
Sanctions for Spyware

Mailyn Fidler
Thursday, June 13, 2024, 2:19 PM
Sanctions could prove an effective tool in the fight against spyware abuses.
Spyware White Keyboard (Macedo_Media, https://commons.wikimedia.org/wiki/File:SpywareWhiteKeyboard.jpg, CC0)

Published by The Lawfare Institute in Cooperation With Brookings

Spyware is a serious business, and the primary regulatory approach the U.S. has taken—export controls—has fallen short. The U.S. should turn to a broader range of sanctions to combat spyware. Where export controls place legal burdens on those seeking to export technology, sanctions place legal burdens on other key players in the spyware industry, including makers and certain users. A sanctions-based approach, built on the Magnitsky Act, better focuses on the harms perpetuated and on those who cause the harm rather than on the tech itself.

Background

Spyware is software that enables digital surveillance. A robust commercial market for spyware exists, estimated at $12 billion, with government and law enforcement agencies as prime customers. Spyware is a key destination for zero-day exploits; Google attributes over half of known zero-day exploits targeting its products to commercial spyware.

Its use is linked to human rights abuses. Spyware has been identified in efforts to monitor murdered Saudi dissident Jamal Khashoggi’s network, Egyptian opposition politician Ahmed Eltantawy, Mexican human rights advocates, Russian journalist Galina Timchenko, and Salvadoran journalist Carlos Dada, among others. The human rights harms perpetrated and risked by this technology have led multiple UN Rapporteurs to call for a moratorium on this technology’s sale and transfer.

This practice has not gone unchallenged. The U.S., both through its own laws and with other states, has pursued efforts to curb this trade. Export controls have been the primary policy approach taken toward spyware and related technologies in the past 10 years. Export controls restrict the circumstances under which an entity can export items. The main multilateral mechanism is the Wassenaar Arrangement, a voluntary mechanism through which states adopt harmonized export controls on dual-use technologies. The arrangement adopted controls on “intrusion technologies,” essentially delivery mechanisms for, among other things, spyware. The U.S. implemented domestic export controls in line with the Wassenaar controls.

Policy Failures

But export controls have largely failed to curb the commercial spyware market. My recent article, “Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market,” probes these policy failures. Export controls were not destined to fail—I have supported their use—nor does their failure with spyware necessarily translate to other technology. Ultimately, though, for spyware, flawed decisions and some bad luck converged to limit the effectiveness of export controls.

First, both the Wassenaar and U.S. export controls were hobbled by intense debates about how to define the technology targeted by the controls. Concerns about defining the targeted technology in a way that would encompass harmful technology but not chill important research dogged the process. U.S. policymakers scuttled what little progress had been made when their initial implementation of the controls seemingly contradicted the broader Wassenaar definitions. This definitional brouhaha ultimately spawned U.S. efforts to renegotiate the Wassenaar controls to explicitly narrow definitions.

Second, U.S. export controls have a major technical loophole. Cloud-based use of software, rather than downloads, does not constitute an export of software. (However, the U.S. export control regime makes a distinction between “software” and “technology” and has left the door open to cloud-based transfers counting as exports of technology.) This leaves open the possibility that some bad actors may still be able to access relevant U.S. technology despite export controls.

Third, Western countries acted hypocritically with respect to spyware. The U.S. back-and-forth on the Wassenaar control definitions created a political visual of vacillating U.S. political support. More damagingly, Western countries continued to profit from spyware, or even use it against dissidents themselves. Greece, Spain, Hungary, and Poland, all members of the Wassenaar Arrangement, used spyware on domestic political opposition groups. Tolerating spyware’s domestic use while simultaneously supporting restrictions on its export to other countries for similar purposes undercuts the legitimacy of the Wassenaar Arrangement. Other countries granted export licenses for spyware companies or ignored their activities, acting only when scandal forced their hands.

Fourth, world politics changed. Russia, a member of the Wassenaar Arrangement, invaded Ukraine. Tensions with Russia mean it is unlikely to agree to any new Wassenaar consensus, undercutting the arrangement’s ability to be a productive site for future innovation on spyware controls. In addition, accompanying political dynamics have affected individual countries’ export control decisions. For example, Israel denied spyware export licenses to Ukraine and Estonia under Russian pressure. The escalating Israel-Hamas war may also leave some countries hesitant or, alternatively, more likely to sanction Israeli spyware activity. Export controls in this area have gotten even more difficult.

Toward a Comprehensive Sanctions Regime for Spyware

The U.S. should focus on a broader range of tools to combat spyware, which I group under the term “sanctions.” Whereas export controls, broadly speaking, regulate the flow of technology from the regulated country to prohibited recipients, sanctions employ a broader range of techniques to punish would-be recipients, makers of the technology, and more.

The Magnitsky Act should form the core of this sanctions approach. The act, and an accompanying executive order, collectively known as the Magnitsky Program, allows the U.S. to freeze the U.S. assets of certain individuals complicit in or responsible for certain human rights abuses as well as to restrict the ability to travel to the U.S. The U.S. can and should use this act to sanction spyware vendors, as a group of legislators has advocated. This approach can target the worst offenders, while its nontechnological nature leaves undisturbed researchers or cybersecurity professionals, or even companies considered to be following responsible vendor procedures.

Entities designated under the Magnitsky Program become ineligible for admission to the U.S. and face freezing of U.S. financial assets and transactions. The act was originally passed in response to the detention, abuse, and ultimate death of Russian anti-corruption whistleblower Sergei Magnitsky. The program seeks to punish actors for “gross violations of internationally recognized human rights.” That term is elsewhere defined in the U.S. Code to include “torture or cruel, inhuman, or degrading treatment or punishment, prolonged detention without charges and trial, causing the disappearance of persons by the abduction and clandestine detention of those persons, and other flagrant denial of the right to life, liberty, or the security of person.” The executive order uses the more expansive term “serious human rights abuse.”

So far, the Magnitsky Program has been used to sanction entities for activities such as using violence against protesters (Guinea), forced labor on fishing vessels (China), abuses of Uyghurs (People’s Republic of China), and physical abuse of prisoners (Iran). The program has not yet been used for spyware-related violations, although the Biden administration issued standalone visa restrictions on some actors involved in the spyware industry, and their immediate families, using the Immigration and Nationality Act. Although a good first step, and carrying the advantage of applying to family members, these restrictions do not carry the financial penalties or the same reputational harms of designation under the Magnitsky Program.

The Magnitsky Program allows for sanctions on those who have “materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” human rights violators. This clause of the executive order is particularly important because it enables action against spyware vendors that sell to government actors that ultimately commit human rights violations. Vendors could, arguably, have materially assisted those violations, even if they do not perpetrate the violations themselves.

The act mandates a “credible evidence” standard and requires that the president consider information from congressional committees, other countries, and nongovernmental organizations. The act also appears to allow designations of material supporters on a strict liability standard. Based on information included in public reports to Congress since the program’s inception, I identified at least seven instances in 2019 (Atul Gupta and Salim Essa), 2020 (Satish Seemar, providing material support to another designee as his horse trainer), 2021 (Khalil Ahmed Hijazi and Luisa de Fatima Giovetty), and 2023 (Fuzhou Honglong Ocean Fishing Co., Ltd.) in which an individual or entity was designated as a material supporter with no additional details about their knowledge or conduct. Those designations usually take the following form: Person X was designated “for being a foreign person who has materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of” Person Y. Person Y is typically elsewhere designated themselves for having a stronger tie to the human rights abuse, whether through knowledge or commission. This strict liability standard encourages vendors to know their customers and increases the strength of the Magnitsky Program.

Let’s walk through what it would look like to designate a spyware vendor under the Magnitsky Program. The following steps would need to occur: First, a qualifying human rights violation would need to be established. Second, an entity would (likely) need to be deemed responsible for that violation, and that responsible entity would (likely) need to be designated as a human rights violator under the Magnitsky Program. The qualifier “likely” reflects the fact that, so far, no material supporter has been designated without a primary violator first being named. However, nothing in the Magnitsky Program itself requires that a material supporter be named only after a primary violator has been named. Third, a link between the responsible actor and the spyware vendor would need to be established. And last, the spyware vendor would need to qualify as a material supporter.

To give some context to these steps, consider the recent spyware use against Egyptian politician Ahmed Eltantawy. Eltantawy is a former member of parliament with presidential ambitions. Egypt arrested and detained friends and family of Eltantawy on suspicion of terrorist activity, but human rights groups have decried the arrests as politically motivated.

The arbitrariness of these arrests and detentions is similar to other actions that the Magnitsky Program has deemed human rights abuses. So, this scenario likely passes step 1. It also could pass step 2; the State Security Agency was responsible for these actions and could be designated as such under the Magnitsky Program.

For step 3, a link between a spyware vendor and the violation must be established. The Citizen Lab conducted forensic research that concluded Eltantawy was targeted with spyware by the Egyptian government on the basis of the nature of the attack and Egypt’s known status as a spyware client. The particular product was Cytrox Predator. Assuming the deployment of spyware against Eltantawy furthered the arrests, Cytrox’s provision of this product likely meets the definition of material support, since Cytrox provided “technological support … in service of human rights violations.”

Taken together, this scenario demonstrates how the Magnitsky Program could be used to designate Cytrox as a material supporter of human rights violations and subject the company to travel and financial sanctions. (On the export control side, the U.S. added Cytrox to the U.S. Entity List in 2024).

The Magnitsky Program carries advantages over traditional export controls as a way to curb the spyware trade. First, it allows countries to target bad actors while leaving other companies or researchers unaffected because it does not seek to control a particular technology. Rather, it responds to negative uses of a technology. Second, the financial and travel sanctions have more bite for software companies, which are less affected by export controls than hardware companies are. Last, these sanctions can apply even to companies using software-as-a-service models to elude export controls as currently constituted.

The primary difficulty with using the Magnitsky Act to sanction spyware companies is identifying a clear link between the primary rights violator and the target spyware company (steps 2 and 3, above). If ambiguity exists about who committed the primary human rights violation, or what actor deployed software in furtherance of a violation, it may not be possible to name a primary violator. This lack of a primary violator could potentially thwart formal designation of material supporters, given the Magnitsky Program’s current practice of naming supporters only after naming primary violators.

Moreover, the connection between spyware use and a violation can be tenuous. For instance, it might be possible to assert with certainty that a journalist was killed, and separately assert with certainty that the journalist was targeted with spyware, but clearly demonstrating that the spyware played a role in the killing, what actor directed or carried out the killing, and who used the spyware can remain uncertain. Depending on the level of certainty required by the Magnitsky Program’s administrators, unclear links could complicate the program’s use to target spyware vendors. In addition, the digital forensics required to substantiate these connections, let alone meet a burden of proof, are complicated and often indeterminate.

The other primary difficulty with the Magnitsky Program is a political one: Naming an entity a human rights violator can carry a range of political consequences. Egypt provides a clear example of these consequences: The Eltantawy case is amply deserving of sanction, but U.S.-Egypt relations complicate that decision. That said, if the U.S. is willing to designate material supporters without connecting them to a sanctioned primary violator—which I encourage—the Magnitsky Program can offer a powerful tool for sanctioning spyware vendors without running into the political problems surrounding naming a government entity a human rights violator.

Whether bad actors have financial assets in, or wish to travel to, the U.S. is also a limitation. But at least seven countries and the European Union have adopted similar legislation. The U.S. could engage these actors in a pledge to use this type of legislation against spyware vendors. The U.S. has already started leveraging coalitions on the spyware issue, issuing a joint statement of commitment and a voluntary code of conduct. Coordinated use of human rights sanctions could build on this initial effort.

None of these options is a panacea. Regulating this area is hard, because of both political and technical realities. But moving toward a comprehensive sanctions regime for spyware would enable a shift away from a status quo that has been drifting toward surveillance accountability theater.


Mailyn Fidler is an Assistant Professor at the University of New Hampshire Franklin Pierce School of Law and a Faculty Fellow at the Berkman Klein Center for Internet & Society. Her research focuses on the intersection of criminal law, technology, and speech. Before entering academia, she served as a clerk on the Tenth Circuit Court of Appeals and worked in strategic litigation at the intersection of the First and Fourth Amendments.
