Back to main site

    Commercial surveillance

    Module 2: Digital attacks and Online Gender-Based Violence

    Overview

    • Commercial surveillance: This involves the collection, processing, monitoring, analysis, and storage of their data relying on technological tools developed by the private surveillance industry but could ultimately be conducted by either state or non-state actors.(1)
    • Tools and technology: In recent years, a powerful, profitable, and growing private surveillance industry has emerged driven by the demand by state entities for the services and products of private technology companies. Many of these tools have been procured and used by states specifically to target journalists, activists, opposition figures and others critical of the state.(2) Commercial surveillance tools and technologies “ultimately [serve] as a means of intimidation, increasing the risks faced by journalists and their sources and undercutting critical reporting.”(3)
    • Calls for action: This targeting of journalists has led to calls from civil society for an immediate moratorium on the sale and transfer of these tools while appropriate human rights safeguards can be put in place.(4) Privacy International has noted the various transparency, public procurement, accountability, oversight, and redress challenges of public-private surveillance partnerships.(5)

    International law and standards

    As noted above, surveillance implicates several rights under international human rights law, including privacy, dignity, freedom of expression, and media freedom. In the context of commercial surveillance important considerations around business and human rights come to the fore:

    While states are primary duty-bearers under international human rights law, the endorsement of the UN Guiding Principles on Business and Human Rights by the UNHRC in its Resolution 17/4 solidified that business entities also have responsibilities for respecting and promoting human rights.(6) This includes:

    • respecting human rights;
    • mitigating human rights impacts of their operations; and
    • providing remedies for human rights violations.(7)

    As part of this responsibility, companies should “conduct due diligence and impact assessment[s] to prevent or mitigate any adverse impact on human rights resulting from their operations, products, or services, including attacks on journalists and the erosion of media freedom.”(8)

    Guidelines for tech companies

    In 2011, the UN established the Working Group on the Issue of Human Rights and Transnational Corporations and Other Business Enterprises, which has encouraged technology companies to “commit to the confidentiality of digital communications, including encryption and anonymity” and urged tech companies to remind states that the surveillance of individuals, including journalists, “may only be conducted on a targeted basis, and only when there is reasonable suspicion that someone is engaging, or planning to engage, in serious criminal offences, based on principles of necessity and proportionality, and with judicial supervision.”(9)

    National laws

    Generally, in the SSA region, the commercial surveillance infrastructure remains obscured from public view, with public-private surveillance agreements frequently being negotiated in private with little public oversight.(10)

    As such, the use of litigation as a course of action to remedy unlawful or arbitrary commercial surveillance is challenging, with the UNSR on FreeEx noting that victims of targeted surveillance have frequently had little success in the courts and that at the domestic level, there is a lack of judicial oversight, remedies, and enforcement.(11)

    Litigation on Spyware Targeting Journalists: NSO Group

    In 2021, the Pegasus Project revealed that more than 180 journalists across 20 countries have been potentially targeted for surveillance by governments relying on spyware produced by NSO Group Technologies. Pegasus, NSO’s premier spyware tool, breaks encryption protections for communications devices before proceeding to infect the devices with spyware to monitor communications.(12) NSO Group sells this software on a subscription basis to law enforcement and intelligence agencies around the world.(13)

    Legal action has been taken against NSO Group by several actors with varying legal bases. In 2020, Amnesty International unsuccessfully approached an Israeli District Court seeking to have NGO Groups’ export license revoked.(14) In India, the Supreme Court ordered an investigation in 2021 into the government’s alleged use of the spyware to illegally surveil journalists, activists, and political opponents.(15) In 2022, the committee concluded its investigation but did not release its findings publicly beyond noting that the Indian authorities “did not cooperate” with the investigators, and new incidents of the use of technology to spy on journalists continue to be revealed.(16)

    Footnotes

    1. UNHRC, ‘Resolution on the Right to Privacy in the Digital Age,’ (2019) (accessible at https://undocs.org/Home/Mobile?FinalSymbol=A/HRC/RES/42/15&Language=E&DeviceType=Desktop&LangRequested=False). Back
    2. UNHRC, ‘Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression on Surveillance and human rights ’(2019) (accessible at https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/41/35) (UNSR on FreeEx Report on Surveillance and human rights) and OHCHR, ‘Digital surveillance treats “journalists as criminals”’ (2022) (accessible at https://www.ohchr.org/en/stories/2022/05/digital-surveillance-treats-journalists-criminals). Back
    3. UNSR on FreeEx Report on the safety of journalists in the digital age above n 128. Back
    4. ARTICLE 19 Eastern Africa, ‘Unseen Eyes, Unheard Stories’ (2021) (accessible at https://www.article19.org/resources/unseen-eyes-unheard-stories-documentaries-on-the-experiences-of-surveillance-in-kenya-and-uganda/). Back
    5. Privacy International, ‘Safeguards for Public-Private Surveillance Partnerships’ (2021) (accessible at https://privacyinternational.org/sites/default/files/2021-12/PI PPP Safeguards [FINAL DRAFT 07.12.21].pdf). Seea also Privacy International, ‘PI’s Guide to International Law and Surveillance’ (2021) (accessible at https://www.privacyinternational.org/sites/default/files/2022-01/2021 GILS version 3.0_0.pdf). Back
    6. UNHRC, ‘Human rights and transnational corporations and other business enterprises’ (2011) (accessible at https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/RES/17/4). Back
    7. UN Guiding Principles on Business and Human Rights above n 47. See also OHCHR, The Corporate Responsibility to Respect Human Rights an Interpretive Guide’ (2012) (accessible at https://www.ohchr.org/sites/default/files/Documents/Publications/HR.PUB.12.2_En.pdf). See further APC, ‘Why cybersecurity is a human rights issue, and it is time to start treating it like one’ (2019) (accessible at https://www.apc.org/en/news/why-cybersecurity-human-rights-issue-and-it-time-start-treating-it-one#:~:text=However, when it comes to cybersecurity, international human,under the rubric of international security and disarmament). Back
    8. UNSR on FreeEx Report on the safety of journalists in the digital age above n 128. Back
    9. UNHRC, ‘The Guiding Principles on Business and Human Rights: guidance on ensuring respect for human rights defenders’, (2021) (accessible at https://www.ohchr.org/en/documents/thematic-reports/ahrc4739add2-guiding-principles-business-and-human-rights-guidance). Back
    10. Privacy International, ‘Safeguards for Public-Private Surveillance Partnerships’, December 2021 (accessible at https://privacyinternational.org/sites/default/files/2021-12/PI PPP Safeguards [FINAL DRAFT 07.12.21].pdf). Back
    11. UNHRC, ‘Surveillance and human rights – Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression’, 28 May 2019 (accessible at https://ap.ohchr.org/documents/dpage_e.aspx?si=A/HRC/41/35). Back
    12. ARTICLE 19, ‘Rwanda: Surveillance revelations opportunity to reform legal and encryption environment’, 26 July 2021 (accessible at https://www.article19.org/resources/rwanda-surveillance-revelations-opportunity-to-reform-legal/). Back
    13. Ronen Bergman & Mark Mazzetti, ‘The Battle for the World’s Most Powerful Cyberweapon’, 28 January 2022 (accessible at https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html). Back
    14. Amnesty International, ‘Israel: Court rejects bid to revoke notorious spyware firm NSO Group’s export licence,’ (2020) (accessible at https://www.amnesty.org/en/latest/news/2020/07/israel-court-notorious-spyware-firm-nso/). Back
    15. The Guardian, ‘Indian supreme court orders inquiry into state’s use of Pegasus spyware,’ (2021) (accessible at https://www.theguardian.com/news/2021/oct/27/indian-supreme-court-orders-inquiry-into-states-use-of-pegasus-spyware). Back
    16. Amnesty International, ‘India: Damning new forensic investigation reveals repeated use of Pegasus spyware to target high-profile journalists,’ (2023) (accessible at https://www.amnesty.org/en/latest/news/2023/12/india-damning-new-forensic-investigation-reveals-repeated-use-of-pegasus-spyware-to-target-high-profile-journalists/). Back