Exclusive: Senator calls on Commerce to tighten proposed rules on exporting surveillance, hacking tech to problematic nations
Sen. Ron Wyden is asking the Commerce Department to strengthen proposed rules meant to keep U.S. technologies out of the hands of repressive nations that spy on dissidents, journalists and American citizens, arguing that regulators should expand the list of applicable countries and close a loophole that could be used to avoid the restrictions.
The proposed rules promulgated by Commerce’s Bureau of Industry and Security arise from a law that Congress enacted in 2022, and apply to foreign civilian police and intelligence agencies, rather than just military intelligence agencies under previous law. That 2022 law was inspired by a Reuters investigation that revealed how the United Arab Emirates hired former U.S. intelligence operatives to employ cyber-espionage tools against enemies, including the proposed targeting of Americans. Under the proposed rules, the senator said, some of the export controls wouldn’t apply to the UAE.
In a letter to the department Wednesday, first reported by CyberScoop, Wyden — an Oregon Democrat and a co-author of the 2022 law — said the bureau had done important work on the regulations it first proposed in July, but that it needed to go further.
“The proposed export controls will make it harder for regimes to engage in human rights abuses ranging from mass surveillance of their citizens to hacking into the phones of dissidents and independent journalists,” Wyden wrote. “However, we are concerned that the draft rules contain gaps that would allow autocratic governments to continue buying technologies and services from American companies to commit human rights abuses.”
First, the bureau should expand the list of countries subject to the export controls beyond the 23 nations’ foreign security agencies they would apply to because they were under arms embargoes, unilateral economic embargoes or are designated as state sponsors of terrorism. the senator said. That “leaves out many other severely repressive regimes,” like Azerbaijan, Egypt, Laos, Saudi Arabia, Turkmenistan, the UAE and Vietnam.
The list of foreign intelligence agencies subject to the export controls would be longer, 45 in all, but would still exclude those of nations Wyden wrote had “troubling human rights records,” — including Algeria, Brunei, El Salvador, Ethiopia, Hungary, India, Morocco, Thailand, Tunisia, Turkey and Uganda — as well as agencies that conduct espionage or other disruptive operations against the United States.
Second, the bureau should shore up due diligence requirements for exporters and consultants.
“The proposed rules also apply if a U.S. company wants to do business with a private foreign company that provides goods or services to intelligence or security agencies in designated countries,” Wyden wrote. “However, the rules contain a loophole: no license would be required if the foreign company does not disclose its client list. And as a general rule, surveillance companies such as spyware providers don’t reveal which governments they sell to.”
Lastly, the rules should apply to all biometric surveillance technologies, not just facial recognition, the senator contended.
The bureau opened up public comment on the proposed rules at the end of July, then extended that comment period into October.
“We must prevent hack-for-hire business models from circumventing our human rights-based export controls, such as those on cyber-intrusion tools,” Thea D. Rozman Kendler, assistant secretary of commerce for export administration, said in a July 25 news release. “Today, we are proposing enhanced controls on activities supporting foreign police and security services, including those known to violate human rights, as well as new controls on facial recognition technologies that can enable mass surveillance.”
In separate comments, some industry groups have argued the rules will backfire, as the foreign agencies targeted under the export controls would be able to buy the same technologies from foreign competitors and the new rules would create compliance challenges for U.S. companies.
Wyden’s letter comes in the same week the Biden administration released a final rule to limit U.S. foreign investment into sensitive quantum, artificial intelligence and semiconductor tech that could undermine American national security. It particularly targets transactions that would enhance China’s military, intelligence, surveillance or “cyber-enabled” capabilities.