New US Restrictions to Limit Use of Commercial Spyware


Following President Joe Biden’s executive order issued on Monday, the US government will curtail its use of commercial spyware, which has been employed to monitor human rights activists, journalists, and dissidents worldwide. This action addresses growing global concerns about software capable of intercepting text messages and other mobile data, including “zero-click” exploits that can infiltrate phones without user interaction.

Countries worldwide, including the US, are known to amass extensive intelligence and law enforcement data, including data on their own citizens. As researchers and human rights activists have warned, the spread of commercial spyware has provided potent tools to smaller nations while creating the potential for abuse and repression.

The executive order, released before this week’s second democracy summit, showcases the US’s dedication to promoting technology for democratic purposes and countering the misuse of commercial spyware and other surveillance technologies. Biden’s directive, described as a ban on commercial spyware posing national security risks, permits certain exceptions.

Heads of US agencies employing commercial software must certify that the program does not present significant counterintelligence or security risks, according to a senior administration official. Factors to determine security risk levels include unauthorized monitoring of US citizens by foreign entities or surveillance of human rights activists and dissidents.

While the order sets a high bar, it also allows for remedial measures where companies can argue against misuse of their tools. The White House will not publish a list of prohibited programs. According to Scott-Railton, a research professor at the University of Toronto’s Citizen Lab, the administration’s initiative to develop global industry standards has been a great success.

Last year, Congress mandated that US intelligence agencies investigate foreign spyware usage and granted the Office of the Director of National Intelligence the authority to prohibit agencies from using commercial software. Rep. Jim Himes of Connecticut, a leading Democrat on the House Intelligence Committee, called for other democracies to take action against spyware, stating that Biden’s order is a powerful statement and tool but insufficient.

Security researchers and a global media investigation published in July 2021 revealed that Israel’s NSO Group’s Pegasus software targeted over 1,000 individuals across 50 countries. The US has already imposed export restrictions on NSO Group, limiting the firm’s access to US components and technology.

Officials did not disclose if US law enforcement and intelligence agencies are using commercial spyware. Last year, the FBI confirmed that it had purchased the Pegasus tool from NSO Group for testing and evaluation, not for operational use. White House officials reported on Monday that 50 devices used by US government employees across ten countries were compromised or targeted by commercial spyware.

Researchers found the phone numbers of over 180 journalists, 600 politicians and government officials, and 85 human rights activists in NSO’s software despite NSO’s claim that its software is designed for counterterrorism and crime-fighting purposes. Pegasus usage has been most closely associated with Mexico and Middle Eastern countries.

According to Amnesty International, Pegasus was found installed on the phone of Jamal Khashoggi’s fiancée four days before he became the victim of a Saudi killing. NSO has denied a claim that its software was used to murder Khashoggi.

The family of Paul Rusesabagina, who saved more than 1,200 lives during the Rwandan genocide as depicted in the film “Hotel Rwanda,” has also alleged that they were targeted by spyware. Rusesabagina was tricked into returning to Rwanda and imprisoned on terrorism charges before being released last week. Rwanda has denied using commercial spyware.