Pegasus Project: Re-Questioning the Legality of the Cyber-Surveillance Mechanism

States have recently indulged in purchasing surveillance spyware such as Pegasus from big corporations such as the NSO Group to track the activities of their people to curb dissidents. Unfortunately, such incidents are not new in the international domain. Thus, it is imperative to analyze the legality of such spyware used by the states with the assistance of foreign corporates under the international framework. In view of the same, the paper, while majorly focusing on the significance of the right to privacy, traces the standing limitations in the legal mechanism and tries to propose a shared responsibility regime for states and surveillance companies indulging in human rights violations by drawing parallels with the ICoCA mechanism.


Introduction
On 18 July 2021, Amnesty International and Forbidden Stories revealed that several thousand political leaders, human rights workers, and journalists are under the widespread surveillance of Niv, Shalev, and Omri Group (NSO Group) using Pegasus spyware in their mobile phones (Khan 2022). As per the report, Pegasus spyware, unlike other spyware, does not require its victim to open any link; rather, the spyware can be inserted into any device with a simple missed call on any individual's mobile number. Amnesty International has also claimed that once inserted, the spyware can automatically operate its victim's mobile microphone or even camera to trace its victim's activities. 1 Nonetheless, the NSO Group has completely denied any illegal usage of its software, claiming that the company provides such spyware "only to Government intelligence and law enforcement agencies" with the objective of curbing terror activities or other serious offences. 2 It is also noteworthy that the terms and conditions for using the spyware are merely contractual, which means that their violation would only entitle the NSO Group to basic municipal remedies ranging from blacklisting and liquidated damages to non-continuance of the service, without any redressal for the shattering effect on individuals' human rights (Saxena 2022). Considering such devastating potential of Pegasus spyware, the UN Human Rights Experts have called for "a global moratorium" on the sale and use of such "life-threatening" spyware until a concrete regulatory framework is developed to address the severe impact of such technology on human rights. 3 To analyze the abovementioned concerns, the authors have split the article into six parts. Part I lays down the background for the subsequent discussions by underlining the current position of international human rights law against cyber-surveillance in order to understand recent developments in the cyber-surveillance industry.
Part II depicts the limitations of international law, which is primarily state-centric, in holding the liability of the corporates (such as the NSO Group) involved in cyber-surveillance, thereby violating the human rights of its victims. While doing so, the article focuses on two main points: first, the state-centric mechanism under international law, and, second, the inadequacy of the present soft laws. Part III draws a parallel between cyber-surveillance companies (such as the NSO Group) and private military and security companies (PMSCs) to understand whether the act of surveillance can be considered an "inherent state function". Part IV analyzes the viability of "a shared responsibility regime" for redressing human rights violations based on the multi-stakeholder mechanism of the International Code of Conduct for Private Security Service Providers' Association (ICoCA). Part V provides other potential solutions: the first is redefining the concept of privacy in the context of cyber surveillance, and the second is the application of human rights treaties in instances of extraterritorial cyber surveillance. Finally, Part VI gives concluding remarks along with some suggestions.

Background-Tracing the Violation of Human Rights Owing to Cyber-Surveillance
Many scholars have already validated the argument that the increase in technological enhancement cannot be seen solely from the positive side. The states are using these technologies for their national security and providing a platform for an individual's voice (La Rue 2013;McKune 2019;Chan 2019;Daly 2022). Rather, these technological enhancements have led to enhancement in mass surveillance via the states on their citizens (Karavias 2015). Here, it is necessary to understand that Pegasus is not an unusual case; in other words, there is indeed a larger international market in surveillance technology where international transfer of such technology happens commonly. The United Nations Commission on Human Rights (UNHRC), in its report, has acknowledged that the usage of commercially available cyber-surveillance technologies by authoritarian regimes is a worldwide policy issue (UNCHR 2019). The application of cyber-surveillance technologies for despotic purposes has been discussed since the early 2010s (Schaake 2015). Following the Arab Spring, the private surveillance sector, which had hitherto avoided public scrutiny, was thrust into the limelight for the first time. Numerous western firms' surveillance devices were linked to human rights breaches in nations that employed these technologies for oppressive objectives. Here, one example is an Egyptian case during Mubarak's ouster in which a UK-based firm, Gamma International and FinFisher, which was a subsidiary of Gamma International, provided the application of its spyware FinSpy to the Egyptian government in surveillance, hunting down human rights activists and any dissent (Fuchs 2012;Timm 2012). FinSpy is deployed surreptitiously on target devices and observes conversations, texts, and data transfers. It can even activate the target device's microphone or camera, very much akin to Pegasus. 
Some other significant instances include (network-based) surveillance systems built by Amesys (used in Libya), Trovicor (used in Bahrain), Blue Coat (used in Syria), and Sandvine (used in Egypt) (Marquis-Boire et al. 2013;Electronic Frontier Foundation 2012;Human Rights Watch 2014;Penney et al. 2018;Privacy International 2016;Silver and Elgin 2011;Coker and Sonne 2011). All these companies are based in Western countries; however, in recent years, the surveillance sector has drawn the attention of companies from other regions as well (most importantly China). 4 The emerging Chinese surveillance enterprises have taken the opportunity to export and promote their surveillance models not just in totalitarian or semi-totalitarian states but also in liberal democracies (Feldstein 2019;Qiang 2019;Rolley 2019). As a result, their presence can be traced in the regions of Africa and Asia with several government clients (Cave et al. 2019;Gwagwa 2018;Mozur and Chan 2019). Therefore, there is no doubt that Pegasus is not an isolated example, and there is a broader worldwide industry in surveillance technologies, with frequent foreign transfers of such technology.
Jennifer Daskal, one of the eminent jurists in the field of cyberlaw, has suggested that "the data collected using these mass surveillance touches on a bucket of relation rights that privacy protections safeguard" (Daskal 2016). These rights include rights to speech and expression, the right to assemble, and the right to free movement. Among these, one of the most directly affected rights is "the right to privacy", which prompted the authors to concentrate this paper's scope primarily on the right to privacy. It is a well-recognized human right globally that has been incorporated into several national legislatures (either explicitly or implicitly) (Global Internet Liberty Campaign 2022). Article 17 of the International Covenant on Civil and Political Rights, 1966 (ICCPR), makes the contracting parties ensure the individual's civil and political rights. In other words: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation, and everyone has the right to the protection of the law against such interference or attacks". 5 This provision can also be seen under Article 12 of the Universal Declaration of Human Rights (another component of the International Bill of Rights), Article 16 of the Convention on the Rights of the Child (1987), and Article 22 of the Convention on the Rights of Persons with Disabilities (2007). 6 Several regional instruments have also recognized privacy as a well-settled fundamental right of individuals. 7 Indeed, in 1988, the scope of the right to privacy was expanded with the adoption of General Comment 16 on ICCPR Article 17, an early recognition of the concerns of cyber-surveillance. It says, "the gathering and holding of personal information on computers, databanks and other devices by public authorities or private individuals or bodies, must be regulated by law". 
8 Even on analyzing the jurisprudence of the Human Rights Committee, the article emphasizes an obligation of the states to take positive steps toward "giving effect to the prohibition of and protection against unlawful or arbitrary interference and attacks against the individual's privacy, whether emanated from state authorities or natural or legal persons". 9 It further recognized the requirement of state legislation to govern the framework of the processing of personal information by both states and private actors. 10 Such an expanded approach can also be traced from the EU's jurisprudence. For example, the European Court of Human Rights (ECtHR), in MK v. France, 11 observed that "the protection of personal data was of fundamental importance to a person's enjoyment of his or her right to respect for private life". 12 In the recent judgment of Schrems v. Data Protection Commissioner, 13 it was held that even the legislation enabling government authorities "a generalized basis for the content of electronic communications" must be considered as violating the core component of the rights to privacy guaranteed under Article 7 of the Charter of Fundamental Rights of the EU. Even in jurisdictions like the United States of America (US), where some government officials claimed that there is no constitutional right to privacy because of the absence of any express right to privacy in the US Constitution, judicial precedents subsequent to Griswold v. Connecticut set a favorable jurisprudence toward the right to privacy. For example, Eisenstadt v. Baird and Lawrence v. Texas are the most well-known instances in which the American court has expanded the right to privacy. 14 Thus, there is no doubt that an individual's right to privacy is an intrinsic legal principle under the international as well as the national domain.
5 Article 17(1). International Covenant on Civil and Political Rights, 1966.
6 Although the language of the provisions of the latter two conventions is not exactly the same as Article 17 of ICCPR, the essence of the provision remains the same.
However, trends in technological advancement have led to the intensification of mass surveillance, which is different from the conventional model of policing (centralized on detecting the crime) both quantitatively (the amount of data accessibility) and qualitatively (ways of evaluation and processing of data) (Mitsilegas 2016). In 2013, when the former CIA agent Edward Snowden revealed the US National Security Agency's "Prism Program", an unrestricted mass surveillance program carried out on not only US citizens but also all internet users across the globe (Mihr 2014), 15 several scholars raised concerns about the application of such surveillance in crushing any democratic movement against the government (UNHRC 2013a, Para. 46; Mendel 2012, p. 43; Gupta 2013). Here, one may argue that the way Pegasus spyware works, targeted at specific individuals and specific devices, is different from the given example of the massive NSA metadata collection effort that Snowden leaked (mass surveillance); however, more than 10,000 numbers in the Moroccan group of the database, as indicated by several media houses (Timberg et al. 2021; George 2021; Chawala 2021), indicate the contrary. Therefore, the personal data collected using Pegasus spyware has raised the vulnerability of using such data to stifle anyone's right to privacy or to identify targets for arbitrary arrests or even torture or death (Daskal 2016). Although this article's scope does not extend to detailing the different allegations made against Pegasus, there is no doubt that the mere presence of such spyware without any proper regulatory framework has in itself raised concern about every individual's right to privacy. Such arguments seem to be more forceful in light of the past incidents of torture and detention using cutting-edge surveillance technologies (Coker and Sonne 2011).

Limitations under International Law in Tracing Corporate Liability for Violating Human Rights
Under the contemporary international law regime, it is not easy to uphold the obligation of a corporate because international law is centralized on the legal obligations of states with very limited emphasis on non-state actors. 16 Further, the regulating principles such as the UN Guiding Principles of Business and Human Rights, Reports of Human Rights Committees, or even UNGA Resolutions, are non-binding 17 and merely serve as guiding instruments (McBeth and Nolan 2012; Tully 2012, p. 247). For a better elaboration of these limitations, this part is divided further into the following sub-parts:

State-Centric Mechanism of International Law
International law looks upon states as the "primary actors" (reflected from the international relations theory's primary approach, in other words, realism); thereby, obligations and duties evidently rest only on states or state actors (Karavias 2013, p. 10). There is a certain inclination toward bringing individuals into the picture post-World War II; however, such inclination primarily focuses on the nexus between the state and its nationals (Karavias 2013, p. 19). In the context of international human rights law, the major reason for its emergence is the protection of the individual's rights against the state's arbitrary actions and not against the actions of non-state actors, including private individuals or a corporate body (Karavias 2013, pp. 19-21). It often seems rare to directly address corporate actions under international law, except for cases like jus cogens (Vazquez 2005). 
14 Cornell Law School on Griswold. Privacy. Available online: https://www.law.cornell.edu/wex/privacy#:~:text=%E2%80%8BIn%20Griswold%2C%20the%20Supreme,to%20privacy%20in%20the%20Constitution (accessed 5 July 2022).
15 Edward Snowden. Leaks That Exposed US Spy Programme. BBC. Available online: http://www.bbc.com/news/world-us-canada-23123964 (accessed 5 January 2022).
16 The reason to make specific reference to International Humanitarian law is that it is mainly associated with criminal liability which is not often applicable against the legal persons like corporate. (Karavias 2013, p. 19; Vazquez 2005
Similarly, in the recent past, the concern about the responsibility of international organizations was raised after the adoption of the Articles on Responsibility of International Organisations in 2011; however, "in lack of clear basis of obligation and the threshold of proving international organizations attributability and violation of international legal obligation resting on the organization concerned, it becomes difficult to hold organizations responsible, whether actions or omissions". (Klabbers 2017) Additional hardship is added by the international organizations' special privileges and immunities. 18 Thus, in the standing reality, only informal pressure can be exerted on international organizations by influencing their source of funding or by other similar means absent of any hard enforcement (Pirvan 2021). Moreover, international law in contemporary times appears to be addressing the actions of the corporates in an indirect fashion, which means regulations are mainly brought to make a state enforce certain regulations toward such corporations (Vazquez 2005). Therefore, international law enforcement has a very narrow scope for non-state actors, including corporates. This argument can even be extended to argue that public international law has not matured enough to adopt the realities of the post-globalized world (Ryngaert 2015). Therefore, despite an increase in the adverse implications of the conduct of non-state actors such as big corporates, international law remains centralized toward state obligation. In other words, there is no direct recourse toward the conduct of corporates violating conventional or customary international law, including human rights law, other than municipal laws (Rivera 2015).

The Inefficiency of the Present Soft Laws
The UN and other international organizations have appeared to frame a voluntaristic obligation mechanism for the corporations, which needs the corporates to voluntarily bind themselves to some guiding principles to safeguard human rights (Layne 2015). The advent of these frameworks can be traced from the early 1970s when, at the request of the United Nations Economic and Social Council, the Commission on Transnational Corporations was formulated in 1973 to frame a corporate code of conduct. However, it dissolved in 1994 because of the conflict between developed and developing nations on ratifying a common code (Deva 2012). In 1999, while addressing the World Economic Forum, UN Secretary-General Kofi Annan launched a non-binding principle-based mechanism for businesses known as the UN Global Compact programme (Layne 2015). It asked corporates to voluntarily become its members to ensure human rights protections and conformity with human rights principles (Layne 2015). Although more than 15,000 companies had joined the program by 2021 (United Nations Global Compact 2022), scholars claim that the sole purpose of the corporates joining such membership is merely to pacify their stakeholders and to have publicity without any real intention of protecting human rights (Layne 2015). Again, in 2003, the UN Sub-Commission on the Promotion and Protection of Human Rights launched a set of norms, non-binding in nature, for the corporates to ensure conformity with the human rights principles (Layne 2015). However, those norms were disapproved by the UN Commission on Human Rights.
To confront the contentious debate over businesses and human rights obligations, the UN Commission on Human Rights urged the appointment of a special representative on the subject (Commission on Human Rights 2005). This ultimately resulted in the appointment of John Ruggie, who established the framework of "Protect, Respect, and Remedy", which underlines the state's obligation to safeguard businesses from human rights violations. Ruggie's efforts culminated in the UN Human Rights Council endorsing the "Guiding Principles of Business and Human Rights (the Guiding Principles)" in 2011 (Ruggie 2011), and it seemed to cease any business conduct violating human rights (Rivera 2019). It is based on three basic principles: "First, state duties to protect against third party human rights violations through appropriate policies and regulation; second, corporate responsibility to respect human rights through the exercise of due diligence, including human rights impact assessments, tracking and monitoring and other measures; and third, access by victims of human rights abuses to effective remedies, both judicial and non-judicial". (Ruggie 2007) However, one of the problems with this guideline is that it merely reiterates the standing legal obligations, which are not that effective in redressing corporate violations of human rights. For example, several principles (for example, Principle 1, Principle 4, and Principle 5) restate the established law as laid down under ARSIWA.
Further, the Guiding Principles are non-binding, solely based on the voluntary acceptance of its principle (Layne 2015). Some scholars argue that these Guiding Principles have brought "Transnational Private Regulations (TPR)," where the corporates engage in self-monitoring (Ryngaert 2015, pp. 99-101). However, such TPR is mostly restricted to states promoting CSR (Ryngaert 2015, p. 108). Further, such TPR is also mostly based on the pressure put on them by the consumers and other stakeholders, thereby "having no genuine desire to change the business policies" (Ryngaert 2015, p. 108). Thus, in a general sense, it is conspicuous that the legal hurdles (apart from the economic hurdles, another major factor) in establishing the case in an international forum have made it almost improbable for the victim to bring her/his claim due to the requirement of, first, satisfying jurisdiction in the nation (which generally needs the incorporation of that corporation in that other nation); second, tracing the applicable laws in the matter; third, the corporate needing to have voluntarily undertaken certain guidance to be governed by; otherwise, international law simply becomes a namesake with little meaning or obligation. Therefore, the standing international framework has left the victims of human rights violations with no feasible redressal mechanism against the accused corporations indulging in surveillance.

Other Hardships in Holding a Corporate Entity Liable for Human Rights Violations
Victims of human rights violations also face hardship in taking action against any particular corporate entity under its national laws (Wallace 2017). One of the best instances would be the Kiobel case, in which the US Supreme Court "undermined the usage of the Alien Tort Statute (ATS), the major source of transnational human rights litigation in the US, by putting foreign corporates' violation of human rights out of the scope of ATS" (Karavias 2015). 19 A similar situation can also be traced in other jurisdictions (Baughen 2015). Further, applying legal doctrines like forum non conveniens (inconvenient forum) makes it more difficult for the victims to seek redressal of their infringement within their nations (Wallace 2017). Because cyber torts such as cyber-surveillance can take place from any place globally, the application of forum non conveniens is highly possible, leading to an accountability gap, which further narrows down the scope of the redressal mechanism for victims.
However, considering the nature of this surveillance conduct, which leaves the human rights of individuals highly vulnerable and requires formal regulation of its usage, it seems important to regard such conduct as inherent state conduct in order to attach more obligations while carrying out cyber-surveillance.

Drawing a Parallel with the PMSC Industry: In Terms of Analyzing Inherent State Activity
Most states engage in digital surveillance in furtherance of their so-called national security. Thus, it is questionable if such conduct can be deemed an inherent state activity restricted to the state alone (Sullivan 2010). Here, it is imperative to draw a parallel with the private military and security firms (PMSCs), for which the UN Working Group on the Use of Mercenaries has suggested an international framework confirming that the state must retain monopolistic control over industries dealing with inherently state activities (White 2011). There are certain conducts, namely "direct involvement in hostilities, war or combat operations, the capturing of captives, lawmaking, espionage, spying and the transmission of information with military, security and police application" (United Nations 2010), which a state cannot outsource or delegate (United Nations 2010). Clearly, the application of digital surveillance systems also attracts the concept of inherent state function. Only state participation gives the act of surveillance some sort of justifiable legitimacy, backed by reasons such as countering terrorist action or other highly criminal actions; otherwise, this cyber-surveillance is in itself prima facie unlawful. 20 Apart from offering a parallel in terms of the inherent state functions, the PMSC industry also offers the International Code of Conduct for Private Security Service Providers' Association (ICoCA) mechanism to consider in the context of industries indulging in spying activities. 21 The member companies of ICoCA are required to embrace the Montreux principles (which were the precursor to the UN Guiding Principles) and to confirm that they have a responsibility to respect human rights and fulfil humanitarian obligations toward all those affected by their business activities [ . . . ]. 
22 Importantly, the ICoCA has equal representation from the state, commerce, and the civil society, 23 which on the other hand, certifies, 24 monitors, 25 and handles the complaints against the corporate entities. 26 Apart from providing the governance and oversight mechanism, it also offers an open-for-all complaint mechanism against any kind of harm caused or violation of the code involving the ICoCA members and affiliated countries. 27 In the last few years, ICoCA implementation seems to be getting more stringent. As per the last annual Report of ICoCA, three companies had their membership cancelled owing to the non-submission of the yearly assessment of the company and the other two companies due to cooperation in bad faith. 28 It can be regarded as the strength of the ICoCA mechanism that prompted major PMSCs to call for more rigorous guidance, particularly for enterprises working in challenging environments. ICoC for providing private security services. 29 Moreover, nations are also incorporating the code into their domestic legislation. 30 In 2013, the Swiss Parliament publicly introduced a Draft Federal Act on Private Security Services Provided Abroad, which obligates the PMSCs to undertake the ICoC. 31 The abovementioned discussion made the efficiency of the ICoCA mechanism evident. This mechanism is discussed in greater detail in the subsequent section. Nonetheless, it is clear that today it is time for the cyber-surveillance industry to adopt the mechanism from PMSCs to become self-regulating with the capabilities to address the claims of arbitrary actions in the name of national security. It may be possible that the private corporates engaged in these surveillance industries find it difficult to keep their business profitable by confirming their human rights obligations, but this fact nonetheless confirms the nature of such conduct, which is inherent to state functions.

The Feasibility of a Shared Responsibility Regime for Redressing the Human Rights Concerns: In Pursuance of the ICoC and ICoCA Mechanism
The globe has become more interlinked with the enhancement in the collaborative measures between state and non-state stakeholders (focusing on corporates) at a transnational level; however, the standing international law regime seems to overlook this reality (Nollkaempur 2013). It is uncommon to see instances of shared state responsibilities under the institutional frameworks where the state entered into an agreement with a non-state actor (such as the NSO Group) for carrying out certain activities (d'Aspremont et al. 2015). Thus, there is a requirement for a thorough re-examination of the viability of shared responsibility in the international legal framework to fill the accountability gap that remains attached with the emergence of corporates (Schechinger 2014). In this regard, this section will examine how, by expanding the Wassenaar Agreement (the international agreement governing the transfer of weapons, including spyware), a shared responsibility mechanism might be adapted to regulate the commercial usage of cyber-surveillance spyware. Again, a parallel can be drawn from the PMSCs (Jagers 2012) because the nature of the conduct in spyware operating in conflict zones has a close government connection; it also requires significant state involvement. In this regard, the authors find it imperative to look at the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies ("Wassenaar Arrangement"), which is one of the seminal international agreements concerning arms transfer, including surveillance spyware transfer, as all the forty-two participating states have "agreed to meet on a regular interval to maintain that transfers of arms and technologies are handled out responsibly and in pursuit of international and regional peace and security" (Bellal 2014). 
Additionally, the signatory states chose to keep sharing information pertaining to the transfer of such dual-use goods and to regularly review the list of goods so as to adopt changes as per the technical advancements. 32 At the present time, the Wassenaar Arrangement is the agreement that reaches the international consensus to offer a transnational legal mechanism for limiting the transborder exchange of surveillance devices, software, and know-how. 33 The agreement encompasses a long range of dual-use commodities and technology for which states agreed to enact export control legislation, granting licensing agencies the authority to accept, deny, and examine their transfer. its introduction, the incorporation of cyber-surveillance technology in the list has been the most contentious item (although all the member nations unanimously agreed to amend it, recognizing its need in the aftermath of the Libyan incident where the government was found to be indulging in the deployment of surveillance spyware). States commit to "keep effective export restrictions [of weapons and technology] on the agreed list and to make sure that their national policies do not compromise international and regional security". 34 Here, the question may arise whether Pegasus as cyber-surveillance technology falls under dual-use goods. While there is no single definition of "cyber-surveillance technology", it has been addressed by legal scholars, lawmakers, and professionals in works that examine surveillance technologies as dual-use commodities. "Cyber-surveillance technology" refers to "devices, software and skills used by intelligence and law enforcement agencies, as well as network operators operating to secretly monitor, exploit, and analyze data stored, processed, and transferred over ICT". 35 Taking this definition together with all the discussions on Pegasus's usage, there is no doubt that Pegasus can be deemed to be "cyber-surveillance technology". 
Moreover, the dual-use nature of Pegasus can be justified in view of its capability of assisting states in their law enforcement by carrying out their national security work of tracking out terrorist activities along with other security initiatives and its inherent military capabilities. Here, the commercial aspects come from the fact that since most of the countries lack the technological capability to undertake the surveillance in the way companies as the NSO Group do, which evidently opens a huge commercial opportunity for these companies (including the NSO Group) whereby they assist other nations in realizing their objectives for law enforcement and technologically enabled intelligence. Therefore, the argument of looking at Pegasus spyware under the regime of dual-use goods appears to be justified to a great extent, thereby the proposed regime based on the Wassenaar Agreement would be able to regulate Pegasus spyware, which is currently unchecked (the subsequent discussion in this section makes it more evident). However, we cannot ignore that the Wassenaar Arrangement loses its potential due to the sole discretion of the member states in the approval or denial of an export license of such technologies (Bellal 2014, p. 468). Further, some member states are yet to incorporate national legislation in consonance with the objectives of the Arrangement (Bellal 2014, p. 471). This led to an inconsistency in effectively controlling the states with doubtful histories of human rights in their ability to acquire dual-use goods (Thomsen and Thomsen 2015). However, the Wassenaar Arrangement can be sufficiently used to have scope for the engagement of other stakeholders such as civil organizations and state actors to enter otherwise private transactions. 
This should be framed based on the ICoCA mechanism, given the significance of active participation from other stakeholders; otherwise, only state actors might be held attributable, and even then only in cases where the state had control over, or provided effective directions to, the corporate. Therefore, there is a requirement for an instrument similar to ICoC, based on the export-regulating mechanics of the Wassenaar Arrangement, which includes restricted distribution, transparency through information sharing, and sharing of due notifications on the transfer or denial of export licenses, with the sole purpose of safeguarding human rights.
Moreover, the important factor in the creation of a shared responsibility would be the formation of an oversight committee (akin to the ICoCA multi-stakeholder framework) made up of equitable representation from state, non-state organizations (for example, Amnesty International) and a corporate industry involved in providing spyware (for example the NSO Group). This committee would examine the corporate policies and management to observe the conformity with the proposed code (mentioned above) to prevent human rights violations. Non-compliance may lead to actions ranging from penalties, sanctions, or even withdrawal of membership. To begin with, the states and their national legislations are required to correspond to the proposed code (reflecting ICoC regulations on export licensing). This would benefit the common people, state and civil societies, and the corporates involved in the spyware industry by improving the latter's reputation (which is currently facing downfall all across the globe) and enhancing the possibilities of lucrative exports of their technologies.
Although the shared responsibility approach with the involvement of multiple stakeholders may foster accountability and openness in comparison to the standing position, where the states retain discretion on accepting or rejecting the usage of dual-use goods, including spyware, the most significant aspect of the shared responsibility approach is the requirement of active state involvement and the alignment of the national legislations with the suggested code. The corporations' participation in the proposed framework and their adherence to the code would have a positive impact on their profile in the cyber-surveillance sector and enhance the commercial opportunity for them (in a similar manner to how the PMSCs' adherence to the ICoCA has positively impacted them). Additionally, under this arrangement, the state authorization and granting of export permits for the dual-use good (spyware) would be contingent on corporate membership and adherence to the proposed framework. The other significant impact of this proposed framework is that even if the proposed oversight committee does not intervene against the corporates that fail to adhere to the proposed obligation under this framework, the aggrieved person could submit the complaint before the committee and pursue a civil action attributable to the state involved. Thus, the proposed framework of shared responsibility would not only mandate that the states keep an eye on corporate behavior to prevent any abuse but also provide the aggrieved persons with a greater opportunity of redressal.

Other Required Solutions
One of the evident drawbacks that the standing legal regime faces is the comparatively outdated version of the legal provisions. For example, when General Comment No. 16 was adopted on ICCPR Article 17 in 1988 (UNHRC 1988), there was no way to understand the implications of technological advancement on the right to privacy, as we are observing today. Consequently, the requirement of reframing the legal instruments has been put forward by many eminent scholars like UN Special Rapporteur Frank La Rue, 36 multiple civil societies (UNHRC 2013b), and the UNGA (UNGA 2013). In this regard, the authors find it imperative to mention some of the required alterations toward the understanding of the right to privacy, as discussed below:

Redefining the Concept of Privacy
Most of the major conventions, declarations, and legislation around the world dealing with the right to privacy (expressly or implicitly) were adopted before the 1980s, when cybersurveillance technologies like Pegasus did not exist and could not be anticipated, making them inadequate in addressing threats to personal privacy posed by data acquisition and digital technology (UNHRC 2016, Para. 46(a)). Even the major incidents of cyber surveillance (as mentioned on page 2) came after the year 2000. Therefore, it would not be wrong to say that the current body of text on privacy rights (mostly presented in various outdated documents) is restrictive or limited in nature. Further, there is also divergence in a uniform acceptable definition of the right of privacy due to variation in some documents. The lack of any acceptable universal version of the right to privacy, along with the difference in the technological advancement in different demographical locations, is indicative that the principles relating to privacy established almost fifty years ago need to be modified to take into account the highest level of modernization which we have today. Thus, the modernization of the narrow definition of the right to privacy to encompass them as broader, comprehensive, and universal is one of the first steps forward in curbing the recent threats due to the advancement in cyber-surveillance.

36 "Legal frameworks must ensure that communications surveillance measures: (a) Are prescribed by law, meeting a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee their application; (b) Are strictly and demonstrably necessary to achieve a legitimate aim, and adhere to the principle of proportionality and are not employed when less-invasive techniques are available or have not yet been exhausted." (UNHRC 2013a), Para. 6.
Here, it is important to understand the expansion in the ambit of the right to privacy is not only with respect to international conventions or declarations but also with the way the concept is understood, articulated, and interpreted by courts and policymakers globally (not only at the international level but also at the national level). The simple reason being the right to privacy is part of not only the significant human rights declarations but also practically most national constitutions (Rengel 2013). To get the real implications, the change should be at all levels, especially because, as we discussed, the enforcement of the international obligation of the right to privacy also primarily involves support from the national domestic law mechanism (as discussed previously). There is a requirement to encompass the concepts of self-determination and autonomy into the definition of privacy, which is also referred to as "information privacy", dealing with the people's interest in holding control over the access of information regarding themselves. 37 This aspect is partially reflected in the standing General Comment to Article 17, which reads as "the accumulation and holding of personal information on databanks, computers and any other devices by private individuals or bodies or public authority, must be under legal regulation (UNHRC 1988)". This practice can also be seen to be followed under the existing jurisprudence of the ECtHR and has been applied by the Human Rights Committee in many of its concluding Observations (UNHRC 2009, Para. 11). The ECtHR has even expressly mentioned on multiple occasions that "safeguarding of personal information is of primary importance to an individual's exercise of respect of her or his personal information and family life" 38 and recognized that personal life cannot be "susceptible to exhaustive definition". 
39 The Charter of Fundamental Rights of the EU has recognized the individual's right to protection of personal data (Article 8) separately from the right to privacy (Article 7). Therefore, the international community can take into consideration these ECtHR rulings. Additionally, a historic ruling of the Court of Justice of the EU came in Schrems v. Data Protection Commissioner, 40 where the complaint was made against Facebook contesting data transfer outside the EU to the US, in light of the PRISM surveillance program. 41 The court determined that the said data transfer is illegal by recognizing that the legal framework allowing the state authorities to "access on a generalized basis to the content of electronic communications must be recognized as a compromise of the essences of the fundamental right to privacy as enshrined under Article 7." 42 Thus, it is suggested that the General Comment should affirm the application of Article 17 to "information privacy", which ensures the individual's right to hold control of the access to their personal data. Further, the expansion of the notion of the right to privacy in the major international declarations will impact the way privacy is treated in its member nations (which may be an indirect side-effect, as the municipal courts of member states which often investigate privacy may refer to major declarations as evidence of evolving jurisprudence on privacy). Thus, overall, there is no doubt that such a redefinition would have a positive impact. The need for revision is apparent; there has to be an updated understanding of what the fundamentals of the right to privacy entail and what it must safeguard in light of the duties imposed not just on states but also, and perhaps more challengingly, on corporations by international law.

Required Application of Human Rights Treaties in Instances of Extraterritorial Cyber Surveillance
The ICCPR's ambit, as defined under Art. 2(1), extends to all the persons who come "within the territory and subject to the jurisdiction" of the signatory states. 43 The issue arises on the determination of state jurisdiction in the matters of cyber surveillance. Here, the major question is whether it covers the persons not living within the state territory. If not, then it would simply mean that states are not obliged with respect to persons who may not reside in the state territory but are, in reality, under "the control of its jurisdiction". Even the national legislations in many developed nations distinguish between their internal and extraterritorial surveillance in terms of the obligation that arises from such conduct. 44 These include the US Foreign Intelligence Surveillance Act 1978, 45 the Australian Intelligence Services Act, 46 and the Regulation of Investigatory Powers Act 2000 (RIPA), 47 among others. In the modern world, where neither state governments nor surveillance companies seem to be respecting territorial borders, it is logically infeasible to rely on the victim's location while protecting its privacy rights. In Jaloud v. the Netherlands, an Iraqi was shot by mistake by a Dutch soldier in Iraq in 2004 for approaching a checkpoint after the checkpoint was attacked by insurgents. 48 The ECtHR formulated the extraterritorial jurisdiction because state authorities were exercising control over an individual's right without having physical custody of that individual. In other words, the Netherlands' jurisdiction was invoked because they exercised control and authority over the victim's right to life at the time of the incident, leading to the extraterritorial jurisdiction without having physical control over the victim.
Thus, the question is, if the state could have a human rights obligation to exercise its control and authority over an individual's right to life, then why not exercise the right to privacy, leading to the extraterritorial obligation in the matters of cyber-surveillance? Such an evolution is necessary; the current approach focuses on physical control over the individual or territory, which is prima facie inadequate for the cyber realm (Margulies 2014). In the wake of cyber-surveillance systems like Pegasus, which can exert remote control over the data of any foreign national, the mentioned shift is highly essential. The lower threshold based on physical control will allow the states to continue interference with the individual's right to privacy using the standing gap by easily circumventing their human rights obligation. Therefore, the realities of the existing cyber-surveillance activities cannot be ignored.
In this regard, multiple suggestions are put forward, focusing on the "control of communication" rather than physical control. As per Carly Nyst, when data are intercepted under the territory of a state, it triggers that state's obligation toward that individual whose information is intercepted (Nyst 2013, 2018). This line of argument is in consonance with the argument put forward by Marko Milanovic (2016), who differentiates the state's positive obligation toward securing an individual's human rights (including prevention of human rights violation by third parties) to the state's negative obligation that needs the state to not interfere with individual's right. 49  accents the prohibition against state interference; however, there is a bigger concern which goes beyond the protection toward data storage and interfered communication. The issue of cooperation and transfer of individual data among states and state actors makes it challenging to enforce privacy protection. 50 In this regard, Peter Margulies's virtual control test, among many other suggestions provided with respect to the model of jurisdictions, seems to be applicable to the standing requirements (Margulies 2014). This test will invoke the application of the human rights treaties, including ICCPR, if a state is found to have exercised "virtual control" over people's personal data or communications no matter where that person is located at that time or whether the state has any physical control over that person or its location (Margulies 2014). Here, virtual control implies the ability of the state to store, intercept, use, or analyze personal information or communication. This approach seems to align with the recent perspective of human rights courts and bodies (Georgieva 2015).
This approach incorporates the jurisdictional challenges of human rights obligations in surveillance cases, as the organizations involved in the surveillance can even control individuals' lives and personal information with a single click. Further, one of the biggest advantages of this particular model is that it promotes equality in the sense that any individual's human rights are equally protected no matter what his/her nationality or demographical location is. More importantly, the state's tie-up for circumvention can fall within their obligation, which means that the present situation of Pegasus, in which the governments are tying up with the NSO Group for the application of this cyber-surveillance, would make the states fall under human rights obligations. In fact, these approaches are also reflected in recent years, as UNGA, while adopting Resolution 68/167, has supported the application of ICCPR in cases of extraterritorial surveillance (UNGA 2013). Further, Emmerson, the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism, has observed that "state jurisdiction is also invoked in the matters where it exercises a regulatory authority over the internet or telecommunication service provider that can physically control the information or data (UNHRC 2014, Para. 41)". The UN Office of High Commissioner has also noted that in the situation where the state is exercising the regulatory jurisdiction over the third party which physically exercises control over the individual's personal data, the state would have an obligation under that agreement (UNGA 2014, Para. 34).
Resultantly, it is evident that a virtual control test is necessary since the components of an effective control test are inappropriate in the modern digital era. Since digital data transits through a multitude of jurisdictions before reaching the intended recipient, it would be arduous to determine where the conventional territorial control is established and how the conventional physical control (which is narrowly defined and leaves a significant gap to exploit) is accomplished. Therefore, the conundrum of the applicability of the virtual control test, irrespective of the victim's jurisdiction and nationality, has become crucial.

Conclusions
With the enhancement in technology, there has been a spike in the use of spyware for mass surveillance, leading to human rights abuse ranging from the violation of the right to privacy, unlawful detention, torture, or even death (Gupta 2013). The recent incident of the Pegasus project is one of the biggest examples of such a negative aspect of technological development. However, the state-centric approach and "the voluntaryism mechanism" in international law, particularly international human rights law, have kept these corporates detached from any strong obligation to protect individuals from their surveillance actions. In the existing framework, liability can only emerge if it can be connected to the state action, which is difficult to prove in most cases. Thus, it is high time for international institutions to formulate a shared responsibility framework based on the ICoCA mechanism to sufficiently govern the conduct of the corporates involved in the cyber-surveillance business. While doing so, it is also imperative to not let these mechanisms become state-centric; rather, it must ensure the active participation of all the stakeholders, including civil societies, state actors, and corporate bodies. Alternatively, redefining the contours of the right to privacy under Article 17 ICCPR, addressing how the human rights obligations of states can be ensured in cyber-surveillance, including third-party collusion, can be seen as a step forward to solving the existing problems, thereby ensuring that the international legal framework stays abreast with the increasing need of a technologically advanced society. In addition, there are other crucial recommendations, most of which stem from the preceding debate.

50 Parliamentary Assembly of the Council of Europe. 2015. Mass Surveillance. Doc. 13734, para. 30-33.
First, states must guarantee that cyber-surveillance mechanisms, like Pegasus, are only deployed where the legitimate objective is exemplified while adhering to the principles of necessity and proportionality (a reference can be made from the right to self-defense under the PIL). For the effective implementation of the former point, there is a requirement to establish an autonomous body (or an oversight committee, as suggested above, akin to the ICoCA multi-stakeholder framework) to screen states and their data privacy practices, inspect complaints from victims and different organizations, and impose effective sanctions in case of unlawful infringement on the privacy of the others (here, the role of international organizations becomes imperative). Second, states and corporate entities must take robust measures to foster greater transparency and accountability while having involvement in utilizing the cyber-surveillance mechanism. Third, adequate remedies must be made available to all the victims for the infringement of privacy by the states without distinguishing between national and non-national because of the evident involvement of the transboundary concerns (here, the extraterritorial jurisdiction can also be brought up, as suggested in the above discussion). Fourth, the corporate entities must endeavor to gratify their obligation to uphold individuals' human rights, including the right to privacy. This can be done by effective implementation of the Guiding Principles of Business and Human Rights, which entails the obligation of undertaking due diligence in relation to the right to privacy, followed by adequate measures to ameliorate any adverse implications (even if such implications are merely suspicions in nature). Fifth, in case the conduct of the corporate entities has led to detrimental repercussions of an individual's privacy, they must engage in restoration through authorized channels, encompassing the effective redressal mechanisms. 
For ascertaining the effectiveness of these mechanisms, there is a need to ensure that they are consistent, accessible, transparent, fair, and coherent. Although these recommendations seem to be rigorous, they are merely illustrative in nature, considering the pace of technological advancement in recent years in the field of the cyber-surveillance.