U.S. departments restricted from use of commercial spyware by Presidential order

American federal government departments and agencies have been limited from using commercial spyware unless they have approval from the White House.

The restriction came in an executive order issued Monday by President Joe Biden, which says the administration believes technology has to be used in accordance with the rule of law, appropriate safeguards, and oversight.

Without naming brands, the order is aimed at applications used by police forces around the world, without judicial authorization, to surveil opponents. U.S. and Canadian law enforcement and intelligence agencies have to get judicial approval for wiretaps.

It comes after groups such as the University of Toronto’s Citizen Lab have issued detailed reports on the use of commercial spyware by governments, including an application called Pegasus from Israel’s NSO Group. Citizen Lab’s most recent report, on the use of Pegasus in Mexico, was released last October. Last April, Citizen Lab said it warned the U.K. government in 2020 and 2021 of multiple suspected instances of Pegasus spyware infections on devices within official government networks, including the Prime Minister’s Office.

Commercial spyware aimed at consumers can also be found in mobile app stores.

“The United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware,” the presidential order says.

U.S. federal departments and agencies “shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”

In particular, they are banned from using commercial spyware that is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the United States.

Related content: RCMP says spyware only used with court approval

Nor can federal agencies ask a third party to use commercial spyware where it poses significant counterintelligence or security risks to the United States Government, or if it poses significant risks of improper use by a foreign government or foreign person.

However, there is an out: Agencies can use commercial spyware that doesn’t pose significant counterintelligence or security risks to the United States Government, or significant risks of improper use by a foreign government or foreign person.

If an agency decides to make operational use of that type of commercial spyware, the head of the agency shall notify the Assistant to the President for National Security Affairs after doing due diligence on the application.

“I am very pleased with this Executive Order,” said Citizen Lab director Ron Deibert. “There are still areas that are not covered, such as local police and state-level agencies. But this is a huge improvement over the status quo. It is a very positive development for those of us who have been researching this sector for over a decade.”

It will, he said, accomplish several outcomes:

— it will prevent mercenary spyware firms from selling to the U.S. government sector;
— it will send a strong signal to investors and companies in this space that the Wild West days are over;
— it will likely catalyze other governments (especially allies) to do something similar, and hopefully help clean up the worst abuses of the mercenary spyware market that Citizen Lab has been documenting.

The executive order comes alongside a series of other regulatory measures that the Biden administration has taken in recent months, Deibert added, including putting NSO Group, Candiru, and other hack-for-hire firms on the U.S. Commerce Department’s designated entity list, and preventing U.S. intelligence personnel from working for foreign private intelligence firms.

“One hopes,” Deibert said, “that the Canadian government will be inspired to do something similar.”

Canadian Public Safety Minister Marco Mendicino’s office was asked for comment, but no reply was received by publication time.

Separately, Apple and WhatsApp parent Meta are each suing NSO Group. Apple is demanding a permanent injunction to ban NSO Group from using any Apple software, services, or devices. Citizen Lab discovered a now-patched vulnerability that Apple alleges was used by NSO Group customers to break into a victim’s Apple device and install Pegasus. Meta alleges NSO Group installed spy software on 1,400 people, including journalists, human rights activists, and dissidents, by exploiting a bug in its WhatsApp messaging app. Neither civil suit has been heard in court yet.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs