Agencies are banned from using software that poses ‘significant counterintelligence or security risks’ or that could be used improperly by foreign entities.
The Biden administration is trying to clamp down on the government’s use of any commercial spyware that could also be used by other countries to harm its interests. The president has signed an executive order saying that federal agencies can’t use spyware “that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”
The order spells out exactly what disqualifies spyware — software that steals information and data from a device without the user’s knowledge — from being used by the US government. It’s not allowed if it’s:
- been used by a foreign person or government to target the US government
- sold by an entity that’s interested in publishing “non-public information” about the US government’s activities without its permission
- “under the direct or effective control of a foreign government or foreign person” that’s trying to spy on the US
- been used to surveil US citizens or commit human rights violations by spying on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities
- also sold to countries that “engage in systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights”
Government agencies do have a little leeway when determining whether a particular piece of spyware matches those qualifications. It may be okay that the spyware was used against the US if the developers took “appropriate measures” upon learning about it, such as canceling the offending party’s contracts or working with the US to “counter improper use” of the software. The government also has to consider if the spyware vendor “knew or reasonably should have known” that the software would be abused when it sold it.
White House officials aren’t specifying exact software that’s banned, according to TechCrunch, but there are many aboveboard commercial spyware applications out there offering services to governments. (And many more black market ones, which you’d probably hope the US government wouldn’t consider using.)
While the order isn’t an outright ban on spyware, it likely rules out a lot of offerings on the market. Unless the software is sold exclusively to the US government, there’s pretty much no way to know for sure that foreign entities aren’t also using it, either to target the US or to target the types of people protected by the order.
For example, NSO Group’s Pegasus spyware supposedly had safeguards; the company claimed it only sold access to government agencies that had been cleared by Israel’s Ministry of Defense. Reporters discovered that the spyware, which could silently hack phones to exfiltrate and record all kinds of data, was likely used against heads of state, journalists, activists, and others by several governments. (The FBI reportedly considered using it as well.)
Pegasus was already pretty much completely banned in the US; in 2021, the Department of Commerce added NSO, along with Candiru, to its Entity List, barring US companies from doing business with them. That means they couldn’t buy hardware and software from companies like Dell and Microsoft, for example, according to The New York Times. However, Pegasus is far from the only piece of spyware used by governments. A Meta employee reportedly had her phone hacked by Greece’s national intelligence agency using Cytrox’s Predator spyware.
It’s worth noting what this order isn’t. It defines spyware as software that lets you gain unauthorized access to a computer so you can access data on it, record audio and video from it, or track its location. The government often tracks people’s location using tech like Stingrays or gets data through other means, such as paying data brokers, and that’s still on the table. People may think of that as their phones being used to spy on them, but the apps providing this data aren’t counted as spyware.
Following that same thread, the order explicitly calls out foreign governments or people using spyware to target journalists, politicians, and activists. However, our own government also has a history of electronically surveilling people in those groups both inside and outside its borders; it seems unlikely the US would ban a piece of spyware if it were the one caught using the software improperly.
The government isn’t the only entity taking action against spyware like this. Apple, for example, has sued NSO Group and introduced a “Lockdown Mode” for its devices that is meant to make it more difficult to remotely install spyware on them.