top of page


Regulating Spyware beyond the State


Dr. Natalie R. Davidson

In the past decade, since the use of spyware to counter protests in the Arab Spring, scholars, activists, human rights mandate holders at the UN, domestic regulators and even technology companies have advocated for the development of a new regulatory framework for the design, transfer and use of this technology. Current proposals focus either on state-centered regulation (such as a treaty imposing on participating states obligations to limit exports), on forms of Corporate Social Responsibility (such as corporate due diligence obligations), or on a combination of the two. Yet the global trade in spyware (like the global arms trade more generally) constitutes a particularly sharp instance of the inadequacies of state-centered, top-down regulation. Private regulation by corporations is also challenging in this field. In addition to the well-known limitations of CSR, there is no possibility of consumer pressure on spyware producers.
This paper proposes to map a research agenda for private forms of regulation of spyware that rely primarily neither on the state nor on CSR. The paper would begin by surveying the current regulatory landscape and pointing out its limitations. Then, drawing on recent developments in reaction to spyware and weapon sales by leading US defense companies, the piece would argue that the following regulatory tools have potential to restrict the harms of spyware and should be further explored: regulation by large corporations with an interest in limiting the use of arms (such as tort and contract lawsuits by Meta and Microsoft against spyware providers); and shareholder activism within technology companies (such as Christian groups’ shareholder activism in Lockheed Martin and other US companies). Beyond the paper’s substantive argument, it would demonstrate the methodological benefits of considering spyware, for regulatory purposes, together with weapons, and learning from the regulatory experience in the arms trade field more broadly.

Read More
bottom of page