While I agree that the trade in these tools is reprehensible, I worry about creating a new class of software that is prohibited to possess or trade in. It wasn't so long ago that strong encryption was labelled a 'dual use technology', and moving it across national borders was non-trivial.
How long will it take for pentesting tools and end-to-end encryption to be labelled 'military weapons' under such a scheme?
I worry, too. Regulators do hatchet jobs when it comes to software law. But slippery slopes aside, it's pretty clear that selling tools to take over phones en masse is a bad deal for free societies.
Here's what we will find next: military and political leaders' phones have also already been compromised by NSO Group tools. I feel confident it has happened at a higher rate than among journalists. Imagine both your favorite and your most hated political firebrands: how will their rhetoric sound when they realize they've been pwned by the opposition for the past year using COTS tools?