Subversion Inc: The Age of Private Espionage

Issue Date April 2022
Volume 33
Issue 2
Page Numbers 28–44
file Print
arrow-down-thin Download from Project MUSE
external View Citation

Over the last decade, a sophisticated and lucrative industry has sprung up that puts potent surveillance and intelligence capabilities in the hands of a wide range of private actors. Clandestine influence operations, targeted espionage against civil society, and political subversion—an organized activity whereby the decay of legitimate political institutions is deliberately and surreptitiously seeded—are easier to undertake than ever before. At least three contingent factors have combined to create conditions for subversion to become more widely practiced: 1) neoliberal globalization; 2) the rise and spread of businesses that offer private intelligence, surveillance, and “black ops”; and 3) the digital communications environment. Liberal democracies need to bring greater transparency, oversight, and public accountability to their own clandestine, law-enforcement, signals, and other intelligence agencies. If subversion continues to flourish unchecked, then the rule of law, public accountability, and even the scientific research necessary for our very survival in the face of these risks will suffer.

Let me begin with a story—a peek inside the disturbing worlds that are the focus of the Citizen Lab’s research. In August 2020, Citizen Lab senior researcher Bill Marczak was investigating espionage aimed at a dissident from the United Arab Emirates (UAE) then living in Britain. Marczak discovered that IP addresses belonging to a prominent British law firm were also being targeted.1 Eventually, Marczak determined that phones connected to the firm’s lawyers and others involved with one of its highest-profile clients had all been hacked using Pegasus—a sophisticated spyware sold by an Israel-based surveillance vendor, the NSO Group.

Among the victims was Princess Haya, the ex-wife of Sheikh Mohammed bin Rashid al-Maktoum, the UAE’s prime minister and the absolute ruler of one of its component parts (Dubai). A phone belonging to Princess Haya’s lawyer, Baroness Fiona Shackleton—a sitting member of the British House of Lords—had also been hacked, along with the devices of several people close to the princess. The sheikh and the princess had been waging a child-custody dispute in U.K. courts. Originally designed for use by governments investigating crime and terrorism, Pegasus had become a billionaire’s tool in a private legal battle.

About the Author

Ronald J. Deibert is director of the Citizen Lab and professor of political science in the Munk School of Global Affairs and Public Policy at the University of Toronto. His books include Reset: Reclaiming the Internet for Civil Society (2020).

View all work by Ronald J. Deibert

In fact, the UAE’s authoritarian regime has a long track record of exploiting private security, surveillance, and intelligence firms to bolster its rule. The first documented case of Pegasus spyware being abused came in 2016. At that time, the Citizen Lab reported that the UAE had used Pegasus to target the iPhone of human-rights defender Ahmed Mansoor, who is now in a UAE prison.2

The UAE also worked with a startup called Dark Matter on Project Raven, a scheme to hack the phones of dissidents, lawyers, journalists, and activists worldwide.3 Although we did not know it at the time, the Citizen Lab’s 2016 report on a threat group that we called “Stealth Falcon,” which had hacked the device of U.K. journalist Rory Donaghy, in fact concerned the secret work of Dark Matter.4 In September 2021, the U.S. Justice Department indicted three U.S. citizens—all former employees of the U.S. National Security Agency—who worked as contractors for Dark Matter.5

The Dark Matter case was not the only one in which there were interactions between the UAE, private intelligence firms, and U.S. persons. The Dubai sheikh and his royal relatives reportedly paid U.S.-Lebanese businessman (and convicted sex offender) George Nader to facilitate foreign engagements and make deals with surveillance firms, including a now-defunct Israel-based disinformation and private-intelligence company called PsyGroup.6 “Reality,” PsyGroup’s slogan went, “is a matter of perception.” The marketing brochure advertised services such as “deep due diligence,” “targeting and monitoring,” and “honeypots and covert operations.”

Nader also helped to set up a meeting between UAE officials and Donald Trump associates Jared Kushner, Michael Flynn, and Steve Bannon a month after Trump’s election as president. In January 2017, a UAE prince met in the Seychelles with, among others, Erik Prince of the private security firm Blackwater. Both meetings were investigated by Special Counsel Robert Mueller, who subpoenaed Nader. In December 2019, Nader faced federal charges that he had broken campaign-finance laws by using the sum of US$3.5 million—its source unknown—to ingratiate himself with Hillary Clinton’s 2016 presidential campaign.7

The UAE’s disturbing activities offer a window into a larger phenomenon that is becoming common worldwide. With local variations, we see the same pattern repeating: High government officials act secretly for personal gain behind the shield of sovereign immunity. They may violate laws in foreign jurisdictions, but they enjoy impunity. To avoid public accountability, they use private intelligence and security contractors, including private investigators and “dark PR” firms, to carry out covert activities once done solely by national governments. This phenomenon is transnational and involves democratic as well as authoritarian societies. Institutions, private firms, and individuals based in Western or liberal-democratic countries are deeply implicated, readily servicing authoritarian regimes that seek to extend their repressive tactics beyond their borders by targeting adversaries and critics who live abroad.

In the case of the UAE alone, we see espionage-for-hire firms and U.S.-trained security contractors, disreputable associates of a former U.S. president (some of them convicted criminals later pardoned by that president), and the wife of a former British prime minister acting as paid consiglieri to autocrats and spyware firms.8

The Seymour Martin Lipset Lecture on Democracy in the World

Ronald J. Deibert delivered the eighteenth annual Seymour Martin Lipset Lecture on Democracy in the World on 1 December 2021. The title of his lecture was “Digital Subversion: The Threat to Democracy.”

Seymour Martin Lipset (1922–2006) was one of the most influential social scientists and scholars of democracy of the second half of the twentieth century. A frequent contributor to the Journal of Democracy and a founding member of its Editorial Board, Lipset taught at Columbia, the University of California–Berkeley, Harvard, Stanford, and George Mason University. He was the author of numerous important books, including Political Man, The First New Nation, The Politics of Unreason, and American Exceptionalism: A Double-Edged Sword. He was the only person ever to have served as president of both the American Political Science Association (1979–80) and the American Sociological Association (1992–93).

Lipset’s work covered a wide range of topics: the social conditions of democracy, including economic development and political culture; the origins of socialism, fascism, revolution, protest, prejudice, and extremism; class conflict, structure, and mobility; social cleavages, party systems, and voter alignments; and public opinion and public confidence in institutions. Lipset was a pioneer in the study of comparative politics, and no comparison featured as prominently in his work as that between the two great democracies of North America. Thanks to his insightful analysis of Canada in comparison with the United States, most fully elaborated in Continental Divide (1990), he has been dubbed the “Tocqueville of Canada.”

The Lipset Lecture is cosponsored by the National Endowment for Democracy, the Munk School, and the Embassy of Canada in Washington, with financial support this year from Johns Hopkins University Press, the Schar School of Policy and Government at George Mason University, and the Embassy of Canada. To view videos of the Lipset Lecture from this and past years, please visit

Variations of this story can be found the world over. In Hungary, the Citizen Lab discovered in August 2021 that a photojournalist’s phone had been hacked the previous month using Pegasus, presumably because he had been trying to track the use of a private luxury yacht by a close associate of Prime Minister Viktor Orbán.9 In Mexico, front companies and corrupt entrepreneurs brokered sales of NSO’s spyware, which was then used on behalf of drug cartels to spy on investigative journalists and cover up mass killings.10 In fact, NSO’s very first sale to a government was reportedly to Mexico’s in 2011. It was brokered by Elliott Broidy, a fundraiser for the U.S. Republican Party and a paramilitary-sales pitchman who in October 2020 pled guilty to conspiring to violate foreign-lobbying laws, only to receive a pardon from Trump a few months later. Broidy was also a close confidant of ex–prime minister Benjamin Netanyahu of Israel, who is currently on trial in that country for fraud and bribery.

In Saudi Arabia, Crown Prince Mohammed bin Salman engineered a multipronged hacking and disinformation campaign against Saudi activists and dissidents prior to the October 2018 murder of journalist Jamal Khashoggi at the Saudi consulate in Istanbul, Turkey. As part of that campaign, the Saudis hired McKinsey consultants to identify key social-media “influencers” in the Saudi opposition, whose devices then became targets of Pegasus hacks.11 Or take Honduras, where in 2019 an Israeli consulting firm called Archimedes Group used Facebook pages designed to mimic news sites to spread messages backing President Juan Orlando Hernández and attacking his opponents, while a Mexico-based, Puerto Rico–registered firm called “Wish Win” similarly used social media and a “fake news” website to spread disinformation about a major opposition figure in advance of the country’s November 2021 general election.12

For many years it was widely assumed that digital technologies and especially social media were empowering global civil society by means of a new type of distributed “people power” that could hold governments and corporations accountable. Although there is still ample evidence to support this assumption, the causal relationship between digital technologies and civil society is changing quickly and dramatically.13

Over the last decade, a sophisticated and lucrative industry has sprung up to sell private clients and governments potent intelligence and surveillance capacities that they could scarcely have dreamed of even a few years ago. Clandestine influence operations, targeted espionage against civil society, and political subversion both near and far are easier to undertake than ever before. Researchers are beginning to chart the spread and dynamics of transnational repression (including the digital technologies involved), but the resources that this industry lays open to repressive regimes, private firms, and corrupt individuals have so far come in for little systematic attention.14 Something novel is happening, and the implications for liberal democracy, human rights, and the rule of law are disturbing. Our age is has become one of privatized subversion in service of kleptocracy, authoritarianism, and despotism.

Our Golden Age of Digital Subversion

Subversion is an organized activity whereby the decay of legitimate political institutions is seeded—on purpose and in secret—from the inside out. As expert Lennart Maschmeyer puts it, “subversion produces outcomes by exploiting vulnerabilities in systems. Through exploitation, it either undermines the integrity of these systems or manipulates them to use them against the adversary.” Stealth is critical to the success of subversion. “If done right,” Maschmeyer continues, “it interferes without revealing that interference is taking place.”15

Most people associate subversion with governments, as they have long used it. Subversion goes with espionage, sabotage, and assassination as one of the four principal clandestine activities of statecraft known throughout history. When undertaken by modern states, subversion efforts have traditionally been labor-intensive, costly, and complicated to mount with any hope of success. Subversion requires specially trained people who are willing and able to go on dangerous undercover missions, often on hostile ground.

Unlike assassination or sabotage, subversion is a “slow-burn” activity—it takes persistence, patience, and time.16 Subversion is also inherently risky. If exposed, an attempted subversion operation can end with agents in jail or dead, a government humiliated, and an international conflict exacerbated. Historically, these risks have kept subversion at the edges of politics and made it a game for a few well-resourced states—until now.

At least three contingent factors—accidents of history, not fruits of any plan—are driving subversion’s spread, lowering its risks, and (arguably) raising its chances of success. Social forces, in short, are coming together to produce an unexpected and very unwelcome development.

Shadow globalization. The first and broadest underlying factor is linked to neoliberal globalization, and especially the privatization and deregulation that it brought. The late 1970s and 1980s saw regulatory rollbacks and the selling of state shares in telecommunications, banking, mining, broadcasting, and many other economic sectors. Huge capital flows washed across the globe, their effects amplified by the budding digital age with its telecom networks, rapid computing, and novel financial instruments.17 Governments junked traditional safeguards in favor of tax incentives and other fiscal mechanisms meant to draw corporate investment. Vast inequalities of wealth emerged. According to the Credit Suisse Research Institute’s Global Wealth Report for 2021, the world’s richest 1.1 percent (those whose wealth exceeds $1 million) now own almost 46 percent of all global wealth. Power-seeking behavior among the ultra-wealthy has predictably followed, with dark money and corporate lobbying now plaguing political processes across the industrialized world, and especially in the United States.18

At around the same time, the USSR’s collapse set off a corruption-filled scramble for newly privatized state assets. Early in Vladimir Putin’s tenure as Russia’s president, his fellow ex-KGB officers exploited the post-Soviet power vacuum to seize private enterprises (typically purloined state industries) while aligning themselves with organized criminals. Together they raked in billions through corruption, intimidation, and extortion. Kleptocracy spread quickly across the former Soviet space and then flowed into the global financial system.19

Meanwhile, China’s economic modernization produced its own class of super-rich industrialists backed by the Chinese Communist Party and in charge of businesses that included state-owned enterprises in mining, construction, manufacturing, electronics, and telecommunications. Chinese investments began to flood sub-Saharan Africa, Latin America, Central Asia, and other regions where oversight and regulations are often lax and corruption pervasive. Profits mounted: Of the ten cities in the world with the most billionaires, five are in mainland China. Trillions of dollars from Chinese oligarchs have found their way to Europe, the United States, and Canada as well, carrying along organized criminal groups. On the receiving end, greedy officials and other accomplices turn a willfully blind eye, as evidenced by the owners of casinos in Vancouver, British Columbia—a notorious money-laundering haven for China’s corrupt plutocrats.20

Russia and China’s bursting wealth and kleptocratic ways have influenced other parts of the world: Oil-rich Gulf monarchs, Central Asian gangster-plutocrats, and African kleptocrats all follow the same script to misuse political power, grab state assets, and enrich themselves.21 A new transnational class of billionaire oligarchs now enjoys close ties to authoritarian governments and fleets of lawyers, mandarins, and fixers. Naturally, this class seeks ways to integrate its assets into the “legitimate” economy, to disguise corrupt activities, and to fend off legal and other risks. Offshore financial centers and other vehicles of money laundering have flourished, along with the legal and other professional services to go with them, as the Panama and Pandora Papers have shown. Shell companies, secretive financial havens, law and public-relations firms, investment managers, accountants, real-estate professionals, private investigators—most of them based in the West—form an elaborate support system for this transnational class. For the ultra-rich, seemingly insulated from any serious risk of legal exposure by coteries of well-paid professionals, flirting with illicit activities for personal enrichment is now de rigeur.

Privatized subversion. The second factor is the rise and spread of businesses that offer private intelligence, surveillance, and “black ops” to make possible what I call privatized subversion. The tradecraft, once the exclusive province of spies and commandos sworn to serve nation-states, is now routinely carried on by private firms and even individuals. During the Cold War, the Soviet KGB matched wits with the U.S. CIA. The latter’s officers called it “the company,” but now there are many real private companies that do what intelligence agencies once monopolized.

As tools and methods of subversion became more elaborate, business opportunities began to flower. Retired intelligence officers built startups to assess risks, manage reputations, support litigation, and offer other “solutions” for thorny problems. Governments began hiring private contractors, seen as smarter and nimbler than bureaucrats, to handle security and intelligence matters. A growing number of unethical corporations working in conflict zones used such contractors as well, creating a new arena of clandestine private intelligence work. In some countries (Israel being a prominent example), the national government has promoted a private-intel “startup culture.” Black Cube, the notorious contractor that convicted rapist Harvey Weinstein hired to discredit his accusers, was founded by a pair of former Israeli intelligence officers. In late 2018 and early 2019, its operatives tried and failed to subvert our own staff at the Citizen Lab.22

The market for privatized subversion has gone global. Many firms from many countries now do spying and hacking for hire as well as dark PR, and most are glad to sell their services across borders. It is now common to see companies registered in Bulgaria, Cyprus, India, Panama, the Philippines, and Serbia working for clients in the Gulf, Latin America, sub-Saharan Africa, the United Kingdom, or the United States. Lack of direct contact with the operatives who do the actual subverting—they are hired through law firms and private investigators—offers deniability. Handsome websites, LinkedIn profiles, and bland marketing copy mentioning “reputation management” and “deep background checks” gloss over what is, in reality, duplicitous work on behalf of despots, criminals, and sociopaths.

Like the clients they serve, purveyors of privatized subversion play financial and accounting shell games to evade public scrutiny and accountability. Law firms and front companies sidestep export controls and other regulations. Complex ownership structures obfuscate who is responsible and make investigations harder. Clients that are government agencies may be nominally accountable but they often use nondisclosure agreements to keep the firms that they hire quiet. Such opacity is not unique to authoritarian regimes; democratic countries hire surveillance vendors behind the shield of national-security exemptions from public-disclosure laws. With little meaningful regulation and shadowy, furtive clients, firms act with impunity. Authoritarian regimes, kleptocrats, despots, and autocrats—those most likely to undertake subversion—are prized, top-dollar clients. So are big corporations and even wealthy individuals. Anyone with enough cash can hire a “private Mossad.”23

The expanding market for privatized subversion has given authoritarian powers and kleptocrats potent resources. Even a few decades ago, most authoritarian regimes lacked the in-house capacities to mount the types of foreign-influence, espionage, and subversion operations that have become common today. Missions abroad were too costly and politically risky for most smaller-country governments to try. Now, anyone with enough cash can order a hack-and-leak smear campaign against a distant investigative journalist or opposition leader with little more effort than it takes to buy a sweater from Amazon.

Digital Exploitation. The third and final factor is the digital communications environment: invasive by design, insecure, poorly regulated, prone to widespread abuses, and engineered to exploit human emotions and cognitive biases. We are immersed in networks of ubiquitous devices that connect us to the world via the internet. But these devices are also windows into our private lives. Our phones and other devices are designed to store and transmit masses of information about our movements, purchases, habits, routines, social relationships, and more. The details of a person’s life are now fed routinely into a vast digital labyrinth—a new and enormous datasphere that is connected to, but also separate from, all of us. The trends toward networked appliances (the so-called Internet of Things) and, eventually, neural networks are ominous to contemplate in this light. Our most intimate details are relentlessly mined and globally networked.

Privatized subversion capitalizes on at least three features of this digital ecosystem: its bottomless appetite for highly revealing personal data, its inherent insecurity, and the underlying attention economy that lies at the core of social media’s business model. Insecurity pervades the system because tech companies favor innovation above all. Endless vulnerabilities invite exploitation. All users now rely on networks that are replete with insecurities. Privacy breaches are routine, with masses of personal data winding up for sale. Decisions early in the internet’s history to “leave the state out” and go light on regulation have led to innovation racing ahead of safety standards. Governments talk about the problem, but the flaws run so deep and wide, are generated so quickly, and come from developers in so many countries that little gets done. Indeed, governments make matters worse by purchasing software vulnerabilities or mandating secret “backdoors” into apps and devices that law-enforcement and intelligence agencies can exploit.

Internet platforms seek out attention and audience engagement above all. More posts, tweets, and page views mean bigger profits. The platforms’ algorithms promote sensational, extreme, and conspiracy-minded content. Citizens now live in a real-time, ceaseless tsunami of conspiracy claims, “fake news,” and half-truths that sweeps them toward epistemological fatigue and fatalism. The emotional-manipulation machine at the heart of social media is a near-perfect vehicle for spreading the lies and distortions that subversion requires. Truth is easily buried under an avalanche of well-engineered falsehoods dispersed by paid trolls and (to a lesser degree) bots. New disinformation techniques, such as deep fakes, are cheap, accessible, and spreading quickly—effectively “democratizing” the tradecraft.

Privatized-subversion companies feed on all of these features. Some sweep up data (including from breaches) and provide intelligence analysis of targets to their clients. Others provide smartphone interception, biometrics, facial recognition and other surveillance services. Location-tracking firms are a prime example. Most users carry always-on devices containing dozens of apps that record the user’s movements. Developers sell this data to third parties, who then package it with information from other sources in easy-to-use interfaces for other clients.

Firms that harvest personal data see police and intelligence services as potential customers. Predicio, to take one example, is based in France and pays app developers for access to their users’ granular location data. It has links with a company called Venntel that sells such data to, among others, U.S. Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP).24 Another firm in the supply chain is Aspectum, which boasts of its software’s ability not only to map natural disasters and wildfires, but also to aid “countermeasures” against “social unrest” including “demonstrations” and “protests,” which the firm’s advertisement cavalierly lumps together with riots in the category of “mass civil disorder acts.” Clearview AI is notorious for having scraped billions of images from social media to build an aggressively marketed facial-recognition service. Customers include the UAE government. With services such as these, any state or corporate client is a click away from having a thick dossier on almost anyone.

Other firms specialize in exploiting security gaps in global phone networks to provide government clients with interception and tracking capabilities. An Israeli company called Circles—a sister of NSO Group—received a telecommunications “global title” (effectively a license to join the international telephony club) in Bulgaria. Circles takes advantage of flaws in SS7, a signaling system originally designed to keep track of mobile-phone roaming for billing purposes. A global title makes it possible to identify and locate any device with precision, to mount denial-of-service attacks, to intercept and mimic SMS messages, and even to record voice calls. In 2020, the Citizen Lab identified Circles deployments in at least twenty-five countries including notorious human-rights abusers such as El Salvador, Equatorial Guinea, Guatemala, Mexico, and Vietnam.25 In a few cases, we were able to attribute the deployment to a particular customer such as the Royal Thai Army, which has allegedly tortured detainees. The appeal of this type of tech to governments is summed up by the slogan of Ability, a Circles rival: “While others talk, we listen.”

Hacking is another major sector of privatized subversion. A target’s device is a goldmine of information including photos, videos, messages, conversations, location data, and more. Spyware firms such as NSO Group pay highly trained engineers to find vulnerabilities that government customers can “weaponize.” Over time, spyware has become refined to the point where the target need not be induced to do anything (no clicking on socially engineered text messages or emails required), the hacking leaves almost no visible trace, and the spyware itself is designed to evade forensic analysis.

For example, the latest known iteration of Pegasus, which Citizen Lab researchers captured in the wild, was a “zero-click, zero-day,” meaning that it could be activated against any vulnerable device in the world without user interaction, and took advantage of software flaws of which Apple itself was unaware.26 Surveillance firms advertise and justify their services as helping law enforcement to investigate crimes (including pedophilia) and stop terrorism. While there are legitimate uses, it is also the case that in this scantily regulated market, firms routinely sell their powerful capabilities to governments that are serial human-rights abusers, as investigations by the Citizen Lab, Amnesty International, and journalists have revealed.

Thanks to spyware firms, autocratic regimes with no in-house tech capability can simply buy signals intelligence (SIGINT) “off the shelf.” Take Ethiopia, a poor country where only about a quarter of the populace has internet access. In the past, transnational repression and foreign espionage were largely beyond the reach of its government, as was most SIGINT (given the country’s lack of direct links to the global telecom system). Today, with help from Israel-based Cyberbit, as a 2017 Citizen Lab investigation showed, officials in Addis Ababa can aim cyberespionage at dozens of people in more than twenty countries at once.27

Meanwhile, on the emotional-contagion side of the digital ecosystem, there are firms that specialize in psychologically based influence operations, trolling, or professional disinformation campaigns—sometimes referred to in shorthand as “dark PR” or “digital black ops.” Extensive publicity regarding the role of Russian social-media disinformation in the 2016 U.S. presidential election and the dubious practices of Cambridge Analytica may have unfortunately served to distract attention from the degree to which black-ops firms and disinformation practices have evolved since 2016, especially in other parts of the world.

One recent ethnographic study in the Philippines found that the use of fake accounts and paid influencers was widespread, with numerous local advertising and PR firms using branding techniques and paid influencers to distort trending rankings, confuse the public, and intimidate and discredit critics.28 The study found that the ground was prepared for the success of such efforts by public habits of accepting corporate PR and political spin as part of normal practice. The Philippines is by no means unique. A recent survey undertaken by the Oxford Internet Institute revealed that at least 65 firms are helping 81 governments to use social media as a means of spreading propaganda.29

Some of the best illustrations of privatized subversion via social media come from Facebook. The platform occasionally publishes details on takedowns for what it calls “Coordinated Inauthentic Behavior.” These reveal not only the scope and scale of social-media subversion campaigns worldwide, but also their commercial roots, often involving companies based in the West. In 2020, for example, Facebook removed dozens of disinformation accounts focused primarily on subversion of political processes in Bolivia, Mexico, and Venezuela. Behind them all was a single entity in Washington, D.C., called CLS Strategies.30 These takedowns offer a window into social-media disinformation; they do not mean that it is under control. On the contrary, conspiracy theories and falsehoods continue to roll out across the platform (propelled by Facebook’s own engagement-hungry algorithms), all too often making their way into traditional news outlets.

Is Pax Despotica the New World Order?

The ancient clandestine arts are becoming not only normalized, but professionalized and commercialized. What was once on the margins is moving to the center. The world of the shadows is coming to dominate the world at large. How are we to understand this newly emerging world order? What conceptual language and theories should we use to describe it? Can we prevent it from spreading, and if so, how?

Sadly, the academic study of world politics is poorly equipped to help us interpret these developments. It is based on a textbook image of the international system organized around territorially distinct units divided by domestic regime types: good “democratic” countries here, and bad “authoritarian” countries over there. But the practices outlined above are inherently transnational, and implicate individuals, companies, and institutions in every regime. What we are witnessing are assemblages of authoritarian practices that cut across political borders.

Privatized subversion is the main means by which power is projected in this emerging system, but covert operations have received scant attention in the social sciences—and this new, post–Cold War type of high-tech spying perhaps least of all. The political economy of privatized subversion is the embodiment of globalization’s dark side, and the spearpoint of a world increasingly organized around the norms and values of a transnational class of oligarchs, gangsters, and kleptocrats. This is no “Westphalian System,” or “Liberal World Order” but something more along the lines of a “Pax Despotica.” If you really want to understand the dynamics of world politics today, think less Bismarck, Churchill, or Roosevelt, and more Al Capone or the villains in James Bond movies.

Other misconceptions about international politics need to be dispelled as well. Dictators are not all old men unfamiliar with fast-paced digital technologies. Authoritarians today can be younger, with social-media savvy and deep attraction to what high-tech private spies are able do. Consider El Salvador’s President Nayib Bukele. Only forty years old, he is an examplar of what Manual Meléndez-Sánchez calls millennial authoritarianism—“a distinctive political strategy that combines traditional populist appeals, classic authoritarian behavior, and a youthful and modern personal brand built primarily via social media.”31 It should come as no surprise that in January 2022, the Citizen Lab discovered that Pegasus was used to hack thirty-five journalists and civil society activists in El Salvador.32

Harms and Cures

Subversion is now big business. As it spreads, so too do the authoritarian practices and the culture of impunity that go with it. The rule of law and public accountability suffer. Law-enforcement agencies are of limited help: Not only is the problem too widely distributed, but such agencies are all too often implicated in it.33 Evidence of norm erosion is rising: We see Belarus’s forced downing of a European flight to apprehend a journalist; the brazen poisonings of exiled Russian opposition figures and others; state-sanctioned executions of journalists and dissidents by Saudi Arabia and Rwanda; and the 6 January 2021 insurrection in the United States, encouraged by President Trump and his supporters and followed by efforts to promote the “Big Lie,” restrict voter rights, and install election officials sympathetic to the coup plotters’ aims in advance of the next U.S. election.

There is now undeniable evidence of democratic backsliding worldwide. Freedom House’s report covering 2021 sees deterioration on just about every measurement of democratic rights and freedoms. Larry Diamond, one of the leading thinkers of democracy, calls our era a time of “democratic regression.”34

Meanwhile, real-life harms are piling up, often with deadly effects, as research at the Citizen Lab and elsewhere has shown. The wares of just one company, NSO Group, are implicated in the hacking of hundreds of innocent members of civil society worldwide, some with lethal consequences. When spyware is sold by front companies linked to drug cartels, as it was in Mexico, it is used to hunt down journalists who investigate cartel affairs. One such reporter, Javier Cárdenas, was gunned down in broad daylight in Sinaloa; shortly thereafter, the phones of his widow and his associates were targeted with Pegasus.35 Similar stories of violence and intimidation can be told about victims of privatized subversion in El Salvador, Poland, Rwanda, Saudi Arabia, and the UAE, among others.

There are major effects for civil society: Reports of self-censorship and psychological trauma resulting from transnational repression are growing. Targeted transnational activists can have their whole networks exposed, placing in jeopardy people who themselves have not been hacked or tracked. Blackmail and false incriminations can damage reputations and even send people to jail. As the mere knowledge of these risks grows, civil society is chilled.36 Interviews of refugees and immigrants who have experienced transnational digital repression reveal widespread fear and psychological trauma. People are afraid to communicate, to use the internet, or to trust their computers and mobile devices. Fear is causing global civil society to grind slowly to a halt.

Solving the problems that I have identified will not be easy. They are rooted in multiple, deep-seated social and political forces that will be extremely difficult to slow, let alone turn back. First, we need to recognize that this is an emergency for liberal democracy. Symptoms are everywhere, but we need to systematically document them to spread awareness of their key dynamics and features. Privatized subversion hides in the shadows; the first step toward mitigating its harms is to drag the industry and its clients into the light. For this we need more investigative journalism, and more rigorous open-source research in the public interest such as that undertaken by Bellingcat, the Citizen Lab, Amnesty International, and others.

Second, we need stronger legal countermeasures, and in particular legislation and law-enforcement actions that target kleptocracy, including use of the 2012 U.S. Global Magnitsky Act. Governments must investigate threats to civil society with the same priority and resources that they apply to threats against state institutions and businesses. Lawmakers and law enforcement should investigate and, where appropriate, criminally prosecute privatized-subversion firms, especially those working for autocrats and authoritarian regimes given to menacing critics who have fled abroad for safety. Civil actions can help as well: Suits that WhatsApp and Apple have filed in U.S. courts against NSO Group could lead to stiff fines that may make the industry more responsible. New laws letting individuals sue foreign governments and private-subversion firms in liberal-democratic jurisdictions may be of use as well.

As part of these countermeasures, liberal democracies need to get their own houses in order. That means bringing much greater transparency, oversight, and public accountability to their own clandestine, law-enforcement, signals, and other intelligence agencies. These organizations must be held to a higher standard, including with respect to the companies from which they procure intelligence services and surveillance technologies. Export controls over surveillance companies must also be strengthened to include human-rights compliance. Firms that facilitate serial rights abuses should find themselves placed on a designated deny list, as the U.S. Commerce Department recently did to NSO Group, Candiru, and other hack-for-hire firms. Private-equity and venture-capital firms based in liberal-democratic jurisdictions should be compelled to undertake rigorous human-rights due diligence or face investigations and penalties.37 All these measures are part of the existing governance toolkit; they simply require political will and resources.

We will also need to clean up the security flaws and attention-seeking algorithms that are endemic to social media and the business model of surveillance capitalism. Takedowns and corporate self-governance are welcome, but the firms’ own attention-seeking algorithms push in the opposite direction. More outside accountability is desperately needed. We also need to drain the cesspool of location-tracking, facial-recognition, and other companies that feed off the worst aspects of social media. Stiff liabilities for tech companies whose reckless engineering practices breed constant data breaches are an obvious and easy fix.

What’s at Stake

Several years ago, evidence started to emerge that Exxon had knowledge of the industry’s effects on climate change and actively worked not only to bury that evidence but to spread misinformation about it. Beginning around 2017, several organizations involved in the self-described #exxonknew campaign started receiving emails with links to documents that appeared to be relevant to the groups’ advocacy. The tantalizing documents required recipients to enter their credentials into genuine-looking (but fraudulent) online portals designed to steal the target’s credentials.

Soon after, unflattering news stories about #exxonknew began to appear, complete with confidential meeting notes and private emails. The organizers suspected hacking, and the Citizen Lab was able to confirm it. The culprits made mistakes that let us observe their doings. We discovered how the phishing emails were timed and we shed light on the hackers’ backend operation and identities.

To our surprise, at the center of this hack-and-leak operation was a tiny company in Delhi, India, called Belltrox LTD—whose advertised services include the benign-sounding “corporate reputation management” and whose slogan is “You Desire, We DO!”38 At the victims’ request, we turned over our evidence to the U.S. Justice Department. A U.S. private investigator who allegedly hired Belltrox has been indicted, but the ultimate perpetrators are hiding behind layers of privatized subversion spread across multiple jurisdictions, and may never be held criminally liable. The hackers who work for Belltrox have little to fear; they almost certainly will not be extradited to the United States. Nor is Interpol likely to help: Its current head is a former UAE general who has been accused of torture.

The dawning of a golden age of subversion is a disaster for humanity. The more that subversion is normalized and practiced, the greater the challenges for liberal democracy and the rule of law. But the threats are even greater than this. We face a growing number of catastrophic and potentially species-ending risks, including nuclear war, artificial superintelligence, engineered pandemics and—above all else—climate change. If subversion continues to flourish unchecked, then the rule of law, public accountability, and even the scientific research necessary for our very survival in the face of these risks will suffer. Countering digital subversion is an existential imperative.


Portions of this article are derived from Ronald J. Deibert, “Authoritarian Power and the Commercial Surveillance and Private Intelligence Marketplace,” Democracy and Autocracy 20, no. 1 (2022).

1. Danica Kirka, “UK High Court Finds That Dubai Ruler Hacked Ex-Wife’s Phone,” Associated Press, 6 October 2021,; see also Paul Waldie, “How Toronto’s Citizen Lab Uncovered the Hacking of Princess Haya,” Globe and Mail (Toronto), 11 October 2021.

2. Bill Marczak and John Scott-Railton, “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days Used Against a UAE Human Rights Defender,” Citizen Lab, 24 August 2016,

3. Christopher Bing and Joel Schectman, “Project Raven: Inside the UAE’s Secret Hacking Team of American Mercenaries,” Reuters, 30 January 2019,

4. Bill Marczak and John Scott-Railton, “Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents,” Citizen Lab, 29 May 2016,

5. “3 Former U.S. Officials Charged in United Arab Emirates Hacking Scheme,” Associated Press, 14 September 2021,

6. Jon Gambrell, “Powerful Emirati Crown Prince Entangled by Mueller Report,” Associated Press, 19 April 2019,; Dania Akkad and Ian Cobain, “George Nader: How a Convicted Paedophile Became Key to an Emirati Hook-up with Trump,” Middle East Eye, 5 July 2019,

7. Spencer S. Hsu and Matt Zapotosky, “Key Mueller Witness, Major Clinton and Trump Donor Charged with Funneling $3.5 Million in Illegal Contributions,” Washington Post, 3 December 2019.

8. Haroon Siddique, “Ruling in Princess Haya Case Raises Fresh Questions for Cherie Blair,” Guardian, 6 October 2021,

9. Stephanie Kirchgaessner, “Phones of Journalist Who Tracked Viktor Orban’s Childhood Friend Infected with Spyware,” Guardian, 21 September 2021,

10. Nina Lakhani, “Fifty People Linked to Mexico’s President Among Potential Targets of NSO Clients,” Guardian, 19 July 2021.

11. Bill Marczak et al., “The Kingdom Comes to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” Citizen Lab,1 October 2018; Sheelah Kolhatkar, “McKinsey’s Work for Saudi Arabia Highlights Its History of Unsavory Entanglements,” New Yorker, 1 November 2018,

12. Leo Schwartz, “A Prominent PR Firm Is Spreading Disinformation Ahead of Honduras’ Elections, New Investigation Reveals,” Rest of World, 29 October 2021,

13. Ora John Reuter and David Szakonyi, “Online Social Media and Political Awareness in Authoritarian Regimes,” British Journal of Political Science 45 (January 2015): 29–51.

14. Dana M. Moss, “Transnational Repression, Diaspora Mobilization, and the Case of the Arab Spring,” Social Problems 63, no. 4 (2016): 480–98; Nate Schenkkan and Isabel Linzer, “Out of Sight, Not Out of Reach: Understanding Transnational Repression,” Freedom House, 2021,; Fiona B. Adamson, “Non‐State Authoritarianism and Diaspora Politics,” Global Networks20 (January 2020): 150–69. See also Marcus Michaelsen, “Silencing Across Borders: Transnational Repression and Digital Threats Against Exiled Dissidents from Egypt, Syria and Iran,” Hivos Report, 2020,; “Far Away, So Close: Transnational Activism, Digital Surveillance and Authoritarian Control in Iran,” Surveillance and Society 15, no. 3–4 (2017): 465–70; and “The Digital Transnational Repression Toolkit, and Its Silencing Effects,” Freedom House Special Report, 2020,

15. Lennart Maschmeyer, “Why Cyber War Is Subversive, and How That Limits Its Strategic Value,” War on the Rocks, 17 November 2021,’s analysis of “cyber subversion” narrowly focuses on computer hacking and suggests its limits. My analysis is broader and comes to a different conclusion.

16. Lennart Maschmeyer, “The Subversive Trilemma: Why Cyber Operations Fall Short of Expectations,” International Security 46 (Fall 2021): 51–90.

17. Michael Lewis, Flash Boys: A Wall Street Revolt (New York: Norton, 2014).

18. Jane Mayer, Dark Money: The Hidden Story of the Billionaires Behind the Rise of the Radical Right (New York: Anchor, 2017).

19. Catherine Belton, Putin’s People: How the KGB Took Back Russia and Then Took on the West (New York: Farrar, Straus and Giroux, 2020).

20. Sam Cooper, Willful Blindness: How a Network of Narcos, Tycoons and CCP Agents Infiltrated the West (Toronto: Optimum, 2021).

21. Alexander A. Cooley and John Heathershaw, Dictators Without Borders: Power and Money in Central Asia (New Haven: Yale University Press, 2017).

22. D.J. Pangburn, “How a Spyware-Hunting PhD Student Foiled a Private Spy over Lunch,” Fast Company, 4 February 2019,

23. Adam Entous and Ronan Farrow, “Private Mossad for Hire,” New Yorker, 11 February 2019,

24. Joseph Cox, “Google Kicks Location Data Broker That Sold Muslim Prayer App User Data,” Vice, 2 September 2021,

25.Bill Marczak et al., “Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles,” Citizen Lab, 1 December 2020,

26. Bill Marczak et al., “FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild,” Citizen Lab, 13 September 2021,

27. Bill Marczak et al., “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware.” CitizenLab, 6 December 2017,

28. Jonathan Corpus Ong and Jason Vincent A. Cabañes, “Architects of Networked Disinformation: Behind the Scenes of Troll Accounts and Fake News Production in the Philippines,” Communication Department Faculty Publication Series, University of Massachusetts–Amherst, 2018, See also Muyi Xiao, Paul Mozur, and Gray Beltran, “Buying Influence: How China Manipulates Facebook and Twitter,” New York Times, 20 December 2021.

29. Samantha Bradshaw, Hannah Bailey, and Philip N. Howard, “Industrialized Disinformation: 2020 Global Inventory of Organized Social Media Manipulation,” Computational Propaganda Research Project, Oxford University, 2020,

30. Craig Timberg and Elizabeth Dwoskin, “Washington Firm Ran Fake Facebook Accounts in Venezuela, Bolivia, and Mexico, Report Finds,” Washington Post, 4 September 2020.

31. Manuel Meléndez-Sánchez, “Latin America Erupts: Millennial Authoritarianism in El Salvador,” Journal of Democracy 32 (July 2021): 19–32.

32. John Scott-Railton et al., “Project Torogoz: Extensive Hacking of Media and Civil Society in El Salvador with Pegasus Spyware,” Citizen Lab, 12 January 2022,

33. Ronen Bergman and Mark Mazzetti, “The Battle for the World’s Most Powerful Cyberweapon,” New York Times, 31 January 2022.

34. Larry Diamond, “Democratic Regression in Comparative Perspective: Scope, Methods, and Causes,” Democratization 28, no. 1 (2021): 22–42.

35. John Scott-Railton et al., “Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group’s Spyware,” Citizen Lab, 20 March 2019,

36. Marcus Michaelsen, “Exit and Voice in a Digital Age: Iran’s Exiled Activists and the Authoritarian State,” Globalizations15, no. 2 (2018): 248–64; Noura Al-Jizawi et al., “Psychological and Emotional War: Digital Transnational Repression in Canada,” Citizen Lab Research Report No. 151, University of Toronto, March 2022,

37. Amnesty International, “Risky Business: How Leading Venture Capital Firms Ignore Human Rights When Investing in Technology,”2021,

38. John Scott-Railton et al., “Dark Basin: Uncovering a Massive Hack-For-Hire Operation,”Citizen Lab,9 June 2020,


Copyright © 2022 National Endowment for Democracy and Johns Hopkins University Press

Image Credit: Gorodenkoff/