Governments state that they use commercial spyware exclusively for criminal investigations, but critics claim such spyware has purportedly been used for human rights abuses targeting journalists, human rights defenders, lawyers, and political dissidents. Moreover, the U.S. Government and its employees have been allegedly targeted by such spyware. To set an example for governments globally—both authoritarian and democratic—and to advance an international technology ecosystem protecting America’s security, privacy, and human rights, on March 27, 2023, President Biden issued an Executive Order broadly prohibiting executive departments and agencies of the U.S. Government from making operational use of commercial spyware where they determine, based on credible information, that such use poses significant counterintelligence or security risks to the U.S. Government or significant risk of improper use by a foreign government or foreign person. The Executive Order may also affect commercial entities.
According to the Executive Order, commercial spyware may pose counterintelligence or security risks to the U.S. Government when a foreign government or foreign person has used or acquired the commercial spyware to gain or attempt to gain access to U.S. Government computers or the computers of U.S. Government personnel without authorization from the U.S. Government or the commercial spyware was or is furnished by an entity that meets any of the following criteria:
- maintains, transfers, or uses data obtained from the commercial spyware without authorization from the licensed end-user or the U.S. Government;
- has disclosed or intends to disclose non-public U.S. Government information or non-public information about the activities of the U.S. Government without authorization from the U.S. Government; or
- is under the direct or effective control of a foreign government or foreign person engaged in intelligence activities, including surveillance or espionage, directed against the U.S.
The order broadly defines “commercial spyware” as “any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer” in order to do any of the following:
- access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet;
- record the computer’s audio calls or video calls or use the computer to record audio or video; or
- track the location of the computer.
In order to avoid being caught up in the net of restricted software, companies (especially government contractors) will want to ensure that if they are using or making available any type of tracking technology, they adequately disclose such activities to end users in a robust privacy policy and properly obtain consent for such use. Unfortunately, it is all too common for businesses to be unaware of the trackers and technologies on their websites and apps. As we have previously written, it’s important for companies to take technical steps to verify which third parties are present on their sites and apps, and the data transmitted to them, rather than relying on representations made by a vendor.