The Biden administration on Monday announced a new executive order that would broadly ban U.S. federal agencies from using commercially developed spyware that poses threats to human rights and national security.
The move to ban federal agencies — including law enforcement, defense and intelligence — from using commercial spyware comes as officials confirmed that dozens of U.S. government personnel had their phones targeted.
Human rights defenders and security researchers have for years warned of the risks posed by commercial spyware, created in the private sector and sold almost exclusively to governments and nation states. This powerful surveillance technology often exploits previously undisclosed flaws found in an iPhone or Android’s software to steal a person’s photos, contacts, call logs, messages and real-time location data. But while governments claim to exclusively use the technology for investigating serious crimes, critics say the spyware has been deployed against journalists, lawyers and human rights defenders, often those who are vocally critical of their governments.
In a call with reporters ahead of the order’s signing, Biden administration officials said that the United States was trying to get ahead of the problem and set standards for other governments and its allies, which buy and deploy commercial spyware. The order is the latest action taken by the government in recent years, including banning some spyware makers from doing business in the U.S. and passing laws aimed at limiting the use and procurement of spyware by federal agencies.
Officials wouldn’t name the specific spyware affected by the executive order, though the criteria would likely affect known government spyware makers and vendors known to sell to authoritarian governments that commit human rights abuses, including NSO Group, Cytrox and Candiru. The officials said the order includes both domestic and foreign-made spyware, as to not incentivize companies to relocate to the United States, but that the list of banned spyware would not necessarily be made public.
The officials warned that the misuse of these surveillance tools is not limited to authoritarian regimes, noting that democratic governments — including European nations like Greece, Spain and Poland — have also relied on commercial spyware.
Last week, former Meta trust and safety manager Artemis Seaford, who holds both U.S. and Greek passports, was confirmed hacked by the Predator spyware, likely at the behest of the Greek government, which denies using the spyware developed by North Macedonian company Cytrox. Seaford, who said she doesn’t know why she was targeted, is the latest known U.S. victim of targeted commercial spyware, including children of targeted journalists living in the U.S. and U.S. government employees working overseas.
In 2021, the iPhones of several U.S. Embassy employees in Uganda were hacked by Pegasus, a spyware developed by Israeli company NSO Group. Biden officials confirmed Monday that at least 50 U.S. federal employees in 10 countries on multiple continents are suspected or confirmed as being compromised by spyware, but could not rule out more instances.
The U.S. also hasn’t escaped questions about its own alleged use and deployment of commercial spyware. The FBI reportedly bought a license for NSO Group’s Pegasus during 2020 and 2021 but said that the license was only for research and development. The Drug Enforcement Administration also uses Graphite, a spyware tool developed by the Israel-based Paragon. The DEA claims to only use the tool outside of the U.S., but would not say if Americans are targeted.
Biden administration officials declined to tell reporters Monday if other U.S. federal agencies are operationally using commercial spyware.
The order is the latest in a rash of responses by the executive branch in recent weeks following years of congressional inaction, including gun violence and voting access. As the executive order was introduced as law by the Biden administration, it can be revoked at any time, including by any subsequent administration.