Devices from at least 50 U.S. government employees in 10 countries on multiple continents “are confirmed or suspected to have been targeted by commercial spyware,” a senior Biden administration official told reporters on March 27.
That number could even be higher, the senior official added.
In response to the growing threat the technology presents, President Joe Biden on March 27 signed an executive order that prohibits U.S. federal agencies from using commercially developed spyware that poses risks to national security or that threatens to let “foreign actors” enable “human rights abuses” around the world, according to a White House statement.
The mandate will apply to all federal agencies and departments, including defense, intelligence, and law enforcement.
“We are very concerned about the threat of digital authoritarianism and practices around the world, but we are also very cognizant that the misuse of technology can occur in any state,” the senior official said in a call with reporters. “So, we are taking steps to make sure that the way that we would like technology to be used is aligned with human rights and democratic principles all around the world.”
The White House said that Biden’s order will “serve as a cornerstone U.S. initiative” when the second Summit for Democracy is held on March 29–30. Biden will co-host the event with the leaders of Costa Rica, the Netherlands, Korea, and Zambia.
Concern Over Government Abuses
Biden’s order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology,” the White House statement noted.
The mandate will also “serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology, counter the proliferation and misuse of such technology, and spur industry reform.”
For years, human rights advocates and security researchers have voiced caution about risks created by commercial spyware developed in the private sector and mostly sold to governments and nation-states.
The surveillance technology exploits undisclosed defects in iPhone and Android software and steals a person’s call logs, contacts, messages, photos, and real-time location data.
Governments have claimed they use spyware to investigate crimes, but critics claim the technology has been implemented to target people who are critical of their officials and policies.
The order does not list any commercial spyware company by name. Israel-based NSO Group has received criticism for its Pegasus spyware. The technology can hack phones, steal information, record calls, and turn on cameras among other functions. In most cases, the user is not aware.
FBI Use of Pegasus Scrutinized
In December 2021, FBI Director Christopher Wray told lawmakers that the agency had bought a Pegasus license for research and development, “to be able to figure out how bad guys could use it, for example.”
FBI documents disclosed after a Freedom of Information Act lawsuit against the bureau by The New York Times indicate that in 2020 and 2021, agency officials pushed to use the Pegasus hacking tools in criminal investigations.
In 2021, the NSO Group was one of four firms added to the U.S. Department of Commerce’s “entity list” for “engaging in activities that are contrary to the national security or foreign policy interests of the United States.”
The Commerce Department reported in a statement that the NSO Group and Candiru, which is also an Israeli company, were added to the entity list “based on evidence that these entities developed and supplied spyware to foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”
“These tools have also enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists, and activists outside of their sovereign borders to silence dissent,” the statement continued.
Two more firms—Positive Technologies from Russia and Computer Security Initiative Consultancy PTE LTD from Singapore—were also placed on the entity list at that time, which essentially blacklists the companies.
On March 27, the White House added that a growing number of foreign governments around the world “have deployed this technology to facilitate repression and enable human rights abuses, including to intimidate political opponents and curb dissent, limit freedom of expression, and monitor and target activists and journalists.”
“Misuse of these powerful surveillance tools has not been limited to authoritarian regimes,” the statement continued. “Democratic governments also have confronted revelations that actors within their systems have used commercial spyware to target their citizens without proper legal authorization, safeguards, and oversight.”