Action needed to address targeted surveillance of human rights defenders

Front Line Defenders is deeply concerned about the increasing use of surveillance technology created by private companies, by governments to target, intimidate and retaliate against human rights defenders and the impunity faced by these companies for the negative human rights impact of their products and services. In November 2021 the UN General Assembly’s Third Committee adopted a resolution on providing a safe and enabling environment for human rights defenders and ensuring their protection which, among other recommendations, called on States to refrain from using surveillance technologies to target human rights defenders. Front Line Defenders welcomes this call and urges States to go even further and immediately institute a moratorium on the sale of surveillance technology until proper oversight and safeguards can be established.

In October 2021, Front Line Defenders uncovered surveillance spyware on the devices of six Palestinian human rights defenders.¹ These revelations came just days after the Israeli Defence Ministry issued an order declaring the Palestinian civil society organizations in which they worked to be ‘terrorist organizations’ under Israel’s Anti-Terrorism Law. The defenders targeted were Ghassan Halaika, a field researcher and human rights defender working for Al-Haq, Ubai Al-Aboudi, Executive Director at Bisan Center for Research and Development, Salah Hammouri, a lawyer and field researcher working at Addameer Prisoner Support and Human Rights Association, and three others who wish to remain anonymous. Their devices had been infected with Pegasus spyware developed by Israeli Cyber arms firm NSO Group technologies.

In July 2021, the Pegasus project – a collaboration between Forbidden Stories, Amnesty International and 17 media organisations including Le Monde, The Guardian, The Washington Post and Die Ziet – revealed that human rights defenders, journalists and lawyers around the world were under surveillance by governments using Pegasus spyware.² The project revealed that Pegasus could extract messages, photos and passwords, access the microphone and camera to record and gather information from apps. The project also revealed a list of 50,000 phone numbers which had been identified as persons of interest to the clients of NSO Group including large numbers of human rights defenders, despite NSO’s insistence that the technology was used to target terrorists and criminals.³

The infections on six Palestinian human rights defender’s devices discovered by Front Line Defenders (read more in our report) – which were confirmed by both Citizen Lab and Amnesty International’s Security Lab – and the Israeli designation of these organizations as ‘terrorist organisations’ around the same time Pegasus was detected on their devices is further evidence that despite their protestations Pegasus is being used to target human rights defenders.

The impact of being under such intrusive surveillance is significant. Front Line Defenders has also been working with three human rights defenders from the Bahrain Center for Human Rights who have faced on again off again surveillance since around 2017, when there is evidence that the government of Bahrain purchased Pegasus spyware.⁴ The defenders have described feeling on high alert, as if they are always being watched. They report being unable to sleep and being hugely concerned about the welfare of their families. Their fears are not unwarranted. In 2012 human rights defender and lawyer Mohamed Al-Tajer was threatened by someone he believed to be an intelligence agent of the Bahrain government. The perpetrator threatened to release intimate photos and videos of him and his wife. These private photos and videos were later circulated online. Despite Pegasus spyware now being removed from the devices of the defenders from the Bahrain Center for Human Rights, there is no way to know what of their personal data has already been taken, or if and when they might get reinfected. The fear of of private data being made public therefore remains.

Surveillance technologies are often used to target human rights defenders in a bid to dissuade them from continuing their human rights work. The prevalence of the misuse of surveillance technology contributes to a chilling effect in which defenders are aware they may be targeted through these technologies and therefore may become fearful to continue their work. In the aftermath of the Pegasus scandal, several human rights defenders have reported to us that they are purposefully reducing their public facing human rights work.

The revelations about NSO Group’s Pegasus have captured the world’s attention, but surveillance technology created by private companies being used to target human rights defenders is not new. In 2019, the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression found that “Surveillance of individuals – often journalists, activists, opposition figures, critics and others exercising their right to freedom of expression – has been shown to lead to arbitrary detention, sometimes to torture and possibly to extrajudicial killings”.⁵

In India, in June 2018 sixteen human rights defenders were jailed under anti-terror law, in what is known as the Bhima Koregaon case, which relates to the violence that took place in Bhima Koregaon on 1 January 2018. One of the defenders, 84 year old Jesuit priest, Stan Swamy, died in custody in July 2021. A digital forensics investigation found that ‘evidence’ relied on by the prosecution had been planted through malicious software onto human rights defender Rona Wilson and Surendra Gadling’s computers and that there was no evidence that the defenders interacted with these files.⁶ Amnesty International and Citizen Lab also found that nine further human rights defenders were targetted in 2019 in a coordinated malware attack. Eight of the nine defenders had worked on campaigns to free the Bhima Koregaon detainees.⁷

The lack of transparency regarding these private surveillance companies means civil society has little information about how they consider the human rights impacts of their products, if at all. The UN Guiding Principles on Business and Human Rights states that all companies have a responsibility to respect human rights; a responsibility which they should uphold by making a policy commitment to respect human rights as well as to conduct human rights due diligence to identify and then prevent or mitigate any potential or actual human rights impacts of their business. The due diligence process should include ongoing consultation which affected groups.

Despite commitments,⁸ the investigations of Front Line Defenders, Amnesty International, Citizen Lab, and others showing the presence of Pegasus malware on many devices owned by human rights defenders from around the world shows that NSO Group has not undertaken adequate due diligence to ensure their product is not being used to perpetrate human rights abuses.

In the words of Michelle Bachelet, the UN High Commissioner for Human Rights, “today's unprecedented level of surveillance across the globe by state and private actors is incompatible with human rights… States have not only the duty to refrain from these abuses, but also the duty to protect individuals from them. This can be done by establishing robust legislation and institutional regimes to make States meet their human rights obligations and companies meet their own responsibilities under the UN Guiding Principles for Business and Human Rights.”1

In early November, the United States Commerce Department placed NSO Group onto its trade blacklist for engaging in activities contrary to U.S. national security or foreign policy interests.⁹ Other States must also take swift and decisive action, not just on NSO Group but on all private surveillance firms which are being used to target human rights defenders.

While we welcome the UN Resolution on Implementing the Declaration on the Right and Responsibility of Individuals, Groups and Organs of Society to Promote and Protect Universally Recognized Human Rights and Fundamental Freedoms through providing a safe and enabling environment for human rights defenders and ensuring their protection, including in the context of and recovery from the coronavirus disease (COVID-19) pandemic of November 2021, which calls on States to refrain from using surveillance technologies to target human rights defenders, decisive action is urgently needed.

In particular we recommend that States:

• Place a moratorium on the export of surveillance technologies by private security firms until regulation which can hold surveillance technology companies accountable for their negative human rights impacts can be put into place.

• Call for independent and transparent investigations into all alleged cases of targeted surveillance abuse

• Hold surveillance companies accountable for their human rights impacts by developing a legal framework which require surveillance companies to conduct human rights due diligence to identify, prevent, mitigate and remedy any human rights impacts of the use of their products. This should be conducted before the sale or transfer of any surveillance technology and throughout any partnerships with other companies and/or governments and include liability for harms which are not properly prevented.

• Establish an independent mechanism with oversight of companies selling spyware to monitor and investigate their use and ensure that use is consistent with human rights.

• Adopt legislation which mandates transparency on the sale and use of surveillance technologies, including on human rights due diligence processes and outcomes

• Ensure legislation adopted to regulate surveillance technology companies is developed in consultation with human rights defenders who have been impacted by the misuse of surveillance technologies.

• Promote policies which enhance, strengthen, and promote the use of strong encryption
  _________________________________________________________________________________________________________________________________________________