The Biden administration wants to stop the government from using commercial spyware that other countries could use to harm US interests. President Biden has signed an executive order stating that federal agencies cannot use spyware “that poses substantial counterintelligence or security threats to the United States Government, or significant risks of misuse by a foreign Government or person.”
The order outlines exactly what kinds of spyware (software that steals data from a device without its user’s permission) are prohibited from being used for any purpose by the US government. Spyware is prohibited if it:
- is used by a foreign government or person to attack the US government
- comes from an entity that is interested in publishing non-public information about the US government’s activities without its permission
- is “under the direct or effective supervision of a foreign government” that is spying on the US
- has been used to spy on US citizens, activists, journalists, dissidents or members of marginalized non-governmental organizations
- is also sold to countries that engage in “systematic acts of repression”, including arbitrary arrest or torture or extrajudicial or politically motivated murder, or other gross violations of human rights
Government agencies have some leeway when determining whether a piece of spyware meets these qualifications. If the developers take “appropriate steps” to notify the US and cancel the contract of the offending party, or work with them to “counter inappropriate use” of the spyware, the spyware may still be acceptable even though it has been used against the US. The government must also consider whether the spyware vendor knew or should have known that the software could be misused when it sold it.
White House officials don’t list the exact software that is banned. However, there are many commercial spyware programs available that offer services to governments. You’d hope that the US government would not consider using these black market versions.
Although the order doesn’t ban spyware completely, it likely rules out many of the offerings on the market. It is impossible to be certain that the software is sold only to the US government.
NSO Group’s Pegasus spyware was supposedly protected by safeguards. The company claimed that it only sold access to government agencies that were cleared by Israel’s Ministry of Defense. Reporters found that the spyware could silently hack into phones and record all data, and that it was used by several governments. It was also reportedly used by the FBI.
Pegasus had been banned in the US for years. In 2021, the Department of Commerce added NSO and Candiru to its Entity List. This effectively prohibited US companies from doing business with Pegasus’s maker. According to a report, this means that it could not buy software and hardware from companies such as Microsoft and Dell. Pegasus is not the only spyware that governments use. According to Meta, a Meta employee had her phone hacked by the Greek national intelligence agency using Predator spyware.
Spyware isn’t the only software that spies on US citizens
It is worth noting what this order doesn’t cover. It defines spyware as software that allows you to gain unauthorized access to a computer. This includes the ability to access data, make audio or video recordings, and track its location. It is common for the government to track people’s locations using technology such as Stingrays. Or it can get data through other methods, such as paying data brokers. Although people may view this as their phones being used as spying devices, the apps that provide this data are not considered spyware.
The order also specifically calls out foreign governments or anyone using spyware to target journalists and politicians. Our own government has a history of electronically monitoring people in those groups inside and beyond its borders. It seems unlikely that spyware would be banned if it were the US that was caught using it improperly.
This is not the only way that spyware can be stopped. Apple has sued NSO Group, and introduced a Lockdown Mode to its devices, which makes it harder to remotely install spyware.