A coalition of 11 countries committed on Thursday to counter the misuse of commercial spyware, a step toward building an international agreement to curb technology deployed by authoritarian countries to spy on dissidents and journalists.
In a statement released as part of the Summit for Democracy, the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom and the United States agreed to establish more robust guardrails and guidelines for commercial spyware tools.
The signatories also committed to preventing the export of surveillance software to countries that use it maliciously, sharing information on spyware proliferation and misuse, working with industry and civil society on information sharing and standard-setting mechanisms and reforming export controls to prevent spyware misuse.
Thursday’s spyware agreement came as officials convened in Washington for the second day of the Summit for Democracy, which was focused on the role of technology in advancing democracy.
“We are focused on using technology to try to make our democracies a little bit healthier, a little bit more prosperous, a little more inclusive,” Secretary of State Anthony Blinked said in opening Thursday’s summit. “We have to do better at addressing some of the risks that come with the open internet,” he added
The statement on spyware also illustrates how far Washington has to go in building agreement around curbing the use of commercial spyware. The signatories do not include the most prolific exporters of surveillance technology — most notably Israel — and while the U.S. has sanctioned some of the worst offenders in the spyware industry, the growing number of companies offering surveillance tools makes it increasingly difficult to regulate the technology’s use.
These tools offer law enforcement and intelligence agencies highly capable surveillance gathering technologies that once were the remit of only the most well resourced countries.
Between 2011 and 2023, at least 74 governments, most of them autocracies, purchased commercial spyware software, and even as democratic states are beginning to crack down on this technology, there exists “a burgeoning secondary tier of suppliers composed of boutique spyware firms, hacker-by-night operations, exploit brokers, and similar groups” supplying governments with advanced spyware, according to a study by the Carnegie Endowment for International Peace released earlier this month.
Nonetheless, security researchers were encouraged by Thursday’s statement. “The number of signatories in the joint statement is not as significant as the statement’s new focus on government end-use, shifting away from a dialogue that has primarily focused on irresponsible companies and spyware as a technology,” said Winnona DeSombre, a fellow at the Atlantic Council. “Eleven countries are actively creating norms in this space, particularly around creating proper guardrails.”
Alongside the statement on spyware, the 36 countries of the Freedom Online Coalition — and an additional six countries not part of the coalition — signed onto a set of guiding principles on government use of surveillance technology. The principles include appropriate legal protection, nondiscrimination, oversight and accountability, transparency, limitations on data scope and collection, respect for human rights and secure post-collection handling of data.
The spyware agreement comes on the heels of an executive order earlier this week in which President Biden prohibited U.S. agencies from using spyware that presents a threat to U.S. national security or is implicated in human rights abuses.
Rep. Jim Himes, D-Conn. the ranking member of the House Intelligence Committee, said on Thursday that he welcomed the executive order as a good first step in regulating the use of spyware but said the U.S. has much further to go in establishing rules of the road in using these tools.
“I will be the last person to tell you that the United States isn’t capable of misusing technology in ways that compromise our values,” Himes said, pointing out that the executive order fails to provide adequate guidance on how state and local governments use spyware.