US to adopt new restrictions on using commercial spyware
WASHINGTON — The U.S. government will restrict its use of commercial spyware tools that have been used to surveil human rights activists, journalists and dissidents around the world, under an executive order issued Monday by President Joe Biden.
The order responds to growing U.S. and global concerns about programs that can capture text messages and other cellphone data. Some programs — so-called “zero-click” exploits — can infect a phone without the user clicking on a malicious link.
Governments around the world — including the U.S. — are known to collect large amounts of data for intelligence and law enforcement purposes, including communications from their own citizens. The proliferation of commercial spyware has made powerful tools newly available to smaller countries, but also created what researchers and human-rights activists warn are opportunities for abuse and repression.
The White House released the executive order in advance of its second summit for democracy this week. The order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology,” the White House said in a statement.
Biden’s order, billed as a prohibition on using commercial spyware “that poses risks to national security,” allows for some exceptions.
The order will require the head of any U.S. agency using commercial programs to certify that the program doesn’t pose a significant counterintelligence or other security risk, a senior administration official said.
Among the factors that will be used to determine the level of security risk is if a foreign actor has used the program to monitor U.S. citizens without legal authorization or surveil human rights activists and other dissidents.
“It is intended to be a high bar but also includes remedial steps that can be taken ... in which a company may argue that their tool has not been misused,” said the official, who briefed reporters on condition of anonymity under White House ground rules.
The White House will not publish a list of banned programs as part of the executive order, the official said.
John Scott-Railton, a researcher at the University of Toronto’s Citizen Lab who has long studied spyware, credited the Biden administration for trying to set new global standards for the industry.
“Most spyware companies see selling to the U.S. as their eventual exit path,” Scott-Railton said. “The issue is the U.S. until now hasn’t really wielded its purchasing power to push the industry to do better.”