Overview
On March 27, 2023, President Biden signed the Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security (EO), restricting federal agencies’ use of commercial spyware. The Biden Administration cited targeted attacks utilizing commercial spyware on U.S. officials and human rights abuses abroad as motivations for these restrictions.
Usage Restrictions
The EO is not a blanket ban on commercial spyware.[1] Instead, it bars federal government agencies from using commercial spyware tools if they pose significant counterintelligence or security risks to the U.S. government, or significant risks of improper use by a foreign government or foreign person, including to target Americans or enable human rights abuses. Indirect use of such spyware (e.g. through a contractor or other third party) is also prohibited. The EO establishes risk factors indicative of prohibited commercial spyware, including:
- Past use of the spyware by a foreign entity against U.S. government personnel or devices;
- Past use of the spyware by a foreign entity against U.S. persons;
- The spyware was or is furnished by an entity that maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. government, or has disclosed or intends to disclose non-public information about the U.S. government or its activities without authorization from the U.S. government;
- The spyware was or is furnished by an entity under the direct or effective control of a foreign government or foreign person engaged in intelligence activities directed against the United States;
- A foreign actor uses the commercial spyware to limit freedoms of expression, peaceful assembly or association; or to enable other forms of human rights abuses or suppression of civil liberties; or
- The spyware is furnished to governments that have engaged in gross violations of human rights, whether such violations were aided by the spyware or not.