Spyware is a complicated technology for several reasons. The underlying software is advanced and varied; 11 companies or spyware groups develop 16 strains, and their uses range from the mundane to the nefarious.
In their panel discussion at Infosecurity Europe 2024, Aude Gery, post-doctoral fellow at GEODE, and Brian Honan, CEO of BH Consulting, explored the complicated ethics of spyware technology.
Introducing Spyware
In the discussion, Gery and Honan identified two key types of spyware. While there are many more types, these two technologies best demonstrate the complicated role it plays in our society.
Parental monitoring apps are arguably the most well-known type of spyware, at least to the layman. These technologies are available in app stores and grant parents a complete view of their child’s phone usage.
Commercial spyware, however, is a more expensive, less common option, often purchased by large organizations for purposes such as employee monitoring, parental control, or law enforcement surveillance. The intent is usually to enhance security, productivity, or regulatory compliance.
Ethical Concerns
According to Gery and Honan, while these two types of spyware have legitimate uses—as outlined above—they can have profound ethical and legal ramifications if they fall into the wrong hands.
The perhaps more obvious concern with parental monitoring apps is that they invade a child’s privacy. While well-intentioned, monitoring a child in this way – especially without their knowledge – can significantly damage the parent-child relationship.
But more importantly, parental monitoring apps, on a technological level at least, are no different from stalkerware. Stalkerware is a spyware technology that gives users real-time access to their victim’s location, messages, calls, photos, and other personal information, just as parental monitoring apps do. However, these technologies are more often used by abusers to monitor and control romantic partners.
Commercial spyware comes with even more significant ethical concerns. While the market is more limited due to its high cost, those who can afford commercial spyware are granted enormous power. Honan says, “Some companies are set up to write software to steal information and monitor activity and phone calls, or even turn on microphones and cameras to spy on meetings.” The ethical and legal consequences of these technologies should be obvious: if commercial spyware users fail to obtain consent from those they are monitoring, they stand on, at best, shaky legal and moral ground.
A Legal Grey Area
The dual nature of spyware makes it extremely difficult to regulate. The simplest solution would be to ban the technology outright, but this would mean disregarding spyware’s legitimate benefits. Moreover, nation-states are reluctant to ban spyware as it plays a vital role in espionage and military campaigns – outlawing a technology and subsequently being caught using it would not be a good look.
This is why, according to Gery, spyware exists in a legal grey area. While writing the software itself is legal, using it could breach privacy or even human rights laws. Gery notes that “there is no prohibition on developing spyware, but it doesn’t mean there is a legal vacuum. There are rules that apply that constrain the way governments use these tools.”
These rules include restricting use to legitimate purposes, such as national security, crime prevention, or public safety, ensuring that use is proportionate to the threat and necessary for achieving the specific objective, and, in some cases, only used when authorized by a judicial authority.
For both Gery and Honan, stronger regulations for spyware technologies are sorely needed. “For a very long time, spyware was framed as just a human rights problem,” said Gery, “which was nonsense to people who have been for people who have been working on the topic because it’s a national and international security issue as well.” According to Gery, it’s only since diplomats and other public figures have been targeted with the technology that governments have woken up to the importance of managing it.
Regulating Spyware
According to Gery, governments are making efforts to control spyware. In February 2024, for example, the UK and France launched The Pall Mall Process, which brought together international partners and stakeholders for “an ongoing and globally inclusive dialogue to address the proliferation and irresponsible use of commercial cyber intrusion tools and services.” Similarly, the US recently introduced visa restrictions for those who misuse commercial spyware.
However, both Gery and Honan believe that more needs to be done to control spyware. Gery notes that because states enjoy sovereign immunity, some nations are flouting rights and sanction obligations, as well as international laws of peace and security. According to Gery, “The rules exist, at least there are some rules, but there is a lack of enforceability, largely due to a lack of willingness from governments.”
In conclusion, spyware is a legally and ethically complex technology—and one that isn’t going anywhere anytime soon. Honan suggests that you ensure that your security vendor protects against spyware or, failing that, “put your phone in the fridge” to ensure that you aren’t being listened to.
If you enjoyed reading this article you can find more great content in our blog back catalog, here.
