WASHINGTON (AP) -- Under an executive order issued Monday by President Joe Biden, the U.S. government will limit its use of commercial spyware tools that have been used to spy on human rights activists, journalists and dissidents around the globe.
The order was issued in response to growing concerns in the U.S. and worldwide about programs that can capture text messages and other data from cellphones. So-called "zero-click" exploits can infect a phone even if the user does not click on a malicious link.
Governments around the globe, including the U.S., are well acquainted with gathering large amounts of data for law enforcement and intelligence purposes, including communications from their own citizens. The proliferation of spyware has made powerful tools available to smaller countries, but researchers and human rights activists warn that it also creates opportunities for abuse and repression.
The White House issued the executive order ahead of the second summit on democracy, which takes place this week. In a statement, the White House said the order "demonstrates the United States’ leadership in, and commitment to, advancing technology in democracy, including countering the misuse of commercial spyware or other surveillance technology."
Biden's order, which is billed as a ban on commercial spyware that "poses risks to national security," allows for some exceptions.
A senior administration official said the order will require the head of any U.S. government agency using commercial programs to confirm that the program does not pose a significant security threat or counterintelligence risk.
The level of security risk will depend on whether a foreign actor used the program to monitor U.S. citizens without authorization or to surveil human rights activists or other dissidents.
The official said that although the order was intended to set a high bar, it also includes remedial steps that companies can take if they claim that their tool was not misused.
According to the official, the White House won't publish a list of programs banned under the executive order.
John Scott-Railton, a researcher at the University of Toronto's Citizen Lab who has been studying spyware for many years, credits the Biden administration with trying to establish new standards in the industry.
Scott-Railton said that most spyware companies view selling to the U.S. as their exit route. "The problem is that the U.S. has not used its purchasing power to encourage the industry to improve," Scott-Railton said.
Last year, Congress required U.S. intelligence agencies to investigate foreign spyware use and gave the Office of the Director of National Intelligence the power to ban any agency from using commercial software.
Representative Jim Himes, a top Democrat on the House Intelligence Committee, said in a hearing last year that commercial spyware posed a very serious threat to democracy worldwide. He said Monday that the new order would be an "essential tool" and should be used by all other democracies to combat spyware.
He said, "It's powerful and a great tool, but it doesn't do the trick alone."
The most well-known example of spyware is the Pegasus software by Israel's NSO Group. It was used to target over 1,000 people in 50 countries, according to security researchers. A global media investigation conducted in July 2021 cited a list of more than 50,000 cell phone numbers. NSO Group has been subject to U.S. export restrictions, which restrict the company's access to U.S. technology and components.
Officials wouldn't say whether U.S. intelligence agencies and law enforcement use commercial spyware. Last year, the FBI confirmed that it purchased NSO Group's Pegasus tool "for product testing and evaluation only," and not to support any operational investigation.
Officials at the White House said Monday that they believed 50 devices used in 10 countries by U.S. government workers had been compromised or targeted with commercial spyware.
NSO claims that the program is meant to counter terrorism and crime. However, researchers discovered the identities of more than 180 journalists and 600 politicians, as well as 85 human rights activists.
Pegasus was most often linked to Mexico and the Middle East. Amnesty International claims that Pegasus was installed on Jamal Khashoggi’s phone just four days before he was murdered in the Saudi consulate in Istanbul. NSO denied that Khashoggi was murdered using its software.
Paul Rusesabagina's family is credited with saving over 1,200 lives during Rwanda's genocide. This story was also depicted in the film "Hotel Rwanda." The family has also claimed that the spyware was used to target them. Rusesabagina was lured to Rwanda under false pretenses and was then arrested on terrorism charges. He was released last week. Rwanda has denied using commercial spyware.