
Citizens’ Nightmare: A Manual for Understanding Spyware
In recent years, spyware has emerged as one of the gravest threats to human rights and a central instrument of repression and social control. Intrusive by design, it operates silently in the background, stripping away what should be every person’s safest sanctuary – privacy. At first glance, its use can appear justified – safeguarding national security, fighting organized crime, or protecting the public interest. Yet beneath these seemingly legitimate arguments lies a technology fundamentally at odds with the rule of law and the principles of democratic societies.
In late 2023, when attempts to target civil society members with spyware were first uncovered, it quickly became evident that these incidents were only the beginning – and that attacks on journalists and activists in Serbia would grow both more frequent and more severe. This prediction soon proved correct: just a year later, Amnesty International published a report exposing the widespread abuse of spyware tools such as NoviSpy by the Serbian police and the Security Information Agency (BIA). What initially appeared to be an isolated incident revealed itself as part of a broader pattern of intimidation and repression. In this context, the need to understand spyware in greater depth became not only logical but urgent.
The need for a comprehensive understanding of such a complex phenomenon as spyware led us to approach the issue from multiple angles – technical, legal, and social. This effort resulted in the book A Privacy Nightmare: Understanding Spyware. The publication explains what spyware is and how it operates, offers a comparative legal analysis across 13 countries, and explores its consequences for human rights, democratic processes, and everyday life.
The technical section traces the evolution of spyware from the rudimentary chat-interception malware of the 1990s to today’s sophisticated systems capable of compromising phones and computers without a detectable footprint. Using examples such as Pegasus, Predator, and NoviSpy, the book illustrates how these tools have far surpassed traditional surveillance methods – bypassing encrypted communications and exploiting hidden vulnerabilities in devices.
The legal analysis reveals that spyware operates in a grey area. No national or international framework explicitly regulates it, and some states go even further by attempting to normalize its use under the pretext of national security or crime prevention. Yet the absence of clear regulation does not mean that the answer lies in drafting one. On the contrary, because of its very nature – its all-encompassing and disproportionate intrusiveness – spyware cannot be legitimized by regulation. At its core, it is incompatible with the rights to privacy and freedom of expression, as well as with basic democratic principles. It should therefore not be treated as a technology to be regulated, but as a practice to be categorically rejected and prohibited.
In its social and practical dimension, the book shows how device infiltration has become a cornerstone of contemporary authoritarian regimes, which rely on digital surveillance to track, intimidate, and silence their dissenters. Global trends, such as the steady decline of internet freedoms in recent years, make clear that spyware is not an isolated phenomenon, but part of a wider strategy of repression. Those who are meant to safeguard the public interest – journalists, activists, and human rights defenders – are consistently among the first to be targeted. This makes spyware not only a personal threat, but an assault on the very foundations of democratic society.
The conclusion is clear: the development and use of spyware must be banned outright. Proposals to regulate spyware do not offer a way out – they pave the way for abuse and amount to the de facto legalization of one of the most dangerous surveillance tools ever created.
A similar stance is taken by the European network of digital rights organizations – EDRi, which offers a comprehensive definition of spyware while calling for a ban on its use. EDRi’s document reflects the position of the broader community committed to safeguarding freedom, privacy, and the rule of law in the digital age. It also reinforces the book’s central argument: spyware cannot be placed within the framework of legitimate surveillance, and its use must be prohibited. As a member of EDRi, the SHARE Foundation contributed to drafting this document, making this position not only ours, but a shared message against the normalization of repression.
While the global perspective is crucial, it was also necessary to examine domestic legislation, which – like most – does not explicitly mention spyware and instead applies only general principles. Our analysis shows clearly that the use of spyware in Serbia can be neither legal nor legitimate. The Criminal Code prohibits acts typical of spyware, such as creating and planting computer viruses, unauthorized access to computers, or unlawful processing of personal data. Even the most intrusive measures allowed under Serbian law – special evidentiary procedures and measures applied by security agencies – cannot justify a technology that enables total, indiscriminate control over a device and all the data it contains, as spyware operates far beyond their intended scope.
In addition to examining spyware itself, we also analyzed digital forensics tools (DFTs), without which the installation of certain systems – particularly less sophisticated spyware such as Serbia’s NoviSpy – would often not be possible. Using the example of Cellebrite UFED, the tool employed in Serbia, we showed that the law permits its use only within criminal proceedings, and that any deployment without a court order constitutes abuse. Devices such as phones and computers enjoy a heightened level of legal protection, and any intrusion without proper safeguards amounts to a serious violation of citizens’ rights.
All of this leads to a clear conclusion: spyware is not merely a technical challenge. It is a legal, political, and social problem, a tool that threatens the very foundations of democracy under the guise of protecting national security. Our book, together with the positions of the wider European community and the analysis of Serbia’s legal framework, demonstrates that the only principled stance on spyware is not regulation but a total ban – so that we do not become “the generation that killed privacy”.
Tijana Stevanović is an attorney-at-law and legal researcher at the SHARE Foundation, focusing on the legality of surveillance and the use of spyware.