Private military and security companies are increasingly using advanced surveillance technologies – including drones, facial recognition and spyware – to monitor people and environments. While these tools can enhance security, their unregulated use raises serious risks to privacy, human rights and accountability. In this article, Dr Ilia Siatitsa examines how private surveillance services operate, the technologies involved and the urgent need for oversight and regulation.
Introduction
Private military and security companies (PSMCs) today operate in an environment where advanced surveillance technologies are increasingly affordable and widely available. Tools such as drones, facial recognition systems, spyware and geolocation trackers are no longer confined to state actors; they are now part of the arsenal of private actors offering security and intelligence services.
Some of these technologies may be used for legitimate purposes. For example, installing cameras to secure a building or monitoring internal networks to prevent cyber-attacks can be essential for fulfilling contractual obligations. However, surveillance is also offered as a standalone service, creating a growing industry of private surveillance providers. The expansion of surveillance capabilities by private security companies raises urgent questions about regulation and oversight.
Without clearly defined benchmarks, the risk of privatised surveillance running unchecked is significant.
Which Technologies Are Enabling Private Surveillance Services?
The range of technologies used by private security companies is diverse and sophisticated. For instance, geolocation tracking through GPS enables real-time monitoring of individuals’ movements – a capability that has already been misused to track and intimidate activists and political opponents. Also, communications interception technologies, such as IMSI catchers that mimic cell towers, capture mobile phone data often without users’ knowledge.
To illustrate some of the risks of this trend, consider an intelligence contractor that develops an integrated data platform for clients seeking “operational visibility”. Although presented as a risk‑management tool, the platform quietly draws together data from CCTV feeds, commercial data brokers, social media, travel records and mobile phone metadata. Over time, analysts within the company begin generating behavioural risk scores about individuals with no connection to any ongoing incident. The system’s scale, opacity and lack of oversight demonstrate how easily private actors can construct powerful surveillance architectures under the guise of efficiency and modernisation.
In parallel, biometric surveillance tools, such as facial recognition and fingerprint scanning allow companies to identify and track individuals. A facial recognition company, for instance, is offering its services to police forces allowing them to identify individuals with minimal oversight. This company has faced global criticism for scraping billions of images from social media to build facial recognition databases, violating data protection laws across many jurisdictions in the process. On the other hand, drones equipped with high-resolution cameras and thermal imaging are used to monitor large estates, construction sites and high-profile events.
Drone‑surveillance creep has become increasingly common. A private firm contracted to secure luxury residential compounds might begin with routine aerial patrols strictly within property boundaries. Yet without clear rules, the drones gradually expand their routes into neighbouring streets, hovering over gardens and capturing footage of daily life far beyond the original scope of the contract. What begins as perimeter protection evolves into pervasive aerial monitoring of entire communities, normalising intrusive observation without consent or accountability.
These technologies, which are increasingly powered by artificial intelligence, consume large amounts of data. This creates a vicious cycle: surveillance feeds data-hungry systems, and those systems in turn justify further surveillance to remain relevant.
Risks to Privacy and Data Protection
The deployment of such technologies poses profound risks to privacy rights and data protection. Private security companies can collect communications data – calls, emails, photographs and location information – as well as biometric identifiers such as fingerprints, DNA and facial patterns. These are in turn amplified by sensor networks and autonomous surveillance systems, enabling real-time facial recognition and behavioural analysis. The integration of AI further escalates the scope of data collection and processing, as machine learning models require continuous streams of personal data to function effectively. This creates a structural incentive for companies to gather more data than necessary, quite often without abiding by adequate safeguards. Such mass surveillance deprives individuals of their right to privacy.
International and regional legal frameworks recognise privacy as a fundamental right. Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR) prohibit any arbitrary interference with privacy. It has further been recognised that companies must align with the UN Guiding Principles on Business and Human Rights (GPBHR), conducting human rights due diligence and adopting risk-based governance for high-risk technologies. This includes those affecting the right to privacy.
Additionally, numerous countries have adopted data protection and privacy regulatory frameworks, such as the European Union’s General Data Protection Regulation (GDPR) and the African Union’s Convention on Cyber Security and Personal Data Protection, which set strict standards for data processing and establish norms that apply to security companies. However, the application of these frameworks to private military and security companies operating across borders is often overlooked, while some these frameworks may not apply to national security or law enforcement contexts. As a result, enforcement is inconsistent and oversight mechanisms are rarely extended to private surveillance services. This regulatory gap creates a high risk of violations: companies can process sensitive data without legal basis, transfer it across jurisdictions with weak protections and retain it indefinitely. In practice, this means individuals may have no effective remedy when their personal information is misused.
Risks to Other Rights under Private Surveillance
Privacy is not an isolated right. Rather, it is a gateway to the enjoyment of other fundamental freedoms. Afterall, when surveillance technologies are used to track individuals’ movements, monitor their communications or analyse their social networks, the consequences can be severe.
For instance, location data can expose someone’s home address or daily routines, making them vulnerable to physical harm. This is substantiated by a former NSA chief who chillingly remarked, “We kill people based on metadata”. This statement underscores how data-driven targeting can endanger the right to life and security. Targeted surveillance of individuals – especially journalists, activists, political opponents and others exercising their right to free expression – has been linked to arbitrary arrests, instances of torture and, in some cases even extrajudicial killings.
The threat of pervasive surveillance can deter individuals from exercising their rights to express and assemble freely, among many others. Knowing that private actors may record protests, scan faces in crowds or intercept messages creates a dangerous climate of fear and self-censorship. These risks are not hypothetical. They have already materialised in multiple contexts where private security companies have monitored political gatherings or shared intelligence with relevant state authorities. These scenarios violate the right to remain anonymous – an element particularly essential for journalists when collecting unbiased and transparent information from their sources. The list of potential human rights violations and abuses that private surveillance can enable or facilitate is long.
This is why privacy matters.
Targeting Human Rights Defenders and Journalists
Perhaps the most alarming consequence of privatised surveillance is its use against those who hold authorities in power accountable. It is telling that, at a recent ISS World conference, a surveillance company was exposed by investigative journalists posing as representatives of a ‘private mining company, […] who intended to use it to surveil environmental protestors’.
Investigations have revealed that spyware developed by private companies has been deployed to monitor journalists, lawyers and human rights defenders. Pegasus and, shortly after, Predator spyware scandals have been linked to multiple instances targeting reporters and activists worldwide. In early 2025, reports emerged of Paragon spyware attacks on journalists, highlighting the growing crisis of digital repression facilitated by private actors. These practices not only violate privacy but also undermine democratic principles by silencing dissent and eroding press freedom. When surveillance becomes a tool for intimidation, it threatens the very fabric of accountability and transparency. As a result, it is critical that PSMCs utilise surveillance technologies responsibly and lawfully.
Even beyond spyware, risks arise when private security operators misuse more routine tools. Consider a security company responsible for monitoring CCTV networks in transport hubs or shopping centres. In one scenario, a guard with authorised access discreetly copies sensitive footage – perhaps of a public figure or a journalist meeting a confidential source – and shares it externally. The leak spreads online within hours, illustrating how insider abuse within private security operations can compromise both privacy and safety. Such incidents underscore the need for strict access controls, audit trails and training in surveillance governance.
Conclusion
The integration of advanced surveillance technologies by private security companies presents significant challenges for international human rights law. While some of these technologies, if used responsibly and lawfully, can enhance security services, they also pose substantial risks to the right to privacy, life and other fundamental human rights. In some instances, the use of spyware is in direct contravention of human rights standards. As such, it should be prohibited for both private and public actors. It is crucial for policymakers and industry leaders to address these challenges through robust regulation and oversight to ensure that the benefits of technology do not come at the expense of human rights.
The views and opinions presented in this article belong solely to the authors and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).
