U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies.
The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person."
It also seeks to ensure that the government's use of such tools is done in a manner that's "consistent with respect for the rule of law, human rights, and democratic norms and values."
To that end, the order lays out the various criteria under which commercial spyware could be disqualified for use by U.S. government agencies. They include:
- The purchase of commercial spyware by a foreign government or person to target the U.S. government,
- A commercial spyware vendor that uses or discloses sensitive data obtained from the cyber surveillance tool without authorization and operates under the control of a foreign government that's engaged in espionage activities aimed at the U.S.,
- A foreign threat actor that uses commercial spyware against activists and dissidents with the goal of limiting freedom of expression or perpetrating human rights abuses,
- A foreign threat actor that uses commercial spyware to keep tabs on a U.S. citizen without legal authorization, safeguards, and oversight, and
- The sales of commercial spyware to governments that have a record of engaging in systematic acts of political repression and other human rights violations.
"This Executive Order will also serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform," the White House said in a statement.
About 50 U.S. government officials in senior positions located in at least 10 countries are estimated to have been infected or targeted by such spyware to date, the Wall Street Journal reported, a number larger than previously known.
While the order stops short of an outright ban, the development comes as sophisticated and invasive surveillance tools are being increasingly deployed to access electronic devices remotely using zero-click exploits and extract valuable information about targets without their knowledge or consent.
Last week, the New York Times reported that Artemis Seaford, a former security policy manager at Meta, had her phone wiretapped and hacked by Greece's national intelligence agency using Predator, a spyware developed by Cytrox.
That said, the order also leaves open the possibility of other kinds of spyware devices, including IMSI catchers, being used by government agencies to glean valuable intelligence.
Viewed in that light, it's also an acknowledgment that the spyware-for-sale industry plays an important role in intelligence-gathering operations even as the technology constitutes a growing counterintelligence and national security risk to government personnel.
Earlier this month, the Federal Bureau of Investigation (FBI) confirmed that the agency has in the past purchased the location data of U.S. citizens from data brokers as a means to sidestep the traditional warrant process.
The FBI is also alleged to have bought a license for Israeli company NSO Group's Pegasus during 2020 and 2021, acknowledging that it was used for research and development purposes.
The Drug Enforcement Administration (DEA), in a similar fashion, uses Graphite, a spyware tool produced by another Israeli company named Paragon, for counternarcotics operations. It's not immediately clear if other U.S. federal agencies currently use any commercial spyware.