Clamping Down on Commercial Spyware

Biden Administration issues executive order prohibiting federal contracts with spyware firms.

Pegasus, the winged horse, could never imagine its name would become synonymous with one of the most potent malicious spyware tools ever created. But in 2020, the Project Pegasus investigation sparked global outrage over the use of commercial spyware by non-democratic governments to surveil journalists and civilians. Foreign governments even used the Pegasus spyware against U.S. government employees.

In a more recent response to Project Pegasus, President Joseph R. Biden signed an executive order banning federal agencies from doing business with vendors that sell spyware that undermines U.S. interests. The order seeks both to promote universal human rights as well as to protect the U.S. government and its personnel from counterintelligence and security threats.

The recent executive order is part of the Biden Administration’s concerted effort to regulate spyware following the Project Pegasus investigation. Through the order, the United States aims to lead the world by example as it creates new boundaries for the use of commercial spyware. According to the Biden Administration, the order complements additional actions to limit the operational use of commercial spyware, including identifying commercial entities that proliferate spyware threatening the United States and its interests, and enacting more stringent export controls on spyware.

The order directs how U.S. agencies should guarantee that they, and any entity acting on their behalf, use only approved spyware. For example, if relevant information on a prohibited use arises, the order tasks the appropriate U.S. agency with certifying that the commercial spyware does not pose a risk to the United States.

Furthermore, the order includes instructions that bar the U.S. government from using any spyware not developed in the United States. In addition, the order prohibits the use of any spyware directly or indirectly owned by a foreign government or person engaged in counterintelligence actions against the United States. It also bans the use of commercial spyware developed by a vendor if the vendor knew or should have known that an entity used its spyware in violation of the prohibited uses and did not act to remediate that use.

Nevertheless, President Biden’s executive order does not impose a complete ban on commercial spyware. Instead, it provides general guidelines on what constitutes legitimate spyware and legitimate use of spyware. The exact nature of violations of the order, however, is not explicitly defined and is open to interpretation. Some experts worry that this undefined prohibition may lead to politicized use of the order. The order also refers only to “operational use,” so non-operational procurement and use of prohibited spyware may be permitted.

The order maintains that any commercial spyware not authorized by the U.S. government poses a risk to the United States, and it outlines the commercial spyware authorization process. The order specifies that the responsibility of collecting data on commercial spyware and determining its risks within the U.S. government lies with the U.S. Director of National Intelligence.

The designation of one entity to periodically collect information from the various administrative agencies is essential to avoid cross-agency confusion. Currently, though, the order does not require the director to share any information on banned spyware with the public whom it aims to protect.

The order leaves room for the temporary bypass of prohibitions on the U.S. government’s use of commercial spyware in “extraordinary circumstances,” where there is no alternative. Moreover, it conditions the waiver on prompt notice to the President by the appropriate agency and a maximum effective period of one year. It does not, however, include any additional oversight or retroactive action following the use of the waiver.

The White House stated that the order will not be limited to domestic use but will “serve as a foundation to deepen international cooperation to promote responsible use of surveillance technology.” In addition, the order may have the positive effect of deterring foreign governments from purchasing prohibited commercial spyware.

Critics of the order worry about its limited nature. Because it is an executive order, any future administration could revoke it. Critics also point to the refusal of U.S. officials to divulge information on commercial spyware currently used by the U.S. government, despite the government’s continued use of spyware.

Critics also note that the requirement for vendor self-regulation places the sole responsibility for permitted use on the vendor and not on the end user. The order may therefore limit the market for commercial spyware to only the most established U.S. vendors, who possess the most comprehensive supervision capabilities.

In addition, despite White House statements, the order does not explicitly refer to cooperation with foreign entities to ensure compliance. Nor does the order mention international bodies with which the United States could further regulate the use of commercial spyware, not just its proliferation.

Prior to the issuance of the order, the U.S. government based its regulation of commercial spyware on the identity of the end user. The new order’s focus on use, and the regulatory tools it provides, create new ways for U.S. agencies to supervise commercial spyware, but they also open the door to a whole new set of regulatory questions for private actors.