The Biden administration plans to issue an executive order restricting how federal agencies can use spyware that poses security risks to the U.S., according to a letter sent to House Intelligence Committee leaders.
According to the letter from the Departments of State and Commerce shared with CyberScoop by Rep. Jim Himes, D-Conn., the forthcoming order plans to “prohibit U.S. Government operational use of commercial spyware that poses counterintelligence or security risks to the United States or risks of being used improperly.”
The letter does not define what would amount to improper use or what these security risks entail — potentially leaving opportunities for the U.S. government to still deploy spyware. Nonetheless, the measure would be the latest effort by the Biden administration to address the privacy risks posed by highly intrusive software used by law enforcement and intelligence agencies around the world.
The prospect of an executive order limiting the use of spyware would likely set up an intense debate between law enforcement and intelligence agencies interested in the technology and surveillance watchdogs in Congress.
The letter — a response to a September request by Himes and a bipartisan group of 13 members of the House Permanent Select Committee on Intelligence expressing concerns about addressing the “unethical uses” of commercial spyware — did not provide a timeline for signing the executive order.
The White House’s National Security Council did not respond to a request for comment.
Foreign governments’ growing use of spyware to surveil dissidents, activists and politicians has raised alarms in Washington and led to growing concerns about how American adversaries could weaponize the technology against U.S. citizens and allies. The U.S. government last year blacklisted Candiru and NSO Group, two Israeli spyware firms, after several high-profile incidents of autocratic governments using NSO Group’s Pegasus software to spy on political opponents, activists and dissidents.
But there is evidence that the U.S. government is interested in deploying these technologies as well, partly in response to the increasing difficulty of obtaining evidence from encrypted devices and messaging services.
The FBI confirmed earlier this year that it had obtained a license for Pegasus, the flagship product of Israel’s NSO Group that has been linked to a long list of privacy and human rights abuses. But FBI Director Christopher Wray told Congress that the agency never used the software and had only obtained the software to better understand how it worked.
But according to a New York Times report from last week, the FBI appears to have come close to deploying the tool and drew up guidelines for federal prosecutors on how the FBI would use the NSO Group’s hacking tools, stoking fears that the U.S. government may embrace the use of invasive spyware.
“If you are going to use a tool like this — let’s say for law enforcement purposes — you better build the Fourth Amendment protections around the use of it, which we have not really been able to do,” Himes said on Thursday at an event hosted by the Center for a New American Security. The conversation as to “whether” and “under what circumstances” law enforcement should use commercial spyware is ongoing, Himes said.
Himes added that it would be negligent for the U.S. to not examine the technology from a research and development standpoint: “I don’t want any technology out there that our people don’t understand.”
Himes said that his legislative priorities include passing a provision in the 2023 Intelligence Authorization Act that would give the president the discretionary authority to sanction persons or entities who trade in spyware or contribute to the construction or deployment of spyware.