Dual Use Tech Regulation
An important perspective for us at Data Rights is to be tech-agnostic when long-term solutions are needed. Technologies change, democratic values stay. We see the temptation to reinvent the wheel every time there is a new technology hatching. Often, this temptation needs to be fought. Otherwise civil society and researchers will always be reactive, trying to catch up with the private sector. It is exhausting and frankly, where is our added value in that dynamic?
We particularly feel this regarding dual use technologies. According to the European Commission, dual use items are “goods, software and technology that can be used for both civilian and military applications”. Because these technologies and software have military advantages, States have incentives to push investments and limit regulation for their industry to be ahead of the curve.
Examples of dual use technologies or software:
- Biometric recognition
- Artificial intelligence (AI)
- Spyware
- Satellite visualisation
Why is this important?
Another way to see dual use technology is to picture it as a powerful technology that is wonderful in times of democratic stability, but is extremely potent if a government decides to use it against its population. Extremely potent in the sense that it can harm a high number of people, quickly (unlike for instance, a knife). Put simply, these are technologies that are amazing, but can quickly become surveillance technology in the hands of powerful players. These technologies are often deployed with public money to make the population safer, to avoid fraud, or just to make things simpler. A few examples:
- Uganda's deployment of biometric IDs on its population became a way to surveil it and crack down on human rights;
- European States are now able to use AI with face recognition for law enforcement purposes. Given how most EU states are gradually increasing surveillance on human rights defenders in the name of law enforcement, this is worrying;
- The use of spyware by States, originally meant for intelligence purposes, quickly spread in Europe to the surveillance of journalists and human rights defenders in countries like Poland, Spain and Hungary.
Methods
Primary means of action for this programme are advocacy and strategic litigation where we can be useful, for instance with third party intervention and/or involvement with litigation strategy.
Status of work
Work has started! See section below.
We are hoping to produce public articles soon!
Projects
We helped set up a spyware litigation and advocacy coalition: the PEGA coalition. The coalition was officially launched on June 18th 2025, from EDRi's offices. As part of this coalition we already intervened in a Polish case that reached the European Court of Human Rights, the Brejza case. This case's stakes are high as it involves a Pegasus target whose phone communications were extracted, including 10 years of text messages. Data extracted was later reorganised and sometimes merged to build a new narrative. Such actions by authorities are akin to digital sabotage of target citizens. The tampering with data was probably not done directly on the phones, so as not to raise the suspicions of victims. It must nonetheless be stressed that tampering directly with the primary source of data, i.e. here targets’ phones, is made possible by powerful hacking tools like Pegasus.
This is an illustration that powerful spyware tools can be used to support the tampering with evidence by authorities. Here is our joint intervention.
In the intervention Data Rights chose to mention a case that deeply shakes us. In India, reports on human rights defenders and activists have documented that they were hacked by Pegasus and then infected with malware that made it possible to plant incriminating evidence on their computers to ensure their jail convictions. The Indian case illustrates that hacking tools are able to perform and/or facilitate the modification, removal or addition of data to tamper with evidence. In other words, this Indian case illustrates how hacking tools are beyond mere surveillance tools. Especially as the facts of the Indian case date back to 2018. Companies selling tools like Pegasus sell the ability to gain complete control over a device. The more powerful the hacking tool, the higher its market share. Hacking tools enabling one to gain complete power over one’s phone or computer are unacceptable in democratic societies as they put political dissidents and human rights defenders at the mercy of the arbitrariness of leaders.
Unlike what happened in India, in Europe spyware has not yet been used to plant fake evidence. But it could be just a question of time. Powerful hacking tools must be regulated. In fact, certain features that enable taking admin access must be outright banned if we do not want authorities to frame what is true in the digital age! Indeed, tools that make it possible to edit, add and/or remove data from devices make it impossible to protect vulnerable communities from abuses of power. Data integrity, that is to say, the protection from any modification of the data, is fundamental for our societies to flourish.
Want to know more? Stay tuned for our incoming talk at the biggest European hacker congress, the German Chaos Computer Club's. The talk will take place right after Christmas, will be streamed, and we will put the recording in the resources section below.
A past project may be relevant to mention. In 2019 Data Rights' Director, Lori Roussey, was granted the right to intervene in Privacy International's proceedings against the use of hacking by the UK's intelligence, security and cyber agency (the GCHQ). More details in the resources section below, and here.
Resources
- Spyware
- Data Rights
- European Parliament Hearing, November 2025, on the impact of the EU's law on the protection of the media, the European Media Freedom Act (EMFA). The EMFA's article 4 has become infamous due to its clear mentioning of spyware. The fact that this law was written to establish protections for journalists makes it cynical, as it is the first EU legislation applying to the deployment of spyware.
- Intervention of Data Rights, invited for its expertise as well as its role in the PEGA Coalition.
- CPDP, May 2025, panel on spyware and cybersecurity with GFF, Data Rights, cybersecurity expert Sven Herping, former MEP Sophie in 't Veld and Mme Buchta, Closing the Digital Backdoor: Strengthening Vulnerability Management to Combat Spyware, May 21st, 2025
- Data Rights Founder intervention, Privacy International and other vs GCHQ, 2019
- Intervention in Privacy International’s case against the hacking powers of the British NSA, the GCHQ agency. Data Rights’ founder intervened in 2019 to bring information on issues with the French regime on the regulation of hacking by intelligence services. Unfortunately the court did not rule on the substance of the case, as it considered that Privacy International had not exhausted all British legal remedies before referring the case to the ECtHR. This case was analysing the different hacking capabilities of GCHQ and led the British services to improve their internal accountability. Although unrelated to this case, to give a sense of the activities of GCHQ at the time it is useful to point out that they had hacked into the telecommunications provider of the European Commission, the European Parliament and the European Council, to impress the NSA. To read more on this operation.
- More details on this intervention here.
- PEGA Coalition (Data Rights, HCLU, Iridia, Panoptikon, Homo Digitalis, GFF and Share). 2025. Intervention in the Brejza case before the European Court of Human Rights.
- This case is the Polish Pegasus case currently before the European Court of Human Rights (ECtHR). This case’s stakes are high as the previous spyware case before the ECtHR was dismissed by the court. The Brejza case brings together multiple Pegasus targets who were infected on instructions of Polish authorities. Mr Brejza was infected due to his belonging to the political opposition to the far right. Pegasus was used to collect huge amounts of data from his phone, including 10 years of texts. Once extracted, this data was rearranged and/or merged by authorities to create a new narrative, and then sent to the press. The goal was to destroy his reputation. Mme Brejza, his attorney, was also infected. This case is a robust illustration of how powerful spyware in the hands of authorities can lead to egregious abuses of power focussed on tampering with facts to manipulate the public and elections. Last but not least, it is noteworthy that Pegasus was used on Mr Brejza based on the excuse of the fight against corruption, not the protection of national security. Since then Polish authorities have found that how Pegasus was used violated Polish laws. Although this is a positive development, we see that the Polish government is pushing against the review of the ECtHR of the Polish cases. Pushing back on human rights accountability is not the way forward.
- Exégètes Amateurs, French litigation coalition created by H. Roy and where several members of Data Rights met before creating Data Rights
- Exégètes Amateurs, Brief challenging the Intelligence Laws of France, 2017
- In the context of the Exégètes litigation coalition (French Data Network, Quadrature du net, and FFDN - the federation of non-profit ISPs of France), Data Rights founder Lori Roussey, with the support of Data Rights advisor Hugo Roy, developed in 2017 the coalition’s sections on hacking rules of France’s intelligence services. This work formed part of the case against the entirety of France's intelligence rules. This brief of 2017 came one year after the Exégètes referred the reform of intelligence powers to the French Constitutional Council and won the closure of a surveillance loophole on all wireless communications. Soon after this 2017 brief was sent to the Conseil d’État the case was referred to the EU’s top court, the CJEU. Before the CJEU Privacy International intervened in our case, and this led to the 2020 ruling Quadrature du net et alia. Read Data Rights’ take on the CJEU ruling.
- Read the 2017 brief [FR] to France’s top administrative court, the Conseil d’État, about hacking powers of intelligence services in France. The document is long, you might want to search for keywords: Budapest; Cybercrime; Stuxnet; Wannacry.
- External
- CitizenLab. 2012. “Backdoors are Forever: Hacking Team and the Targeting of Dissent?” The Citizen Lab.
- CitizenLab. 2013. “For Their Eyes Only: The Commercialization of Digital Spying” The Citizen Lab.
- Fidler, Mailyn. 2015. “Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis.” A Journal of Law and Policy for the Information Society, 11(2):405–83.
- Dual use technology regulation
- Access Now produced a brochure on the topic in 2018
- Quentin M., Paile S., Tsukanova M., and Viski A. 2013. Controlling the Trade of Dual-Use Goods - A Handbook. PIE Peter Lang.
- Sukumar, Arun. 2017. “The UN GGE Failed. Is International Law in Cyberspace Doomed As Well?” Lawfare blog.
- Yasuhara, Yoko. 1991. "The Myth of Free Trade: The Origins of COCOM 1945–1950". The Japanese Journal of American Studies, 4: 127–148. This resource is about the historic root of dual use technologies regulation, at the initiative of the US to weaken the USSR economy.
- Wassenaar Arrangement
- Bratus, Sergey, et al. 2014. “Why Wassenaar Arrangement’s Definitions of Intrusion Software and Controlled Items Put Security Research and Defense At Risk—And How To Fix It”. Computer Science Department, Dartmouth College.
- Galperin, Eva et al. 2015. “What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It?” Electronic Frontier Foundation (EFF) website.
- Galperin, Eva et al. 2016. “House Grills State Department Over Wassenaar Arrangement” Electronic Frontier Foundation (EFF) website.
- Granick, Jennifer. 2014. “Changes to Export Control Arrangement Apply to Computer Exploits and More”. Center for Internet and Society, Stanford Law School.
- US Department of Commerce, Bureau of Industry and Security (BIS). 2015. “Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items”.
- Wassenaar Arrangement, Secretariat. 1996. Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Founding Document. WA-DOC (17) PUB 001.
- Wassenaar Arrangement, Secretariat. 2013. Public Statement 2013 Plenary Meeting of Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. Vienna.
- Biometrics
- Roussey L., 2023, Digital ID Litigation & Dual Use presentation at the Alan Turing Institute
- Artificial Intelligence
- To start with, regarding the AI act we recommend Sandra Wachter's paper published in 2024. She summarised it in a helpful video.
- Fang, Lee. 2019. “Google continues investments in military and police AI technology through venture capital arm”. The Intercept.
- Gasler, 2020. “Thousands of contracts highlight quiet ties between Big Tech and U.S. military”. NBC News.
- Wong, J. C., 2019. “'We won't be war profiteers': Microsoft workers protest $480m army contract”. The Guardian.