US president Biden kind of mostly bans commercial spyware

US president Joe Biden on Monday issued an Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security – a title that is not quite as simple it seems.

The order represents a “policy of the United States Government that it shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”

The Order and explanatory statement point out that commercial spyware has been used by authoritarian regimes to target activists and journalists, has been deployed without proper authority in democracies, and poses a security risk to the US and other nations.

But the Order falls short of a complete ban.

The reference to “commercial spyware” leaves open the possibility of government spyware being deployed.

The test of whether commercial spyware is prohibited is also complex, requiring assessment of whether a commercial spyware vendor “is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the United States” or “maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the United States Government.”

The Register can imagine a US-based commercial spyware vendor could structure its affairs to satisfy those requirements – being owned and operated by US citizens and only using spyware with approval could do the trick.

The Order also bars commercial spyware that “poses significant counterintelligence or security risks to the United States Government or poses significant risks of improper use by a foreign government or foreign person.”

Might it be possible to create commercial spyware that doesn’t pose those risks?

The Order also requires the US government to “discourage the improper use of commercial spyware” – still short of a total prohibition.

The document also encourages “the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

The Order is a response to incidents such as discovery that Israel-based NSO Group’s Pegasus spyware, which the company promised it only sold to enable lawful investigations, had in fact been widely deployed for other purposes. The US Department of Commerce assessed it as having been used by “foreign governments that used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

Another alleged target of commercial spyware was Meta’s former security policy manager Artemis Seaford who claims Greece’s government employed another strain of spyware to probe her affairs. Greece’s government is also accused of using spyware to keep tabs on its opponents.

The Order does not mention the forums in which the US intends to work to develop norms for the use of spyware. A recent United Nations report identified “an alarming increase in the use of intrusive and high-risk technologies – including drones, biometrics, artificial intelligence (AI) and spyware – in the global fight against terrorism, without due regard for the rule of law, governance and human rights.”

So that’s one forum that might find it hard to find norms that allow any use of such tools! ®

READ MORE HERE