President Joe Biden says the US cannot buy spyware other countries have used against it
The Biden administration is trying to curb the government’s use of commercial spyware that could also be used by other countries to harm its interests. The chairman has signed an executive order saying federal agencies cannot use spyware “that poses significant counterintelligence or security risks to the U.S. government or significant risks of misuse by a foreign government or foreign person.”
The order spells out exactly what disqualifies spyware – software that steals information and data from a device without the user’s knowledge – from use by the US government. It is not allowed if it:
- has been used by a foreign person or government to attack the United States government
- sold by an entity interested in publishing “non-public information” about the activities of the US government without its consent
- “under the direct or effective control of a foreign government or foreign person” seeking to spy on the US
- used to monitor U.S. citizens or commit human rights violations by spying on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities
- also sold to countries that “engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights”
Government agencies have some leeway in determining whether a particular piece of spyware meets those qualifications. It may be OK for the spyware to have been used against the US if the developers took “appropriate action” when they found out, such as terminating the offending party’s contracts or cooperating with the US to prevent “improper use” of the software to counteract. The government should also consider whether the spyware vendor “knew or reasonably should have known” that the software would be misused when selling it.
White House officials do not specify the exact software that is banned, according to TechCrunch, but there are many honest commercial spyware applications that offer services to governments. (And plenty more on the black market, which you probably hope the US government wouldn’t consider using.)
While the order doesn’t completely ban spyware, it likely excludes many offerings on the market. Unless the software is sold exclusively to the US government, there’s virtually no way to be sure that foreign entities aren’t also using it to target the US or the kinds of people protected by the warrant.
For example, the NSO Group’s Pegasus spyware is said to contain protections; the company claimed it only sold access to government agencies approved by the Israeli Defense Ministry. Reporters found that the spyware, which could silently hack phones to exfiltrate and record all sorts of data, was likely used by various governments against heads of state, journalists, activists, and others. (The FBI also reportedly considered using it.)
Pegasus was already almost completely banned in the US; in 2021, the Department of Commerce added NSO, along with Candiru, to its entity list, preventing U.S. companies from doing business with it. That means it can’t buy hardware and software from companies like Dell and Microsoft, for example. according to The New York Times. However, Pegasus is far from the only piece of spyware used by governments. A Meta employee allegedly had her phone hacked by the Greek National Intelligence Agency using Cytrox’s Predator spyware.
Spyware isn’t the only software spying on US citizens
It is worth noting what this order not. It defines spyware as software that allows you to gain unauthorized access to a computer so that you can access data on it, record audio and video, or track its location. The government often tracks people’s location using technology such as Stingrays or obtains data through other means, such as paying data brokers, and that is still on the table. People might think of that as their phones being used to spy on them, but the apps that provide this data are not counted as spyware.
Following on from that same thread, the order calls explicitly foreign governments or people using spyware to target journalists, politicians and activists. However, our own government also has a history of electronic surveillance of people in those groups, both within and beyond its borders; it seems unlikely that the US would ban a piece of spyware if it was the one caught using the software improperly.
The government is not alone in taking action against such spyware. For example, Apple has sued NSO Group and introduced a “Lockdown Mode” for its devices that is intended to make it more difficult to install spyware on them remotely.