Revelations that the Italian government has used spyware against civil society and media – including activists for migrants’ rights – are the latest chapter in a catalogue of evidence that states are spying on people who present no criminal threat, creating a chilling effect on free speech and activism. Numerous states have been revealed to be using spyware against civil society and media, much of it supplied by Israeli companies with close military links. Despite mounting evidence of widespread abuse, perpetrators rarely face consequences because regulations are weak. Civil society is playing a leading role in exposing spyware, and has a key part to play in strengthening the rules.

Italy’s journalists aren’t taking spyware lying down. In February, the Italian National Press Federation and the Order of Journalists announced they’d filed a criminal complaint after the country’s far-right government blocked parliamentary questions about the state’s illegal use of spyware.

The move came amid damning evidence the state has used spyware to put activists and journalists under surveillance. The WhatsApp of Francesco Cancellato, editor-in-chief of the Fanpage investigative news site, was hacked with Graphite spyware, produced by Israeli company Paragon. Fanpage had previously published an undercover investigation that exposed support for fascism among the ruling party’s youth wing. The implication is that Cancellato was targeted out of political hostility rather than legitimate security concerns.

Cancellato is not alone. The government has confirmed that at least seven phones have been infected with Graphite. Among the targets are activists Luca Casarini and Giuseppe Caccia, founders of Mediterranea Saving Humans, a civil society organisation that helps people in trouble on the migration route across the Mediterranean Sea. Others who’ve worked with the organisation have made police complaints about spyware, including Father Mattia Ferrari, chaplain on the rescue ship.

The pattern seems clear: Italy’s government appears to be systematically spying on those who criticise its aggressive anti-migrant policies. In 2017, Italy made a deal with the Libyan government, paying it to intercept people and hold them in Libya, where they’re detained in appalling conditions. Humam El Gomati, a Sweden-based Libyan activist who highlights human rights abuses in Libyan detention centres, is among the spyware targets. Activist David Yambio, who supplied the International Criminal Court with evidence of violations of migrants’ rights in Libya, also reported being subject to a spyware attack. The people detained in Libya are denied a voice; now the government seems determined to undermine those who try to speak up for them.

The government has ordered the National Cybersecurity Agency to investigate, denying any involvement, although this line was contradicted by an official who said the government had approved the use of spyware against Casarini and Caccia. In a move campaigners condemned as a cover-up, the president of parliament, Lorenzo Fontana, decreed that state security rules mean any further information can’t be disclosed in response to parliamentary questions.

The use of spyware – along with intensifying protest restrictions – has prompted Italy’s inclusion on the latest CIVICUS Monitor Watchlist, which highlights countries experiencing a serious decline in respect for civic space. On top of current restrictions, a new security law in the process of approval threatens to further expand state surveillance powers, alongside increasing punishments for protesting.

WhatsApp confirmed in January that globally, close to 100 of its users in civil society and the media had been targeted by Paragon’s spyware. Paragon’s terms of service supposedly rule out use of this kind, and in February the company reportedly terminated its relationship with the Italian government. But some 35 governments are reported to be Paragon customers, including Australia, Canada, Cyprus and Denmark, all long-established democracies. More broadly, the use of spyware against civil society and the media has been reported on every inhabited continent – including in countries as diverse as El Salvador, Lithuania, Morocco and Togo.

The Pegasus problem

As this suggests, the problem stretches much further than Italy, and far beyond Paragon’s spyware. So far, most global attention has focused on Pegasus, a spyware package that, like Graphite, is produced by an Israeli company, NSO, and sold only to governments. Both are installed through zero-click exploits: unlike many viruses, they don’t need the target to click on a link or download something. This makes them virtually undetectable and extraordinarily invasive. They give the operator full access to the target’s phone – including its camera, microphone, data and geolocation.

The scale of Pegasus’ use is staggering. In 2020, the Pegasus Project, a collaboration between civil society and media organisations, revealed governments had used it against almost 50,000 targets in 24 countries. Targets included civil society activists, journalists, opposition politicians and businesspeople, even though the software is supposed to only be used to help prevent serious crimes, including terrorism – something that clearly doesn’t cover civil society’s legitimate actions.

Five years after these shocking revelations, it’s clear the problems continue, with fresh evidence that numerous states are still using spyware with impunity.

Jordan is among the latest states revealed to be using Pegasus against activists. Research by international civil society group Access Now found the authorities have targeted at least 35 people, although experts believe the real number may be much higher. Activists, journalists and lawyers have been targeted. The Jordanian government’s use of spyware comes as part of an intensifying state crackdown, combined with tactics such as the arrest and detention of activists, journalists and union members for protesting or posting critical comments online. Most recently the authorities have criminalised people for protesting or speaking out in solidarity with Palestine.

Meanwhile, authoritarian Rwanda has reportedly targeted 3,500 people with Pegasus, among them several exiles, showing how spyware can be used as a tool of transnational repression. The government has effectively weaponised the technology to monitor and intimidate critics both at home and abroad.

The impacts of surveillance can fall particularly heavily on members of excluded groups. In Thailand, at least 35 phones were infected with Pegasus in response to mass protests for democracy and against royal power in 2020 and 2021. Women and LGBTQI+ people were particularly targeted, raising fears that phone hacks could lead to blackmail and harassment.

Other states are guilty of gender-based targeting. Last year it was reported that the Polish Internal Security Agency had targeted Krystyna Suchanow, leader of the All-Poland Women’s Strike, with Pegasus. The state did so at the height of mass protests in 2020 against the imposition of a near-total abortion ban. In a rare example of accountability, the government that came to power in 2023 committed to investigating its predecessor’s abuse of spyware. Its investigation revealed that from 2017 to 2022 the state targeted 578 people, including activists, journalists and political opponents.

Even after spyware use is exposed, there’s a huge challenge in holding states to account. There’s at least some hope of justice in Spain, where last year, the Spanish High Court reopened an investigation into the use of Pegasus against high-profile politicians, including Prime Minister Pedro Sánchez. Revelations in 2022 that journalists, lawyers and politicians linked to the Catalonia separatist movement were targeted caused a political scandal.

But if justice eventually comes in Spain, it will be an exception. Poland’s new government may be trying to turn the page, but Hungary remains under right-wing nationalist rule, which means there’ve been few repercussions following the revelations the state used Pegasus against journalists and critics of hardline leader Viktor Orbán. There seem scant prospects for redress in Thailand too. Last November a court dismissed a lawsuit against NSO brought by democracy activist Jatupat Boonpattararaksa. The court said there was insufficient evidence to prove his device had been infected.

A powerful industry

States may claim legitimate reasons for using spyware, such as tackling organised crime and thwarting terrorist plots. But as case after case demonstrates, many are using this as an excuse, while others may have started out with legitimate motivations, but can’t be trusted not to misuse the technology once they have it. The technology’s extraordinary power makes abuse almost inevitable without robust, independent oversight – something many states that have bought spyware lack.

One of the challenges in holding these states to account is the often-complex web of vendors, brokers and resellers that can make it hard to track how spyware is being sold and used. Last year, for example, a Luxembourg company, Q Cyber Technologies SARL, was exposed as being part of the supply chain that sold Pegasus to Indonesia.

In 2023, the European Public Prosecutor’s Office placed the Greek government under investigation over allegations it granted illegal export licences for another spyware package, Predator, to African and Asian states. This development came after investigations revealed the Greek government had used Predator against numerous journalists and politicians, prompting a political scandal and a no-confidence vote that the government survived. One troubling aspect of this case is the implication that European Union (EU) member states may be facilitating the spread of surveillance technology to countries with poor human rights records.

The known cases of spyware abuses may well be the tip of the iceberg, and there are other spyware programs beyond Graphite, Pegasus and Predator. The industry is rapidly evolving, with other companies likely trying to develop yet more intrusive software, as there will always be states willing to buy improved packages. The government of India, for example, was reported in 2023 to be looking for alternatives to Pegasus after its use of the software against activists was exposed. Rather than abandoning surveillance after being caught out, states may seek more covert options.

Israel’s role should come under particular scrutiny. Israeli tech companies are at the heart of the global spyware trade and they’re closely linked to the state: it’s common for ex-military people to work in Israel’s tech sector. Almost every NSO researcher, for example, has served in Israel’s military intelligence agency.

This revolving door helps ensure Israel’s military has access to the latest technology, and it uses Palestine as its laboratory, a testing bed for surveillance technologies that are sold to the wider world. The Israeli government has used Pegasus to hack the devices of Palestinian human rights activists, putting their safety at risk. Spyware comes as part of Israel’s pattern of systemic surveillance of Palestinians, which includes increasing use of facial recognition cameras and wiretaps.

NSO won’t sell to a government without the approval of the Israeli state, which decides whether to grant export licences for spyware and can use this for diplomatic leverage. The sale of its spyware to Middle East nations such as Saudi Arabia and the United Arab Emirates may, at least prior to Israel’s current assault on Palestine and Lebanon, have helped thaw relations.

Under the Biden administration, the US government placed NSO and other Israeli spyware companies on a blacklist, preventing them trading with US businesses, and announced it would deny visas to people involved in the misuse of commercial spyware. The current administration should commit to maintaining these safeguards.

Regulation needed

Given current uncertainties, including about who and how many people are being targeted and the opaque nature of state structures that use spyware, it’s surely time for a global moratorium on the supply and use of spyware. Democratic states should lead the way here.

Regulation is clearly needed, at the national and global levels, and civil society, as a frequent target, must be enabled to play a full role in helping shape it. But so far the picture has been at best mixed. Regulatory attempts have tended to be piecemeal, reactive and easily circumvented.

The Global Digital Compact, agreed at last year’s United Nations (UN) Summit of the Future, failed to break new ground. Under the compact, states committed to ensure surveillance technologies comply with international law. However, the text says less about cybersecurity than civil society had hoped, and makes no explicit mention of the specific challenges presented by spyware.

Another 2024 development threatens to increase rather than curb surveillance. The UN Cybercrime Convention, adopted last December, is the brainchild of repressive states, led by Russia. Civil society and more democratic states worked hard to alleviate the worst excesses of a draft treaty that would have given authoritarian powers more tools to suppress online expression on the pretext of combating cybercrime. But the treaty in its final form still lacks clear, specific and enforceable human rights protections, including on the right to privacy, leaving this up to domestic law. It gives wide scope for international cooperation in data collection and sharing, offering disturbing potential for states to expand surveillance powers.

A potentially more positive step last year came with the adoption of the European Media Freedom Act. Among other things, the law largely protects journalists against surveillance, including spyware, with the aim of protecting the privacy of journalists’ sources. However, as a media law, its protection only extends to journalists, leaving others vulnerable.

The new law also leaves important exceptions, including to allow surveillance with prior judicial authorisation or in relation to ‘serious crimes’. It may also be possible for states to use covert surveillance for national security reasons and outsource surveillance to private contractors. In the EU’s least democratic states, such as Hungary, this opens up scope for the state to define legitimate scrutiny as a threat to national security or dissent as a serious crime, and capitalise on executive control over the judiciary.

Civil society advocacy succeeded in heading off even more regressive exceptions, but there’s an ongoing need, with both the European Media Freedom Act and the Cybercrime Convention, to scrutinise how new rules are implemented and monitor and expose state abuses.

Civil society groups such as Access Now, Amnesty International and Citizen Lab have worked tirelessly to investigate and expose spyware. States shouldn’t obstruct civil society in doing this vital work. Those that call themselves democracies, such as Italy, should have nothing to fear from civil society acting as a check on state power. They should welcome the scrutiny and ensure justice when illegal uses of spyware are exposed.

OUR CALLS FOR ACTION

  • Courts should hold perpetrators of spyware abuses to account.
  • States and intergovernmental bodies should develop enforceable regulations to curb spyware surveillance, including export controls, mandatory human rights due diligence and independent oversight mechanisms.
  • Democratic states should lead by example and commit to refraining from using spyware against civil society and media and respect civil society’s right to hold them to account.

For interviews or more information, please contact research@civicus.org
