State-Sponsored Digital Surveillance and Privacy Threats through Covert Software
A Visible Challenge to Privacy
DOI:
https://doi.org/10.26512/lstr.v18i2.59311Palabras clave:
Spyware. State. Surveillance. Rule of Law. Accountability.Resumen
[Purpose] This study investigates the global proliferation of privacy-infringing commercial surveillance technologies, such as Pegasus spyware, and examines the resulting concerns over state-sponsored privacy violations, abuse of telecommunications infrastructure, and breaches of international legal norms. It aims to clarify the legal responsibilities of states for facilitating or using spyware and to highlight the gaps in existing international law governing cross-border digital surveillance.
[Methodology/Approach/Design] Using a doctrinal qualitative methodology, the paper analyses treaties, customary international law, UN Human Rights Committee interpretations, state practices, jurisprudence, and scholarly commentary. It focuses on issues of state responsibility, digital sovereignty, attribution, due diligence, and extraterritorial liability in the context of cyber surveillance and spyware deployment.
[Findings] The research demonstrates that international law remains ambiguous and weak in regulating spyware markets and determining state liability. It highlights the failure of mechanisms such as the Wassenaar Arrangement and export control regimes to prevent misuse by both authoritarian and democratic states. National-level legal accountability remains inconsistent, with significant implications for judicial independence, rule of law, and privacy protection.
[Practical Implications] The paper underscores the urgent need for a robust multilateral framework to regulate state surveillance practices, ensure accountability within the spyware industry, and strengthen international enforcement tools to uphold privacy and human rights in the digital age.
[Originality/Value] This study offers a comprehensive analysis of state responsibility for spyware-facilitated surveillance, bridging doctrinal legal research with contemporary concerns about digital sovereignty and privacy rights. By critically examining the misuse of Pegasus spyware and existing regulatory gaps, it contributes to policy discourse, comparative legal scholarship, and the development of actionable international norms.
Descargas
Citas
Ahmed, A., & Perlroth, N. (2017, June 19). Using texts as lures, government spyware targets Mexican journalists and their families. The New York Times. https://www.nytimes.com/2017/06/19/world/americas/mexico-spyware-anticrime.html
Alexander, A., & Krishna, T. (2022). Pegasus Project: Re Questioning the legality of the cyber surveillance mechanism. Laws, 11(6), 85. https://doi.org/10.3390/laws11060085
Al Skeini and Others v. United Kingdom, App. No. 55721/07, Grand Chamber, European Court of Human Rights, Judgement delivered July 7, 2011.
Alubaidi, A. (2023). Challenges to implementing the international digital law to protect digital rights. Journal of Law and Sustainable Development, 11(5). https://doi.org/10.55908/sdgs.v11i5.554
Amnesty International. (2021, July 19). The Pegasus Project: Massive data leak reveals Israeli NSO Group’s spyware used to target activists, journalists, and political leaders globally. https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/
Ball, K., & Webster, W. (Eds.). (2020). Big Data and surveillance: hype, commercial logics and new intimate spheres. Big Data & Society. (SAGE). https://doi.org/10.1177/2053951720925853
Bapat, K. (2021, August 16). MEITY filed a limited affidavit in Supreme Court without confirming or denying if the Government used Pegasus. Internet Freedom Foundation https://internetfreedom.in/meity-filed-a-limited-affidavit-in-supreme-court-but-did-not-confirm-or-deny-if-the-government-used-pegasus/#:~:text=Govt's%20affidavit%20in%20SC%20doesn,Government%20used%20the%20Pegasus%20Spyware
Bapat, K. (2021, August 16). MEITY filed a limited affidavit in Supreme Court without confirming or denying if the government used Pegasus. Internet Freedom Foundation. https://internetfreedom.in/meity-filed-a-limited-affidavit-in-supreme-court-but-did-not-confirm-or-deny-if-the-government-used-pegasus/
Bhandari, V., & Lahiri, K. (2020). The surveillance state: Privacy and criminal investigation in India—Possible futures in a post-Puttaswamy world. University of Oxford Human Rights Hub Journal, 3(2), 15–45. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3580630
Bhatia, G. (2021, October 12). “The yes or a no”: The court must ask about Pegasus. The Hindu. https://www.thehindu.com/opinion/lead/the-yes-or-a-no-the-court-must-ask-about-pegasus/article36953053.ece
Broeders, D., & van den Berg, B. (2020). Governing cyberspace: Cyber norms and responsible state behavior in cyberspace. Bloomsbury Publishing.
Bromley, M. (2024, March 8). Export controls and cyber surveillance tools: Five suggestions for the Summit for Democracy. Stockholm International Peace Research Institute. https://www.sipri.org/commentary/2024/export-controls-cyber-surveillance-summit-democracy
Brown, C. (2024). Article 4 of the ARSIWA: Conduct of organs of a State. In A. Kulick & M. Waibel (Eds.), General International Law in International Investment Law: A Commentary (pp. 104–113). Oxford University Press. https://doi.org/10.1093/law/9780192849922.003.0018
Brown, C. (2024). Article 8 of the ARSIWA: Conduct of organs of a State. In A. Kulick & M. Waibel (Eds.), General international law in international investment law: A commentary (Chapter 17). Oxford University Press. https://doi.org/10.1093/law/9780192849922.003.0022
Carter v. Canada (Attorney General), 2015 SCC 5, [2015] 1 S.C.R. 331. Supreme Court of Canada.
Chatinakrob, T. (2024). Interplay of international law and cyberspace: State sovereignty violation, extraterritorial effects, and the paradigm of cyber sovereignty. Chinese Journal of International Law, 23(1), 25–72. https://doi.org/10.1093/chinesejil/jmae005
Coco, A., & de Souza Dias, T. (2021). “Cyber due diligence”: A patchwork of protective obligations in international law. European Journal of International Law, 32(3), 771–806. https://doi.org/10.1093/ejil/chab056
Court of Justice of the European Union. (2020). Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Schrems II), Case C-311/18.
De Gregorio, G. (2022). Digital constitutionalism in Europe: Reframing rights and powers in the algorithmic society. Cambridge University Press.
Deibert, R. J. (2020). Reset: Reclaiming the internet for civil society (CBC Massey Lectures). House of Anansi Press.
Dumbrava, C. (2023, June). Investigation of the use of Pegasus and equivalent surveillance spyware (At a Glance, PE 747.923). European Parliamentary Research Service, European Parliament. https://www.europarl.europa.eu/thinktank/en/document/EPRS_ATA%282023%29747923
European Court of Human Rights. (2015). Roman Zakharov v. Russia, No. 47143/06.
European Court of Human Rights. (2016). Szabó and Vissy v. Hungary, No. 37138/14.
European Data Protection Supervisor. (2022, February 15). Preliminary remarks on modern spyware. Complex Discovery. https://complexdiscovery.com/spyware-revelations-edps-remarks-on-modern-spyware/
European Parliament. (2023, May 8). Report of the Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA). https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/PEGA/DV/2023/05-08/REPORTcompromises_EN.pdf
European Union. (2000). Charter of Fundamental Rights of the European Union. (Article 7 & 8).
Gascón Marcén, A. (2024). The Budapest Convention and the UN Cybercrime Convention negotiations. In Global Cybersecurity and International Law (pp. 174–192). Routledge.
George, P. J. (2021, July 25). Explained: Pegasus and the laws on surveillance in India. The Hindu. https://www.thehindu.com/news/national/explained-pegasus-and-the-laws-on-surveillance-in-india/article61437972.ece
Human Rights Committee. (1988). General Comment No. 16: The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation (Art. 17). https://www.refworld.org/legal/general/hrc/1988/en/27539
Human Rights Committee. (2011). General Comment No. 34: Freedoms of opinion and expression. UN Doc. CCPR/C/GC/34. https://www.refworld.org/legal/general/hrc/2011/en/83764
Human Rights Committee. (2019). General Comment No. 36 (2018) on Article 6 (Right to Life) of the International Covenant on Civil and Political Rights (CCPR/C/GC/36). United Nations.
Human Rights Watch. (2014, July 17). United Nations: Rein in mass surveillance. Human Rights Watch. https://www.hrw.org/news/2014/07/17/united-nations-rein-mass-surveillance#:~:text=In%20the%20report%2C%20Pillay%20reaffirmed,some%20national%20laws%20currently%20provide.
Humble, K. P. (2021). International law, surveillance and the protection of privacy. The International Journal of Human Rights, 25(1), 1–25. https://doi.org/10.1080/13642987.2020.1763315
Inter-American Court of Human Rights (IACtHR). (2017). Advisory Opinion OC-23/17.
Inter-American Court of Human Rights. (2009). Escher et al. v. Brazil, Series C No. 200
International Court of Justice. (1986). Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, ICJ Reports 1986, 14.
International Criminal Tribunal for the former Yugoslavia. (1997, May 7). Tadić case: the verdict.
International Law Commission. (2001). Draft articles on responsibility of states for internationally wrongful acts, with commentaries (Art. 6) (Supplement No. 10, A/56/10, ch. IV.E.1). United Nations. https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf
International Law Commission. (2001). Draft articles on responsibility of states for internationally wrongful acts, with commentaries (Art. 11) (Supplement No. 10, A/56/10, ch. IV.E.1). United Nations. https://www.refworld.org/legal/otherinstr/ilc/2001/en/20951
International Law Commission. (2001). Draft articles on responsibility of states for internationally wrongful acts, with commentaries (Chapter IV, Article 16). United Nations.
International Telecommunication Union. (1992). Constitution and Convention of the International Telecommunication Union (Article 40). Geneva: ITU.
Jaffe, A. (2023). Global Surveillance (CQ Researcher). CQ Press.
Kaster, S. D., & Ensign, P. C. (2022). Privatized espionage: NSO Group Technologies and its Pegasus spyware. Thunderbird International Business Review, 65(3), 355–364. https://doi.org/10.1002/tie.22321
Kirchgaessner, S., Lewis, P., Pegg, D., Cutler, S., Lakhani, N., & Safi, M. (2021, July 18). Revealed: leak uncovers global abuse of cyber surveillance weapon. The Guardian. https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus
Kotliar, D. M., & Carmi, E. (2024). Keeping Pegasus on the wing: legitimizing cyber espionage. Information, Communication & Society, 27(8), 1499–1529. https://doi.org/10.1080/1369118X.2023.2245873
Kumar, R. (2025, January 12). How the Data Protection Act will impact you personally. The New Indian Express. https://www.newindianexpress.com/explainers/2025/Jan/12/how-the-data-protection-act-will-impact-you-personally
Kuner, C. (2021). The path to recognition of data protection in India: The role of the GDPR and international standards. National Law Review of India, 33(1), 1–23. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3964672
Lewis, P. (2021, July 18). Huge data leak shatters the lie that the innocent need not fear surveillance. The Guardian. https://www.theguardian.com/news/2021/jul/18/huge-data-leak-shatters-lie-innocent-need-not-fear-surveillance#:~:text=The%20data%20leak%20is%20a,entered%20on%20to%20a%20system.
MacAskill, E. & Dance, G. (2013, November 1). NSA files: Decoded—What the revelations mean for you [Interactive feature]. The Guardian. https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
MacAskill, E., & Dance, G. (2013, November 1). NSA Files: Decoded – decoding Snowden’s surveillance revelations [Interactive report]. The Guardian. https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded#section/1
Manohar Lal Sharma v. Union of India, AIR 2021 SC 5396.
Marczak, B., Scott-Railton, J., McKune, S., Abdul Razzak, B., & Deibert, R. (2018, September 18). Hide and seek: Tracking NSO Group’s Pegasus spyware to operations in 45 countries (Research Report No. 113). The Citizen Lab. https://nsarchive.gwu.edu/document/27613-6-citizen-lab-report-pegasus-spyware
Milanović, M. (2011). Extraterritorial application of human rights treaties: Law, principles, and policy. Oxford University Press.
Milanović, M. (2015). Human rights treaties and foreign surveillance: Privacy in the digital age. Harvard International Law Journal, 56, 81–112. https://www.ilsa.org/Jessup/Jessup16/Batch%202/MilanovicPrivacy.pdf
Milanović, M. (2022). Surveillance and cyber operations. In M. Gibney, et al. (Eds.), The Routledge handbook on extraterritorial human rights obligations (pp. 366–378). Routledge.
Moalin, United States v. Moalin, 973 F.3d 977 (9th Cir. 2020).
Naithani, P. (2021, December 4). Pegasus and the law. Letters, Economic and Political Weekly, 56(49). https://www.epw.in/journal/2021/49/letters/pegasus-and-law.html
NSO Group Technologies Ltd. (2021, June). Transparency and responsibility report 2021 [PDF]. NSO Group. https://www.nsogroup.com/wp-content/uploads/2021/06/ReportBooklet.pdf
Paranjoy. (2024, December 8). Indian use of Pegasus. Centre for the Study of Organized Hate. https://www.csohate.org/2024/12/08/indian-use-of-pegasus/
Penney, J. (2017). Internet surveillance, regulation, and chilling effects. Internet Policy Review, 6(2). https://doi.org/10.14763/2017.2.692
Penney, J. W. (2021). Cybersecurity, human rights, and empiricism: The case of digital surveillance. In P. Cornish (Ed.), The Oxford Handbook of Cyber Security (Chapter 56). Oxford University Press
Project Pegasus: How Phones of Journalists, Ministers, Activists May Have Been Used to Spy on Them. (2021, July 18). The Wire. https://thewire.in/rights/project-pegasus-journalists-ministers-activists-phones-spying
Riecke, L. (2023). Unmasking the term “dual use” in EU spyware export control. European Journal of International Law, 34(3), 697–720. https://doi.org/10.1093/ejil/chad039
Rosen Zvi, R. (2023, January 30). Managing Risky Business – The international regulatory framework of spyware companies: Where it is lacking and where it is heading. Center on Transnational Business and the Law Blog, Georgetown Law. https://www.law.georgetown.edu/ctbl/blog/managing-risky-business-the-international-regulatory-framework-of-spyware-companies-where-it-is-lacking-and-where-it-is-heading/
Schmitt, M. N. (Ed.). (2017). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press.
Sirohi, N. (2021, August 7). Pegasus in the Room: Law of surveillance and national security’s alibi [Commentary]. Observer Research Foundation. https://www.orfonline.org/expert-speak/pegasus-in-the-room-law-of-surveillance-and-national-securitys-alibi
Stahl, B. C., Schroeder, D., & Rodrigues, R. (2023). Surveillance capitalism. In Ethics of artificial intelligence (pp. 39–52). Springer. https://doi.org/10.1007/978-3-031-17040-9_4
Telford, T. (2021, December 28). Claims Polish government used spyware is ‘crisis for democracy’, says opposition. The Guardian. https://www.theguardian.com/world/2021/dec/28/poland-pegasus-spyware-donald-tusk
Tsagourias, N., & Buchan, R. (Eds.). (2021). Research Handbook on International Law and Cyberspace (2nd ed.). Edward Elgar Publishing.
Tufekci, Z. (2015). Algorithmic harms beyond Facebook and Google: Emergent challenges of computational agency. Colorado Technology Law Journal, 13(1), 203–218. https://scholar.law.colorado.edu/ctlj/vol13/iss2/4/
U.S. Department of Commerce, Bureau of Industry and Security. (2021, November 4). Commerce adds NSO Group and other foreign companies to Entity List for malicious cyber activities. https://www.bis.gov/press-release/commerce-adds-nso-group-other-foreign-companies-entity-list-malicious-cyber-activities
UN Human Rights Committee. (1988). General comment No. 16: Article 17 (Right to privacy). UN Doc. HRI/GEN/1/Rev.9.
United Nations General Assembly. (2014, December 18). The right to privacy in the digital age (A/RES/68/167). United Nations Digital Library. https://digitallibrary.un.org/record/764407?ln=en&v=pdf
United Nations Human Rights Committee. (2004, May 26). General comment No. 31 [80]: The nature of the general legal obligation imposed on States Parties to the Covenant (CCPR/C/21/Rev.1/Add.13). Refworld.
United Nations Human Rights Council. (2011). Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework. United Nations Office of the High Commissioner for Human Rights.
United Nations. (1948). Universal Declaration of Human Rights, Article 12.
United Nations. (1966). International Covenant on Civil and Political Rights, Article 17.
Wagner, B. (2012). Exporting censorship and surveillance technology. Netherlands: Humanist Institute for Co-operation with Developing Countries. PP. 1-19. https://www.academia.edu/2133607/Exporting_Censorship_and_Surveillance_Technology
Walker, S. (2024, April 1). Poland launches inquiry into previous government’s spyware use. The Guardian. https://www.theguardian.com/world/2024/apr/01/poland-launches-inquiry-into-previous-governments-spyware-use
Zalnieriute, M. (2022). Big Brother Watch and Others v. the United Kingdom. American Journal of International Law, 116(3), 585–592.
Descargas
Publicado
Cómo citar
Número
Sección
Licencia
Derechos de autor 2026 Law, State and Telecommunications Review
Esta obra está bajo una licencia internacional Creative Commons Atribución 4.0.
Al enviar este documento a la Revista de Derecho, Estado y Telecomunicaciones,
declaro que estoy aceptando los términos de Creative Commons Attribution 4.0 International (CC BY 4.0)
