Abstract Spyware has been heralded as an essential tool for law enforcement and intelligence operations. However, examples abound of states that use it in a manner that violates human rights as well as undermines democracy and the rule of law. Against this backdrop, the European Union (EU) Dual-use Regulation was recast in 2021. It now makes an effort to control the export of cyber surveillance technologies, including spyware, which it defines as dual use. What narrative is created by framing spyware as ‘dual use’? This article illustrates how the term 'dual use' roots in a distinction between ‘peaceful’ and ‘non-peaceful’, or ‘civil’ and ‘military’ uses, and has gradually become associated with a broader dichotomy between ‘legitimate’ and ‘illegitimate’ purposes. Historically, this duality served not only to articulate the risks posed by certain technologies and indicate the rationale for their export control but also to justify their trade. Yet recourse by EU actors to dual use tilts the EU discourse on spyware export control towards state-centric security considerations and commercial interests over human rights. Unmasking how the term transposes a conceptually flawed, deceptive and empty duality to the spyware context, this article shows that the very concept of dual use may undermine human rights safeguards in spyware export control.