Biden acts to limit US government’s use of spyware
Tools give users power to hack citizens’ phones
WASHINGTON — President Biden on Monday signed an executive order restricting US government use of a class of powerful surveillance tools that have been abused by autocracies and democracies around the world to spy on political dissidents, journalists, and human rights activists.
The tools in question, known as commercial spyware, give governments the power to hack the mobile phones of private citizens, extracting data and tracking their movements. The global market for their use is booming, and some US government agencies have studied or deployed the technology.
Commercial spyware, including Pegasus, made by Israeli firm NSO Group, has also been used against US government officials overseas. On Monday, a senior administration official said that at least 50 US government personnel in at least 10 countries had been hacked with spyware, a larger number than was previously known.
The executive order prohibits federal government departments and agencies from using commercial spyware that might be abused by foreign governments, could target Americans overseas, or could pose security risks if installed on US government networks. The order covers only spyware developed and sold by commercial entities, not tools built by US intelligence agencies.
The order is not a blanket prohibition, and it allows for US agencies to use commercial spyware in some cases.
For instance, the Drug Enforcement Administration has deployed an Israeli-made tool called Graphite, made by the firm Paragon, as part of its counternarcotics operations. US officials have indicated they have no plans to terminate the DEA’s use of the tool, but would revisit the decision if evidence emerges that Paragon’s hacking tools have been abused by other governments.
In December, Representative Adam B. Schiff, Democrat of California and the chairman of the House Intelligence Committee at the time, wrote to the head of the DEA requesting more information about the agency’s use of the tool.
That month, Congress passed a bill that gave the director of national intelligence the power to prohibit the intelligence community from purchasing foreign spyware, and required the director of national intelligence to submit to Congress a “watch list” identifying foreign spyware firms that pose risks to US intelligence agencies.
The executive order signed by Biden on Monday states that for a US government agency to use commercial spyware, officials must determine the tools do not “pose significant counterintelligence or security risks to the United States government or significant risks of improper use by a foreign government or foreign person.”
Administration officials said the executive order would be central to a message Biden plans to bring to a White House-sponsored gathering, the Summit for Democracy, later this week. A White House news release said the order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology.”
Last week, the director of national intelligence issued new restrictions on former American intelligence operatives from taking lucrative jobs with foreign governments, including some that are developing advanced technologies to spy on their citizens.
In September 2021, three former American intelligence officers who had worked for DarkMatter, a hacking firm in the United Arab Emirates, admitted to hacking crimes and violating US export laws. Prosecutors said the men helped the Emirates gain unauthorized access to “acquire data from computers, electronic devices and servers around the world, including on computers and servers in the United States.”