Eli Kronenberg is a rising junior and a FIRE summer intern.
In the last decade, the rise of the mercenary spyware industry has created a potent new weapon for authoritarian regimes bent on silencing dissent. Represented most prominently by the Israel-based NSO Group and its flagship spyware Pegasus, surveillance malware is often sold to the world’s most repressive governments with little thought given to how it will eventually be used.
Regimes like those in Saudi Arabia and Egypt have long track records of suppressing political opposition and independent journalism. When they acquire state-of-the-art surveillance technology, the result is a crackdown on free expression worldwide, carried out using the devices in our very pockets. And because the surveillance is secret and largely undetectable, it impacts anyone with a reason to suspect that the government might not like what they have to say.
What is mercenary spyware?
Mercenary spyware is a type of malicious software developed and sold by private companies to governments. Unlike general malware, which spreads widely and somewhat randomly, mercenary spyware is designed to infiltrate specific devices and extract information.
The University of Toronto’s Citizen Lab has published numerous reports explaining how spyware like Pegasus is used to hack the personal devices of political opponents in retaliation for criticizing the government. Victims include an Italian journalist critical of the Meloni government, an Egyptian opposition politician with presidential ambitions, dozens of Catalan separatist leaders in Spain, Mexican journalists investigating presidential corruption, and even a Saudi dissident living in exile in Canada.
“The consequences that we’ve seen in our research are profound,” said Ronald Deibert, the director of the Citizen Lab. “People are afraid to engage over social media, to use the internet, paranoid about their surroundings, about their social relationships. There’s an obvious chilling effect.”
Here’s how it works: Mercenary spyware companies like NSO Group search operating systems and widely used apps for previously unknown security vulnerabilities, known as “zero-days,” which can be used to infiltrate products as ubiquitous as Apple iPhones. Then, they develop spyware designed to exploit these zero-days and sell it to governments, ostensibly for law enforcement and intelligence agencies to use for legitimate data-gathering purposes.
In practice, governments with long histories of repression often abuse spyware to hack the devices of anti-government activists, journalists, and other members of civil society. And, even for democratic regimes who preach tolerance of dissent, the temptation of spyware capabilities often proves too powerful.
All it takes is one click on a phishing message for spyware to be implanted onto a device. From there, governments can read all of the target’s communications, track the device’s location, and secretly turn on the camera and microphone to listen to live conversations — without the victim receiving any indication that their device has been compromised.
In recent years, spyware has evolved past the point of needing victims to fall for fake links, instead relying on “zero-click” attacks which automatically implant the spyware without requiring the user to do anything. Not even the most meticulous digital hygiene measures can keep those who have drawn the government’s ire safe in this day and age.
“I imagine from the perspective of an operative who’s using this type of product, how addictive it must be,” Deibert said. “It’s almost godlike to be able to just drop into somebody’s life, find out everything about them, watch what they’re doing, turn on the microphone, turn on the camera. That is extremely compelling from an intelligence collection point of view, and opens up all sorts of opportunities that otherwise wouldn’t exist for those types of operatives, which explains why the business is so lucrative.”
While today’s surveillance agents have shiny new tools, their tactics are tried and true. The Nazis famously used IBM punch cards to categorize citizens by ethnicity and other metrics, as well as wiretaps to track Jews, political dissidents, and other “undesirables.” In East Germany, the Stasi used hidden cameras and bugging devices to maintain files on more than one-third of the population. They even stored body odors to identify dissidents using dogs. The Chinese Communist Party uses facial recognition software so advanced they caught a suspect in a crowd of 60,000 people — and that was seven years ago.
In 2025, it is easier than ever to invade the private lives of those who dare speak up against public officials. The mercenary spyware industry emerged in the early 2010s, coinciding with the rise of social media-enabled revolutions like the Arab Spring. For regimes seeking to quell political opposition but lacking the technological means to effectively control it, mercenary spyware companies provided a saving grace.
“What this market offers them is the ability to leapfrog ahead in surveillance capacity, in espionage capacity, effectively drawing from some of the world’s most well-trained, sophisticated veterans of intelligence agencies,” Deibert said.
Reining in the industry
Fortunately for supporters of free expression, the U.S. has taken concrete steps to crack down on mercenary spyware companies. In 2023, former President Joe Biden issued an executive order directing agencies to cease procuring commercial spyware that poses a threat to human rights or national security. Twenty-two countries signed on to the Biden administration’s “Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware,” pledging to implement similar guardrails.
The industry’s biggest fish, NSO Group, was added to the Commerce Department’s trade blacklist in 2021, stifling the company’s business prospects on American soil. NSO has also been dealt blows by the courts, most recently being ordered to pay WhatsApp $170 million in damages after its spyware was used to hack over 1,000 accounts on the messaging app.
“To me, that was all a roadmap of how you go about effectively reining in this wild west that’s causing all sorts of harm,” Deibert said of these efforts.
The bad news? While some of the world’s biggest spyware developers have been wounded, they won’t give up easily. NSO Group recently hired a new lobbying firm with the mission of reigniting its relationship with Washington lawmakers and rolling back the new restrictions, according to an April report by WIRED.
Those efforts have been rebuffed for now. The Trump administration canceled a meeting with NSO officials in May because the company was “not forthcoming in its motives for seeking the meeting,” according to an unnamed official quoted by the Washington Post.
Still, spyware companies and their opportunistic governmental clients thrive when operating from the shadows. The U.S. must remain vigilant and further crack down on companies whose spyware is used to spy on civil society, ensuring that political dissidents worldwide can speak without the threat of dictators — or even democratically elected governments — invading their pockets and upending their lives.