Lessons from the Pegasus Project: Reforming Surveillance Through Open Gov

On July 18, a global investigation uncovered how mobile phones of journalists, activists, and opposition leaders across the world were targets of illegal surveillance by at least eleven governments. This was done using the software “Pegasus,” sold by the NSO Group, an Israeli firm known for cybersurveillance. This scandal throws into sharp relief the dangers of unaccountable use of technologies, and how this is a fundamental threat to open government.

The Pegasus leak shows how technology can be systematically used to undermine press freedom and democracy. Governments targeted journalists who were critical of their policies and were investigating systemic corruption. For instance, among those targeted were those who uncovered the 1Malaysia Development Berhad scandal (1MDB) and the fiancee of murdered Saudi journalist Jamal Khashoggi. Governments also used this alleged security system for political ends, including against opposition leaders during electionsImproving transparency in elections and maintaining the independence of electoral commissions is vital for promoting trust in the electoral system, preventing electoral fraud, and upholding the democr... More. This will have a chilling effect on civil society, journalists, and reformers beyond those immediately tracked – contributing to further fear and self-censorship, attempting to silence those who hold their governments to account.  

The countries identified in the Pegasus investigation are known to rank low on the Press Freedom Index, including three countries that are members of the Open Government Partnership (OGP): Azerbaijan (currently suspended), Morocco and Mexico. That said, given the prevalent use of surveillance by law enforcement and security agencies across borders, and not just by a few countries, some democratic controls and open government principles need to be in place to check abuse and promote accountability. 

In 2017, the former Mexican government was first found to be targeting activists and journalists using the Pegasus software. This included journalists such as Juan Pardinas, who was part of the group of governments and civil society leaders who founded OGP, and activists part of the OGP national process at the time. This led to a breakdown in dialogue between government and civil society, resulting in civil society organizations leaving the OGP table. Once a new government was elected, Mexican civil society groups such as Article 19, Social TIC and others advocated for greater accountability and oversight on government regulationGovernment reformers are developing regulations that enshrine values of transparency, participation, and accountability in government practices. Technical specifications: Act of creating or reforming ..., procurement and use of surveillance technologies. 

This OGP brief highlights innovations in democratic oversight of surveillance technologies by OGP members in detail. Relevant to the unfolding Pegasus case, here are five key open government ideas for governments and activists navigating the policy vacuum in this space:

• Ensure transparency, accountability and oversight: There is very little oversight on the procurement and deployment of surveillance technologies across the jurisdictions emerging from the Pegasus leak. This needs to be tackled as an urgent priority. A few years ago, the UN Special Rapporteur on Freedom of Expression called on Member States to “publish, at minimum, aggregate information on the number of requests approved and rejected, a disaggregation of the requests by service provider and by investigation and purpose.” Under OGP, the Supreme Court of Georgia committed to maintaining statistics on motions for phone tapping. Following a request by civil society involved in the OGP process, the Supreme Court began publishing them on an annual basis. In 2019, as part of their OGP action plan, civil society in Mexico prompted the government to commit to increase transparencyAccording to OGP’s Articles of Governance, transparency occurs when “government-held information (including on activities and decisions) is open, comprehensive, timely, freely available to the pub... More and accountability in the use of surveillance technology. Mapping the experiences of other countries to inform the commitment’s implementation showed that there are very few examples of similar reforms elsewhere. 
• Integrate into broader data protection reform:  As countries consider their policy infrastructure around data protection and data sharing, it is essential to include provisions on surveillance reform. The European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data has some strong provisions on this, some of which are reflected in the EU’s General Data Protection Regulation (GDPR). 
• Consider the role of civil society and independent oversight bodies: Transparency and supervision are essential for public agencies as they tackle organized crime and promote trust among citizens. Involving civil society in monitoring and oversight therefore becomes important. Where surveillance technologies are used to tackle organized crime, they need to be implemented in compliance with international human rights and data protection frameworks. In this regard, mechanisms such as independent task forces or ethics committees set up to work with law enforcement agencies are important. Emerging examples to consider include, the data ethics committee created by the West Midlands Police & Crime Commissioner and West Midlands Police in the UK, New Zealand Police independent advisory panel on emergent technologies, and a local surveillance technology ordinance in Oakland which mandates public consultations.
• Couple global principles and declarations with concrete country reforms: There have been many calls for developing a set of global principles and frameworks to regulate surveillance technology recently – including to ban export and transfer. In addition to proposed global trading regulations, countries (like Israel in this case) must regulate its domestic spyware industry. While global standards are valuable, concrete policy actions at the country level are key. There needs to be a multi-stakeholder push to strengthen national-level policies and enhance accountability for implementation to bridge the gap between global principles and country action. On this, Mexico’s commitment from its OGP action planAction plans are at the core of a government’s participation in OGP. They are the product of a co-creation process in which government and civil society jointly develop commitments to open governmen... has the opportunity to set a precedent in what a multi-stakeholder, transparency-led framework for the use of surveillance technology could look like.
• Strengthen whistleblower protection frameworks: While data and digital governance policy frameworks need to be prioritized, they should not be seen as divorced from the wider legal frameworks around fundamental freedoms and human rights. Reforms related to surveillance should also take into account intersections with strong whistleblower protection frameworks. There are several countries in OGP that are now advancing this – from Latvia to Ireland. Employees from private companies or public agencies must be given the enabling environment to report abuse without retaliation. This is a critical safeguard to guarantee transparency in the use of technologies.

The courageous and critical work on the Pegasus Project by the consortium of journalists and activists behind Forbidden Stories, Amnesty International, Citizen Lab and their partners has demonstrated the continued importance to protect civic space and the space for independent journalism – something that governments, foundations, business should unequivocally support across borders. Equally critical, the Pegasus Project has shown how personal data protection is inextricably linked to protecting democracy and media freedom. As reformers in the open government community, we should direct collective, multi-stakeholder action towards global principles for regulation of surveillance along with concrete country actions. 2021 is an important opportunity to advance this agenda through the 100+ action plans expected from OGP members tackling some of the most pressing challenges in their jurisdictions. Additionally, the upcoming OGP Global Summit and the forthcoming U.S.-hosted Summit for Democracy will be important fora to advance the global agenda on this.

***

This blogpost draws on insights from the OGP civil society community in Mexico, as well as an OGP-hosted roundtable on surveillance including experts from Article 19, Amnesty Tech, CyberPeace Institute, Human RightsAn essential part of open government includes protecting the sacred freedoms and rights of all citizens, including the most vulnerable groups, and holding those who violate human rights accountable. T... Watch, ICNL, Northumbria University, Privacy International, Rutgers University, and University of California, Irvine, School of Law.