Zero-click spyware: Enemy of the press
Zero-click spyware can take over a phone without a user’s knowledge or interaction (Reuters/Dado Ruvic/Illustration)

CPJ recommendations to protect journalists against spyware 

The arbitrary or unlawful use of spyware technologies violates human rights and causes direct damage to journalists and their ability to report freely and safely. These recommendations are necessary to protect journalists and their sources.

For all governments

  • Implement an immediate moratorium on the development, export, sale, transfer, servicing, and use of spyware technologies until governments have enacted robust regulations that guarantee its use in line with international human rights standards.
  • Bar government agencies from purchasing or licensing the export of spyware technology from companies that sell to governments with a track record of attacking press freedom and/or journalists, or that lack mechanisms to prevent their clients from unlawfully targeting the press. 
  • Commit to not using spyware technology against journalists and pursue efforts to make it explicitly illegal in national legislation. 
  • Establish accountability and remedy mechanisms in documented cases of abuse against the media 
  • Where governments continue to engage in the use or sale of this technology, require public reporting and consultation about spyware purchases and exports 
  • Use targeted actions – including visa and economic sanctions and export control listings – to hold accountable those who have spied or facilitated spying on journalists through the sale or use of spyware, and to deter future spying. 
  • If not a member, join the Export Controls and Human Rights Initiative, an international effort to codify rights-respecting policy approaches to surveillance technology exports, and use it to build consensus for global action through concrete action.

For the U.S. government 

  • Comply with the Congressional requirement to create a list of companies known to sell such spyware to countries with a record of using it unlawfully or with poor human rights records. [Note: the State Department was required to do this by National Defense Authorization Act 2021 but hasn’t complied yet. State said they are working on it.] 
  • Continue to use the Department of Commerce’s (DoC) Entity List for Malicious Cyber Activities to impose export controls on spyware-producing companies, such as was done with NSO Group
  • Stringently enforce a new DoC rule establishing controls on the export, reexport, or transfer of items that can be used to spy on journalists.
  • Ensure U.S. businesses are complying with the State Department’s September 2020 Guidance on “Implementing the UN Guiding Principles for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities.”
  • Congress should adopt the Surveillance Technologies Disclosure Rule, which would require companies to conduct human rights due diligence and provide transparency in the surveillance technologies’ supply chain.
  • Congress should adopt the Foreign Advanced Technology Surveillance Accountability Act, which would require the U.S. State Department to report on the wrongful use of surveillance technologies in the annual Country Reports on Human Rights Practices. 

For European Union institutions 

  • EU member states should fully implement the European Parliament regulation on the export of dual-use surveillance technology by EU-based companies and prevent the export of this technology from harming human rights in countries where journalists are targeted and under surveillance because of their work. 
  • The European Parliament’s Committee of Inquiry into Pegasus and equivalent spyware should conduct full and independent investigations into all allegations of abuse of Pegasus in EU member states and in third countries. The committee should issue ambitious and robust recommendations to EU member states, and the institutions, with a structured plan for continued scrutiny and timely monitoring to ensure all recommendations are implemented in full.
  • EU member states should fully and independently investigate all national reports that Pegasus has been used to spy on journalists, providing full access to remedy for journalists targeted, including guarantees of non-repetition and restitution.
  • The European Commission should assess the extent to which the Pegasus revelations have breached EU law, seek all sanctions against violating member states, including infringement procedures, and consider its own competencies to defend EU citizens against such abuse in the future.

For companies

  • Embrace corporate accountability by making  a public commitment to press freedom and protecting journalists and media outlets from covert surveillance. 
  • Prohibit clients from deploying technology to spy on journalists by inserting explicit terms in contracts and licenses. 
  • Revoke access to spyware when abuse is detected, and report abuse to affected individuals, relevant authorities, and oversight bodies. 
  • Establish procedures to review complaints and support human rights monitors investigating allegations of abuse involving specific products. 

For international organizations 

  • Consult with civil society, report on the use of spyware against journalists around the world, and raise cases with governments. 
  • Use human rights review mechanisms, including the Universal Periodic Review, and related processes to ensure that commitments to limit the abusive use of surveillance technologies, including spyware, translate to appropriate action, laws and policies that align with international human rights standards on targeted surveillance. 
  • Promote public debate about the abusive use of spyware and encourage member states to adopt policies and laws to stem the problem by requiring corporate actors to respect human rights and implement measures as prescribed by the United Nations Guiding Principles on Business and Human Rights.

See CPJ’s 2021 policy brief for summarized recommendations.  

Read CPJ’s complete special report on how spyware threatens journalists, their sources, and global press freedom.