WASHINGTON — President Biden signed an executive order Monday restricting the US government’s use of a class of powerful surveillance tools that have been abused by both autocracies and democracies around the world to spy on political dissidents, journalists and human rights activists.
The tools in question, known as commercial spyware, give governments the power to hack into the mobile phones of private citizens, extracting data and tracking their movements. The global market for its use is booming, and some US government agencies have studied or implemented the technology.
Commercial spyware, including Pegasus, made by the Israeli company NSO Group, has also been used against US government officials abroad. On Monday, a senior administration official said at least 50 US government personnel in at least 10 countries had been hacked with spyware, a higher number than previously known.
The executive order prohibits federal government departments and agencies from using commercial spyware that could be abused by foreign governments, could target Americans abroad, or could pose security risks if installed on government networks. The US government order covers only spyware developed and sold by commercial entities, not tools created by US intelligence agencies.
The order is not a blanket ban and allows US agencies to use commercial spyware in some cases.
For example, the Drug Enforcement Administration has deployed an Israeli-made tool called Graphite, made by the Paragon firm, as part of its counternarcotics operations. US officials have indicated they have no plans to end the DEA’s use of the tool, but would review the decision if evidence emerges that other governments have abused Paragon’s hacking tools.
In December, Rep. Adam B. Schiff, a California Democrat and chairman of the House Intelligence Committee at the time, wrote to the DEA chief requesting more information about the agency’s use of the tool.
That month, Congress passed a bill giving the director of national intelligence the power to prohibit the intelligence community from purchasing foreign spyware and requiring the director of national intelligence to submit to Congress a “watch list” that identifies foreign spyware companies that pose a risk to US intelligence agencies.
The executive order signed by Biden on Monday states that for a US government agency to use commercial spyware, officials must determine that the tools “do not pose significant counterintelligence or security risks to the United States government or significant risks of improper use by a foreign government or foreign person.”
Administration officials said the executive order would be central to a message Biden plans to bring to a White House-sponsored meeting, the Democracy Summit, later this week. A White House press release said the order “demonstrates United States leadership and commitment to advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technologies.”
Last week, the director of national intelligence issued new restrictions on former US intelligence agents taking lucrative jobs with foreign governments, including some that are developing advanced technologies to spy on their citizens.
In September 2021, three former US intelligence officers who had worked for DarkMatter, a hacking firm in the United Arab Emirates, admitted to hacking offenses and violating US export laws. Prosecutors said the men helped the Emirates to gain unauthorized access to “acquire data from computers, electronic devices, and servers around the world, including on computers and servers in the United States.”
The most prominent vendor of spyware is NSO Group. Governments from Mexico to India to Saudi Arabia have deployed NSO’s Pegasus spyware against political dissidents and journalists. In November 2021, the Biden administration put NSO and another Israeli spyware company on a Commerce Department blacklist.
Additionally, various US government agencies have purchased or deployed Pegasus. In 2018, the Central Intelligence Agency bought the surveillance tool for the Djibouti government, which used it inside that country. The following year, the FBI bought Pegasus and tested the tool for two years, before ultimately deciding not to implement it.
Documents produced as part of a Freedom of Information Act lawsuit filed by The New York Times against the bureau show that FBI officials lobbied in late 2020 and the first half of 2021 to deploy Pegasus as part of their criminal investigations, including the development of guidelines for federal prosecutors on how the use of hacking tools by the FBI should be disclosed during criminal proceedings.