Opinion | Anyone Can Hire a Team of Spies

In 2015, Hacking Team, an Italian company that markets software to remotely break into and monitor people’s electronic devices, was itself hacked. Five years’ worth of the company’s internal emails and documents were posted online, revealing that Hacking Team had marketed its product to authoritarian countries including Syria and Azerbaijan — and that Italian export laws didn’t forbid such activity.

The mounting outrage over these sorts of sales increased support for reforms proposed by Britain and France to the Wassenaar Arrangement, the pact signed by more than 40 countries, including the United States, that helps determine what sort of dual-use and weapons technologies are regulated.

Among the new proposals was an attempt to include surveillance technology, such as spyware, in that pact. The changes wouldn’t prohibit companies from selling surveillance technology; they would simply have required signatories to regulate it in some manner. In the United States, this translated initially into a proposal to require export licenses for surveillance software. Other Wassenaar members, including the European Union, moved forward fitfully with regulations, but for a variety of reasons, the United States’ proposed changes have languished.

So far, no one has come up with a good solution for how to regulate this industry. If anything, there’s evidence that the private spies have been emboldened. At a recent arms show in Abu Dhabi, WiSpear, a surveillance company, was openly advertising a mobile surveillance system fit for a Hollywood villain: a black van equipped with a suite of equipment that the company claims can spy on a phone several hundred meters away. Customers can also buy a drone to hack phones. WiSpear, which is registered in Cyprus, was founded by a former Israeli intelligence official who sold his last company to NSO Group.

[If you’re online — and you are — chances are someone is using your information. We’ll tell you what you can do about it. Sign up for our limited-run newsletter.]

Even those who work in cybersecurity believe the industry requires oversight. “I think it needs to be better regulated — primarily in Europe and Asia, since that’s where companies like Hacking Team and these other sketchy shops operate from,” said Jason Syversen, a former Defense Advanced Research Projects Agency official and one-time hacker who later founded his own cybersecurity firm. But what to do is another question. “I’m not sure what the right answer is though, because it’s such a complicated, nuanced area,” he said. “And politicians suck at complex, nuanced technical topics.”