U.S. President Joe Biden has signed an executive order that restricts U.S. government agencies from using commercially available spyware – but that doesn’t mean there will be no government use of spyware in the United States. Spyware is a type of malicious software (or malware) that allows someone to gain remote access to a target’s device without the knowledge or consent of the device operator. This includes all of the data on it: messenger logs, photos, files, and contacts. It also gives the ability to conduct novel forms of real-time surveillance, for example, by accessing the device’s microphone and cameras. This technique has been used by nation-states around the world to spy on journalists, dissidents, and minority groups.
Additionally, spyware allows governments to manipulate data on devices, including corrupting, planting, or deleting data, or recovering data that has been deleted, all while erasing any trace of the intrusion. There is a growing concern about law enforcement taking control of suspects' digital devices and tampering with their content.
The executive order arrived only days before revelations that the United States, which was previously thought to have steered clear of some of the most infamous foreign spyware products, actually had a contract to test and deploy the notorious Pegasus created by Israeli company NSO Group. The contract was signed under a fake name on November 8, 2021 between an organization that acts as a front for the U.S. government and an American affiliate of NSO Group. Only five days before, on November 3, 2021, the U.S. Commerce Department added NSO Group and other foreign spyware companies to a blacklist, the “Entity List for engaging in activities that are contrary to the national security or foreign policy interests of the United States.” So the signing of this straw contract was in apparent breach of this ban.
NSO Group is just one of the companies that should be covered by the new executive order. Foreign spyware like Karma has been used to abuse human rights as well, purchased by the UAE-based cyber-espionage company DarkMatter. DarkMatter went a step further than even the NSO Group, deploying the spyware to targets themselves and closely coordinating with its government customers in operations using spyware. One such operation involved the arrest and torture of prominent women’s rights advocate Loujain AlHathloul. Representing AlHathloul, EFF took DarkMatter to court for their violation of U.S. anti-hacking and international human rights laws.
The executive order signals that the Biden administration’s biggest concern with using spyware like Pegasus is that its foreign origins create a counter-intelligence concern. While this is a relatively narrow lens through which to view the harms of spyware, the executive order does make strides in specifying ways in which spyware is not to be used, bucking the global trend of using this software to target journalists and dissidents. The EO prohibits the US from purchasing or using any spyware sold by a company whose products have been used for either of two prohibited purposes:
(1) to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb dissent or political opposition; otherwise limit freedoms of expression, peaceful assembly, or association; or enable other forms of human rights abuses or suppression of civil liberties; or
(2) to monitor a United States person, without such person’s consent, in order to facilitate the tracking or targeting of the person without proper legal authorization, safeguards, and oversight.
Though the NSO Group’s Pegasus spyware has garnered particular attention for its widespread use against human rights advocates, journalists, and politicians, the EO did not name any company specifically, keeping the policy broad. This may lead some government agencies to think that their purchase of foreign spyware might fly under the radar if it comes from another, smaller vendor, or the vendor can plausibly deny that it is really spyware that they are selling. We urge the Biden administration to publish a non-exhaustive list of spyware companies included as part of this ban. That would send a clear message to agencies who wish to exploit any ambiguity in order to skirt the law.
Building upon the U.S. EO, a global coalition of eleven countries, including Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom, and the United States, is working towards a common goal of countering the misuse of commercial spyware. This alliance is committed to establishing robust guardrails and procedures that uphold fundamental human rights, civil liberties, and the rule of law within each of their respective systems.
While this signals discomfort with foreign-made spyware, no one should take this as an indication that the U.S. government is averse to using similar technologies developed internally, or indeed acquiring foreign spyware companies for domestic use. Given the government’s long history of using and abusing incredibly invasive techniques, people in the United States should push for robust human rights safeguards to ensure the government won’t proceed with only the minor restrictions of this executive order to rein them in.