UK and France push for international agreement on spyware

The UK and France are hosting diplomats, big tech companies and civil society groups, in a two-day conference in London targeting the proliferation of spyware tools and ‘hackers for hire’

Bill Goodwin,
Computer Weekly

Published: 06 Feb 2024 13:45

The UK and France are urging countries to sign an international agreement governing the use of commercial spyware and surveillance tools.

At a two-day conference in London, delegates from 35 countries will discuss ways to address the proliferation of commercial cyber intrusion tools and services.

Leaders from business and big tech companies, including Apple, BAE Systems, Google and Microsoft, along with human rights groups and legal experts and suppliers, will attend the discussions London’s Lancaster House.

The gathering, opened by deputy prime minister Oliver Dowden, will launch an international declaration, called the Pall Mall process, that will commit countries and businesses to develop safeguards and oversight for spyware and other commercially intrusive technologies.

Dowden said: “As the threat from malicious use of cyber tools grows, working with like-minded partners is essential to tackle an issue which does not respect borders.”

The meeting in London has parallels with the UK’s Bletchley Park Summit on AI safety last year, and is expected to lead to further international conferences.

It coincides with an announcement by the White House to clamp down on spyware by imposing global visa restrictions on individuals involved in misusing the technology.

Spyware threat to privacy

The Cabinet Office said in a statement that while cyber intrusion tools have a legitimate role in supporting national security and law enforcement, there was a need to “discourage irresponsible behaviour” and to “improve accountability and oversight” of commercial surveillance tools.

Spyware can be used access victims’ devices, listen to calls, obtain photos, remotely operate a camera and microphone, and can infect devices without users being aware. Thousands of individuals, including journalists and activists, are affected by spyware each year, according to estimates by GCHQ.

Other threats to be discussed at the Lancaster House event include hackers-for-hire carrying out corporate espionage and services and tools being accessed by hostile states and individuals who threaten UK national security.

The UK’s National Cyber Security Centre, part of GCHQ, warned last year that 80 countries have purchased cyber intrusion software such as Pegasus, sold by the Israeli firm NSO Group, which have been used by states to target activists, dissidents, foreign states, journalists and political opponents.

International action against spyware

France and the UK agreed to co-operate on a joint initiative to tackle the threat from commercial spyware, at a 2023 prime ministerial summit.

The UK and France hosted a number of diplomatic events on spyware throughout 2023, including a UN Working group in July, and the Paris Peace Forum in November.

The UK signed up a joint statement with Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland and the US, in March 2023, to counter the misuse of commercial spyware.

Spyware liked to human rights abuses

The US secretary of state Antony Blinken said in a statement yesterday that the US remains concerned with the growing misuse of commercial spyware around the world to “facilitate repression, restrict the free flow of information, and enable human rights abuses”.

He said that targeting of individuals by spyware has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings.

President Biden issued an executive order last year prohibiting the US government from using commercial spyware that poses risks to national security. It followed a decision by the US to place Israeli firm NSO – which produces the Pegasus spyware, which has been used against journalists, campaigners and dissidents – on a blacklist.

The Israeli spyware company Candiru, along with two companies in Russian and in Singapore, was also blacklisted.

Journalists and activists targeted in Jordon

An investigation by Access Now and the Citizen Lab this month found that Pegasus was widely used by Jordon, and that at least 35 journalists, activists, human rights lawyers, and civil society members have been targeted with Pegasus between 2019 and 2023.

France is due to host a second meeting on spyware in 2025 following the London conference.

NCSC director of operations Paul Chichester said: “The proliferation of commercially available cyber intrusion tools is an enduring issue, with demand for capability to conduct malicious cyber operations growing all the time.”

He said that there was a need to improve oversight and transparency of how cyber intrusion tools were being developed, sold and used.