State Digital Surveillance Risk Landscape
Executive Summary
Insikt Group assesses that government digital surveillance activities pose a high or very high risk in 31 countries, where state actors exploit telecommunications infrastructure, homegrown and commercial spyware, and artificial intelligence (AI)-powered tools to monitor foreign nationals and business travelers with little to no legal accountability. A further 55 countries categorized as medium risk frequently deploy less-sophisticated surveillance capabilities to target political opposition and dissent –– highlighting the need for organizations to adopt appropriate mitigation measures in jurisdictions with limited oversight mechanisms and track records of surveillance targeting foreign entities or supporting domestic repression.
Insikt Group has identified five broad categories of digital surveillance capabilities built in-house or acquired by governments: network interception, endpoint compromise, platform-level access, public space surveillance, and data aggregation. The risk of a government abusing these capabilities is almost certainly higher in jurisdictions lacking independent oversight mechanisms or clear delineations of the legal, necessary, and proportional use of these capabilities, in line with international standards.
Foreign nationals and business travelers who fail to adequately understand and prepare for digital surveillance risks prior to traveling or conducting operations in a given location can face significant personal and organizational damages, including sensitive data breaches, IP theft, targeted intelligence operations, reputational harm, and increased risks from physical threats or detention.
As such, individuals traveling abroad and their respective organizations should implement mitigation measures to protect sensitive data, commensurate with the level of state surveillance risk in the destination country. These measures range from maintaining standard security hygiene in lower-risk environments to using sterile, non-corporate devices when operating in high-risk jurisdictions.
Key Findings
- Insikt Group assesses that there are “high” or “very high” levels of digital surveillance risk in 31 countries due to their use of advanced surveillance capabilities against foreign businesses, travelers, and government critics, with limited to no oversight.
- A further 74 countries have “medium” levels of digital surveillance risk. While 55 of these countries are not known to have deployed advanced surveillance capabilities, there is evidence that their governments have deployed less sophisticated surveillance measures for a variety of purposes, which may include monitoring political opposition, human rights activists, and journalists. The remaining 19 countries in this category possess advanced surveillance capabilities, but are not known to typically use them in violation of national or international laws.
- By exploiting control over telecommunications infrastructure and online platforms, governments can conduct mass, indiscriminate monitoring of traffic and user data. The risk of abuse of network interception and platform-level access is almost certainly greatest where judicial authorization requirements and procedural safeguards are weak.
- The proliferation of commercial spyware, AI-powered public security infrastructure, and increasing collection of biometric and personal data almost certainly enables governments to build comprehensive digital profiles of individuals and leverage them for targeted surveillance operations.
- Digital surveillance that is not subject to robust oversight and does not abide by the principles of legality, necessity, and proportionality very likely incurs heightened operational, reputational, and legal costs for organizations and individuals, including the loss of sensitive data, the proliferation of cyber vulnerabilities, and legal and physical risks.
Components of Surveillance Risk
Insikt Group regularly assesses risks to business travelers and foreign nationals from government-run digital surveillance operations in 193 countries using Recorded Future’s Country Risk analytic framework. Customers can access Country Risk analysis by querying for State Surveillance Notes in the Recorded Future Intelligence Operations Platform. State Surveillance Notes assess the overall level of state surveillance risk in a given country based on three primary categories:
- Surveillance Capabilities: The ability of intelligence services, law enforcement agencies, or other state-affiliated or directed entities to undertake digital surveillance, and the scope of these digital surveillance capabilities. This category includes the capabilities of a variety of state and state-nexus actors, including specialized surveillance agencies with broad access to digital infrastructure, state-affiliated groups that deploy spyware for cyber espionage, and individual law enforcement units that carry out traditional wiretapping.
- History of Digital Surveillance Operations: A government’s historical willingness to carry out unlawful, arbitrary, or overbroad digital surveillance operations. This can include surveillance that violates national law — such as government entities monitoring communications without appropriate authorization — but also covers surveillance that may be sanctioned under national legislation but violates international principles of legality, necessity, and proportionality.
- Oversight Mechanisms: The existence and efficacy of judicial, legislative, or independent oversight bodies that approve and monitor a government’s digital surveillance operations for compliance with domestic and international law.
A comprehensive evaluation of state surveillance risk in a country requires a composite assessment that takes into account all three categories. For example, a country purchasing high-profile spyware may not, by itself, indicate a high level of risk to business travelers or foreign nationals, provided that the government has a good track record of respecting domestic and international privacy protections and has strong judicial and legislative oversight of intelligence and security agencies. In contrast, a country with less advanced capabilities, but strict control over internet infrastructure and few restrictions on the government’s ability to collect user data, likely poses a greater risk to travelers’ and foreign nationals’ data security.
Insikt Group assesses whether a country’s history of digital surveillance constitutes a risk to foreign nationals and travelers based on its alignment with international principles on privacy and digital rights. Article 12 of the United Nations (UN) Universal Declaration of Human Rights establishes that no individual “shall be subjected to arbitrary interference with his privacy, family, home, or correspondence”. A 2022 UN General Assembly resolution on privacy in the digital age states that
“unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, hacking and the unlawful use of biometric technologies, as highly intrusive acts, violate the right to privacy” and that states should ensure that any interference with this right is consistent with principles of “legality, necessity, and proportionality.”
“Legality,” in this formulation, requires that surveillance or interception be prescribed by “a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.” Surveillance must also be necessary to further the purposes identified in corresponding law, take the least intrusive form required to do so, and be proportionate in scope to the interest being protected.
Key Components of State Digital Surveillance Risk
Capabilities
- What technologies support a government’s ability to conduct surveillance?
- Do capabilities enable mass surveillance or data collection?
- Who are the primary providers of surveillance technologies?
- Which government entities have access to these surveillance capabilities?
Surveillance History
- Who is monitored, and under what conditions?
- Do authorities surveil activists, journalists, foreign diplomats, or business representatives?
- Does surveillance align with international and domestic law?
- Are government security and intelligence entities linked to rights violations?
Oversight
- Does surveillance require prior judicial authorization?
- Do judicial, legislative, or expert oversight bodies review surveillance programs’ compliance with domestic and international law?
- Are oversight bodies independent, impartial, and effective?
Table 1: State surveillance risk level is a function of not only a jurisdiction’s surveillance capabilities, but also its history of deployment of those capabilities and oversight mechanisms (Source: Recorded Future)
Applying these criteria, and based on data collected from 2024 to 2026, Insikt Group has assessed the level of risk associated with state digital surveillance in 193 countries:
- Six countries (3%) –– Belarus, China, Iran, Myanmar, North Korea, and Russia –– are “very high risk,” denoting evidence of advanced surveillance capabilities, a lack of independent oversight, regular surveillance targeting foreign businesses and travelers, and widespread suppression of political opposition or dissent.
- 25 countries (13%) are “high risk,” indicating evidence of moderate to advanced surveillance capabilities, limited independent oversight, and the use of surveillance tools to repress domestic political opposition, activism, or reporting critical of the government.
- 74 countries (38%) are “medium risk,” either indicating evidence of advanced surveillance capabilities that are not typically used in violation of national or international laws (19 countries), or evidence of less advanced capabilities that are frequently employed to suppress political dissent and activism (55 countries). While countries in this risk tier may have established systems for oversight or judicial review, government surveillance operations do not always abide by their purview.
- 65 countries (34%) are “low risk,” indicating evidence of moderate to advanced surveillance capabilities exercised under strong oversight with established records of avoiding unlawful or arbitrary surveillance (39 countries), or evidence of limited surveillance capabilities (26 countries).
- 23 countries (12%) are “very low risk,” indicating minimal ability to conduct digital surveillance, well-established oversight mechanisms, and no indications of surveillance abuses.
Taxonomy of Surveillance Capabilities
Digital surveillance technologies are constantly evolving. This report does not seek to create an exhaustive list of specific surveillance tools, but a framework to assess the potential risks posed by the misuse of broad categories of surveillance technologies and tactics. Based on the access point –– where surveillance takes place –– Insikt Group has identified five primary categories of surveillance capabilities, enabling varying levels of access to sensitive data and presenting differing risks of abuse (Figure 2).
These capabilities generally facilitate access to “content data” (referring to the actual content of intercepted traffic), “communications data” (also known as “metadata,” or information about online activity, such as the sender and recipient, IP addresses, or websites visited), or “subscriber data” (referring to information about the user of an account or service, including geolocation). Many jurisdictions afford content data greater legal protection against interference, requiring government agencies to obtain judicial authorization before accessing it. In many jurisdictions, however, metadata or subscriber data is subject to less stringent restrictions and, in some cases, access to this data may not require a court order. At the same time, the distinction between the implications of government access to the content of communications and access to metadata or subscriber data is diminishing, as the latter can often provide just as rich a picture of a target, if not a more detailed one, as the actual content of a message.
Network Interception
Network interception provides access to traffic or data transiting a network and generally involves installing hardware and software at service providers to facilitate interception at the network level. This includes lawful interception, traffic monitoring and deep packet inspection, and requirements for telecommunications companies and internet service providers (ISPs) to store and share user data. Given the potential for these systems to facilitate mass surveillance, a country’s oversight mechanisms and respect for the rule of law can often indicate whether network interception constitutes a likely threat to data security.
Lawful Intercept Systems
Lawful interception (LI) refers to technical systems built into telecommunications networks that allow law enforcement or intelligence services to monitor communications in real time, underpinned by legislation that legally authorizes the interception. These systems vary by jurisdiction, but generally require network operators, telecommunications providers, and ISPs to install equipment and software that enables authorized entities to access user data or communications. In this context, surveillance capabilities are embedded at the ISP or provider level, without compromising individual devices. LI frameworks include those formulated by the European Telecommunications Standards Institute (ETSI) and the Communications Assistance for Law Enforcement Act (CALEA) — which establish LI standards in Europe and the United States (US), respectively — as well as Russia’s System for Operative-Investigative Activities (SORM). The UN warns that systems that permit governments to compel telecommunications companies and ISPs to give them direct access to their networks “are of serious concern, as they are particularly prone to abuse and tend to circumvent key procedural safeguards.”
Russia’s SORM, the foundation of its digital surveillance apparatus, exemplifies risks inherent to LI systems that lack transparency and oversight mechanisms. SORM requires a wide range of service providers to install monitoring devices directly connected to control points (пульт управления) accessible to law enforcement. For instance, in August 2025, the Ministry of Digital Development published requirements for satellite operators to install SORM devices at ground stations to track 5G device traffic connecting to satellite networks beginning in March 2026. While SORM technically requires law enforcement to obtain interception warrants, authorities are not required to show them to service providers.
According to Vas Experts, a Russian SORM provider, “the differences between the ETSI, CALEA, and SORM lawful interception models revolve around the role of law enforcement agencies in the interception process.” In the ETSI and CALEA models, the law enforcement agency merely processes intercepted information that a telecom operator obtains and manages. By contrast, in the SORM model, “an authorized service with a control unit independently establishes control over the user and manages the information acquisition process; the telecom operator’s role is insignificant, consisting solely of purchasing and installing the SORM equipment.” As a result, Boris Goldstein, a telecommunications and SORM expert at the St. Petersburg State University of Telecommunications (СПБГУТ), notes that “in the Russian SORM model, the secrecy of legal interception is the greatest, since control is exercised entirely from the control point, preventing station personnel [referring to service providers] from identifying either the monitored user, or the very fact that SORM measures have been activated.” Further, SORM control point users can initiate commands to cease monitoring of a user and delete all data about the monitored individual, almost certainly reducing the transparency of surveillance operations and creating opportunities for abuse.
Recognizing SORM’s inherent risks to privacy rights, in a 2015 ruling, the European Court of Human Rights found that Russian legal provisions governing the interception of communications did not offer adequate and effective guarantees against arbitrariness and the risk of abuse. In 2018, the UN Human Rights Committee echoed these concerns regarding LI in Belarus, which has implemented a version of SORM since 2010. In January 2025, Insikt Group assessed that Belarus, Cuba, Kazakhstan, Kyrgyzstan, Nicaragua, and Uzbekistan almost certainly purchased technologies from eight Russian SORM vendors. Given the high volume of data that SORM ingests and the opaque nature of its operation, Insikt Group assessed that these countries are high-risk from a state surveillance perspective. Russia’s largest SORM technology providers –– most notably, Citadel, Norsi-Trans, and Protei –– export to and participate in regional trade expositions in Africa, Latin America, and the Middle East, further indicating continued efforts to expand globally.
Traffic Monitoring and Deep Packet Inspection
Deep packet inspection (DPI) technology allows governments or network operators to inspect data packets as they pass through a network point, thereby facilitating the filtering of internet traffic in real time. In addition to enabling selective censorship of websites, these capabilities support surveillance by providing broad visibility into users’ online activities, including the services they used, the websites they visited, and, in some cases, the content of their communications.
An example of an advanced traffic monitoring and DPI system is the “Great Firewall of China,” an informal term for the techniques Chinese authorities employ to inspect, manipulate, and block internet traffic, which constitute the cornerstone of the country’s digital surveillance and censorship system. The Great Firewall combines IP blocking, domain name system (DNS) tampering and hijacking, and DPI and keyword filtering to restrict and monitor online content. In September 2025, InterSecLab reported that Geedge Networks, a private Chinese network intelligence company involved in developing provincial firewalls within China, exported surveillance and censorship capabilities similar to the Great Firewall to Kazakhstan, Ethiopia, Pakistan, and Myanmar between 2019 and 2025. A September 2025 Amnesty International report found that Pakistan’s Web Monitoring System, a national firewall first installed in 2019 using DPI capabilities from Canada-based Sandvine, now deploys DPI technology from Geedge Networks shipped to the country by a subsidiary of the state-owned China Electronics Corporation. In June 2024, Justice for Myanmar reported that Myanmar’s military junta uses Geedge Networks’ Tiangou Secure Gateway (TSG), an internet surveillance and censorship product. According to InterSecLab, TSG “utilizes deep packet and flow inspection techniques on Internet Protocol (IP) packets to facilitate advanced classification, interception, and manipulation of application and user traffic.”
In August 2025, Ethiopian news outlet Borkena reported that Ethiopian telecommunications operators, including Ethio Telecom and Safaricom, implemented DPI technology to filter and monitor citizens’ communications on behalf of Ethiopia’s National Intelligence and Security Service, Information Network Security Administration (INSA), and Federal Police. While Safaricom denied the report, a 2016 Amnesty International report concluded, based on local testimonies and analysis of internet traffic, that the Ethiopian government used DPI to block access to news outlets, political opposition websites, LGBTQ+ websites, and circumvention tools, enabling both censorship and surveillance of internet traffic. In 2014, Human Rights Watch reported that INSA “plays an important role in Internet monitoring and filtering of websites,” is increasingly integrated with Ethio Telecom, and facilitates access to private communications for security and police forces. As early as 2012, a Tor Project report found that Ethio Telecom, then the country’s sole telecommunications service provider and known as the Ethiopian Telecommunication Corporation, had begun testing DPI technology to conduct censorship.
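As an added illustration (not part of the Insikt Group report or any vendor's code), the following Python example shows the report's distinction between “content data” and “communications data” from the vantage point of an inspection point on the network path. It assumes two common cases the report does not itself name, plaintext HTTP and TLS with a Server Name Indication (SNI) extension, and all traffic samples and hostnames are constructed for the example.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record with an SNI extension (constructed sample)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    ext_data = struct.pack("!H", len(entry)) + entry           # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                                # legacy_version
        + bytes(32)                                # random (zeros; constructed)
        + b"\x00"                                  # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the hostname a ClientHello sends in the clear, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    try:
        pos += 1 + body[pos]                                   # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                                   # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                 # server_name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, ValueError):
        return None                                # truncated or malformed input
    return None


def observe(payload: bytes) -> dict:
    """Summarise what one client-to-server payload exposes to an on-path observer.

    The split between the two categories follows the report's definitions; treating
    the URL path and request body as content is an assumption of this example.
    """
    if len(payload) >= 5 and payload[0] == 0x16:   # TLS handshake record
        return {"protocol": "tls",
                "communications_data": {"server_name": extract_sni(payload)},
                "content_data": None}
    if len(payload) >= 5 and payload[0] == 0x17:   # TLS application data (ciphertext)
        size = struct.unpack("!H", payload[3:5])[0]
        return {"protocol": "tls",
                "communications_data": {"record_length": size},
                "content_data": None}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"protocol": "unknown", "communications_data": {}, "content_data": None}
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    return {"protocol": "http",
            "communications_data": {"host": headers.get("host")},
            "content_data": {"path": parts[1], "body": body.decode("latin-1")}}


# Constructed sample traffic (hostnames and payloads are illustrative only).
TLS_HELLO = build_client_hello("intranet.example.com")
TLS_APPDATA = b"\x17\x03\x03\x00\x10" + bytes(16)
HTTP_POST = (b"POST /notes HTTP/1.1\r\nHost: example.com\r\n"
             b"Content-Length: 17\r\n\r\nnote=meeting+at+9")

if __name__ == "__main__":
    for label, sample in (("TLS hello", TLS_HELLO), ("TLS data", TLS_APPDATA),
                          ("HTTP", HTTP_POST)):
        print(label, observe(sample))
```

Even when the content of a session is encrypted, the destination name and record sizes in this example remain readable, which is the kind of metadata the taxonomy section describes as often providing as rich a picture as message content.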
Access to Stored Data
Mandatory data retention laws and provisions requiring providers to share stored information with law enforcement and intelligence services support government collection of subscriber and communications data. The risk of abuse is particularly high where data retention regimes do not align with principles of proportionality, or lack clear oversight and judicial authorization requirements for access to and use of collected data. In 2018, an Office of the UN High Commissioner for Human Rights (OHCHR) report assessed that laws requiring telecommunications companies to indiscriminately store all traffic and subscriber data “exceed the limits of what can be considered necessary and proportionate.”
Since 2024, Insikt Group has identified multiple instances of governments imposing data retention requirements that likely pose a heightened state surveillance risk, given their lengthy timeframes, a lack of legal authorization to access collected data, and vaguely defined use cases:
- Ecuador’s June 2025 Organic Law of Intelligence compels telecommunications providers to share historical and real-time information on subscribers’ communications and connections with the National Intelligence System without the requirement of a judicial order. Article 51 of the law states that providers must share “historical and real-time information on communications and connections of related telephone subscribers, technical information, computer, digital telecommunications, the location of cells where terminals are located, and any other information that facilitates their identification and location” for intelligence and counterintelligence activities. Digital rights organizations challenged the law’s constitutionality, arguing that it enabled mass surveillance and violated the requirements of necessity, proportionality, and oversight.
- Myanmar’s January 2025 Cybersecurity Law requires online service providers to store user data, including IP addresses and browsing logs, for three years and provide it to authorities upon request. Compliance failures are punishable by temporary or permanent suspension of the online service provider’s right to operate. A May 2025 report from Human Rights Myanmar found that appeals against surveillance or takedown orders are handled by military-controlled bodies, “making every data request opaque and arbitrary.”
- Nicaragua’s October 2024 General Law of Convergent Telecommunications requires telecommunications service providers to share any requested information with the Nicaraguan Institute of Telecommunications and Postal Services (TELCOR), including geolocation. Digital rights groups assessed that the law enables unfettered government access to user data, and the UN Group of Human Rights Experts on Nicaragua reported in March 2026 that TELCOR’s digital surveillance activities violate the rights to freedom of expression and privacy. In September 2024, the Nicaraguan National Assembly approved reforms to the Criminal Procedure Code, allowing the National Police to access a wide range of user data from telecommunications companies without a court order, including call logs, text and voice messages, geolocation, and IP addresses.
Case Study: Internet Infrastructure Control as Network Surveillance Enabler
Direct control over internet and telecommunications infrastructure –– either through ownership of critical providers, or measures to require all service providers in a country to use state-owned infrastructure in their networks –– almost certainly supports governments’ ability to conduct network surveillance and exert leverage over these providers to obtain communications and subscriber data.
In October 2025, Nikkei reported that Cambodia plans to build key infrastructure for the pending National Internet Gateway in 2026. The project aims to centralize internet traffic, enable the government to force ISPs to block or restrict content, increase the government’s ability to surveil users’ online activity, and require operators to collect and store bulk data. The gateway will consist of a Domestic Internet Exchange (DIX) and an International Internet Gateway (IIG); all telecommunications operators, ISPs, data centers, and content providers must connect to the DIX, and operators of submarine cable landing stations and satellite ground stations must connect to the IIG or risk suspension of operating licenses. Provisions of the February 2021 subdecree require National Internet Gateway operators to retain traffic data for one year and to provide other network information upon request by authorities. A February 2022 UN report assessed that the plan “grants exhaustive power to so-called National Internet Gateway operators to monitor websites that people visit, as well as the metadata related to every website visit.”
In July 2025, Kyrgyzstan’s President Sadyr Japarov signed a decree granting state-owned company ElCat a one-year monopoly over international internet bandwidth, effective August 15, 2025. The decree also required all other providers to shift their contracts to ElCat within two months, likely expanding the government’s ability to monitor internet traffic.
Endpoint Compromise
Endpoint surveillance enables operations focused on specific individuals without requiring access to broader telecommunications infrastructure. Unlike network surveillance, endpoint surveillance tools –– including commercially available spyware, custom malware, and digital forensics tools –– generally do not require permanent installation on a network, and enable highly targeted access to individual devices. Endpoint compromise systems often conduct surveillance on far fewer users than network surveillance, but enable extremely intrusive access to individual targets’ data.
Commercial Spyware
Commercial spyware, such as NSO Group’s Pegasus, can be deployed on a victim’s device to exfiltrate files, activate microphones and cameras, and monitor activity in real time. These technologies are developed by private companies and marketed toward government users, such as intelligence, law enforcement, or military agencies (though there are documented use cases of a wide range of government actors obtaining these tools). Often bundled with support teams and training manuals, commercial spyware can serve as a relatively user-friendly surveillance solution for governments with otherwise limited digital surveillance capabilities. Since March 2023, 23 countries have endorsed the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware, which calls for guardrails to prevent the misuse of commercial spyware to violate civil liberties and to prevent its export to end-users likely to deploy such technologies for malicious cyber activity. As commercial spyware relies on zero-day exploits for deployment, Insikt Group previously assessed that, in addition to posing serious human rights concerns, its misuse threatens the broader cyber ecosystem by enabling the proliferation of critical vulnerabilities.
From 2024 to 2026, Insikt Group investigations found evidence that at least sixteen countries — including Angola, Armenia, Azerbaijan, Botswana, the Democratic Republic of the Congo (DRC), Egypt, Hungary, Indonesia, Iraq, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago — had deployed Predator or Candiru spyware. With the exception of Botswana, Mongolia and Trinidad and Tobago, Insikt Group assesses that the state surveillance risk level in these countries is “medium” or “high,” largely reflecting limited oversight mechanisms and a history of misuse of surveillance capabilities.
- In February 2024, Insikt Group identified new infrastructure associated with Predator spyware, indicating likely continued use in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago, with Botswana and the Philippines representing new Predator customers.
- In September 2024, Insikt Group identified Predator infrastructure likely linked to Angola and a customer in the DRC –– a country not identified as a Predator spyware user in previous Insikt Group reporting.
- In June 2025, Insikt Group identified infrastructure tied to known Predator operators, indicating use in Mozambique for the first time.
- As of December 2025, Insikt Group assessed that Predator activity in Angola, Kazakhstan, Mongolia, and Saudi Arabia remained ongoing; identified new evidence of a Predator spyware customer in Iraq, which likely remained operational in 2025; and uncovered infrastructure indicators likely associated with use of Predator spyware linked to Pakistan –– though it was unclear whether these were deployed against Pakistani targets or involved a customer operating from Pakistan.
- In August 2025, Insikt Group found new infrastructure associated with the spyware vendor Candiru, including components likely used for deploying DevilsTongue spyware; at the time of reporting, five clusters were likely still active, including those linked to Hungary and Saudi Arabia.
Subsequent investigations have revealed continued use of commercial spyware in these jurisdictions, including against members of civil society, journalists, and activists. For example, in February 2026, Amnesty International reported that Predator spyware targeted Angolan journalist Teixeira Cândido in 2024, the first forensically confirmed case of the spyware targeting a member of Angolan civil society. In October 2025, a Lighthouse Reports investigation found that First Wap, a surveillance company registered in Indonesia, had marketed its Altamides technology for mobile device geolocation for use against Indonesian and global activists, journalists, diplomats, and businesses.
Since January 2025, public reporting has also indicated the use of commercial spyware to surveil activists and journalists, even in countries generally assessed to pose a lower surveillance risk. In June 2025, Italy and spyware vendor Paragon ended their contract following allegations that Rome used the spyware to target critics. In January 2025, WhatsApp notified approximately 90 account users in two dozen countries that they had been targeted with Paragon’s spyware, including journalists and members of civil society. In March 2025, Citizen Lab conducted a forensic analysis of the January 2025 WhatsApp notifications that concluded that three devices in Italy — belonging to a journalist and two founders of a migrant rescue organization — were among the targeted devices. In June 2025, Paragon stated that it canceled its contract with Italy after the Italian government declined the company’s offer to assist in investigating whether its spyware had been used against a journalist in violation of Italian law and Paragon’s terms of service.
Custom Malware
In addition to commercially available spyware, governments with advanced cyber capabilities often employ sophisticated, bespoke malware developed by intelligence or military entities to conduct surveillance of end users. Because these tools are custom-built, they can be harder to detect, and the state exerts greater control over the infrastructure and supply chain, complicating efforts to prevent or stop their deployment by pressuring suppliers.
For instance, China’s surveillance capabilities are almost certainly supplemented by advanced surveillance tools developed by the Chinese government and its contractors. In November 2025, leaked data from China-based cybersecurity firm Knownsec supported assessments that the company is almost certainly a trusted vendor for Chinese authorities and had very likely developed offensive cyber tools for the Ministry of Public Security (MPS) and elements of the Chinese military, including the People’s Liberation Army (PLA), in addition to defensive solutions. Samples of leaked documents referred to a tool called GhostX, a Windows remote access trojan (RAT) that reportedly enables file browsing, screen monitoring, keystroke logging, and password extraction. In December 2024, researchers at Lookout Threat Lab uncovered a “mobile phone judicial monitoring product” known as EagleMsgSpy, which has been operational since 2017 and is likely developed by Chinese software company Wuhan Chinasoft Token Information Technology Co., Ltd., for use by public security bureaus. The tool, which targets Android devices, reportedly requires physical access to a device for installation and collects extensive data, including SMS and third-party chat messages, screen and audio recording, call logs, device contacts, location data, and network activity. In February 2024, an online leak of documents from private security contractor I-SOON, which has contracted with the MPS, detailed multiple tools I-SOON provided to a wide range of public sector clients in China. Among other products and services, I-SOON directly or indirectly supplied Chinese public security clients with automated website penetration systems, password-cracking platforms, social media control and forensics platforms, WiFi close-in attack equipment, services for penetrating websites, and services for collecting and analyzing intelligence.
In December 2025, Reporters Without Borders (RSF) identified a previously unknown spyware called ResidentBat, which it assessed Belarus’s State Security Committee (KGB) had used since at least 2021 to access call logs, SMS messages, and locally stored files on the devices of detained activists and journalists. While RSF stated that it lacked concrete evidence of ResidentBat’s origin, it assessed that the spyware was likely either “developed in-house by the KGB; or purchased as a white label solution by the KGB or developed by a commercial third party for the KGB.”
Case Study: How State Mobile Applications Can Enable End-User Surveillance
Government-mandated software can enable endpoint surveillance by leveraging extensive access to mobile device functions, such as cameras and microphones, photos and files, contact lists, or device location. North Korea’s “Mobile User Identification App” is a clear example of how the mandated installation of state-developed applications facilitates end-user surveillance by exploiting access to mobile devices. In July 2025, a Daily NK report analyzing the application — which North Korea’s government installed on all devices to identify smartphone users — found that it enables continuous surveillance by automatically launching at device power-on and has permission to read or write files. Further, the Kwangmyong application, which smartphone users must install to access North Korea’s intranet, reportedly enables the Ministry of State Security and other agencies to monitor users’ activities in real time. In 2017, security researchers analyzing North Korea’s Ullim tablet found pre-installed applications enabling government surveillance, including “Red Flag” software. The program, which runs in the background on a device, takes a screenshot every time the user opens an app, records browser history, and identifies attempts to tamper with core operating system files. A second app, “Trace Viewer,” allows users to view (but not delete) the history recorded by Red Flag; researchers note that this app is provided to show Ullim tablet users that everything they do on the device is recorded.
In December 2025, India revoked an order requiring smartphone manufacturers to pre-install the Sanchar Saathi cybersecurity application on all devices, following backlash from digital rights organizations and technology companies over privacy concerns. In November 2025, India’s Department of Telecommunications had ordered smartphone manufacturers to install the app on all new mobile phones and issue software updates to install the app on existing devices within 90 days, alongside a provision that “[the application’s] functionalities cannot be disabled or restricted.” The government has stated that the app –– which allows users to check a device’s International Mobile Equipment Identity (IMEI), report lost or stolen devices, and report suspected fraudulent communications –– does not collect personal data without notification. However, the app reportedly requires access to cameras, photos, and files for iPhone users, and permissions to access call logs, send messages for registration, make and manage phone calls, and view cameras and photos for Android users. The Internet Freedom Foundation assessed that mandatory installation of the app would enable surveillance and violate the principle of proportionality, given the availability of less intrusive means to verify IMEI numbers and report fraud.
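Both cases above turn on which device functions a mandated application can reach and whether it starts automatically at power-on. As an added example (not taken from the report or from any application it names), the following Python sketch audits a decoded AndroidManifest.xml, such as one produced by apktool, for those two signals; the sample manifests, package names, and review threshold are constructed assumptions, while the permission and broadcast names are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Device functions named in the case study, mapped to Android permission names.
CAPABILITIES = {
    "camera": {P + "CAMERA"},
    "microphone": {P + "RECORD_AUDIO"},
    "photos_and_files": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE",
                         P + "MANAGE_EXTERNAL_STORAGE", P + "READ_MEDIA_IMAGES"},
    "contacts": {P + "READ_CONTACTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION",
                 P + "ACCESS_BACKGROUND_LOCATION"},
    "call_logs": {P + "READ_CALL_LOG"},
    "sms": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS"},
    "phone_calls": {P + "CALL_PHONE", P + "READ_PHONE_STATE", P + "ANSWER_PHONE_CALLS"},
}
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.LOCKED_BOOT_COMPLETED"}


def parse_manifest(xml_text):
    """Parse a decoded manifest; a manifest never needs a DTD, so refuse one."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a manifest")
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")
    return root


def requested_permissions(root):
    """Collect names from <uses-permission> and <uses-permission-sdk-23>."""
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.findall(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def boot_receivers(root):
    """Return receivers whose intent filter subscribes to a boot broadcast."""
    found = []
    for receiver in root.findall("application/receiver"):
        actions = {a.get(ANDROID_NS + "name")
                   for a in receiver.findall("intent-filter/action")}
        if actions & BOOT_ACTIONS:
            found.append(receiver.get(ANDROID_NS + "name", "<unnamed>"))
    return found


def audit_manifest(xml_text, review_threshold=3):
    """Summarise sensitive capability groups and power-on autostart.

    review_threshold is an illustrative assumption, not a standard.
    """
    root = parse_manifest(xml_text)
    perms = requested_permissions(root)
    capabilities = {cap: sorted(perms & wanted)
                    for cap, wanted in CAPABILITIES.items() if perms & wanted}
    receivers = boot_receivers(root)
    # Autostart needs both the permission and a receiver listening for boot.
    autostart = bool(receivers) and (P + "RECEIVE_BOOT_COMPLETED") in perms
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "boot_receivers": receivers,
        "autostart": autostart,
        "needs_review": len(capabilities) >= review_threshold
                        or (autostart and bool(capabilities)),
    }


# Constructed sample: a hypothetical mandated app, not any real product.
SAMPLE_MANDATED = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.mandatedapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an app that only requests network access.
SAMPLE_BENIGN = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_MANDATED, SAMPLE_BENIGN):
        print(audit_manifest(sample))
```

The audit reads only what an application declares in its manifest; it does not show which permissions a user has granted or how the application uses them at runtime.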
Digital Forensics Tools
Digital forensics tools, such as Cellebrite’s Universal Forensic Extraction Device (UFED), enable the recovery, preservation, and extraction of data on seized digital devices. In contrast to spyware, these tools do not perform remote, real-time surveillance and generally require physical access to the device. Nevertheless, a lack of effective law enforcement oversight and respect for civil liberties during arrest, detention, and interrogation can facilitate abuses of these tools.
In March 2026, Radio Free Europe/Radio Liberty (RFE/RL) reported that Kazakh authorities had likely used Cellebrite’s UFED to access the locked mobile device of an activist detained in January 2026, who the authorities believed had criticized the government on social media. The activist alleged the Kazakh government had configured the 2GIS map application on their Xiaomi Redmi Note 10 smartphone to broadcast the device’s location upon internet connection. Citing import-export data, RFE/RL’s Kazakh service found that Kazakh companies AskomMET and IRPLAB imported UFED systems from Georgian Digital Forensics, a regional representative of Cellebrite, three times in 2022–2023. The Center for Forensic Expertise under Kazakhstan’s Ministry of Justice confirmed use of UFED, along with digital forensics software from South Korean software company GMDSOFT.
In December 2024, Amnesty International reported that Serbian police and the Security Information Agency (BIA) used Cellebrite products to install NoviSpy –– an Android spyware that captures data and remotely activates the device’s microphone and camera –– on activists’ phones. Authorities used Cellebrite UFED exploits to unlock detainees’ devices during police interviews, enabling the covert installation of spyware. In February 2025, following these reports, Cellebrite stated that it had stopped working with some Serbian customers after an investigation into the use of its products in violation of its ethics and integrity policies.
Platform-Level Access
This category of surveillance encompasses government requests to online platforms and technology companies to store and share subscriber data, as well as monitoring of social media activity. While these methods often enable access to metadata and subscriber data, rather than the content of online communications, governments can leverage access to these categories of information to gain insight into an individual’s identity, location, beliefs, and patterns of behavior.
Direct Requests to Online Platforms
Governments frequently make direct requests to online platforms for user data, leveraging legal requirements for service providers to comply with these requests. While online platform service providers are not always subject to the same blanket metadata retention laws as telecommunications operators or ISPs, government entities can order these companies to share specific content and account-level data, depending on local laws. This data can include private messages, email content, user profile information, IP address, or login history associated with a specific account.
Recent reports indicate that the Russian government is requiring major web platforms and businesses to collect data on customers using virtual private networks (VPNs), supporting government efforts to identify and monitor users’ online activity. On April 5, 2026, Russian news outlet RBK reported that the Ministry of Digital Development had disseminated guidelines to major internet platforms for detecting VPN use on customer devices, after Minister Maksut Shadayev reportedly instructed these platforms to restrict access to services for users with VPNs enabled by April 15. An RKS Global investigation analyzed 30 popular Russian applications –– including the search engine Yandex, the social media platform VKontakte, and Sberbank’s mobile banking application –– and found that 22 of them actively detected VPN use and 19 retained data on their servers that law enforcement agencies could access upon request. Yandex’s browser application also searched for the use of the anonymous browser Tor, and two applications –– the food delivery app Samokat and marketplace app MegaMarket –– obtained a list of all VPN apps installed on the device.
In January 2025, Switzerland proposed metadata retention requirements under which service providers with more than 5,000 users, including VPNs, encrypted email, and messaging platforms, would collect government-issued identification and retain subscriber data for six months. While the Swiss Federal Assembly accepted a motion in December 2025 to revise the legislation pending the commission of an independent analysis, the original proposal required the collection of email addresses, phone numbers, IP addresses, and device port numbers, and required service providers to share information with the government on request, even without prior judicial authorization. In February 2026, nineteen civil society organizations published a letter expressing concerns about the proposal, stating that indiscriminate metadata retention would impose an unacceptable surveillance risk and violate principles of necessity and proportionality.
Vietnam’s Decree 147, in effect from December 2024, compels social media platforms that provide services to individuals in Vietnam to maintain user account information, login times, IP addresses, and activity logs for 24 months; store this data locally; and share it with Vietnam’s Ministry of Information and Communications and Ministry of Public Security upon request. Digital rights groups have criticized the decree for failing to require the government to obtain authorization from an independent authority prior to accessing user data.
Social Media Monitoring
Social media monitoring refers to the collection and processing of personal data shared on social media platforms, either manually or using keyword-based or scraping tools that facilitate aggregation and analysis of large amounts of content and metadata. Such tools and techniques do not necessarily require exploiting vulnerabilities to obtain access to devices or accounts. However, they can still enable mass surveillance of online activity that violates the principles of necessity and proportionality. Even manual monitoring of public-facing social media profiles can expose users’ private information or allow it to be inferred, including political or religious beliefs, sexual orientation, close relationships, and habits –– information that government operators can use to inform further surveillance efforts, gain leverage over a target, or justify punitive legal actions. The Electronic Frontier Foundation notes that governments can gain “vast amounts of personal information from viewing such profiles, invading privacy and implicating legal rights.”
In December 2025, the United States Customs and Border Protection agency (CBP) filed a proposal to add social media as a “mandatory data element for an ESTA [Electronic System for Travel Authorization] application.” The proposal would require all ESTA applicants and visitors eligible for the US visa waiver program –– which allows individuals from 42 countries to travel to the US for up to 90 days upon obtaining electronic travel authorization –– to provide access to their social media from the last five years to CBP, almost certainly supporting CBP and law enforcement surveillance of social media activity. Additionally, in March 2025, US Citizenship and Immigration Services published a “Generic Clearance for the Collection of Social Media Identifier(s) on Immigration Forms,” authorizing the collection of social media handles on nine common immigration forms, including applications for naturalization and permanent residency. Shortly afterward, the State Department announced a joint program termed “Catch and Revoke,” which planned to use AI to review student visa holders’ social media accounts for “alleged terrorist sympathies” or “antisemitic activity.” In June 2025, the US Department of State instructed all applicants for F, M, and J nonimmigrant visas to set their social media profiles to public –– facilitating the monitoring of the social media activity of a broad range of foreign nationals seeking to enter the US.
In Venezuela, an October 2013 decree created the now-defunct Strategic Center for Security and Homeland Protection (CESPPA), responsible for collecting information “of strategic interest” to the Venezuelan government. The agency was believed to have monitored activity on social media platforms. In 2014, CESPPA Internal Regulations expanded the agency’s scope to the analysis of social networks, with Article 8 stating that “the Directorate of Technological and Information Studies” (Dirección de Estudios Tecnológicos y de Información) will conduct studies of social networks and technologies. While current Acting President Delcy Rodríguez, via Decree No. 5.248, ordered the elimination of CESPPA in February 2026, this decree also indicated that CESPPA’s mission “has been assumed by other State entities” –– very likely suggesting a transfer of responsibility, rather than the elimination of social media monitoring functions.
Case Study: Platform-Level Surveillance via National Messengers
In 2025 and 2026, several governments have implemented efforts to promote state-backed or state-developed messenger platforms. These messaging applications often incorporate a wide range of other functions, such as digital payments or identification, that lack end-to-end encryption or other privacy protections. Unlike state-mandated applications that can facilitate end-user surveillance by exploiting privileged access to devices, a primary surveillance risk associated with national messengers is a lack of security features, such as end-to-end encryption, that protect user data and communications within the messenger platform. This risk is likely greatest where the government mandates the use of national messengers, curbs access to more secure alternatives, or restricts independent development of alternatives.
Since mid-2025, the Russian government has widely promoted its state-backed messenger application, Max; blocked access to popular alternative applications, including WhatsApp and Telegram; and restricted access to VPNs used to circumvent such blocks. Max lacks end-to-end encryption, and the Kremlin has increasingly sought to mandate its use to obtain public services and access official communications, prompting concerns that the application facilitates government surveillance. Similarly, in September 2025, Kazakhstan began shifting official communications to state-backed messenger Aitu. In November 2025, Tajikistan launched a national messaging application, ORIZ, developed by the state-run Tajiktelecom, with all servers hosted within the country. Billed as an effort to support “digital sovereignty,” ORIZ has also raised surveillance concerns.
Public Space Surveillance
Public space surveillance, also known as street-level surveillance, uses digital infrastructure to track individuals as they move through public spaces. This category of surveillance includes cell site simulators collecting data within a geographic radius, as well as localized public security infrastructure, such as Safe City projects. Without appropriate oversight mechanisms and limitations on use, the proliferation of these systems can enable indiscriminate monitoring of individuals in public or semi-public spaces, potentially infringe on freedoms of assembly and protest, and violate data privacy laws.
Safe City Projects and Facial Recognition
“Safe City” or “Smart City” security projects integrate closed-circuit television (CCTV) camera surveillance networks with other security systems, data analytics, cloud storage systems, and law enforcement monitoring centers. Safe City projects, particularly those using solutions from Chinese technology firms Huawei, Dahua, and Hikvision, have proliferated in Africa, Central Asia, and Eastern Europe. These systems often incorporate AI-powered facial recognition and automatic license plate recognition (ALPR) capabilities. An October 2023 UN Human Rights Council resolution found that “remote biometric surveillance systems, including facial recognition, raise serious concerns about their proportionality, given their highly intrusive nature and broad impact on large numbers of people.”
While these systems are generally advertised as supporting legitimate security purposes, Insikt Group has identified evidence of government agencies deploying them to repress political dissent and target ethnic minority populations. Following large-scale protests in Türkiye in March 2025 triggered by the arrest of Istanbul Mayor Ekrem İmamoğlu, Turkish authorities deployed AI-powered facial recognition systems to identify and detain protesters. Police reportedly demanded that demonstrators uncover their faces in order to be filmed and, the morning after demonstrations took place, arrested multiple protesters who were likely identified through facial recognition. One day after İmamoğlu’s arrest, the General Directorate of Security reportedly issued procurement tenders for 13,000 facial recognition cameras and other crowd-control technologies, very likely in anticipation of deploying these capabilities against protesters.
Extensive installation of CCTV cameras under “Safe City” projects in Yangon, Mandalay, Naypyidaw, and other major cities in Myanmar — largely supplied by Chinese technology firms Huawei and Dahua — almost certainly supplements Myanmar’s government surveillance capabilities. In May 2025, advocacy group Human Rights Myanmar reported that, “within months of installation, there were allegations that individuals from ethnic minority groups were being flagged by these CCTV cameras based on their clothing, and subsequently detained without charge, held incommunicado for weeks.” That report also noted concerns that military facial recognition systems were primarily trained on images of ethnic Bamar men, resulting in higher levels of false positives for women and ethnic minorities.
Cell Site Simulators
Cell site simulators (CSS), or international mobile subscriber identity (IMSI) catchers, can detect and identify mobile devices –– and, in some cases, intercept device traffic –– within a given geographic area. These tools function by emitting a stronger signal than legitimate cell towers, luring nearby mobile devices to connect to CSSs in order to collect IMSIs. IMSI data consist of unique identifiers stored on a device’s SIM card that identify a user on a cellular network. CSSs can also enable real-time location tracking and, in some cases, intercept communications. Government operators can use these tools to collect IMSIs within a certain radius, enabling the indiscriminate collection of identifying information about mobile device users (and potentially communications content) in an area, including private spaces that would otherwise require a warrant to access.
In May 2025, the digital rights non-profit organization TEDIC reported that the Paraguayan government issued a procurement notice for surveillance software worth $12 million, including an IMSI-catcher system for the Ministry of the Interior. TEDIC also identified procurement records from the Ministry of the Interior in 2014 that awarded bids for unspecified interception equipment to Israeli firm Septier Communication, known for manufacturing IMSI catchers. In an October 2025 report, TEDIC assessed that “the lack of transparency and public oversight in the deployment of these mass surveillance tools raises serious concerns about privacy and the protection of fundamental rights.”
Case Study: Crowdsourced Surveillance via Digital Applications
Digital informants incorporate aspects of traditional human intelligence (HUMINT) and digital surveillance. In this surveillance technique, intelligence and law enforcement agencies have deployed networks of individuals tasked with collecting digital information, often in search of evidence, not easily collected via other means, of activities or beliefs deemed to pose a threat to government interests. An inherent risk with this mode of surveillance is the lack of oversight and accountability for informants, potentially enabling pervasive surveillance of individuals beyond the confines of national or international law.
In September 2023, Iranian opposition media reported that the Iranian government had developed a mobile application called “Nazer” (ناظر), allowing volunteers vetted by the Police Command of Iran (FARAJA) to report unveiled women in public. According to a March 2025 UN report, once volunteers were approved to use Nazer, they could select types of violations to report (for instance, “improper hijab” or “removal of hijab”) and add the location, date, time, and the license plate number of the vehicle in which the alleged infraction occurred. When volunteers uploaded reports, the application would send a text message to the registered owner of the vehicle, warning them that they had been found in violation of the law and that their vehicle would be impounded. In January 2024, Miaan Group’s FilterWatch project reported that the Nazer application’s code shows that future updates could expand its use to solicit reports of other activities prohibited by the government, such as protesting or consuming alcohol. Authorities had previously established a phone line and messaging service for members of the public to report offenders.
In 2024, the government of former Venezuelan President Nicolás Maduro openly encouraged Venezuelan citizens to inform on neighbors involved in anti-government protests via VenApp, a government application initially created to report public service failures. Maduro announced on July 30, 2024 — amid widespread anti-government protests in the context of the contested July 28, 2024, presidential election — that the application would enable an option to report the personal information and addresses of targeted individuals, although major app stores subsequently removed the application.
Data Aggregation
Data aggregation refers to government access to personal information through centralized or compiled repositories, such as data brokers, public records systems, or biometric databases, rather than through communications in transit or direct access to a user’s device. While often not overtly linked to surveillance or security initiatives, these systems enable authorities to collect, merge, and query sensitive information about individuals across multiple domains of life, supporting the identification, profiling, and tracking of individuals at scale. An October 2022 OHCHR report found that government use of surveillance services offered by businesses, including data brokers, can circumvent procedural restrictions and safeguards, allowing governments to indirectly access tools or information without legal authorization that they could not have obtained otherwise without contravening human rights obligations.
Access to National Databases
In April 2025, the Myanmar Internet Project reported that Myanmar’s military junta had built a national database by integrating personal data from a wide range of sources, enabling mass surveillance. The database draws on SIM card registration records, national identity cards, CCTV networks, the Guest List Management System that tracks stays at hotels, the Myanmar Advanced Passenger Processing System implemented at airports, and the National Service Information Management System used to identify conscription and labor status. An August 2025 report assessed that this database is “designed to eliminate anonymity by fusing personal, travel, and financial data,” creating a comprehensive profile of individuals that assists Myanmar’s government in profiling and targeting dissidents.
Since early 2025, the Russian government has expanded its efforts to collect data on foreign nationals, almost certainly indicating an increased risk of surveillance targeting foreign visitors and residents. A forthcoming “digital profile” of foreign citizens, expected to be developed by June 2026, will incorporate extensive personal and biometric information on foreign nationals and stateless individuals in Russia from multiple government agencies and databases. According to a draft regulation published in January 2026, individuals will also be required to provide family information to the state, which will form the basis of a “family dossier.” The July 2025 executive order underpinning the profile lists 25 categories of data to be collected by at least fourteen agencies, including the Ministry of Internal Affairs; Federal Security Service (FSB); Ministry of Foreign Affairs; Ministry of Digital Development; Ministry of Agriculture; the Ministry of Science and Higher Education; Federal Tax Service; the Bank of Russia; the Social Fund of Russia; the federal real estate registry; and federal bodies overseeing education, public health, and consumer protection.
In May 2026, the cybersecurity-focused NetAskari blog identified a software demo for a people-tracking dashboard that illustrates the Chinese public security apparatus’s goal of aggregating data from disparate sources to build detailed and highly personalized profiles of individuals, almost certainly in support of surveillance efforts. Named the “Dynamic Control Platform for Overseas Personnel,” the demo system aggregates access to information such as registered address, visa details, employer, frequently visited locations, physical movements, and social relations to enable individual-level tracking. Although not itself connected to real-time data sources, systems like these would connect to China’s large-scale networks of surveillance cameras with facial recognition and other data sources to enable investigations and close monitoring of targeted groups. A review of the system by The Telegraph found that the demo system included data from as early as 2021 on foreign students, foreign spouses of Chinese citizens, and foreign journalists; for example, a “relational mapping tool” in the dashboard appeared to enable identification of foreign individuals photographed together within a specific district.
In many countries where SIM card registration is mandatory, registrants must provide national identification numbers as part of the application. While these regulations are often introduced to prevent fraud, they also very likely undermine the anonymity of online communications. Approximately 160 countries require SIM card registrants to provide a national identity card or passport, and at least 35 also require biometric data, such as fingerprints or facial images. Privacy International notes that, without comprehensive data protection legislation and judicial oversight, the collection of this data can enable government access to extensive citizen profiles, thereby supporting surveillance.
Collection and Exploitation of Biometric Data
Biometric databases are centralized repositories that store unique physical or behavioral identifiers, such as facial images, fingerprints, iris scans, voiceprints, or DNA profiles, for the purpose of identifying or verifying individuals. In the surveillance context, they allow governments to match a person’s data across different systems and settings, linking identity to other forms of personal data held in administrative, security, or law-enforcement databases. A 2022 UN General Assembly resolution on the right to digital privacy states that large-scale processing of
“biometric data and data on an individual’s behavior, social relationships, race or ethnicity, religion or belief … can pose serious risks to the enjoyment of the right to privacy, especially when done without proper safeguards, in particular when employed for identification, tracking, profiling, facial recognition, classification, behaviour prediction or scoring of individuals.”
Russia’s “digital profile” for foreign nationals, outlined above, coincides with recent initiatives to expand the collection of biometric data. Specifically, the collection of biometric and health data would likely enable the Kremlin to use seemingly non-political reasons to levy very likely politically motivated administrative or criminal penalties on an individual. In July 2025, the Russian government approved a measure requiring foreigners receiving mobile phone services to submit biometric data to Russia’s Unified Biometric System (UBS), a state database. In February 2025, Digital Development Minister Maksut Shadayev stated that the government was pursuing the integration of UBS into all businesses within two years.
In February 2025, Finland’s Ministry of the Interior proposed amendments to biometric data regulations that would allow law enforcement to use biometric data collected in existing passport and identity card registers for criminal investigations. The amendments would specifically apply to facial images and fingerprints stored in the police passport register and the identity card register, as well as to the biometric data of foreign nationals stored in the registers of the Finnish Immigration Service. The proposal would also allow the Finnish Security Intelligence Service (Supo) and Finnish Defence Forces to access biometric data “when national security is severely threatened,” and enable sharing with the Schengen Information System, which facilitates information-sharing on people and objects between over 300 European border, police, customs, and judicial authorities. While the Ministry of the Interior stated that the Finnish security services could only use data to investigate predefined serious offenses at the request of law enforcement or a commanding police officer of Supo, digital rights advocates criticized the proposed expansion of biometrics beyond the original intent of collection in the registers and expressed concern that this would violate privacy rights. In April 2026, Finland’s Constitutional Law Committee assessed that the proposal did not fully meet proportionality requirements due to its overbroad wording and must be “significantly specified,” including explicitly limiting covered crimes to include only serious offenses and establishing requirements for prior authorization by an independent body for use of biometric data for criminal investigations.
Case Study: Privacy and Surveillance Implications of National ID Cards
Mandatory digital identity card systems can enable digital surveillance by facilitating the collection of a wide range of personal data and linking individuals’ real-name identities to their online activities. These systems, often required to access public services, typically assign ID numbers to individuals linked to their government-issued identification and store large amounts of personal data –– such as name, birth date, gender, identifying characteristics, address, and photograph –– in a centralized database. Increasingly, such systems include biometric information, such as fingerprints, iris scans, or DNA. While these systems enable access to a wide range of public and private services, and biometric identification specifically can help combat fraud, digital rights groups frequently warn of their potential to facilitate surveillance abuses without appropriate oversight and safeguards on data access. A 2025 UN report found that “as a key layer in allowing data-intensive transactions across domains, digital public infrastructure can enable arbitrary surveillance.” As such, their use is particularly problematic in countries with a history of unlawful, arbitrary, or mass surveillance, and where data protection and oversight mechanisms are lacking.
For example, in July 2025, Myanmar signed a memorandum of understanding with India to collaborate on a digital ID system modeled after India’s Aadhaar system. In November 2025, the Myanmar Ministry of Information announced the start of the digital ID pilot and integration tests. However, data from the e-ID system will almost certainly be integrated with the national database system previously outlined to support intelligence collection and surveillance targeting perceived threats to the ruling military government.
In February 2025, Senegal launched a digital strategy aiming for 90% adoption of a digital ID by 2034. Under Law No. 2016-09, the ECOWAS Biometric Identity Card has been mandatory for citizens aged 15 or older since 2016 and is required to access mobile service, bank accounts, and public utilities. In December 2025, the Institute of Development Studies assessed that Senegal’s digital ID system “is vulnerable to state surveillance and political misuse due to weak parliamentary and administrative controls.” Specifically, the report found that a lack of oversight and accountability mechanisms regulating access to and use of ID data, combined with the linking of the ID to banking and mobile phone accounts, “provides the Senegalese state with a potentially powerful real-time panoptic surveillance capability.”
Predictive Policing
Data analytics tools used to predict where future crimes may occur –– or flag specific individuals as likely to pose a security threat –– are known as predictive policing tools. These tools ingest massive quantities of data, including criminal and arrest records, crime statistics, social media data, and communications data. However, there is a well-documented risk that racial and other biases may appear in the results. An October 2025 OHCHR report noted that predictive tools “often display significant biases, often as a consequence of historical biases in law enforcement and criminal justice systems, adversely affecting racial, ethnic and religious minorities in particular.” Reflecting these risks, in September 2025, Peru adopted legislation regulating the use of AI in the public sector, including defining “improper use” of AI to include unlawful mass surveillance, real-time biometric surveillance in public spaces (except under narrowly defined exceptions) and predictive policing.
In July 2024, South Korea’s Electronics and Telecommunications Research Institute announced the development of the “Dejaview” predictive policing system, which uses historical crime statistics to analyze real-time CCTV footage, flag potential criminal scenarios, and identify high-crime areas. Under the Public Security Technology Plan, South Korea’s National Police Agency aims to incorporate crime prediction capabilities into CCTV and facial recognition systems. However, in a February 2025 report, the Korean Progressive Network Jinbonet and Institute for Digital Rights expressed concerns that “legality assessment and supervisory mechanisms related to personal information collection, use, and processing appear to be very weak.” That report further noted that the use of citizens’ data to train AI programs “could constitute an unjustified and disproportionate violation of personal information self-determination rights.”
Mitigating Surveillance Risks
In countries lacking robust oversight and accountability mechanisms, pervasive digital surveillance has significant and detrimental human rights implications for government critics, human rights activists, journalists, and political opposition and dissident figures. Moreover, digital surveillance that fails to abide by the principles of legality, necessity, and proportionality can also incur significant operational, reputational, and legal costs for organizations and individuals, including foreign nationals and business travelers to high-risk countries. The risks include the following:
- Loss of sensitive corporate data: In addition to targeting domestic political dissent and reporting critical of the government, authorities can deploy digital surveillance measures against foreign business travelers and organizations, leading to the loss of critical proprietary data and intellectual property theft. In April 2026, the United Kingdom’s (UK) National Cyber Security Centre assessed that the targeting scope of commercial spyware had expanded to more frequently include bankers and executives.
- Proliferation of cyber vulnerabilities: Because many cyber intrusion capabilities rely on zero-day vulnerabilities in widely used software, the availability of commercial spyware can create commercial incentives for threat actors to identify and exploit the same vulnerabilities. In March 2026, exploit chains Coruna and DarkSword facilitated the mass targeting of iPhone users, illustrating the risks associated with the spread of nation-state-level cyber-intrusion capabilities.
- Loss of data privacy: Without robust data privacy laws, data retention requirements and extensive collection of personal and biometric data supporting government surveillance can create significant data privacy risks in the event of exposure of collected data. For example, in January 2026, the threat actor Green Blood Group claimed to have breached Senegal’s digital ID system and exfiltrated 139 TB of data, including biometric data.
- Reputational risk: Given the invasive nature of some surveillance capabilities and the often extensive storage of information on digital devices and online platforms, digital surveillance can enable the collection of highly personal information on individuals that, if revealed, could pose significant reputational risk. In the lead-up to Poland’s 2019 parliamentary elections, Pegasus spyware was used to surveil then-opposition candidate Krzysztof Brejza 33 times, and Brejza’s text messages were subsequently obtained, doctored, and aired on state television to discredit his campaign. Opposition politicians subsequently questioned the legitimacy of the 2019 election, which the then-ruling Law and Justice party won.
- Legal or physical risk to individuals: Depending on the jurisdiction, failure to appropriately account for surveillance-related risks can result in legal action against individual travelers or employees who are more likely to be targeted by a government. In 2023, Human Rights Watch documented 45 cases in which security services in Egypt, Jordan, Lebanon, and Tunisia arrested individuals and attempted to collect digital evidence of their sexual orientation from their mobile devices. Researchers attributed 29 such arrests and prosecutions in Egypt, including against foreigners, to a likely coordinated effort to target LGBTQ+ individuals.
Insikt Group’s Country Risk analysis, available to Geopolitical Module users of the Recorded Future Intelligence Operations Platform, supports the development of mitigation strategies to help protect sensitive personal and corporate data against risks associated with state digital surveillance. Insikt Group recommends that organizations and individuals adopt the following mitigations corresponding to each country’s State Surveillance risk tier. In addition to the specific recommended mitigations for each risk tier, travelers should adopt all precautions for lower-risk tiers. For example, a traveler to a “high-risk” country should also adopt all precautions suggested for “medium-risk” and “low-risk” countries.
Very High Risk
Given these countries’ advanced surveillance capabilities, deployment against a wide range of targets, and lack of oversight, organizations should assume that digital devices will be compromised.
Avoid all non-essential travel to these countries. If travel is unavoidable, travelers should not bring personal or corporate devices to these countries, or should bring dedicated devices with minimized access to sensitive data for the purposes of the trip, to be used only during the trip and transported in a Faraday bag or other portable enclosure made of material that blocks electromagnetic signals.
Using secondary devices specifically designated for travel can help limit exposure of corporate and personal information. Best practices include using a temporary, non-corporate email address to create accounts for this device; not logging into any personal or corporate accounts on the secondary device; and disabling Bluetooth, AirDrop, the camera and microphone, and other data ingress and egress points on the device.
High Risk
Given these countries’ moderate to advanced capabilities, surveillance of political dissent and perceived threats to the ruling government, and limited oversight, organizations should assume active monitoring and take steps to minimize exposure of sensitive data.
Limit access to sensitive data while in the country; implement strict access control policies and avoid logging into non-essential corporate or personal accounts.
Update all firmware and operating system patches prior to departure.
Travelers should use a VPN whenever connecting to the internet, if legally permissible, and communicate using messaging applications with end-to-end encryption. These should be downloaded and installed prior to departure.
Avoid installing domestically developed communication applications, or, if doing so, consider bringing a separate device to use them.
Medium Risk
For countries with advanced surveillance capabilities assessed as “medium risk,” organizations should monitor for indicators of weakening oversight or malign use of surveillance.
For countries with less-advanced capabilities that are frequently used to monitor domestic dissent, mitigations should center on reducing the likelihood of targeting.
Reduce opportunities for the delivery of malicious software, such as ensuring that applications are updated to reduce exploitable vulnerabilities.
Conduct specialized training for employees traveling to these regions, focusing on spotting social engineering, phishing, and physical risks to devices.
Avoid engaging with or sharing content on sensitive political or social issues while in the country, as authorities may monitor social media or online content for such issues. Ensure all personal social media accounts have the strictest privacy settings enabled.
Low Risk
As these countries have either limited capabilities or advanced capabilities exercised under robust oversight with a well-established track record of avoiding domestic operations centered on foreign travelers or businesses, organizations should prioritize maintaining good cyber hygiene.
Always update devices with the latest security patches, and only download applications from official app stores, choosing verified providers with a sizable number of positive reviews.
Ensure all devices and important applications require authentication, ideally multi-factor, to be accessed.
Travelers should take standard precautions to protect their personal data, such as avoiding using public Wi-Fi at airports, hotels, or cafes.
Table 2: Recommended mitigations for state surveillance risks (Source: Recorded Future)
Outlook
The proliferation of commercial spyware, AI-powered tools, and the increasing data collection enabled by the digitization of public service platforms are almost certainly driving advances in governments’ digital surveillance capabilities. In April 2026, the UK assessed that approximately 100 countries had procured commercial spyware, indicating a decrease in barriers to access to cyber-intrusion capabilities. Furthermore, access to large language models (LLMs) may accelerate the development of digital surveillance capabilities. For example, Anthropic’s Claude Mythos model, which it has not released to the public, has prompted concerns over its reportedly unprecedented ability to identify and exploit cyber vulnerabilities. Recent reports of unauthorized access to Mythos via a third-party vendor environment illustrate the potential challenges of expanding access to tools for large-scale identification of software vulnerabilities.
At the same time, oversight mechanisms to prevent the abuse or misuse of these technologies have likely lagged behind what is necessary to ensure their use does not violate international principles of legality, necessity, and proportionality. Without corresponding oversight and accountability mechanisms, the convergence of advanced technical capabilities and increasing access to personal data will likely lower barriers to governments’ abilities to conduct bulk and targeted surveillance in ways that pose greater threats to organizational and individual privacy. As a result, organizations conducting operations and travel abroad need to continuously assess surveillance risk and align policies on travel, data access, and device security to outpace governments acquiring and operationalizing these capabilities.