US Moves to Ban "Anti-Democratic" Spyware

President Biden has approved a new executive order (EO) banning government use of any commercial spyware that has previously been misused by foreign states to spy on citizens, dissidents, activists and others.

The ruling applies to any tools used to spy on foreign or US citizens to suppress civil liberties or abuse human rights.

The EO also covers spyware that poses “counterintelligence or security risks” to Washington – for example if it has been used to access US government computers and/or is under the “direct or effective control” of a foreign intelligence agency.

Commercial spyware of the sort produced by NSO Group and others is increasingly controversial. The vendors claim their wares are only sold to governments for legitimate law enforcement and other purposes, but reports suggest otherwise.

The Israeli firm is being sued by Apple and WhatsApp for developing and installing its Pegasus spyware on hundreds of customers’ devices without their knowledge. These included human rights activists, journalists and even government officials, according to WhatsApp.

That firm is now blacklisted by the Commerce Department, limiting its access to US technology – although many of its peers have until now continued operating without repercussions.

“Foreign governments and persons have deployed commercial spyware against United States government institutions, personnel, information and information systems, presenting significant counterintelligence and security risks to the United States government,” the EO argued.

“Foreign governments and persons have also used commercial spyware for improper purposes, such as to target and intimidate perceived opponents; curb dissent; limit freedoms of expression, peaceful assembly or association; enable other human rights abuses or suppression of civil liberties; and track or target United States persons without proper legal authorization, safeguards or oversight.”

John Scott-Railton, a senior researcher at Citizen Lab, described the news as a “huge deal” because it will disincentivize commercial spyware developers who hope they may one day be able to sell their wares to the US government.

Even the waiver provision for use of spyware by the US government will require agencies to leap a high bar, and is therefore designed not to be easily circumvented, he added.

“The #SpywareEO is the first comprehensive action by any government on #spyware. It was clearly drafted to pump the brakes on proliferation & is written with a good understanding [of] the slippery nature of the industry. It closes many loopholes,” Scott-Railton tweeted.

“Whenever the USG regulates there’s always temptation to speculate about protectionism for American companies. But reading the #SpywareEO...these provisions hit US-based spyware companies just as hard if they meet the triggers/contribute to proliferation. Good.”
