Day 0 Event #254 Spyware Accountability in Global South

Summary

This roundtable discussion focused on surveillance and spyware accountability from Global South perspectives, examining how commercial cyber intrusion capabilities like Pegasus are deployed against civil society actors worldwide. The conversation was moderated by Nighat Dad and featured speakers from Mexico, India, Lebanon, the UK, and Meta, alongside a former UN Special Rapporteur on Freedom of Expression.

Speakers highlighted how surveillance in the Global South differs significantly from the Global North context, often occurring within environments characterized by weak legal safeguards, corruption, and authoritarian tendencies. Ana Gaitan from Mexico described how governments exploit security crises to justify surveillance powers, which are then systematically abused to target human rights defenders and journalists investigating military abuses. Apar Gupta from India detailed how Pegasus revelations exposed targeting of reporters, opposition leaders, and even Supreme Court judges, demonstrating threats to democratic institutions built on colonial-era telecommunications laws.

Mohammad Najem from Lebanon explained how the MENA region experienced a dramatic shift after the Arab Spring, with authoritarian regimes implementing extensive surveillance alongside restrictive cybercrime laws. He noted that Gulf countries are not only using surveillance tools but also developing and selling their own spyware as part of geopolitical strategies. The discussion revealed that surveillance has become a thriving business, with over 500 companies selling tools to approximately 65 governments globally.

Elizabeth Davies from the UK presented the Pall Mall Process, a multi-stakeholder initiative launched by the UK and France to address commercial cyber intrusion capabilities through international consensus-building and codes of practice for states. David Kaye emphasized the importance of moving from soft law to concrete implementation, highlighting successful litigation like Meta’s $168 million award against NSO Group. Rima Amin from Meta described the company’s efforts to investigate and disrupt over 20 surveillance-for-hire firms targeting people across 200 countries.

The discussion concluded with calls for enhanced export controls, human rights due diligence, victim notification systems, and meaningful inclusion of Global South voices in international accountability processes.

Keypoints

## Major Discussion Points:

– **Global South surveillance patterns and impacts**: Speakers from Mexico, India, and MENA regions described how surveillance technologies like Pegasus are systematically used to target journalists, human rights defenders, and civil society activists, often exploiting security crises to justify expanded surveillance powers while operating with complete impunity and lack of accountability.

– **Business and geopolitical dimensions of spyware**: The discussion revealed how surveillance has become a lucrative business model, with countries like UAE and Gulf states not only using spyware domestically but developing and selling their own surveillance technologies to gain geopolitical influence and generate revenue, including surveillance of allies and friends.

– **Legal and accountability gaps**: Multiple speakers highlighted the failure of domestic legal systems to provide remedies for spyware victims, with court cases stalling, expert committee findings remaining secret, and authorities claiming no documentation exists of surveillance programs, demonstrating systemic obstacles to justice in the Global South.

– **International initiatives and their limitations**: The Pall Mall Process led by UK and France was discussed as a potential solution, but speakers emphasized the need for meaningful Global South inclusion, moving beyond soft law to binding implementation, and ensuring that international standards address the specific contexts of corruption, weak institutions, and authoritarian tendencies in developing countries.

– **Technical capacity building and victim support**: The conversation addressed the urgent need for Global South civil society organizations to build their own technical capacity for investigating spyware, supporting victims, and conducting device forensics, as current expertise and resources are concentrated in Global North organizations.

## Overall Purpose:

The discussion aimed to center Global South perspectives in international debates about surveillance accountability, examining how spyware technologies manifest differently in developing regions compared to the Global North, and exploring how international initiatives like the Pall Mall Process can be made more inclusive and effective for addressing surveillance abuses in contexts characterized by weak legal safeguards and authoritarian governance.

## Overall Tone:

The tone was serious and urgent throughout, with speakers conveying deep concern about the expanding surveillance threat. While maintaining a professional academic discourse, there was an underlying frustration about the lack of accountability and the concentration of power in surveillance technologies. The tone became slightly more optimistic when discussing potential solutions and international cooperation, but remained soberly realistic about the significant challenges ahead, particularly regarding implementation and the need for sustained commitment to meaningful change.

Speakers

**Speakers from the provided list:**

– **Nighat Dad** – Runs Digital Rights Foundation, based in Pakistan, working in South Asia on surveillance and digital rights issues (appears to be the moderator)

– **Ana Gaitan** – From R3D Mexico, expert on surveillance and digital rights issues in Latin America

– **Apar Gupta** – From Internet Freedom Foundation India, working on surveillance accountability and digital rights in South Asia

– **Mohamad Najem** – Runs SMEX (organization), based in Lebanon, working on digital rights issues in the MENA region

– **Elizabeth Davies** – Policy lead at Pall Mall Process Policy, UK Foreign Commonwealth and Development Office Cyber Policy Department

– **David Kaye** – Law professor at the University of California, former UN Special Rapporteur on Freedom of Expression

– **Rima Amin** – Security policy manager at META, focused on community defense

– **Jennifer Brody** – From Freedom House (asked a question from the audience)

**Additional speakers:**

None identified beyond the provided speakers names list.

# Surveillance and Spyware Accountability: Global South Perspectives

## Discussion Summary

### Introduction and Context

This roundtable discussion, moderated by Nighat Dad from the Digital Rights Foundation in Pakistan, brought together experts from across the Global South and international stakeholders to examine surveillance and spyware accountability. The conversation featured speakers from Mexico, India, Lebanon, the United Kingdom, and Meta, alongside a former UN Special Rapporteur on Freedom of Expression.

The discussion emerged against the backdrop of revelations about widespread spyware abuse, with over 500 companies now selling surveillance tools to approximately 65 governments globally, creating what speakers described as a thriving surveillance business that poses fundamental threats to democratic institutions and human rights.

### Global South Surveillance Patterns and Impacts

#### Latin America: Security Narratives Masking Repression

Ana Gaitan from R3D Mexico revealed how governments exploit security crises to justify expanded surveillance powers while systematically targeting those who challenge state authority. She explained that “these narratives are actually being used to criminalise citizens in contexts usually represented by high rates of impunity, corruption, and collusion with organised crime.”

Gaitan described how surveillance powers in Latin America are abused to target human rights defenders and journalists, particularly in countries with “legacies of past military dictatorships and systemic human rights violations where the rule has been to control, repress, and censor all dissent.” She highlighted Mexico, where military control of surveillance systems enables targeting of human rights defenders investigating army abuses.

The accountability gap in Mexico is particularly striking. Despite clear evidence of Pegasus targeting victims including “undersecretary Encinas” and “Centro Pro,” criminal complaints are systematically obstructed by authorities who claim no documentation exists of surveillance programmes, creating a cycle of impunity.

#### South Asia: Colonial Legacies and Democratic Threats

Apar Gupta from the Internet Freedom Foundation India emphasized that spyware represents “not a hypothetical threat and it is not a threat which is individualised, but is a societal threat to already democratic systems which are under strain and rule of law which exists inconsistently.”

Gupta explained how post-colonial telecommunications laws enable secretive executive surveillance without proper judicial oversight. The Pegasus revelations in India exposed targeting of reporters, opposition leaders, and even Supreme Court judges. Despite a Supreme Court-ordered investigation, the expert committee’s findings remain secret even from petitioners whose devices were examined.

Moderator Nighat Dad provided crucial context about Pakistan’s surveillance infrastructure, revealing that telecommunications providers are required to ensure surveillance capabilities for “at least 2% of their customer base, which is around 4 million people, so 4 million people are under surveillance at any given time in this country.”

#### MENA Region: Post-Arab Spring Surveillance Expansion

Mohamad Najem from SMEX in Lebanon described how the Middle East and North Africa region experienced dramatic transformation following the Arab Spring, with authoritarian regimes implementing extensive surveillance alongside restrictive cybercrime laws. He noted that “this kind of regulation affected a lot the space, and we started seeing a lot of people going to jail for, like, 10 years, 15 years, for things they have said online.”

Najem revealed that Gulf countries are not only using surveillance tools domestically but are also developing and selling their own spyware. He explained that “a lot of these countries are making these softwares to make money,” and noted concerning examples like the UAE providing surveillance software to “RSF Like the rapid support group in Sudan.”

The scope of surveillance extends beyond traditional targets, with Najem noting that “they’re not doing surveillance on their enemies, on activists, but they’re also doing surveillance on other politicians, on their friends, on their cousins.”

### Legal and Accountability Gaps

A consistent theme was the systematic failure of domestic legal systems to provide remedies for spyware victims. Ana Gaitan described how Mexican authorities obstruct criminal complaints by claiming no documentation exists despite clear evidence of abuse. In India, Apar Gupta highlighted how even Supreme Court interventions prove inadequate, with institutional limitations preventing effective parliamentary or judicial remedies.

Mohamad Najem pointed to high-profile cases like the Khashoggi assassination, where despite known spyware use and international attention, “no accountability even for major crimes” has been achieved.

### International Initiatives: The Pall Mall Process

Elizabeth Davies from the UK Foreign Commonwealth and Development Office presented the Pall Mall Process, launched by the UK and France in February 2024, as a multi-stakeholder approach to establish international consensus on surveillance technologies. The process has achieved support from 24 other states for a code of practice.

Davies announced the UK’s Common Good Cyber Fund, developed with Canadian partners, to support civil society actors at high risk of digital transnational repression. However, she emphasized that “implementation is crucial next step,” acknowledging that soft law commitments must translate into concrete action.

David Kaye, former UN Special Rapporteur on Freedom of Expression, warned that “states are just kind of driving trucks through any small space that they can carve out to do what they wanna do.” He highlighted concerning developments like the European Union’s Media Freedom Act, which “actually carves out a little bit of space for the use of spyware against journalism.”

### Private Sector Role and Litigation

Rima Amin from Meta described the company’s efforts to investigate and disrupt over 20 surveillance-for-hire firms targeting people across 200 countries. The WhatsApp lawsuit against NSO Group resulted in a $168 million award, which David Kaye highlighted as demonstrating that “legal action is possible.”

However, Amin emphasized that “legal recourse must be accessible specifically for those targeted by surveillance technologies,” highlighting the need for more comprehensive victim support systems.

### Capacity Building and Knowledge Transfer

Nighat Dad explained that “transfer of that knowledge is happening at a very slow pace,” forcing Global South organisations to “build our own knowledge and capacity so that we are on ground, can provide the support to the victims and survivors as first responders.” She mentioned that DRF is building an emerging threat lab to provide device forensics capabilities.

Apar Gupta highlighted the need for victims to access device testing methodology, given the high barriers that exist in domestic jurisdictions.

### Key Recommendations and Proposals

Apar Gupta outlined three specific recommendations:

1. A moratorium on commercial spyware

2. Export control alignments between countries

3. Victim notification rights

The discussion revealed tension between restrictive approaches that prioritise preventing abuse and permissive approaches that seek to balance legitimate uses with human rights protections. Kaye advocated for narrowing the scope as much as possible, while Davies promoted a broader multi-stakeholder approach that acknowledges legitimate uses with proper safeguards.

### Conclusion

The discussion revealed surveillance and spyware accountability as a complex challenge requiring coordinated international action while respecting the specific contexts of Global South countries. Speakers demonstrated consensus around the systematic misuse of surveillance technologies against civil society actors and the urgent need for victim support systems and accessible legal remedies.

The conversation highlighted the inadequacy of current responses, particularly in addressing the structural conditions that enable abuse in developing countries, and emphasized the need for enhanced capacity building and genuine partnership between Global North and Global South stakeholders.

Nighat Dad: In 2021, the Pegasus Project, an investigation by Forbidden Stories and Amnesty International shook the world. It revealed how Pegasus, a military-grade spyware developed by the Israeli firm NSO Group, had been used to target at least 189 journalists, 85 human rights defenders, and over 600 politicians and government officials globally, including cabinet ministers and diplomats. This was not just a moment of reckoning. It sparked a global demand for accountability. Since then, we have seen some movements in the U.S. blacklisted NSO Group and other surveillance firms. The U.K. and France launched the PolMol process earlier this year to start conversation around ethical oversight of such technologies. But despite these efforts, surveillance remains a booming, largely unregulated industry. Over 500 companies continue to market and sell these tools to around 65 governments worldwide, many of them in the Global South. While the discourse on ethical oversight and regulation is growing, it remains largely centered in the Global North. What’s missing are the perspectives, experiences, and context from the Global South, where surveillance not only thrives in silence, but often intersects with weak legal safeguards, authoritarian impulses, and shrinking civic spaces. And that’s why we are here. This roundtable is an attempt to bridge that gap to center the Global South voices in global surveillance and accountability debates. We want to ask, what does surveillance look like in regions like Latin America, South Asia, MENA region, and Africa? What forms does it take from sophisticated spyware like Pegasus to more traditional brick and mortar tactics still used by many actors around us? And critically, how do the solutions from the Global North apply or not apply in our context? Over the past five years, the surveillance industry, tech industry, has been a growing industry. It’s a growing industry. It’s a growing industry. It’s a growing industry. has only expanded. Even the most cautious individuals, journalists, human rights defenders, civil society actors, find themselves vulnerable. And it’s no longer just about states surveilling citizens. We are now seeing an ecosystem where private actors, outsourced contractors, and even foreign governments are deploying these tools to watch, track, and silence dissent. So I’ll just stop here with the introduction and just introduce some of our panelists who are here and two panelists who are joining us online. We have Ana Gaten from R3D Mexico. We have Apar Gupta from Internet Freedom Foundation India, Mohammad Najam from SMEX Lebanon, Elizabeth Davis, who is a policy lead at Pall Mall Process Policy, UK Foreign Commonwealth and Development Office Cyber Policy Department, David Kaye, who is a law professor at the University of California and former UN Special Rapporteur on Freedom of Expression. And last but not the least, Reema Amin, who is a security policy manager at META, focused on community defense. So I’ll start with my first question to Ana, basically. If you can just tell us a little bit about what are the implications of state-sanctioned cyber intrusion on its citizens in your region, but also in the global south, specifically, in what context in Latin America is differ from the north when it comes to surveillance and spyware technology?

Ana Gaitan: Sure. Thank you, Nighat. In many Latin American countries, governments have taken advantage of security crisis experienced by their societies to make it appear like our only alternative to protect ourselves is to give up our privacy, implying that if we do not, we will only be helping criminals commit more crimes. However, the reality is that these narratives are actually being used to criminalize citizens in contexts usually represented by high rates of impunity, corruption, and collusion with organized crime. Thus, rather to give us more security, surveillance powers in Latin America are abused to target human rights defenders and journalists in legacies of past military dictatorships and systemic human rights violations where the rule has been to control, repress, and censor all dissent. For example, in Mexico, abusive surveillance powers exacerbate in a context where Mexico has led and maintained for more than 15 years a military approach to public security risks, granting powers to the military that are constitutionally prohibited. The army has systematically abused surveillance technologies to interfere with investigations carried out officially and by human rights defenders and journalists related to the army’s human rights abuses, such as extrajudicial killings and enforced disappearances. Many of the Pegasus infections occur at times when the victims were carrying out work related to human rights violations committed by armed forces or police authorities. In fact, information that has been made public as a result of the hacking carried out by Colectivo Guacamaya confirms that the surveillance and monitoring activities carried out are mainly done against civil organizations, human rights defenders, activists, and journalists where they are classified as pressure groups for their work in defense of human rights. For example, in Mexico, one of the victims, undersecretary Encinas, was in charge of the Truth Commission for the disappearance of 43 students from Ayotzinapa in which army personnel participated. And another victim was Centro Pro, a human rights organization who represented the families of the victims in this case and represents many other victims of human rights violations by the army. In 2017, 2022, and 2023, surveilled victims of the Pegasus infections were identified teams in Mexico, mainly human rights defenders and journalists, filed criminal complaints with the Special Prosecutor’s Office for Crimes Against Freedom of Expression for the crimes of illegal interception of private communications and illegal access to computer systems. However, despite multiple calls by national and international actors regarding the need to carry out a diligent investigation, justice and accountability have been obstructed by the authorities under scrutiny, who consistently claim no database or formal documentation of the records regarding the persons of numbers targeted by Pegasus exist. Furthermore, in a context in which the army does not only control the federal security and intelligence apparatus but now controls ports, airports and roads, as well as operates trains, refineries, airlines, touristic resorts, banks and many other business interests, it is particularly problematic that it deploys surveillance technologies with complete opacity and impunity. And I think that in general terms, this is the context in which Latin American countries usually use and abuse surveillance powers in which they try to stifle dissent and represent censored human rights defenders and journalists without any type of redress or reparation for the victims’ access to justice, non-judicial or non-judicial remedies. So I would end with that.

Nighat Dad: Thank you so much, Ana. I’ll head to Apar Gupta, who is joining us online. And Apar, if you can build on what Ana basically described, what is happening in their region, how do you think surveillance has manifested in your or our part of the world? Are zero-click attacks a significant threat in the region or do other urgent issues take precedence? And what role has the Internet Freedom Foundation played in this regard?

Apar Gupta: Thank you so much, Nighat. Picking up from the remarks which were made by Ana. I think there is continuity as well as similarity in our experience in India. The Pegasus revelations of July 2021 included at least 38 reporters who were prominent in their criticism of the government, opposition leaders and activists, and even included a sitting Supreme Court judge. And this shows and demonstrates that the very functionaries who are vested with both official powers as well as roles and responsibilities in order to keep the state honest, in order to ensure that democracy preserves, are themselves the victims of zero-click attacks. Therefore, it’s not a hypothetical threat and it is not a threat which is individualized, but is a societal threat to already democratic systems which are under strain and rule of law which exists inconsistently in countries in South Asia. And this brings into sharp focus where the underlying foundation of the telecommunication laws in many countries in South Asia comes from a post-colonial legacy in which the state had absolute control over the spectrum and the airwaves, and extension of this has resulted in an opaque secretive system in which there is no requirement of judicial sanction and there is no independent parliamentary oversight in which most of the powers are centralized within the executive branch of the federal government itself. So, it is essentially a secretive procurement and then subsequent deployment of spyware technology which attacks the very roots of a democratic system across South Asia which builds off this colonial legacy. And is it still continuing? Or was it just a one-off instance in 2019 and then in 2021 in India? The notifications by Apple in October 2023 included scores of Indian MPs and reporters of a state-sponsored attack on iPhones, and which had echoes of Pegasus. So this is a problem which is much more wider than one specific company or one specific type of software. And our response to this has been, firstly, increasing the amount of public awareness around this issue, that this is not a conventional issue of surveillance in which information is being gathered in breach of the law. This is something which is a much more deeper harm to a democratic system itself. So IFF launched a campaign around it. There was strategic litigation, which was also conducted in the Supreme Court, which remains pending. And there was a special committee constituted by the Indian Supreme Court, whose findings are not yet public. This also demonstrates the remedial gaps which exist in rule-of-law processes, where institutions may not strongly react to infections by spyware domestically through this court. And subsequently, we have also filed one petition asking for a much more structural reform of India’s surveillance laws. Three short points before I end this intervention. The repeated instances of the use of spyware, the foundational deficiencies in our legal system, as well as institutional frameworks to enforce remedy, calls into sharp focus the need for platforms, as well as multilateral and multi-stakeholders, the organization and processes to do the following. Possibly consider monetarium, non-commercial spyware until its legality, necessity and proportionality principles can be set through multilateral frameworks, export control alignments which also have transparency requirements to which countries, what kinds of technologies are being used. issued, and what are the standards for which such kind of export controls actually apply. And specifically, till that happens, for victim notification and right, which enables the right to remedy, should be maintained by most platforms when they do detect spyware infections. So much.

Nighat Dad: Yeah. Apar, thank you so much for giving us a detailed picture of what is happening in India, but beyond India, in South Asia. And the kind of actions that IFF has taken. I just wanted to ask you, the cases are still pending, or in any of those petitions, have you heard from the courts or any hope around those petitions?

Apar Gupta: So, there was a high amount of hope when the petitions were initially filed, given there was a vast amount of public interest, as well as the reporting activity which was being carried around them. The petitions came to be filed shortly after the revelations were made, sometime in September 2021. And an expert committee was set up, however, its findings were not made public. And the case was then not posted for active hearing, at least for a period of two years, from 2023 to 2025. Earlier in the year, the case did come up for hearing, but then again, it is not a case which is proceeding fairly, with some kind of pace. And the fight right now is to get the determinations by the expert committee as to the examination of the devices made public, or at least even be made available to the very petitioners who have approached the court, whose phones were submitted to the committee. Even they don’t have access to the report. Again, I will re-emphasize, while it is essential for a lot of people in South Asia, not only in India, to engage with their courts, with Parliament, in the public sphere. There are limitations which are there in these institutional processes as to the autonomy and ability to provide remedy to victims.

Nighat Dad: Thank you so much, Apar. I would just say that, especially in South Asia, keeping in mind geopolitics and especially ongoing conflicts going on, I think it’s becoming more and more difficult for civil society to raise issues around spyware, surveillance. It sort of has become a taboo issue over the years, where you, when you mention accountability on spyware technologies, that’s where you also kind of, you are in a situation where you, there are several backlashes coming from different segments of the state and other actors. I’ll come to you, Mohamad Najem. You run this organization, SMACS, in MENA, and I wanted to ask you if you can also elaborate some patterns that you have observed in how spyware is deployed in your region, in MENA, and what SMACS is actually doing to address that challenge.

Mohamad Najem: Thank you, Negat. First I want to start by mentioning the MENA region has some specificity to it, because in 2010, 2011, when we witnessed the Arab Spring, the community and the societies in the region were going in one direction, and gradually we went into totally the opposite direction. So basically, the space, the tech space was really open before like the Arab Spring, or kind of open. When the Arab Spring happened, when we saw the results, all the authoritarian regimes, all the governments, like from the Gulf, Egypt, everybody came together and they started closing the civic space slowly, slowly. And one of the big tactics that they use is, is… surveillance. Of course, not only surveillance, but I’m just going to talk about some of these points. So, basically, they started first, like, there was almost zero regulations when it comes to the cyberspace, to the online space. And suddenly, in 2015, there was dozens of laws around, like, cybercrime laws, around freedom of expression, every, like, all the regulations started, came out, and all these regulations have one goal, to actually limit the speech, limit what people are talking about online. So, this kind of regulation affected a lot the space, and we started seeing a lot of people going to jail for, like, 10 years, 15 years, for things they have said online. So, regulation was really one of the big tools they have used. And then, when we want to talk about surveillance itself, of course, like, the Gulf country, they have a lot of money. We have seen the relationship with Israel was kind of, like, not known. Are they actually enemies, or are they friends? There was no public conversation about it. But then, later on, we discovered that the Gulf has been investing a lot with NSO, Pegasus, and there was a lot of cases about it. I’m sure you all know about it. So, Pegasus have been used heavily, and NSO, and so many other softwares and companies. So, this definitely affected a lot what we’ve seen right now, especially with the case of Jamal Khadjikshi, that everyone saw it happening, and we have seen that there’s actually no accountability. We’re not only talking about spyware accountability, we’re talking about accountability about a crime that happened. It’s really like, of course, spyware has been used. But like it’s much bigger than spyware, and I’m sure David will touch upon this a little bit So more and more of like the self-censorship has started to be created because of this Like there’s no accountability. There’s no transparency So there is really a lot of censorship that self-censorship that started to be created and Also at the same time we’ve seen these governments Because of the relationship with Israel has been publicly Known right now or like let’s say 2015 2017 2016 they also started to develop their own softwares their own local softwares We’ve seen Egypt doing this we’ve seen UAE doing this there’s so many articles on New York Times and so many other places We’ve seen Morocco. We’ve seen Saudi Arabia, so we started seeing these countries basically looking at this from a business perspective And I really think when we think about spyware we really need to look about it from a business perspective for so many authoritarian regimes and what they have been doing for the last five years is Not only producing their local solutions. I mean local solutions local spywares, but they’re also trying to sell it And there are geopolitical wars like we’ve seen We’ve seen for example like UAE are giving their softwares their surveillance to RSF Like the rapid support group in Sudan We have seen it happening in Egypt we have seen it happening in so many other places So it started to be part of the geopolitical game Mostly to gain more power. Sorry I put five minutes, and that was very quickly. So I need to finish quickly. And we also have seen it. Where was I? OK. So basically, UAE were selling it in terms of to empower their geopolitical presence, but to also make money. A lot of these countries are making these softwares to make money. So we need to understand this as advocates of digital rights. It’s a business decision as well for them. And one thing that we don’t talk a lot about in our communities is they’re also doing surveillance on their friends and allies. And this is something really important, because we have discovered in so many cases that all these countries are doing surveillance on each other’s. They’re not doing surveillance on their enemies, on activists, but they’re also doing surveillance on other politicians, on their friends, on their cousins. So they want to catch their secrets. They want to understand what they’re doing. So this is happening. I mean, in terms of SMACs, I know I didn’t answer the question yet, Negat. So briefly, what we’re trying to do, we’re trying to support civil society groups. We’re trying to support LGBT groups. We know there are so many criminalization of LGBT in our region. So these are the most vulnerable groups. So our team is distributed among the Arab-speaking countries. And we’re trying to do some kind of support to mitigate some of these threats. Of course, the threats are much bigger. We need to do more collaboration among civil society groups. And yeah, I’m going to stop here. Sorry, I passed my time.

Nighat Dad: No, thank you so much, Najem. I think that was really important to get a good picture of Gulf countries. I’ll come to you, Elizabeth. We would love for you to speak briefly about how the Paul Moll process can support efforts in the global south. Now you have heard three speakers from different regions. And the one pattern that is emerging is basically inaccountability and nontransparency by the governments. And how do you think that Paul Moll process or mechanisms like this can be meaningfully inclusive of actors outside the Global North?

Elizabeth Davies: Yeah. Thank you very much. Hopefully, everyone can hear me all right. I’m sorry to not be able to join you in person this morning. So, I’ll just do a brief overview on what the Pal-Mell process is at the start to avoid any confusion. So, it was launched in February 2024 by the UK and France as a multi-stakeholder international initiative to address the global threat posed by the rapidly growing market in commercial cyber intrusion capabilities. So, what we call C6 as a shorthand, but including but not limited to commercial spyware like Pegasus has been mentioned this morning. This threat includes a serious harm caused by the irresponsible use of these tools to target human rights defenders, journalists, and others who play a vital role in protecting and promoting fundamental freedom, much of which we only know about thanks to the brave work of many of you here today as we have set out. But we also, as the UK, have concerns because of this rapidly growing market’s impact on the cyber threat that we as states all face by lowering the barrier to entry to advance capabilities to a wider number of states and non-state actors. And that increased the volume, the variety, and severity of threats that we face threatening our officials, our infrastructure, our businesses, and our citizens. And we know that this threat will become increasingly acute into the future as the market expands, diversifies, and specializes. So, while we’re focusing today on commercial spyware in particular, I think it’s important to emphasize that the power map process looks more broadly across the commercial cyber intrusion market, so including elements of the supply chain that sit under these. sophisticated capabilities, like the vulnerability and export marketplace, because we don’t believe any one element can be tackled in isolation. The UK government does believe there are legitimate uses of these tools in defense of cybersecurity operations, for example, for national security and law enforcement. But these should be limited, and they should only be used with appropriate oversight and safeguards in place, and never in ways that threaten human rights or contravene international law and norms. So through building international consensus, the aim of the Pal-Mao process is, broadly, to ensure that access to the most advanced capabilities remains limited and controlled, that international norms and safeguards ensure the responsible development, use, and sale of cyber introduction capabilities around the world, and that better transparency across the market makes it easier for states to enhance national resilience and take proactive action to tackle irresponsible activity. So what we’re trying to do is set the rules of the road for different actors across the market and thinking about shared responsibility towards tackling this threat that impacts all of us. So in terms of action that the Pal-Mao process has done so far, we started with states as the major customers of this industry. As colleagues have set out, this is a business. So we’re talking here about trying to shift market incentives. So we used the findings of a multi-stakeholder consultation last autumn to draft a code of practice for states, which contained a series of detailed recommendations for states as responsible regulators, customers, and users of C6 under the four pillars of the Pal-Mao process, which are accountability, oversight, precision, and transparency. This final product was achieved through an extensive multi-stakeholder negotiation. So we’re hugely grateful for the constructive engagement in the process of this of many of you here today. We secured formal support from 24 other states for the code of practice so far, including Ghana, our first state supporter from the global south. And we hope that this number will continue to rise. But this is only a stepping stone, which I think is the really important thing to mention. we know that the code of practice will only have an impact if we implement the commitments we’ve made and continue to build on that momentum. So the next steps for the power mile process are sort of, we anticipate across three work streams, one of them being focused on implementation of the code of practice for states. So supporting states to put these commitments into practice, whether that’s through existing policy levers or creating new ones, there’s no point in having this if it’s not implemented properly and comprehensively. With industry, we are now turning our expectations to those working in this market themselves. So we have to agree collectively what practices, internal processes, security measures, and other elements should be implemented as standard across the market to help curb irresponsible activity and misuse, and accountability and tracking progress, and developing ways of formally doing this. We know this is needed to bring about this behavior change. Our approach so far has been to try and work to set a standard first because you can’t hold irresponsible actors accountable or shape the market until there is a credible standard to hold them accountable to. Well, that brings me to the huge importance of multi-stakeholder participation in the power mile process. You know, we need help from all of you in shaping the standard of behavior, convincing key players to join it, or at least a critical mass of them, enough to change this market, and then by holding them accountable to it. You know, the hugely valuable work all of you have done so far in highlighting that abuse that we want to continue to support you in doing. But we know that our efforts in this haven’t been inclusive enough so far. You know, the power mile process has always set out to be truly international from the beginning. We stated that it was a global problem that required a global solution. So an initiative that just involves states and other stakeholders from the global north is never going to move that dial. And we know that there is that huge importance in involving civil society stakeholders from the global south. And I’m sorry if some of you feel that that hasn’t been the case so far, and that’s something we would like to change. We know you can bring your significant expertise. to inform the process of developing some kind of code of practice for industry by applying the knowledge that you have of how these products and services have been developed, sold, and used in particular contexts and feeding that into the consultation process that we will be holding on this going forward. And to help determine, like I say, what standards need to be baked in in this industry or can never be included for a product to be responsibly used. And that expertise is important, too, in our work in supporting implementation of the code of practice for states. We want to know where you think that there are global examples of best practice in this space or where things have been tried in particular countries and haven’t worked. And as I said, you’re particularly vital partners when it comes to holding states and companies to account for irresponsible behavior and exposing whether their actions don’t meet their words, whether that is involving those who have signed up to the code of practice yet or not. Because we want to support efforts by states to address this threat in the global South, too. We want more states from the global South participating in these discussions if they are doing so in good faith and hopefully signing up to the code of practice, committing to the actions within it, and crucially, being held accountable to them. Like I say, we were delighted to have Ghana sign up to the code of practice and attend the conference in Paris in April. And we hope that more countries from the global South will follow. We’ve also worked to ensure that the issue is highlighted in the relevant multilateral fora so that the discussions are international. So we’ve consistently raised the issue at the UN’s open-ended working group on ICTs. And we hope that language will be included in this year’s final report. And I should say, last but very, very much not least, the UK wants to make sure that we are supporting those who are already victims of the irresponsible use of these capabilities or are at high risk of becoming so wherever they are in the world. And so that’s why we were pleased to announce alongside our Canadian partners last week the Common Good Cyber Fund, aimed at supporting civil society actors at high risk of digital transnational repression in particular, including in the global South. I’ll stop there because I think I’ve probably already gone over time. But I’m really keen to hear from all of you what more we should be doing, and particularly how we can support your efforts, both from the UK side and the Pal-Malt process.

Nighat Dad: Thank you so much, Elizabeth. I think it’s very useful what process UK and French-led initiative Pal-Malt process is doing and how you are trying to include Global South voices in this process. Professor David, I’ll come to you, and you have been in this space for so long. You are a former rapporteur at UNSR on freedom of expression, and I have seen you very actively engage with the accountability mechanisms around spyware technology in the US and also other processes. And I would like to ask you very candidly how international law, especially during these times, is effective when Global South actors, especially civil society, is trying to hold big actors accountable around spyware technology, and also if you think that Pal-Malt process and other processes like these would be useful for Global South.

David Kaye: Great. Thanks, Negat, for pulling us all together here. I guess the way I would answer the question at the highest level is that international law is only effective when it’s domesticated, when it’s actually applied. So I was very happy to hear from Elizabeth that Pal-Malt process is a stepping stone. How we judge it is by its implementation. And so in thinking about implementation, about the strength or the power, the effectiveness of international law, let me just try to make three points, or divide this into three sections. First, on global export constraint. Clearly. We need clarity and human rights standards to be a part of global export constraint. And that means that any of the constraint that we see that’s applied by governments or by international organizations needs to meet the three-part test of international law, precision, proportionality, legitimacy, and all of that. And those have to be implemented at the domestic level. I think one thing that we have seen in global constraint is that, particularly during the years of the Biden administration, the actual sanctioning of bad actors has an impact, right? So it’s one thing to have high-level soft law, but we really need the actual sanctioning of the bad actors because that has a very strong impact on the ability of those bad actors to continue to operate. And so as we’re thinking about global export control, we need to be thinking about how do we make that part real. The second part that I want to mention is litigation, right? So litigation is also a form of moving from the soft law, from the standards, to actual implementation. So I think we saw in a very constructive way WhatsApp or Meta suing the NSO group, which led just in recent months to an award against the NSO group of $168 million in a U.S. court. Now whether that holds remains to be seen, but that kind of pressure is absolutely essential. Now it’s more difficult to do that kind of litigation against states because of sovereign immunity. There’s variation in different jurisdictions. It’s harder to do in the United States than in the UK, for example. But we continue to see that kind of litigation as a tool to impress upon the global community and particularly on the bad actors, that there are consequences for their actions. The third area that I want to talk about, and I’ll devote sort of the balance of my time to this, is on domestic constraints. Domestic and sometimes supranational constraints that can be imposed on law enforcement and on the intelligence community. So actually, this has been an area where there’s been quite a bit of positive movement in recent years. Just last December, the Venice Commission, of which I’m a member, issued a report on spyware that has very strict rules with respect to law enforcement’s use of spyware tools in domestic settings. I think it’s important to look at that, to look at the European Union and the European Parliament’s PEGA committee process on this, and to ask a couple of questions about these domestic constraints. The first one is, will they be applied? So the Venice Commission really details some very significant rules that should be applied by states. Will they be applied by states? We’ve seen significant use of spyware against human rights defenders, against journalists. Even over the last several weeks, we’ve seen the scandal of the use by the Italian government against journalists. Will these standards actually be applied? That’s really a very open question right now. And then the second question, I think that’s very important is, will these standards be used to apply to global export constraint? Because it’s one thing for European governments. and others to say these are going to be the standards that are going to apply for the use internally, but will those standards actually be used in the consideration of what kind of tools can be exported to countries around the world? At the moment, I don’t know that we actually have an answer to that, but I would urge certainly processes like the Palma process to move quickly from sort of the higher level of soft law to really looking at these standards at the domestic level and say that these are the standards that also must apply to global export control. I’m at five minutes, so I’m going to stop there. I’m sure in the conversation, there’ll be more that we can talk about.

Nighat Dad: Thank you so much, Professor David. I’ll also encourage our audience, if they have questions, please prepare them. I’m not taking them right now. We have one more speaker, but I’ll open the floor after Rima. So Rima, I’ll come to you. You are working at Meta and your role is actually looking into issues like what we are discussing right now. Can you tell us how common is it over years or even recently to track individuals through online platforms? Recently the NSO was ordered to pay damages over $150 million to Meta for hacking WhatsApp in 2019. By the way, if you get that, I think you should proceed that to the civil society in the global south who are working on spyware accountability, but that’s just, I’m joking. So what does this mean for online platforms tackling vulnerability issues against cyber tech companies such as NSO?

Rima Amin: Sure. Thank you so much. And also just to say that is actually our plan if we are awarded those damages to be able to contribute that to organisations who are supporting people targeted by surveillance for hire. In terms of what we’ve seen on Meta’s platforms, we have investigated and disrupted operations from over 20 surveillance for hire firms across targeting people across 200 countries. And I think many of the speakers have pointed out that many of those people are based in the global South. These surveillance for hire firms claim that their technology is being used to target criminals and terrorists, but our investigations have shown over and over again, regular targeting of dissidents, critics of authoritarian regimes, families of opposition and sort of human rights activists. Our teams are very focused on sort of investigating these threats, disrupting them, notifying victims, working also with civil society organizations to find ways to support them. We also, where appropriate, do sort of intelligent sharing because we know that these types of threats cut across sort of different platforms and places. So it’s really important that we’re able to share that intelligence. And then also we release information about these threats through adversarial threat reports. In terms of your question relating to the NSO group, I think in the spirit of, you know, stepping stones as we’re talking about today, I think what that lawsuit really showed was that legal action here is possible. And in terms of having some optimism there, we hope that this will provide a bit of deterrence for, you know, the manner of which some of these surveillance for hire companies are operating. I think Mohammed also spoke about these being sort of businesses. And so, again, We hope that this lawsuit has provided insight for investors who may be thinking about investing in this type of technology as well. So, there’s a couple of things that I think we can be optimistic about. There were also a couple of things that we learned through the lawsuit. Firstly, we learned about NSO’s actual role in the data retrieval and delivery of the technology, which was sort of almost every part of it, so that was an interesting insight. And we also learned that WhatsApp were far from being the only ones targeted by the NSO group, so they spent tens of millions of dollars on malware installation across things like instant messaging, browsers, and sort of operating systems. In terms of sort of what we see as being needed next, of course it’s a really important step that we were able to take with the litigation, but we really need, and I think a lot of speakers here spoke about this, we need legal recourse to be accessible and attainable specifically for those who are targeted by these technologies. Elizabeth spoke very well about some of the controls and guardrails that are really needed for this industry. I think that’s pretty key as well, because we need something for these firms to be sort of accountable towards, and we also need to prevent these technologies from being misused in the first place.

Nighat Dad: Great. Thank you so much, Rima. So I’ll open the floor for questions. If you have questions, can you raise your hand, we’ll take two, three questions from the floor, and then please specify which speaker you want to ask questions to. There was one hand that I saw, yeah. So if you have a question, you have to go to the mic, which is there. We need to put this right here, yeah, okay. Hello, can you hear me? Yes. Yeah, thank you for the excellent panel.

Jennifer Brody: My name’s Jennifer Brody, I’m with Freedom House. I have a question really for the panel, but specifically to David Kaye. You mentioned the importance of export controls. In my work on this topic, what seems to be kind of the next step, lowest hanging fruit, is to help governments create enhanced human rights due diligence guides, essentially. It’s something civil society supports, governments in theory want to get behind, and the quote-unquote good actors in industry are also keen on this work. So curious if, yeah, David, if you have any comments. Also directed at Elizabeth Davies with the UKFCDO. Thank you.

David Kaye: Great, Jen, thanks for that question. It’s a great question. So I agree with that. I mean, I think going towards very specific due diligence approaches can just concretize what we’re talking about, and give a kind of checklist for governments to determine what is and is not legitimate. And also, I think to the extent that that due diligence can be transparent and widely shared, it also enables governments to share that kind of information for civil society, for other stakeholders to engage in that. I think getting to the title of this panel, I think it’s gonna be extremely important for that kind of due diligence to be widely shared outside of. of, you know, the global north. And there are efforts, there’s an African regional spyware initiative right now that can be one kind of vector to getting that kind of information and building that kind of capacity outside of the north, which could be really valuable. But I think due diligence like that is definitely important, particularly given that we’d be talking about fundamental human rights standards that should be applying here.

Elizabeth Davies: Yes. Elizabeth. Sure. Yeah. Just to come in on that as well, I think, yeah, fundamentally we would agree. I think this is, it’s one of the most obvious areas to focus on when it comes to that concrete implementation of the code of practice. So we are planning to sort of set up some particular working groups focused on particular areas of implementation that we think we can work on now over the next years. And one of them will be focused on export controls, because I think even also the sort of flip side of the human rights due diligence is also ensuring, I think, that national export control authorities fully understand what lots of these tools are capable of and therefore that they are asking the right questions when it comes to those human rights due diligence questions as well. It’s a complicated area and the technicalities of it, I think, sometimes are what kind of tie everybody up in knots. So improving that human rights due diligence and also just improving the application and enforcement of export controls across this space is something that we really want to look at quite closely. So yeah, we will be welcoming lots of input into that as to how all of this can be applied.

Nighat Dad: Do we have any other questions from the floor? Maybe any comment, addition, if there is no question, like if you want to add into this debate. If not, I would like to share some findings. So, I run this organization called Digital Rights Foundation, we are based in Pakistan, working in South Asia, now looking at the region, and so we are working on this series of regional scoping studies that will be released in coming months, and this study basically explores what surveillance looks like in South Asia, starting from Pakistan, India, Sri Lanka, Bangladesh, and Apar, who is also a speaker, they are also contributing to this study, and our aim is to uncover which cyber intrusion capabilities are available in our context, what risks they pose to privacy and digital rights, and what gaps exist in transparency and accountability. I’ll briefly mention a few findings in our report. In Pakistan, we found that the lawful intercept management system, which we call LIMS, is central to state surveillance. It is managed by a regulator, and funded by telecom providers, and the system facilitates real-time access to messages, call logs, metadata, and even audio-video content. Shockingly, telecom providers are required to insure at least 2% of their customer base, which is around 4 million people, so 4 million people are under surveillance at any given time in this country. I’ll go to Sri Lanka. In our research, some of the findings we are finding is the use of backdoors and unmonitored data transmission in devices provided by companies like Huawei. The Telecommunication Act gives sweeping interception powers to ministers while judicial approval is required. The lack of clear SOPs makes the entire process opaque and vulnerable to abuse. In India, while the landmark Putswami judgment recognized previously as a fundamental right, the passage of the Digital Personal Data Protection Act in 2023 marked a worrying regression. The law fails to meaningfully protect citizens from surveillance and decision-making around In Bangladesh, surveillance involves both traditional forms as physical tailing and white taping as well as more sophisticated and intrusive domains. Some police officers routinely have access to and use surveillance technologies, especially during protests or socially disrupted events to collect real-time information. National Regulatory Commission and National Telecommunication Monitoring Center both have the authority to collect data without incorporation from telecom providers. In one example, authorities deliberately slowed mobile and broadband internet access to force citizens in Dhaka to use traditional network communications, which are easier to trace. So these are some of the examples and findings. And they might not sound more sophisticated because the work in Global South is just starting, although by civil society, although the states and actors who have this capacity to acquire technologies are more advanced, and more advanced not only in using these technologies but have more resources. And I think that is the worrying trend where we are way behind in these conversations around accountability, transparency, and really have no means in terms of holding powerful actors accountable and how to hold them accountable, how we can use these international processes and what these processes mean for us. There are several initiatives that are going on. Civil society is building their own capacity, like SMEX and DRF is actually building this emerging threat lab, building our own capacity to support victims and survivors who, when they find that they are being surveilled or sophisticated spyware is used against them, they are at mercy of no one. And then they come to civil society or helplines or help desks. digital security helpdesk to seek guidance or support. And that’s where our role comes in. But we also need support in terms of building our capacity. So what we are trying to do is bridging this gap between the knowledge among Global North Organizations and Global South Organizations. We have really good advanced knowledge in Global North Organizations who are doing these investigations, but transfer of that knowledge is happening at a very slow pace. So what we are doing is trying to build our own knowledge and capacity so that we are on ground, can provide the support to the victims and survivors as first responders. I would like to mention SPIWARE Accountability Initiative, which is focused on Global South Organizations and Governments in their own context. And it’s a very interesting initiative in a very different industry that they can take in supporting civil society or actors who are trying to hold SPIWARE Governments or SPIWARE tech accountability work possible in their own context. So please, anyone who wants to start.

Ana Gaitan: I can start. It’s not going to be one, but I’m going to try to synthesize it. I agree with what was mentioned about the necessity of having national legal frameworks regarding implementation and not just soft law, because that way it can be legally binding. but also to contextualize it according to the global south and what we were discussing, to actually see what happens in countries of the global south regarding corruption, collusion with organized crime, impunity, and how these obstacles relate sometimes to our lack of access to justice, accountability, and transparency. And I think that’s very important for us to connect, and also what Nigat was mentioning about the fact that it’s not only related to the targeting of human rights defenders and journalists in public interest matters that affect democracies, but also we’re establishing a global trend where massive surveillance is happening everywhere. So for example, in Latin American countries, there’s a lot of now centralized data registries that are being interconnected and that allow for everyone to be massively surveilled. So I think that we have to also establish that it’s not only Pegasus and certain type of spywares, but that there is several surveillance technologies that are being implemented that are going to affect every citizen around the world. So that’s it.

Nighat Dad: Rima, can I continue?

Rima Amin: Sure. I think this is a global threat and cuts across different spaces. And so I think really working to drive initiatives like the Palmao process together, I think is going to be super important in making sure that they expand. I think a couple of key areas is driving to make sure the controls and guardrails are in place, both for the companies and also the customers themselves, make sure that human rights due diligence is there and that transparency is there too. And then the second piece to that is really. ensuring that remediation for targets is possible and the ability to drive accountability and legal action as needed is there too. Because unless you have that second piece, the first piece around guardrails completely falls apart, so yeah.

David Kaye: Sure, so I think there’s maybe two things that we need to be thinking about here. I mean, there’s a million things to be thinking about, but one is whether we’ve left open or are leaving open too many gaps. I mean, we live in an era where states are just kind of driving trucks through any small space that they can carve out to do what they wanna do. And so I’m particularly concerned about discussing the spyware industry and its legitimacy when in fact we’re talking about an industry that is essentially performing governmental functions when they shouldn’t be. And so when we have things like the European Unions Media Freedom Act, which actually carves out a little bit of space for the use of spyware against journalism, that’s a huge problem for us. And that’s a huge problem not only for European journalists, but it’s also a huge problem for the message that it sends to the rest of the world. So if I were sort of looking kind of generically at one thing that we should be focusing on, it’s really narrowing as much as possible any scope for the use of these tools at all, if not banning them, which seems not to be particularly on the table right now, but ensuring that that space is really not available for the use of these tools by states.

Nighat Dad: Najem, you have 20 seconds, and then 20 seconds each to Elizabeth and Opar.

Mohamad Najem: Oh my god, my turn, okay. I mean, briefly, I just want to say that coming to what we’ve seen in the last few years in terms of war in my region, I really think that we really need to think about digital rights everywhere, or like human rights everywhere. I mean, in the opening ceremony today, I’ve seen an interesting case of Ukraine. A gentleman was speaking about how successful it was to regain access to the telecom and how it’s helped them a lot through their communication by using Starlink. It’s interesting, and I really admire this experience, but also from the other angle, Starlink has been not used in Gaza, for example. So we really need to think about how we can think of human rights everywhere and digital rights everywhere, and we really need to think about how we can treat everybody equally to have access to the same telecommunication tools.

Nighat Dad: Thank you. Elizabeth, you, and then Opar, we have only 25 seconds left.

Elizabeth Davies: Okay, I will be very quick. I will say one, I think, as we said with the stepping stone, the actual comprehensive and sort of thorough implementation of code of practice is vital and following through on that. But also, you know, particularly in the spirit of this panel, but I think it’s vital to ensure that we don’t become a Global North initiative that is only talking to companies and countries based in the Global North. You know, otherwise we’re not going to have that global impact that we need.

Nighat Dad: Yeah, Apar, very quickly.

Apar Gupta: I think that notifications is something which needs to be universalised across platforms, especially for people in the Global South. The second thing is the ability for victims to reach out to organisations for having their devices tested and the methodology, given that there are very high barriers where evidence is tested in their domestic jurisdictions. So that capacity and that safety needs to be encouraged beyond the four or five organisations. which do it at least.

Nighat Dad: Thank you so much. Thank you everyone to our speakers. I would like to give a shout out to Jennifer Brody from Freedom House. She has been doing a lot of works. We have so many allies in the audience, our speakers. Thank you so much. And this is just the beginning of this debate. Please keep talking about this issue throughout IGF and beyond. Thank you. Thank you. Thank you. Thank you.

Agreement points

Surveillance is used to target human rights defenders and journalists rather than legitimate security threats

Speakers

– Ana Gaitan
– Apar Gupta
– Mohamad Najem
– Rima Amin

Arguments

Security narratives used to justify surveillance while actually targeting dissidents in contexts of impunity and corruption

Post-colonial telecommunications laws in South Asia enable secretive executive surveillance without judicial oversight

Arab Spring backlash led to dozens of restrictive cybercrime laws and massive surveillance expansion across MENA region

Meta disrupted over 20 surveillance-for-hire firms targeting people across 200 countries

Summary

All speakers agree that surveillance technologies are systematically misused to target civil society actors, journalists, and human rights defenders under the guise of security, rather than being used for legitimate law enforcement purposes

Topics

Human rights | Cybersecurity | Legal and regulatory

Lack of accountability and transparency mechanisms enables surveillance abuse

Speakers

– Ana Gaitan
– Apar Gupta
– Mohamad Najem
– Nighat Dad

Arguments

Criminal complaints in Mexico obstructed by authorities claiming no documentation of Pegasus targeting exists

Indian Supreme Court expert committee findings on Pegasus remain secret even from petitioners whose devices were examined

No accountability even for major crimes like Khashoggi case despite known spyware use

Surveillance accountability becomes taboo issue in South Asia due to geopolitical tensions and state backlash

Summary

Speakers consistently highlight how authorities obstruct investigations, withhold information, and prevent accountability mechanisms from functioning effectively, creating an environment of impunity for surveillance abuse

Topics

Legal and regulatory | Human rights | Cybersecurity

Need for victim notification and support systems

Speakers

– Apar Gupta
– Nighat Dad
– Rima Amin

Arguments

Victim notification by platforms should be universalized, especially for Global South users

Global South organizations building emerging threat labs to support surveillance victims as first responders

Legal recourse must be accessible specifically for those targeted by surveillance technologies

Summary

There is consensus that victims of surveillance need better notification systems, support mechanisms, and accessible legal remedies, with particular emphasis on supporting Global South victims who have fewer resources

Topics

Human rights | Cybersecurity | Development

Implementation and enforcement are more important than soft law standards

Speakers

– Ana Gaitan
– David Kaye
– Elizabeth Davies

Arguments

Security narratives used to justify surveillance while actually targeting dissidents in contexts of impunity and corruption

Sanctioning bad actors has real impact on their ability to operate effectively

Code of practice for states achieved support from 24 countries but implementation is crucial next step

Summary

Speakers agree that while international standards and codes of practice are important, the critical challenge is ensuring proper implementation and enforcement rather than just creating more soft law instruments

Topics

Legal and regulatory | Human rights | Cybersecurity

Similar viewpoints

All three speakers describe how historical legacies (military dictatorships, colonial laws, authoritarian backlash) create structural conditions that enable surveillance abuse in their respective regions

Speakers

– Ana Gaitan
– Apar Gupta
– Mohamad Najem

Arguments

Military control of surveillance in Mexico targeting human rights defenders investigating army abuses, with complete opacity

Post-colonial telecommunications laws in South Asia enable secretive executive surveillance without judicial oversight

Arab Spring backlash led to dozens of restrictive cybercrime laws and massive surveillance expansion across MENA region

Topics

Legal and regulatory | Human rights | Cybersecurity

Both speakers view the WhatsApp/Meta lawsuit against NSO as a significant precedent demonstrating that legal action against surveillance companies can be effective and revealing important information about their operations

Speakers

– David Kaye
– Rima Amin

Arguments

WhatsApp lawsuit against NSO resulted in $168 million award demonstrating legal action is possible

NSO lawsuit revealed company’s extensive role in data retrieval and tens of millions spent on malware

Topics

Legal and regulatory | Cybersecurity | Human rights

Both speakers recognize the critical need to bridge the gap between Global North and Global South in surveillance accountability efforts, emphasizing the importance of inclusive approaches and knowledge sharing

Speakers

– Nighat Dad
– Elizabeth Davies

Arguments

Knowledge transfer from Global North to Global South organizations happening at slow pace

Comprehensive implementation of international standards vital to avoid becoming Global North-only initiative

Topics

Development | Human rights | Cybersecurity

Unexpected consensus

Surveillance as a business model requiring market-based solutions

Speakers

– Mohamad Najem
– Elizabeth Davies
– Rima Amin

Arguments

Gulf countries developing local surveillance software as both business venture and geopolitical tool

Pall Mall process aims to set rules for commercial cyber intrusion market through multi-stakeholder approach

Meta disrupted over 20 surveillance-for-hire firms targeting people across 200 countries

Explanation

There was unexpected consensus that surveillance should be understood and addressed as a commercial market with business incentives, requiring market-based interventions rather than just human rights approaches. This business perspective was shared across civil society, government, and private sector speakers

Topics

Economic | Cybersecurity | Legal and regulatory

Need for technical capacity building in Global South

Speakers

– Apar Gupta
– Nighat Dad
– Rima Amin

Arguments

Need for victims to access device testing methodology given high barriers in domestic jurisdictions

Global South organizations building emerging threat labs to support surveillance victims as first responders

Meta disrupted over 20 surveillance-for-hire firms targeting people across 200 countries

Explanation

Unexpectedly, there was strong consensus across civil society and private sector that technical capacity building for device testing and threat detection in the Global South is a priority, suggesting alignment between advocacy and industry perspectives on practical support needs

Topics

Development | Cybersecurity | Human rights

Overall assessment

Summary

Strong consensus exists on surveillance abuse patterns, accountability failures, and the need for victim support, with unexpected alignment on treating surveillance as a business requiring market interventions and technical capacity building priorities

Consensus level

High level of consensus with significant implications for coordinated action. The agreement spans civil society, government, and private sector perspectives, suggesting potential for unified approaches to surveillance accountability that combine human rights advocacy with market-based interventions and technical capacity building in the Global South

Different viewpoints

Scope of surveillance regulation – narrow vs. comprehensive approach

Speakers

– David Kaye
– Elizabeth Davies

Arguments

Standards must be narrowed to prevent states from exploiting gaps in regulations

Pall Mall process aims to set rules for commercial cyber intrusion market through multi-stakeholder approach

Summary

David Kaye advocates for narrowing scope as much as possible or banning surveillance tools entirely to prevent state abuse, while Elizabeth Davies promotes a broader multi-stakeholder approach that acknowledges legitimate uses with proper safeguards

Topics

Legal and regulatory | Human rights | Cybersecurity

Legitimacy of surveillance tools usage

Speakers

– David Kaye
– Elizabeth Davies

Arguments

Standards must be narrowed to prevent states from exploiting gaps in regulations

The UK government does believe there are legitimate uses of these tools in defense of cybersecurity operations, for example, for national security and law enforcement

Summary

David Kaye is concerned about any carve-outs for legitimate use as they create exploitable gaps, while Elizabeth Davies explicitly acknowledges legitimate uses for national security and law enforcement with proper oversight

Topics

Legal and regulatory | Human rights | Cybersecurity

Unexpected differences

Universal application of digital rights across conflicts

Speakers

– Mohamad Najem

Arguments

Digital rights must be considered universally and equally across all regions and conflicts

Explanation

Mohamad Najem’s critique of differential treatment of telecommunications access (Starlink in Ukraine vs. Gaza) was unexpected as it introduced geopolitical considerations that other speakers didn’t address, suggesting disagreement with selective application of digital rights principles

Topics

Human rights | Infrastructure | Development

Overall assessment

Summary

The discussion showed remarkable consensus among Global South speakers on surveillance abuse patterns and accountability challenges, with main disagreements occurring between Global North and Global South perspectives on regulatory approaches

Disagreement level

Low to moderate disagreement level. Most disagreements were about implementation methods rather than fundamental goals. The strongest disagreement was between David Kaye’s restrictive approach and Elizabeth Davies’ multi-stakeholder approach to surveillance regulation. Global South speakers showed strong alignment on problems but varied approaches to solutions, suggesting the need for diverse, context-specific strategies rather than one-size-fits-all solutions.

Partial agreements

Similar viewpoints

All three speakers describe how historical legacies (military dictatorships, colonial laws, authoritarian backlash) create structural conditions that enable surveillance abuse in their respective regions

Speakers

– Ana Gaitan
– Apar Gupta
– Mohamad Najem

Arguments

Military control of surveillance in Mexico targeting human rights defenders investigating army abuses, with complete opacity

Post-colonial telecommunications laws in South Asia enable secretive executive surveillance without judicial oversight

Arab Spring backlash led to dozens of restrictive cybercrime laws and massive surveillance expansion across MENA region

Topics

Legal and regulatory | Human rights | Cybersecurity

Both speakers view the WhatsApp/Meta lawsuit against NSO as a significant precedent demonstrating that legal action against surveillance companies can be effective and revealing important information about their operations

Speakers

– David Kaye
– Rima Amin

Arguments

WhatsApp lawsuit against NSO resulted in $168 million award demonstrating legal action is possible

NSO lawsuit revealed company’s extensive role in data retrieval and tens of millions spent on malware

Topics

Legal and regulatory | Cybersecurity | Human rights

Both speakers recognize the critical need to bridge the gap between Global North and Global South in surveillance accountability efforts, emphasizing the importance of inclusive approaches and knowledge sharing

Speakers

– Nighat Dad
– Elizabeth Davies

Arguments

Knowledge transfer from Global North to Global South organizations happening at slow pace

Comprehensive implementation of international standards vital to avoid becoming Global North-only initiative

Topics

Development | Human rights | Cybersecurity

Key takeaways

Surveillance in the Global South operates in contexts of weak legal safeguards, corruption, and impunity, with states using security narratives to justify targeting human rights defenders and journalists rather than actual criminals

The surveillance industry has become a profitable business venture for authoritarian regimes, with Gulf countries developing local spyware capabilities for both domestic control and geopolitical influence

International accountability mechanisms face significant limitations in Global South contexts, with court cases stalled, evidence withheld, and institutional remedies proving inadequate

The Pall Mall process represents progress in establishing international standards but requires meaningful Global South participation and concrete implementation rather than just soft law commitments

Legal action against surveillance companies (like Meta’s $168 million award against NSO) demonstrates that accountability is possible and can create deterrent effects

Massive surveillance infrastructure affects entire populations, not just targeted individuals, with systems like Pakistan’s LIMS monitoring 4 million people simultaneously

Knowledge and capacity gaps between Global North and South organizations hinder effective response to surveillance threats, requiring enhanced cooperation and resource sharing

Resolutions and action items

Pall Mall process to establish working groups focused on export control implementation and human rights due diligence guidelines

Development of enhanced human rights due diligence guides for governments as immediate actionable step

UK announcement of Common Good Cyber Fund to support civil society actors at high risk of digital transnational repression

Global South organizations building emerging threat labs and first responder capabilities for surveillance victims

Spyware Accountability Initiative focusing on supporting Global South organizations and governments in their accountability efforts

Continued victim notification by platforms, especially for Global South users, and intelligence sharing across platforms

Implementation of Venice Commission’s strict rules for law enforcement spyware use in domestic and export control contexts

Unresolved issues

How to ensure meaningful Global South participation in international processes like Pall Mall beyond tokenistic inclusion

Whether domestic surveillance standards will actually be applied to global export controls by European and other governments

How to address the fundamental legitimacy question of whether private companies should perform governmental surveillance functions at all

How to overcome institutional limitations in Global South courts and parliaments that prevent effective remedy for surveillance victims

How to accelerate knowledge transfer from Global North to Global South organizations working on surveillance accountability

How to address the business incentives driving the surveillance industry while authoritarian regimes profit from both domestic use and international sales

How to ensure universal application of digital rights principles across different geopolitical contexts and conflicts

Suggested compromises

Treating Pall Mall process and similar initiatives as ‘stepping stones’ rather than final solutions, with emphasis on concrete implementation over high-level commitments

Focusing on ‘lowest hanging fruit’ like human rights due diligence guidelines that have support from civil society, governments, and responsible industry actors

Narrowing the scope for legitimate use of surveillance tools as much as possible, even if complete bans are not politically feasible

Combining multiple approaches including export controls, litigation, domestic constraints, and international standards rather than relying on any single mechanism

Balancing legitimate national security and law enforcement needs with strict oversight, judicial approval, and human rights safeguards

Supporting both international standard-setting processes and local capacity building for Global South organizations simultaneously

However, the reality is that these narratives are actually being used to criminalize citizens in contexts usually represented by high rates of impunity, corruption, and collusion with organized crime. Thus, rather to give us more security, surveillance powers in Latin America are abused to target human rights defenders and journalists in legacies of past military dictatorships and systemic human rights violations where the rule has been to control, repress, and censor all dissent.

Speaker

Ana Gaitan

Reason

This comment reframes the entire surveillance debate by exposing the false security-privacy trade-off narrative used by governments. It reveals how surveillance is weaponized against the very people it claims to protect, particularly in post-authoritarian contexts with weak institutions.

Impact

This established a critical framework that subsequent speakers built upon, shifting the discussion from technical aspects of spyware to the broader political and historical context of surveillance abuse in the Global South.

Therefore, it’s not a hypothetical threat and it is not a threat which is individualized, but is a societal threat to already democratic systems which are under strain and rule of law which exists inconsistently in countries in South Asia.

Speaker

Apar Gupta

Reason

This comment elevates the discussion from individual privacy concerns to systemic democratic threats, emphasizing how spyware attacks the foundational institutions of democracy itself in fragile political systems.

Impact

This broadened the scope of the conversation to include institutional vulnerability and democratic backsliding, influencing later discussions about the need for structural reforms rather than just technical solutions.

So, this kind of regulation affected a lot the space, and we started seeing a lot of people going to jail for, like, 10 years, 15 years, for things they have said online… And one thing that we don’t talk a lot about in our communities is they’re also doing surveillance on their friends and allies… They’re not doing surveillance on their enemies, on activists, but they’re also doing surveillance on other politicians, on their friends, on their cousins.

Speaker

Mohamad Najem

Reason

This reveals the comprehensive nature of authoritarian surveillance that extends beyond traditional targets to include allies and family members, showing how surveillance creates a climate of total mistrust and control.

Impact

This comment introduced a new dimension to the discussion about the psychological and social impacts of surveillance, moving beyond the typical focus on journalists and activists to show how surveillance affects entire social networks.

We need to understand this as advocates of digital rights. It’s a business decision as well for them… A lot of these countries are making these softwares to make money.

Speaker

Mohamad Najem

Reason

This insight reframes surveillance from a purely political tool to a commercial enterprise, revealing how authoritarian regimes are monetizing oppression and creating new revenue streams from surveillance technology.

Impact

This business perspective influenced later speakers to discuss market incentives and economic deterrents, leading to conversations about litigation, sanctions, and financial accountability as tools for change.

Shockingly, telecom providers are required to insure at least 2% of their customer base, which is around 4 million people, so 4 million people are under surveillance at any given time in this country.

Speaker

Nighat Dad

Reason

This specific statistic about Pakistan’s surveillance infrastructure provides concrete evidence of mass surveillance capabilities, moving the discussion from anecdotal cases to systematic, institutionalized surveillance.

Impact

This data point grounded the theoretical discussion in stark reality, prompting other speakers to acknowledge that the threat extends far beyond targeted spyware to encompass mass surveillance systems affecting millions.

I mean, we live in an era where states are just kind of driving trucks through any small space that they can carve out to do what they wanna do… when we have things like the European Unions Media Freedom Act, which actually carves out a little bit of space for the use of spyware against journalism, that’s a huge problem for us.

Speaker

David Kaye

Reason

This comment critically examines how even well-intentioned regulations in the Global North can create dangerous precedents that authoritarian regimes exploit, highlighting the global interconnectedness of policy decisions.

Impact

This shifted the conversation toward examining the unintended consequences of Global North policies and the need for more restrictive rather than permissive approaches to surveillance regulation.

But we also need support in terms of building our capacity… transfer of that knowledge is happening at a very slow pace. So what we are doing is trying to build our own knowledge and capacity so that we are on ground, can provide the support to the victims and survivors as first responders.

Speaker

Nighat Dad

Reason

This highlights a critical gap in the global response to surveillance – the lack of technical capacity and knowledge transfer to Global South organizations who are often the first responders to surveillance victims.

Impact

This comment redirected the discussion toward practical capacity-building needs and the importance of supporting local organizations, influencing speakers to consider more concrete support mechanisms rather than just policy frameworks.

Overall assessment

These key comments fundamentally shaped the discussion by moving it beyond technical and legal frameworks to examine the deeper political, economic, and social dimensions of surveillance in the Global South. The conversation evolved from describing surveillance problems to analyzing their root causes in weak institutions, authoritarian legacies, and economic incentives. The speakers collectively built a narrative that surveillance is not just a privacy issue but a comprehensive threat to democratic systems, social trust, and human rights. The discussion also highlighted the inadequacy of Global North solutions when applied to Global South contexts, emphasizing the need for locally-informed approaches and genuine capacity building rather than top-down policy prescriptions.

Are the legal cases and petitions regarding Pegasus surveillance still pending in Indian courts, and is there any hope for progress?

Speaker

Nighat Dad

Explanation

This follow-up question seeks clarity on the current status of legal remedies and accountability mechanisms in India’s judicial system regarding spyware abuse.

Will the Venice Commission’s strict rules on spyware use actually be applied by states in practice?

Speaker

David Kaye

Explanation

This questions the gap between establishing international standards and their actual implementation by governments, which is crucial for effectiveness.

Will domestic spyware standards be used to apply global export controls?

Speaker

David Kaye

Explanation

This explores whether internal governance standards will translate into restrictions on exporting surveillance technology to other countries, particularly in the Global South.

How can the Pal-Mal process become more meaningfully inclusive of Global South actors beyond current efforts?

Speaker

Nighat Dad

Explanation

This addresses the need for genuine participation from Global South stakeholders rather than tokenistic inclusion in international governance processes.

How can legal recourse be made accessible and attainable specifically for those targeted by surveillance technologies in the Global South?

Speaker

Rima Amin

Explanation

This highlights the need for practical remedies for surveillance victims who currently have limited access to justice mechanisms.

How can enhanced human rights due diligence guides for export controls be developed and implemented effectively?

Speaker

Jennifer Brody

Explanation

This focuses on creating practical tools that governments can use to assess human rights impacts before approving surveillance technology exports.

How can knowledge transfer between Global North and Global South organizations be accelerated to build local capacity for supporting surveillance victims?

Speaker

Nighat Dad

Explanation

This addresses the capacity gap where Global South organizations need technical expertise to serve as first responders for surveillance victims.

How can victim notification systems be universalized across platforms, especially for people in the Global South?

Speaker

Apar Gupta

Explanation

This seeks to ensure that surveillance victims worldwide receive timely warnings about attacks on their devices and accounts.

How can device testing methodology and capacity be expanded beyond the current few organizations that provide this service?

Speaker

Apar Gupta

Explanation

This addresses the limited availability of technical forensic services for surveillance victims who need evidence of attacks on their devices.

How can digital rights and telecommunications access be ensured equally across conflict zones and different geopolitical contexts?

Speaker

Mohamad Najem

Explanation

This raises questions about equitable access to communication tools and digital rights regardless of political circumstances or geographic location.