Skip to main content

Statements Office of the High Commissioner for Human Rights

Committee on Legal Affairs and Human Rights, Parliamentary assembly Council of Europe - Hearing on the implications of the Pegasus spyware

14 September 2021

Statement by United Nations High Commissioner for Human Rights, Michelle Bachelet

14 September 2021

Excellencies,

I thank you for the opportunity to share my views on a pivotal topic for our privacy today and our freedom in the future.

Let me be clear from the outset: today's unprecedented level of surveillance across the globe by state and private actors is incompatible with human rights. Many -- if not most of us -- are unaware of the amount of information that is being collected, processed, used and distributed about so many aspects of our lives.

These previously unknown challenges go to the core of democracy and freedom, and require urgent, deep reflection and further action.

Most of us were far from surprised by the recent revelations documenting the widespread use of the spyware commercialized by the NSO group, affecting thousands of people in 45 countries across four continents. The targeting of human rights defenders, journalists and politicians is just another example of how tools allegedly meant to address security risks can end up being weaponized against people with dissenting opinions.

Abuses facilitated by the surveillance industry have grown so common that only days before the Pegasus revelations, another report described opaque deals involving the marketing of a different spyware, Candiru. That spyware was said to have similarly targeted at least 100 human rights defenders and journalists in at least 10 countries.

I commend the outstanding work of experts, journalists and civil society organizations in documenting the impact of tools like Pegasus and Candiru, their reports provided further evidence of the serious and global threat posed by the surveillance tech industry to civic space.

We need to ask ourselves: how have risks reached these levels? And I think we know the answer. Governments and companies have developed numerous surveillance tools, citing real security threats and noting the urgent need to fight criminal activity online and offline. And this surveillance industry has thrived in the absence of minimal levels of regulation and control at both national and global levels. A surveillance technology market has dangerously flourished in the shadows, far from justice oversight and public scrutiny –both in authoritarian countries and in democracies. The prevailing opacity and lack of regulation created the perfect conditions for broad security claims to be translated into new measures of repression.

Without minimal safeguards and control, highly intrusive technologies will continue to be used to monitor voices regarded as critical or hostile at home and abroad. These technologies, that detect and exploit vulnerabilities of digital communications without leaving any trace will keep being used as weapons to silence dissent and punish independent reporting.

There should be no excuses for inaction. States have come together to acknowledge the chilling effect that illegal surveillance poses to public freedoms and to the tenets of democracy in successive UN resolutions. And its other nefarious consequences are evident. As we have seen with the recent revelations, spyware technology can and has contributed to arbitrary detention, torture and possibly even extrajudicial killings.

One key obstacle in the path of addressing the risks of these technologies is the utter lack of transparency regarding how digital surveillance tools are developed, bought, sold, and used. How can we ensure effective oversight or control of intrusive technologies if so little information is shared about them? How can we push for responsible business practices when so little is known about the companies responsible for their development and sale, including to governments with poor human rights records? What sort of due diligence is being carried out by Governments adopting these tools and by the companies selling them?

Parliamentary discussions such as this one are crucial to shed light on these questions. As you move ahead in your important debates, allow me to share some key recommendations human rights mechanisms have presented in the last years.

First and foremost, the human rights law applicable here is clear: surveillance measures can only be justified in narrowly defined circumstances, based on the law. In addition, such measures must be both necessary and proportionate to a legitimate goal. Government hacking at the scale reported is never going to meet these criteria.

States have not only the duty to refrain from these abuses, but also the duty to protect individuals from them. This can be done by establishing robust legislation and institutional regimes to make States meet their human rights obligations and companies meet their own responsibilities under the UN Guiding Principles for Business and Human Rights.

The Guiding Principles clearly underscore companies' responsibility to prevent and mitigate adverse human rights impact in the design, development or use of digital technologies. Corporate leaders should publicly recognize and live up to those demands.

It is time for a pause. As human rights experts have already emphasised, until compliance with human rights standards can be guaranteed, governments should implement a moratorium on the sale and transfer of surveillance technology.

This pause will allow States to work on an export and control regime, as well as to boost legal frameworks securing privacy. But far more can and must be done to ensure a global export and control regime with transparency and careful human rights impact assessments.

Limited – and often complete lack of – accountability for abuses has also contributed to the problem. States must conduct impartial investigations on cases of targeted surveillance. Victims must be informed and supported to seek redress. And companies need to ensure mechanisms are available to remediate those whose rights have been adversely impacted.

Finally, effective due diligence must always be implemented. Any time States are considering the use of technologies for government services or functions, they must work together with civil society, including marginalized groups and those most likely to be affected, to both identify risks and address them. That is their obligation.

Excellencies,

The recent revelations of repeated malware abuse were a wake-up call.

The wide and continued impact of the spyware market makes the implementation of these human rights recommendations more pressing. It is time for authorities to finally rein in the surveillance industry.

Thank you.