State actors have weaponized commercially available spyware designed for legitimate purposes, deploying it against journalists, human rights activists, and political opponents to suppress dissent and eliminate accountability. The clearest evidence emerged in 2021 when investigations by Forbidden Stories and major news outlets revealed that NSO Group’s Pegasus spyware—marketed as a tool for fighting terrorism and organized crime—had been used by at least ten government clients to target over 50,000 phone numbers belonging to activists, lawyers, and dissidents across multiple continents. This practice represents a deliberate inversion of commercial surveillance technology: what governments claimed would be surgical law enforcement tools became instruments of political control.
The business model makes this pivot inevitable. When a private company sells intrusion capabilities to governments with minimal oversight or meaningful restrictions on targets, those governments eventually use them for their actual priority: monitoring domestic opposition. NSO Group and similar vendors maintained the fiction that their products would target only criminals and terrorists, but the reality, documented through forensic analysis and investigative journalism, is that dissidents in Turkey, Mexico, Saudi Arabia, the United Arab Emirates, and dozens of other countries were among the first people whose phones were compromised. Governments found commercial spyware useful precisely because it offered plausible deniability and required no visible arrest, warrant, or public legal process.
Table of Contents
- Why Do Governments Choose Commercial Spyware Over Traditional Surveillance?
- How Commercial Spyware Became a Repression Infrastructure
- Documented Cases of State Actors Using Commercial Spyware Against Dissidents
- Technical Capabilities That Make Commercial Spyware a Repression Tool
- Detection, Attribution, and Accountability Gaps
- The Role of Geopolitical Competition in Normalizing Spyware Sales
- The Persistence of Commercial Spyware Despite Public Exposure
Why Do Governments Choose Commercial Spyware Over Traditional Surveillance?
Traditional surveillance requires legal procedures, warrants, court oversight, and often public disclosure. Commercial spyware bypasses these constraints entirely. A government agent can infect a dissident’s phone remotely, without ever placing them under formal arrest, and without leaving conventional evidence that would appear in legal records or investigative reports. The surveillance is invisible—the target sees no indication they are being monitored. Unlike a wiretap order filed in court or a police tail visible to surrounding observers, spyware operates in the background, extracting messages, location data, photos, and call logs with the target unaware. The efficiency is also seductive to authoritarian regimes.
One operator, in one control center, can monitor hundreds or thousands of targets simultaneously. A single spyware operator in a government agency can accomplish what would previously have required dozens of surveillance officers, technical infrastructure, and ongoing operational risk. The financial cost per target is low compared to maintaining traditional human intelligence networks. For governments facing significant domestic opposition, this represents a force multiplier: more people watched, more comprehensively, for less money and personnel. The legal cover is perhaps the most valuable feature. Because the spyware is sold by a private commercial vendor nominally for fighting crime, authoritarian governments can claim they are using modern law enforcement tools. When journalists investigate or when the spyware is detected, the government can assert the targets were criminals, terrorists, or security threats—allegations made without evidence, but effective in silencing critics in environments where independent journalism is weak or dangerous.
How Commercial Spyware Became a Repression Infrastructure
The transformation of commercial spyware from a law enforcement tool to a repression infrastructure happened gradually and was not a technical accident—it was a policy choice by vendors and their government customers. NSO Group, the most prominent example, was founded in 2010 by Israeli security researchers with backing from venture capital and strategic partnerships with Israeli intelligence. The company was designed to sell cyber-intrusion capabilities to governments. From the beginning, the stated restrictions on use—that spyware would only target criminals and terrorists—were unenforceable. A critical limitation: there is no technical mechanism that prevents a government customer from misusing the spyware once they have obtained access to it. NSO Group could not remotely monitor which individuals were targeted or prevent a government from changing the justification for a target after the fact.
The company maintained that it included contractual restrictions and post-sale audits, but these claims were never independently verified and were contradicted by the documented targeting of activists with no plausible connection to terrorism or organized crime. When human rights organizations or journalists demanded accountability, NSO Group responded with vague statements about being bound by law and unable to comment on specific operations—a response that effectively shields the company from liability while maintaining relationships with paying government customers. The regulatory gap is profound. International arms control frameworks that restrict weapons sales do not clearly apply to software. Unlike a fighter jet or a tank, spyware can be exported, sold, updated, and transferred with minimal international oversight. Individual countries have export controls on cyber-intrusion tools, but these controls are often weak, unenforced, or exploited through intermediary sales and partnerships. Israel, where NSO Group is based, does have an approval process for exporting cyber-weapons, but investigations revealed that NSO received licenses and continued operations even as evidence mounted that customers were using the spyware to target activists and journalists.
Documented Cases of State Actors Using Commercial Spyware Against Dissidents
The 2021 Pegasus investigation identified specific, high-profile targets. Turkish officials used the spyware to monitor journalists and opposition figures during and after the failed coup attempt in 2016, including targeting Jamal Khashoggi (the Washington Post journalist assassinated in 2018, suggesting the spyware was part of a broader intelligence operation). Mexican federal police and government agencies deployed Pegasus against human rights activists investigating disappearances and extrajudicial killings, as well as against journalists covering organized crime and corruption. In Saudi Arabia, the government targeted family members of dissidents and journalists critical of the regime. The targeting was not random or reactive.
A pattern emerged: governments purchased the spyware and then used it to monitor their domestic critics, particularly those with international platforms or investigative capabilities. The spyware was deployed against lawyers defending political prisoners, journalists investigating government abuses, and members of opposition parties. In some cases, the timing of arrests or targeted harassment followed digital evidence that would only have been available through spyware-based surveillance—investigators could trace the phone number targeted, the timeframe of the intrusion, and the arrest that followed, establishing a causal chain from surveillance to persecution. Importantly, the spyware was often used for monitoring, not immediate arrest. Governments used the capabilities to gather intelligence on opposition organizing, intercept private communications about protest planning, and identify networks of activists. This allowed governments to disrupt opposition movements before they could organize effectively and to monitor what dissidents were planning in private conversations where they believed they were safe from state surveillance.
Technical Capabilities That Make Commercial Spyware a Repression Tool
Pegasus and similar spyware can extract text messages, photos, videos, email, location history, and call logs from a smartphone. It can access encrypted messaging applications by running on the device itself, meaning even end-to-end encrypted conversations become readable once the spyware has infected the phone. It can activate the camera and microphone without the user’s knowledge or any visible indicator. It can log passwords and intercept two-factor authentication codes. The capabilities are comprehensive—essentially, full access to everything the phone contains and everything the user does with the phone. The delivery mechanism is also relevant.
The spyware is typically delivered through a text message containing a link, or through a zero-day vulnerability (a security flaw unknown to Apple or Google) that allows infection with no user action required. Once installed, the spyware operates silently, consuming minimal battery power and data, rendering it difficult to detect through normal means. A user might experience slight degradation in performance or unusual heat generation, but these symptoms are vague and easily attributed to other causes. The phone appears normal; the surveillance is invisible. The comparison to traditional surveillance is stark: a wiretap captures phone calls; spyware captures the entire digital life of the target. The scope of access, the permanence of the data collected, and the difficulty of detection make commercial spyware more invasive than almost any form of physical or traditional electronic surveillance available to law enforcement. This asymmetry makes the tool exceptionally valuable to repressive regimes and exceptionally dangerous to human rights and privacy.
Detection, Attribution, and Accountability Gaps
Detecting spyware on a phone owned by a dissident living under an authoritarian regime is difficult and dangerous. Forensic analysis requires specialized tools and expertise, which is why detection typically happens only after journalists, human rights organizations, or academics with international resources conduct investigations. A dissident in most countries cannot simply take their phone to a local technician for analysis without risking exposure or arrest. The asymmetry of information—the government knows it is surveilling the dissident, but the dissident cannot easily discover they are being surveilled—is a core feature of the repression model. Attribution is a second major challenge. Even when spyware is detected and forensic analysis confirms the infection, proving which government purchased and deployed it requires additional investigation. NSO Group’s products are sold to government agencies, but leaked documents and investigations have revealed that some government customers shared access with foreign intelligence agencies, sold access to intermediary private companies, or allowed the tools to be stolen and resold.
In some cases, proxies of the state have been used to conduct targeting, creating layers of plausible deniability. Mexico’s documentation of Pegasus use was only confirmed because journalists obtained the list of phone numbers targeted and cross-referenced them with disappearances and arrests. The accountability gap is perhaps the most troubling aspect. As of the last major investigation, NSO Group and other spyware vendors faced no criminal charges for facilitating mass surveillance of dissidents. Lawsuits have been filed in several countries, and some governments have imposed restrictions on exports or purchases, but these measures are incomplete and inconsistently enforced. The company itself maintained it had no direct responsibility for how customers used its products, a position echoed by other vendors and accepted in most jurisdictions where enforcement is theoretically possible. This creates a situation where the infrastructure of repression remains legal, profitable, and widely available.
The Role of Geopolitical Competition in Normalizing Spyware Sales
The commercial spyware market exists within a broader context of intelligence competition between major powers. Israel’s government benefits from NSO Group’s market position and the intelligence it can purchase in return for export licenses. Similarly, other nations develop and sell cyber-intrusion tools as part of strategic competition and intelligence gathering.
Authoritarian governments view spyware as a standard component of state surveillance, no different from other weapons and tools they acquire from international markets. The normalization of spyware sales—treating them as legitimate commerce rather than enabling human rights abuses—reflects geopolitical acceptance of surveillance as a tool of statecraft. Western governments, including the United States, have also purchased spyware or used similar intrusion capabilities from commercial vendors, creating a situation where the technologies are perceived as legitimate state tools rather than instruments of repression. This muddies the international response: governments that benefit from surveillance technology themselves are reluctant to impose strict restrictions on countries they view as geopolitical competitors or partners, even when those countries use spyware to target political opponents.
The Persistence of Commercial Spyware Despite Public Exposure
Despite years of investigations, public exposure, and advocacy by human rights organizations, the commercial spyware market continues to operate and grow. NSO Group has faced restrictions from some countries and payment processors, but the company continues to operate and sell new products. Newer spyware vendors have emerged and are now being investigated for similar practices. The underlying business model—selling intrusion capabilities to governments with minimal restrictions—remains legal and lucrative.
The persistence reflects the reality that no single country or organization has the authority to shut down the market entirely. Export controls work only if multiple countries cooperate, and cooperation is hindered by countries that benefit from access to spyware. Victims of spyware have few legal remedies because governments claim sovereign immunity, and holding private companies accountable requires laws that most countries have not enacted. The infrastructure of commercial spyware-enabled repression remains standing, accessible to any government with the financial resources and willingness to pay for access.
