It's old news that governments around the world are misusing private company-sold digital surveillance software track and target people for human rights abuses. Recently, Amnesty International reported finding that two prominent Moroccan human rights defenders had been targeted using Israeli-based NSO Group’s software. Just this week WhatsApp sued NSO group for using spyware, noting in the legal Complaint that NSO group counts the Kingdom of Bahrain, the United Arab Emirates and Mexico as customers and that WhatsApp had found targets with telephone numbers from each of those countries. Thanks to advocacy and research by EFF as well as our friends at Citizen Lab, Amnesty International, Privacy International, and others, there is now widespread understanding of the problem. But companies and activists and governments are still struggling to find solutions.  All the while private companies based in the UK and Germany (FinFisher), Italy (Hacking Team), and Israel (NSO Group) continue to profit by selling “lawful interception software” to governments and law enforcement organizations in countries with unquestionably poor human rights records. 

Some, including Citizen Lab and UN Special Rapporteur David Kaye, have suggested that a moratorium on the sale, transfer, and use of this kind of surveillance software should go into effect until a robust human-rights-compliant regulatory framework is in place. “Companies appear to be operating without constraint,” says Kaye.  “It is critical that companies themselves adhere to their human rights responsibilities, including by disclosing their transfers, conducting rigorous human rights impact assessments, and avoiding transfers to States unable to guarantee their compliance with their human rights obligations.” 

Whether we achieve a moratorium or not, in the long run we need a strategy to protect human rights defenders, journalists, activists, and ordinary people from unlawful and human rights-violating intercepts, even as law enforcement conducts lawful intercepts that abide by human rights law.   Especially in smaller countries, private companies will likely continue to offer tools that can do both.  

So what should responsible corporate behavior look like? The first step is drafting solid policy documents. This is essential and a close review of the document can often show whether it reflects a true commitment to protecting human rights or not.

The second step, and the  true measure of a good human rights policy, is whether it actually protects human rights in practice.  If not, the issuance of a human rights policy becomes just another public relations stunt. So while calling for strong policies is good, and EFF continues to do so, whether the paper policy works or is just papering over of bad behavior must ultimately be seen in the implementation.

That’s why we’re highly skeptical about the Human Rights Policy recently issued by NSO Group.  At first glance, it appears to be exactly the kind of policy document that we are pushing for, but the gap between the words and NSO Groups actions is already big, and seems to be getting bigger with the WhatsApp lawsuit. 

But let's start with the words.  The policy begins, “As part of NSO’s commitment and alignment to the UN Guiding Principles on Business and Human Rights, human rights protections are embedded throughout all aspects of our work. We hold ourselves to the highest standards for ethical business, taking all reasonable steps to prevent and mitigate the risk of misuse of our products.”

Sounds good so far. 

But later we see clear signals that this policy may be the product of the PR and marketing departments, rather than an indication of an actual shift in policy. Let’s start with the short shrift given to transparency and accountability.  The closest thing to outside oversight is a promise that “procedures will be reviewed periodically by experienced human rights compliance experts and updated based on their findings and recommendations.” Who are these experts? We don’t know. Of course the document itself need not have the names in it, but NSO should somewhere be transparent about who is doing their outside transparency reviews and so far, we haven't seen that. 

Who will read these findings? How will we know if they are implemented? Here’s another place where NSO Group gives itself a lot of leeway. On the one hand the policy emphasizes the company’s commitment to transparency, in the form of public reports on the “principles and effectiveness of our human rights policy.” But then here’s the catch—it’s only after “taking into consideration the legal, contractual, security, and commercial constraints which may limit our freedom to disclose specific information.” While we understand that some constraints might exist—there could be legitimate confidential information in human rights reviews—this language, plus our understanding of how confidentiality and secrecy are part and parcel of  these government surveillance arrangements, makes us worry that these "considerations"  could swallow the transparency promise whole. And of course NSO Group decides these “constraints,” so it has left itself a loophole to publish reports containing nothing of value. We will be watching closely to see how this plays out.

More importantly, this new policy has been issued in the shadow of  a tremendous disconnect between what NSO Group  says it is going to do and its record on human rights abuses so far. This includes its involvement in Mexico, in Saudi Arabia and its decision to sue the Guardian newspaper for reporting the (true) fact that a major stake in the company is co-owned by former chief executive of London’s famous Serpentine Galleries.  And of course this now includes the facts of the WhatsApp complaint of targets including "attorneys, journalists, human rights activists, political
dissidents, diplomats, and other senior foreign government officials." 

While the NSO Group is currently in the hot seat, EFF also highlighted the need to ensure that companies don’t just issue paper promises on human rights in our recent comments to the US Department of State’s Bureau of Democracy, Human Rights, and Labor. The Bureau recently published draft guidance for the export of these technologies that we think is an excellent start for companies who don’t want to assist in human rights abuses. The Guidance comports with, and develops further, the ideas contained our own proposal, called Know Your Customer. Both are modeled on requirements that U.S. companies already have to follow in the export control and anti-bribery context, adding human rights concerns to the list of screens and actions that companies already undertake when selling their products to foreign governments. 

Under this framework, companies providing technologies or technical services either directly or indirectly to governments—especially the kinds of technologies that require ongoing support and upgrades—should investigate who is buying and using their technologies. They should either try to build tools that are resistant to abuses or, if they cannot do so, refrain from providing or supporting technologies that appear to support human rights abuses.  And the process must be ongoing. Companies should conduct periodic review, audit and update of their processes, require empowered staff participation up to and including the executive team, and ensure public reporting.

In our comments we note that the State Department has done a good job outlining what a strong policy should look like. There, as here, we note that the challenge will lie in the implementation. 

Even with Guidance from the U.S. State Department, more work needs to be done.  This is especially true since most of the high profile companies selling these surveillance tools are not based in the U.S. and may not sell directly into the U.S. market.

The fact that NSO Group recognized that it needed to provide a policy aimed at protecting human rights shows that those of us in the civil society community have made progress. Just a few years ago these companies flew under the radar or, worse, claimed that they had no responsibilities to protect human rights at all.  

The next step is clear. We need to hold them to their promises. All  companies selling tools to governments that can be used to violate human rights, whether based in the U.S. or around the world, must go beyond paper policies and actually stand up to protect human rights. In that regard, NSO Group still has a long, long way to go. 

But it’s good that the State Department is seeking to be a leader in promoting human rights protective policies and we hope that it will continue to work to be a  leader in this kind of guidance. Overall, we hope that the Know Your Customer approach will be adopted by companies and countries around the world to ensure the tools we build and sell are not used to enable human rights abuses anywhere in the world.