Bulgaria Licensed Surveillance Exports to Rights Violators

© 2026 Glenn Harvey for Human Rights Watch

 

 

(Brussels, June 18, 2026), The Bulgarian government between 2018 and 2023 licensed exports of surveillance equipment to countries that were likely to use it for internal repression or to commit serious human rights violations, Human Rights Watch said today.

Human Rights Watch previously reviewed data that shows that European Union governments often seem to issue such licenses. Human Rights Watch urged EU institutions to tighten enforcement of laws intended to restrict the export of surveillance technology to places where there is a credible risk it would be used in violation of international human rights and humanitarian law.

“All EU governments should be clamping down on exports of tools that can be used for repression, not rubber-stamping them,” said Zach Campbell, senior surveillance researcher at Human Rights Watch. “The European Commission has evidence that EU governments have been issuing licenses seemingly without conducting serious human rights due diligence, and yet appears to have taken no action despite having the legal framework to control this.”

Human Rights Watch reviewed documents that show the surveillance company, Circles, based in Bulgaria, was granted licenses to legally export telecommunication interception systems, communications monitoring software, and other types of surveillance technology to countries that have well-documented histories of using similar tools to spy on journalists, activists and to otherwise crack down on dissent.

Human Rights Watch wrote to Circles for their comment and for further information about their licenses on April 15, April 23, and May 21, and June 10, 2026, but received no response. Human Rights Watch correspondence with the Bulgarian authorities in April 2026 about their licensing practices is available on its web site.

The documents in question are export licensing records from 2018 to 2023, each valid for one year, from the Bulgarian government’s Interdepartmental Commission for Export Control and Non-Proliferation of Weapons of Mass Destruction. This is the Bulgarian Ministry of Economy and Industry’s body responsible for approving or denying export license applications from companies located in Bulgaria. Human Rights Watch has not had access to documents relating to exports for 2025 or 2026.

The documents describe licenses for exports of Circles’ surveillance technology to Azerbaijan, Bahrain, Brazil, Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Morocco, Panama, Serbia, and the United Arab Emirates (UAE). Clients included intelligence services, military and police bodies, regional governments, and private companies.

These licenses allowed legal exports of cybersurveillance technology, although they do not reveal whether the technology was actually exported. Nonetheless, issuing the licenses demonstrates a major flaw in how individual governments implement EU export controls for surveillance technology. The controls are intended to limit exports of surveillance technology to destinations where there is a likelihood it could be used to violate rights, and to provide transparency about what exports take place.

Member states are obliged to take into consideration the human rights record of a destination country. when assessing an export license application. They should exercise special caution when there are human rights risks, and not grant a license if there is a clear risk that the export would be used for “internal repression.”

A Human Rights Watch report published on May 12, analyzed these EU controls and found that EU member countries were still exporting surveillance technology to rights violators across the globe. These new documents provide further evidence that the European Commission, which oversees and implements the law, is failing to achieve that goal.

Circles is a surveillance company, originally based in Cyprus and now in Bulgaria. One of Circles’ two founders, Tal Dillian, also founded the spyware company Intellexa, based in Greece. Dillian was found guilty on February 26, by an Athens court because the company’s spyware was used to surveil Greek journalists, politicians, businesspeople, and others. He has indicated he is appealing his conviction.

He was sanctioned in 2024 by the US government in connection with the company’s role in “developing, operating and distributing commercial spyware technology,” which the US government said was used against journalists, dissidents, policy experts, and US officials.

Digital security experts issued a report in 2020 detailing their research into how Circles products largely rely on using flaws in international telephone infrastructure (called SS7 attacks) to intercept communications and other data, and track users. In 2014, Circles was bought out by a company that also owns the Israeli spyware company NSO Group, forming the umbrella company Q Cyber Technologies.

The Bulgarian ministry documents also show licensed exports to Q Cyber Technologies and NSO Group in Israel.

The Bulgarian export documents describe the hardware and software being licensed as those used to intercept mobile phone communications and data traffic, as well as to surveil many users at once. These tools most likely rely on a vulnerability in international telecommunications infrastructure and include traditional wiretap software and hardware, mobile phone geolocation software, and IMSI catchers, stand-alone devices capable of intercepting mobile phone data and geolocating users.

Many of countries for which licenses have been granted have long histories of using surveillance technology to violate rights. In the UAE, authorities maintain a zero-tolerance policy toward criticism of the government, enforcing it with an arsenal of invasive surveillance tools, including, in the worst cases, by directly monitoring messages, emails, and mobile devices in the UAE and beyond its borders.

In Azerbaijan, authorities regularly carry out arbitrary arrests of activists, journalists, and human rights defenders, restricting freedom of expression, association, and assembly, and arbitrarily implement laws paralyzing civil society, including though the likely use of surveillance technology.

In Bahrain, El Salvador, Guatemala, Mexico, Morocco, Serbia, Israel, and Jordan, state authorities were found to have used technology, similar to the Circles’ products for which Bulgaria has granted licenses, to target journalists and members of civil society. Human Rights Watch does not know if Circles used the licenses to export its products to these countries and the company did not respond to repeated requests for clarification.

The documents describe exports of four types of Circles’ products:

“Landmark” software, described as a “network-based solution,” which allows users to “collect, process, validate and manage information for conducting intelligence operations, based on the location of mobile subscribers.”“Voice Over Location Enabler (VOLE)” software that most likely relies on using the SS7 protocol to “remotely intercept targets’ incoming and outgoing voice calls” as well as data including both parties’ locations.“Saphire” software that, according to the exporter, “allows a command to be sent to a mobile operator via a remote terminal to assign a new IP address to a specific device,” most likely for the targeted interception of communications.“Pixcell” line of IMSI-catchers described as a “tactical SIGINT [signal intelligence] system that intercepts voice data, messages, and internet data for specific cellular devices.”The fact that cybersurveillance items have been licensed for export to clients in so many destination countries where such technology has been repeatedly used to violate international human rights law calls into question the effectiveness of EU regulations intended to control these exports.

Human Rights Watch verified the authenticity of the documents by conducting checks on the metadata contained within them. The documents also include export codes for each transaction, which align with the export codes in documentation supplied by the Bulgarian Ministry of Economy and Industry to Human Rights Watch in response to a freedom of information request.

In response to written questions, the Bulgarian Minister of Economy and Industry in April, wrote that “[e]xports that contradict the country’s national, European and international commitments, including with regard to the protection of human rights, are not allowed” and that “[t]he Ministry maintains a consistent policy of zero tolerance for abuses and strictly monitors compliance with the established rules.”

In response to written questions, the European Commission stated that EU member states “are solely responsible for licensing decisions on dual-use exports.”

“The Bulgarian government and the European Commission both have a clear responsibility and a legal mandate to control these exports, and are failing to do so,” Campbell said, “All the while, European surveillance companies are receiving licenses to export their products worldwide seemingly without even minimal human rights controls.”