Under an executive order issued on Monday, March 27, 2023, by President Joe Biden, the U.S. government will restrict its use of commercial spyware tools that have been used to monitor human rights activists, journalists and dissidents around the world.
The order responds to growing U.S. and global concerns about programs that can capture text messages and other cellphone data. Some programs, known as “zero-click” exploits, can infect a phone without the user clicking on a malicious link.
Governments around the world, including the U.S, are known to collect large amounts of data for intelligence and law enforcement purposes, including communications from their own citizens.
The proliferation of commercial spyware has made powerful tools newly available to smaller countries, but also created what researchers and human-rights activists warn are opportunities for abuse and repression.
The White House released the executive order in advance of its second summit for democracy this week. The order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology,” the White House noted in a statement.
Biden’s order, billed as a prohibition on using commercial spyware “that poses risks to national security,” allows for some exceptions.
The order will require the Head of any U.S. agency using commercial programs to certify that the program does not pose a significant counterintelligence or other security risk, a senior administration official said.
Among the factors that will be used to determine the level of security risk is if a foreign actor has used the program to monitor U.S. citizens without legal authorization or surveil human rights activists and other dissidents.
“It is intended to be a high bar but also includes remedial steps that can be taken … in which a company may argue that their tool has not been misused,” said the official, who briefed reporters on condition of anonymity under White House ground rules.
The White House will not publish a list of banned programs as part of the executive order, the official disclosed.
Biden Administration Lauded For New Global Standards
John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who has long studied spyware, credited the Biden administration for trying to set new global standards for the industry.
“Most spyware companies see selling to the U.S. as their eventual exit path. The issue is the U.S. until now hasn’t really wielded its purchasing power to push the industry to do better.”
John Scott-Railton
Last year, Congress required U.S. intelligence agencies to investigate foreign use of spyware and gave the Office of the Director of National Intelligence the power to ban any agency from using commercial programs.
Rep. Jim Himes of Connecticut, the top Democrat on the House Intelligence Committee, said in a committee hearing last year that commercial spyware posed a “very serious threat to our democracy and to democracies around the world.”
Himes stated on Monday, March 27, 2023, that the new order should be followed by other democracies taking steps against spyware. “It’s a very powerful statement and a good tool, but alone it won’t do the trick,” he added.
Perhaps the best known example of spyware, the Pegasus software from Israel’s NSO Group, was used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation, citing a list of more than 50,000 cellphone numbers.
The U.S. has already placed export limits on NSO Group, restricting the company’s access to U.S. components and technology.
Officials would not say if U.S. law enforcement and intelligence agencies currently use any commercial spyware.
Last year, the FBI confirmed that it had purchased NSO Group’s Pegasus tool “for product testing and evaluation only,” and not for operational purposes or to support any investigation.
White House officials noted on Monday that they believe 50 devices used by U.S. government employees, across 10 countries, had been compromised or targeted by commercial spyware.
READ ALSO: Scottish National Party Elects Humza Yousaf As New Leader
