Cybersecurity & Tech

Regulating Commercial Spyware

Asaf Lubin
Wednesday, August 9, 2023, 9:00 AM
Only a binding multistakeholder legal framework can effectively regulate a legitimate and efficiently controlled market for spyware.
July 16, 2012. (Victor Grigas, https://commons.wikimedia.org/wiki/File:Wikimedia_Foundation_Servers-8055_35.jpg; CC BY-SA 3.0, https://creativecommons.org/licenses/by-sa/3.0/legalcode)

Published by The Lawfare Institute
in Cooperation With
Brookings

The rapid evolution of spyware technologies and their abuse by both democratic and autocratic governments has been the subject of increased international scrutiny. Spyware has been used to target the computers and phones of world leaders, human rights advocates, journalists and attorneys uncovering corruption, and political dissidents. As these sophisticated tools become more pervasive and intrusive, the potential for misuse and infringement of individual rights is only exacerbated. 

To address this problem a set of traditional legal and policy tools have been employed: (a) industry self-regulation, (b) ad hoc public enforcement and sanctions, (c) private litigation by victims, (d) moratoriums and tech bans, and (e) international cooperation. As I discuss in this paper, each of these solutions—and the ways they have been structured—have suffered from significant limitations. These limitations reduce the effectiveness of each of the measures in deterring and preventing human rights violations.

In March, the United States and two-dozen other countries adopted a Code of Conduct for the regulation of spyware. The state parties to this code made clear that they are committed to developing a new multilateral approach to the regulation of spyware and will work together to develop a future framework. This paper sets the building blocks for a new binding multi-stakeholder framework: the Commercial Spyware Accreditation System (or CSAS). I hope CSAS could serve to structure some of the discussion among the members of this growing consortium of states concerned about the future of spyware regulation.


Asaf Lubin is an Associate Professor of Law at Indiana University Maurer School of Law, a Fellow at the Center for Applied Cybersecurity Research at Indiana University, an Affiliated Fellow at the Information Society Project at Yale Law School, and a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University.

Subscribe to Lawfare