American federal government departments and agencies have been limited from using commercial spyware unless they have approval from the White House.
The restriction came in an executive order issued Monday by President Joe Biden, which says the administration believes technology has to be used in accordance with the rule of law, appropriate safeguards, and oversight.
Without naming brands, the order is aimed at applications used by police forces around the world, without judicial authorization, to surveil opponents. U.S. and Canadian law enforcement and intelligence agencies have to get judicial approval for wiretaps.
It comes after groups such as the University of Toronto’s Citizen Lab have issued detailed reports on the use of commercial spyware by governments, including an application called Pegasus from Israel’s NSO Group. Citizen Lab’s most recent report, on the use of Pegasus in Mexico, was released last October. Last April, Citizen Lab said it warned the U.K. government in 2020 and 2021 of multiple suspected instances of Pegasus spyware infections on devices within official government networks, including the Prime Minister’s Office.
Commercial spyware aimed at consumers can also be found in mobile app stores.
“The United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware,” the presidential order says.
U.S. federal departments and agencies “shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”
In particular, they are banned from using commercial spyware that is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the United States.
Nor can federal agencies ask a third party to use commercial spyware where it poses significant counterintelligence or security risks to the United States Government, or if it poses significant risks of improper use by a foreign government or foreign person.
However, there is an out: Agencies can use commercial spyware that doesn’t pose significant counterintelligence or security risks to the United States Government, or significant risks of improper use by a foreign government or foreign person.
If an agency decides to make operational use of that type of commercial spyware, the head of the agency shall notify the Assistant to the President for National Security Affairs after doing due diligence on the application.
“I am very pleased with this Executive Order,” said Citizen Lab director Ron Deibert. “There are still areas that are not covered, such as local police and state-level agencies. But this is a huge improvement over the status quo. It is a very positive development for those of us who have been researching this sector for over a decade.”
It will, he said, accomplish several outcomes:
— it will prevent mercenary spyware firms from selling to the U.S. government sector;
— it will send a strong signal to investors and companies in this space that the Wild West days are over;
— it will likely catalyze other governments (especially allies) to do something similar, and hopefully help clean up the worst abuses of the mercenary spyware market that Citizen Lab has been documenting.
The executive order comes alongside a series of other regulatory measures that the Biden administration has taken in recent months, Deibert added, including putting NSO Group, Candiru, and other hack-for-hire firms on the U.S. Commerce Department’s designated entity list, and preventing U.S. intelligence personnel from working for foreign private intelligence firms.
“One hopes,” Deibert said, “that the Canadian government will be inspired to do something similar.”
Canadian Public Safety Minister Marco Mendicino’s office was asked for comment, but no reply was received by publication time.
Separately, Apple and WhatsApp parent Meta are each suing NSO Group. Apple is demanding a permanent injunction to ban NSO Group from using any Apple software, services, or devices. Citizen Lab discovered a now-patched vulnerability that Apple alleges was used by NSO Group customers to break into a victim’s Apple device and install Pegasus. Meta alleges NSO Group installed spy software on 1,400 people, including journalists, human rights activists, and dissidents, by exploiting a bug in its WhatsApp messaging app. Neither civil suit has been heard in court yet.