance companies and their investors to conduct human rights due diligence in their global operations, supply chains and in relation to the end use of their products and services. Under this legislation, private surveillance companies should be compelled to identify, prevent, and mitigate the human rights-related risks of their activities and business relationships.

d. Adopt and enforce a legal framework requiring transparency by private surveillance companies, including information on self-identification/registration; products and services offered; the results of regular due diligence including details of how they addressed identified risks and actual impacts; and sales made as well as potential clients rejected for failing to meet standards of human rights or good governance. States should make this information available in public registries.

e. Ensure that all surveillance companies domiciled in their countries, including sales intermediaries, affiliates, holding companies, and private equity owners, are required to act responsibly and are held liable for their negative human rights impacts. They must require by law that these companies undertake human rights due diligence measures in respect of their global operations. This should include liability for harm caused and access to remedy in the home states of the companies, for affected individuals and communities. Governments should therefore initiate or support domestic proposals for corporate accountability legislation.

f. Disclose information about all previous, current and future contracts with private surveillance companies by responding to requests for information or by making proactive disclosures.

g. As a condition to continued operation of surveillance companies, demand immediate establishment of independent, multi-stakeholder oversight bodies for NSO Group and all other private surveillance companies. This should include human rights groups and other civil society actors.

h. Establish community public oversight boards to oversee and approve the acquisition or use of new surveillance technologies, with powers to approve or reject based on the states’ human rights obligations, provisions for public notice and reporting.

i. Reform existing laws that pose barriers to remedy for victims of unlawful surveillance and ensure that both judicial and non-judicial paths to remedy are available in practice.

j. Furthermore, states must, at a minimum, implement the below recommendations if the moratorium on the sale and transfer of surveillance equipment is to be lifted:

  • Implement domestic legislation that imposes safeguards against human rights violations and abuses through digital surveillance and establishes accountability mechanisms designed to provide victims of surveillance abuses a pathway to remedy.
  • Implement procurement standards restricting government contracts for surveillance technology and services to only those companies which demonstrate that they respect human rights in line with the UN Guiding Principles and have not serviced clients engaging in surveillance abuses.
  • Participate in key multilateral efforts to develop robust human rights standards that govern the development, sale and transfer of surveillance equipment, and identify impermissible targets of digital surveillance

k. Inform securities exchanges and financial regulators of the harms associated with private surveillance technology companies, and require strict, regular scrutiny in law and regulation of disclosures and applications by those companies and their owners, including before any major events (public listings, mergers, acquisitions, etc.)

l. Protect and promote strong encryption, one of the best defenses against invasive surveillance.

We urge Israel, Bulgaria, Cyprus and any other states in which NSO has corporate presence:

a. Exporting States, including Israel, Bulgaria and Cyprus, must immediately revoke all marketing and export licenses issued to NSO Group and its entities, and conduct an independent, impartial, transparent investigation to determine the extent of unlawful targeting, to culminate in a public statement on results of efforts and steps to prevent future harm.

Read the Open Letter in Full With Links and Signatories (pdf)