US federal government departments and agencies are prohibited from using commercial spyware unless they have approval from the White House.
The ban came in an executive order issued by President Joe Biden on Monday, which says the administration believes the technology should be used in accordance with the rule of law, appropriate safeguards and oversight.
Without naming the brands, the order is aimed at applications used by police forces around the world to surveil opponents, without judicial authorisation. US and Canadian law enforcement and intelligence agencies must obtain judicial approval for wiretaps.
It comes after groups such as the University of Toronto’s Citizen Lab released detailed reports on the use of commercial spyware by governments, including an application called Pegasus from Israel’s NSO Group. Citizen Lab’s most recent report on the use of Pegasus in Mexico was released last October. Last April, Citizen Lab said it had warned the UK government of several suspected instances of Pegasus spyware infection on equipment from official government networks, including the Prime Minister’s Office, in 2020 and 2021.
Commercial spyware targeted to consumers can also be found in mobile app stores.
The presidential order states, “Deterring and preventing the spread of commercial spyware is a fundamental national security and foreign policy matter of the United States.”
US federal departments and agencies “shall not make operational use of commercial spyware that poses a significant counterintelligence or security risk to the United States government or a significant risk of improper use by a foreign government or foreign person.”
Specifically, they are prohibited from using commercial spyware that is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the United States.
Nor can federal agencies ask a third party to use commercial spyware where it poses a significant counterintelligence or security risk to the United States government, or poses a significant risk of improper use by a foreign government or foreign person.
However, there is an exception: agencies may use commercial spyware that does not pose a significant counterintelligence or security risk to the United States government, or does not pose a significant risk of improper use by a foreign government or foreign person.
If an agency decides to make operational use of that type of commercial spyware, the head of the agency will notify the Assistant to the President for National Security Affairs after due diligence on the application.
“I am very pleased with this executive order,” said Ron Deibert, director of Citizen Lab. “There are still areas that are not covered, such as local police and state-level agencies. But this is a vast improvement on the status quo. This is a very positive development for those of us who have been working for more than a decade doing research in this area.”
This, he said, would accomplish several outcomes:
– It would prevent mercenary spyware firms from selling to the US government sector;
– It will send a strong signal to investors and companies in this space that the Wild West days are over;
– It will likely catalyze other governments (especially allies) to do something similar, and hopefully help clean up the worst abuses of the mercenary spyware market that Citizen Lab is documenting.
The executive order comes alongside a series of other regulatory measures the Biden administration has taken in recent months, Deibert said, including placing NSO Group, Candiru and other hack-for-hire firms on the US Department of Commerce’s Designated Entity List and barring American intelligence personnel from working for foreign private intelligence firms.
“Hopefully,” Deibert said, “the Canadian government will be inspired to do something similar.”
The office of Canada’s Minister of Public Safety Marco Mendicino was asked for comment, but no reply was received by publication time.
Separately, Apple and WhatsApp parent Meta are each suing NSO Group. Apple is asking for a permanent injunction prohibiting NSO Group from using any Apple software, services or equipment. Citizen Lab discovered a now-patched vulnerability that Apple alleges was used by NSO Group customers to break into a victim’s Apple device and install Pegasus. Meta alleges NSO Group took advantage of a bug in its WhatsApp messaging app to install spying software on the devices of 1,400 people, including journalists, human rights activists and dissidents. So far neither civil suit has been heard in court.