Lena Riecke is a PhD candidate at Leiden University’s Institute of Security and Global Affairs. Her research is situated at the intersection of law, intelligence studies, and cyber security governance. It explores approaches to governing the spyware market. Lena has held fellowships from the European Cyber Conflict Research Initiative and the Europaeum Scholars Programme. Her previous research projects examined the protection of civilian data during international armed conflict and the regulation of lethal autonomous weapons systems. She holds a BA in Law from the University of Cambridge as well as a LLM in Public International Law from Leiden University.
How Democracies are Failing to Govern the Spyware Market: Of Political Economy and the Pitfalls of Privatisation
Companies have sold commercial spyware not only to authoritarian governments but also to several democratic states that have -at scale and in some cases systematically- deployed it against state officials, elected politicians, lawyers, political dissidents, journalists and other members of civil society in a manner that threatens national security, human rights and the rule of law across democracies worldwide. Yet, for more than two decades, these vendors have continued to operate with little restraint. The past years have seen several democracies launch efforts to reform old and create new spyware market governance regimes. While their emerging governance approaches vary, they make a common assumption: the market for commercial spyware remains, in some form, desirable.
Unpacking this presupposition, the article investigates the origins of the global and booming spyware industry. Leading spyware companies were established within, continue to operate and draw funding from, as well as do business with democracies. This reveals how democratic states have long commodified and capitalised on commercial spyware, simultaneously helping to constitute and shape the political economy of the spyware market by advancing commercial, geopolitical and organisational interests within it. Deconstructing this political economy, the article shows how it establishes incentives for spyware vendors that put national security, human rights and the rule of law at risk. Coupled with the potential pitfalls of privatising the sale and development of spyware –viz., outsourcing essential state functions and secrecy creep- this creates an ecosystem that facilitates spyware misuse. Democracies’ governance efforts, new and old, fail to solve these pitfalls of privatisation. While this may serve their vested interests as spyware market participants, it amounts to a failure in their responsibilities as market regulators to uphold the fundamental pillars of democracy, including human rights and the rule of law. That is, it jeopardises the very principles that ultimately distinguish democratic from authoritarian practices in cyberspace.