(forthcoming in Fordham Intellectual Property, Media and Entertainment Law Journal (2026))

Spyware has emerged as potent tool for rulers to shrink democratic contestation. In response to calls for constraints on the trade in spyware, states have updated the principal multilateral agreement on export controls, civil society groups have employed strategic litigation, and the EU has altered its regulation, in each case with the aim of limiting exports where there is a risk of human rights violations. Yet, scandals involving the Israeli company NSO, among others, have made clear that even the updated regulatory landscape is inadequate. Many actors are currently debating the reasons for existing regulation’s failures, and proposing new measures such as a treaty imposing additional export controls or regulation by design.

Against the background of this regulatory conundrum, this article reveals the regulatory role that Big Tech – specifically Meta, Google, Microsoft and Apple – has taken upon itself with respect to the human rights implications of spyware. The article shows that through legal proceedings, research activities and advocacy campaigns, Big Tech has sought to reign in the activities of spyware companies. In addition, the article analyses these efforts, and in particular Big Tech’s mobilization of international law and of its legal contracts, in light of scholarship on transnational private regulation. Like other instances of such regulation, Big Tech’s regulation of spyware is paradoxically both a response to the failures of the state in the face of harmful transnational economic activities, and dependent on collaboration with the state.

In addition to providing a new, more legal chapter to the literature on Big Tech, regulation and geopolitics, this study contributes to the urgent policy debates on international spyware regulation. With respect to those debates, its contribution is threefold. First, this article reframes the critique of existing spyware regulation as a critique of the effectiveness of self-regulation, whether by states or spyware sellers. Second, building on that reframing and the attention it draws to the identity and interests of the regulator, the article analyses in depth a regulatory phenomenon that has been ignored in those debates. While legal scholars have noted some of Big Tech’s legal activities against spyware companies, they have not understood their regulatory function and structural advantages. Big Tech is not only a third party to the spyware trade, avoiding the limitations of self-regulation. The companies forming Big Tech are also positioned at key nodes in the communications network that many forms of spyware must pass through. Third and finally, this article’s analysis highlights both the promise and dangers in Big Tech’s regulatory activities from the perspectives of both democratic politics and effectiveness, laying the ground for developing responses thereto. One of the article’s upshots is that lawyers, activists, and policy-makers seeking to regulate the international trade in spyware must integrate Big Tech into their analysis, and target not only international and domestic state rules but also Big Tech’s governance structure and terms of operation.