2025 Digital Rights Review: Spyware, AI War & EU Regulations

The spyware market has evolved beyond traditional phishing, with tools like Graphite leveraging zero‑day, zero‑click exploits that compromise devices without any user action. This shift undermines conventional defenses such as VPNs, forcing security teams to prioritize endpoint hardening, rapid patch cycles, and threat‑intelligence sharing. The clandestine zero‑day marketplace, where hackers sell undisclosed flaws to governments and private actors, creates a feedback loop that fuels state‑sponsored surveillance and erodes civil‑society space.

Artificial intelligence is now a force multiplier in modern conflict, turning civilian data pipelines into battlefield assets. Systems such as Lavender can ingest massive data streams, generate target lists, and feed autonomous weapons platforms at speeds no human analyst can match. The Gaza war illustrated how mass surveillance combined with AI‑driven targeting blurs the line between defensive security tools and offensive weaponry, prompting UN officials to label such “killer robots” as morally repugnant. Yet, without binding international norms, developers and militaries continue to experiment, raising profound accountability and accuracy concerns.

In Europe, the regulatory tide appears to be turning away from the strong privacy standards that once defined the bloc. Proposals to mandate lawful access to encrypted communications threaten the viability of end‑to‑end encryption and the no‑log guarantees that underpin many VPN services. While the EU’s export‑control framework now references human‑rights considerations, weak catch‑all clauses and uneven national enforcement dilute its impact. Companies and digital‑rights advocates must therefore brace for a prolonged policy battle to safeguard encryption, data minimisation, and the broader digital‑rights ecosystem as 2026 approaches.