Deep Diving into President Biden's Commercial Spyware Prohibition
It's less pro-privacy and more pro-American
President Biden published a new Executive Order prohibiting certain uses of commercial spyware by the United States Government. This is the first time an Executive Order has been issued about spyware by any recent President. Federal agencies have previously discussed the use of spyware and the risk it poses in the commercial and private sectors but have not commented regarding the United States’ use of it.
It’s important to note that Executive Orders are “fragile law”—meaning that any sitting President can issue an Executive Order as easily as they can revoke them. So this order doesn’t necessarily have any strong staying power. If there’s enough interest, I might consider writing something on how the administrative state works for the more tech-focused readers here. That being said, there is potential by this order to dictate direction of where the President wants the government to go and it will be interesting to see how much of this is codified in the coming months.
What does the order say?
This is not, as the language initially alludes to, a ban on the use of spyware. The order prohibits “use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.” The order focuses more on ensuring that the tools used by the US are not used by other countries. The order does mention that spyware is used to curb dissent and target journalists but the rest of the order primarily focuses on the American use of such tools rather than a principled objection on the use of spyware.
The preambles of the order state policy concerns on civil liberties and human rights, but it only makes sense to look at this order as a sort of data localization requirement for spyware manufacturers. The order is concerned with risks to the United States government and less about persons.
So what?
Really this effectively is more of a pro-American order that prioritizes American spyware manufacturers and vendors unless it can be determined that it does not “pose significant counterintelligence or security risks to the United States Government.” So this could theoretically ban tools like Pegasus but would not necessarily cover concerns around consumer apps alleged to spy on citizens like TikTok.
The core concern that the Biden administration appears to be targeting is supporting an ecosystem that enables adversaries to purchase the same technology to surveil American officials or persons. It underlines a desire to ensure that spyware companies uphold American values over others. The fact sheet published by the administration focuses more on the contractual alignments between different countries rather than the actual use of technology itself.
The Impact on the Spyware Industry
The executive order, in a sense, draws a line in the sand: if you want to do spyware business with the United States, you have to do so on our terms. It restricts the market for “black hat” groups that may be more interested in selling to the highest bidder or reselling an exploit to multiple countries. From one angle, this could be responding to the fact that some countries, like China, will require that exploits to not be disclosed to outside parties and instead to domestic authorities. However, this seems more like economic pressure or incentive which seem challenging in a $12 billion industry.
The administration claims that this is going to be a start to reforming the industry but the order doesn’t to do much to lay out what reforms the administration has in mind (especially given the seeming lack of awareness of the extent of spyware use in the government). Either way spyware needs to be reigned in because of the dangers to individuals and society, we’ll have to see who gets onboard with a reform.
More Reading: