



WASHINGTON President Biden on Monday signed an executive order restricting the US government’s use of a class of powerful surveillance tools that have been abused by autocracies and democracies around the world to spy on political dissidents, journalists and human rights activists.

The tools in question, known as commercial spyware, give governments the power to hack into people’s cellphones, extract data and track their movements. The global market for their use is booming, and some US government agencies have studied or deployed the technology.

Commercial spyware, including Pegasus, made by Israel’s NSO Group, has also been used against US government officials abroad. On Monday, a senior administration official said at least 50 US government personnel in at least 10 countries had been hacked with spyware, a higher number than previously known.

The executive order prohibits federal government departments and agencies from using commercial spyware that could be misused by foreign governments, could target Americans overseas, or could pose security risks if installed on US government networks. The order only covers spyware developed and sold by commercial entities, not tools created by US intelligence agencies.

The order is not a general ban and it allows US agencies to use commercial spyware in certain cases.

For example, the Drug Enforcement Administration has deployed an Israeli-made tool called Graphite, made by the company Paragon, in its counter-narcotics operations. US officials have indicated that they do not plan to end the use of the tool by the DEA, but that they will reconsider the decision if it is found that the Paragons hacking tools have been abused by other governments.

In December, Rep. Adam B. Schiff, a Democrat of California and chairman of the House Intelligence Committee at the time, wrote to the DEA chief asking for more information about the use of the tool by the agencies.

That month, Congress passed a bill that gave the Director of National Intelligence the power to prohibit the intelligence community from purchasing foreign spyware and required the Director of National Intelligence to submit to Congress a list surveillance identifying foreign spyware companies that pose risks to U.S. intelligence. agencies.

The executive order signed by Mr. Biden on Monday states that for a US government agency to use commercial spyware, officials must determine that the tools do not pose significant counterintelligence or security risks to the US government or significant amounts of misuse by a stranger. government or foreign person.

Administration officials said the executive order will be central to a message Mr. Biden plans to deliver to a White House-sponsored rally, the Democracy Summit, later this week. A White House press release said the order demonstrates U.S. leadership and commitment to advancing technology for democracy, including countering the misuse of commercial spyware and other technologies. monitoring.

Last week, the Director of National Intelligence issued new restrictions preventing former US intelligence officers from taking lucrative jobs with foreign governments, including some that develop advanced technologies to spy on their citizens.

In September 2021, three former US intelligence officers who had worked for DarkMatter, a hacking firm in the United Arab Emirates, admitted to hacking crimes and violating US export laws. Prosecutors said the men helped the Emirates gain unauthorized access to acquire data from computers, electronic devices and servers around the world, including computers and servers in the United States. .

The largest spyware vendor is NSO Group. Many governments, from Mexico to India to Saudi Arabia, have deployed the NSO’s Pegasus spyware against political dissidents and journalists. In November 2021, the Biden administration placed NSO and another Israeli spyware company on a Commerce Department blacklist.

Additionally, several US government agencies have purchased or deployed Pegasus. In 2018, the Central Intelligence Agency purchased the surveillance tool for the government of Djibouti, which used it inside that country. The following year, the FBI bought Pegasus and tested the tool for two years, before finally deciding not to deploy it.

Documents produced as part of a Freedom of Information Act lawsuit filed by the New York Times against the bureau show that FBI officials pressed in late 2020 and the first half of 2021 to deploy Pegasus in as part of its criminal investigations, including developing guidelines for federal prosecutors on how the FBI’s use of hacking tools should be disclosed during criminal proceedings.

