On Feb. 5, 2024, the American Bar Association (ABA) adopted Resolution 509 in recognition of the profound threat to human rights and fundamental freedoms, as well as national security, posed by spyware, a malicious surveillance technology. The ABA was right to address this threat, not least because it undermines the assurances of confidentiality that its members give their clients every day.
Spyware is a powerful surveillance technology that has been used to violate a host of human rights, including the right to privacy, freedom of expression and association, and freedom of the press. Spyware can give operators almost complete access to, and control over, a target’s smartphone. It can expose a target’s emails, text messages, phone calls, contact lists, photos, search histories, and GPS locations; it can activate a smartphone’s microphone and camera; and it can do so without the target’s involvement or awareness. As detailed in extensive reports, repressive regimes and government actors around the world have used spyware to track and intimidate human rights defenders, journalists, activists, political opponents, and other government officials.
The U.S. government has taken steps to confront these violations over the past few years. In November 2021 and July 2023, the Biden administration added certain spyware companies to the “Entity List,” which effectively restricts the transfer of certain kinds of technology and information between the United States and foreign companies involved in “activities contrary to U.S. national security and/or foreign policy interests.” And in March 2023, President Joe Biden issued Executive Order 14093, restricting the operational use by U.S. agencies of commercial spyware “that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.” Most recently, the federal government announced a new policy allowing for visa restrictions on foreign individuals who have been involved in the abuse of commercial spyware to target journalists, activists, dissidents, and others.
In adopting Resolution 509, the ABA called for a doubling-down on these efforts. The rights-abusing deployment of spyware offends existing ABA policies that aim to protect human rights defenders and others working toward justice; to strengthen cybersecurity and safeguard personal data; and to preserve attorney-client privilege. The last of this list of policies is especially significant for the ABA, given attorneys’ profession-defining responsibility “to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” so it has sought to guard the attorney-client privilege against technological advancements. Still, the ABA needed more specific support for advocacy addressing the abuse of this particular technology. So, during the 2024 Midyear Meeting, the ABA adopted Resolution 509 with respect to “abusive commercial spyware,” defined along the lines set forth in Executive Order 14093. The Resolution sets out several ABA positions:
- First, the ABA joins U.N. special rapporteurs, civil society organizations, and others in urging a moratorium on the sale and use of “abusive commercial spyware” until an international regulatory framework that protects human rights can be put into place.
- Second, it supports the extension of the restrictions imposed under Executive Order 14093 to all levels of government in the United States, urging them to enact laws that would restrict the sale and use of “abusive commercial spyware” within the United States, and further urging them to impose penalties such as disgorgement of proceeds from the unlawful sale of spyware and to provide remedies for the victims of spyware attacks.
- Third, it calls for the continued addition to the Entity List of spyware companies that “knew or reasonably should have known” that the spyware they provided “posed a significant risk of improper use by a foreign government or foreign person,” and for the pursuit of other sanctions against those companies.
- Finally, it turns to the technology companies whose infrastructure has been used to deliver spyware attacks to their users, urging “platform providers to develop safeguards to prevent abusive spyware attacks, protocols to detect abusive spyware attacks, protocols to announce and correct the system flaws that enabled the attacks, and policies to promptly notify the victims of abusive spyware attacks.”
The adoption of Resolution 509 empowers the ABA to file amicus briefs in spyware cases making their way through U.S. courts—for example, briefs detailing the damage done to client confidence in the attorney-client privilege by the mere existence of commercial spyware—and to write letters urging legislative and executive action at all levels of government. Although the ABA speaks as one voice, it is a loud voice, and spyware victims around the world can hope that it will be heard.
Carrie DeCell is a senior staff attorney at the Knight Institute.