Skip to main content

New US rules on spyware exports try to limit surveillance tech like Pegasus

New US rules on spyware exports try to limit surveillance tech like Pegasus

/

The rule is supposed to prevent governments from abusing technology to violate human rights

Share this story

A stock privacy image of an eye.
Illustration by Alex Castro / The Verge

The US Department of Commerce announced a new rule to prevent the sale of hacking tools to China and Russia, The Washington Post reports. The Commerce Department outlined the change in a press release on Wednesday, which requires US companies to have a license in order to sell spyware and other hacking software to countries “of national security or weapons of mass destruction concern.”

The rule is complex and purposefully so. If a US company wants to export spyware to a government that poses a national security concern, the company would need a license. But if the software is specifically for cyber defense and not sold to anyone associated with the government, no license would be needed. As The Post explains, companies will need a license to export hacking software and equipment to China, Russia, and other listed nations, whether for cyber defense or not.

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies”

“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights,” said Gina M. Raimondo, the US Secretary of Commerce.

The rule is set to go into effect in late January and targets tools and software like Pegasus. This intrusive software, made by Israel-based company NSO Group, was used by governments to spy on smartphones belonging to journalists and human rights activists. It’s able to steal data from mobile phones and even turn a device’s mic, all while going unnoticed.

Although the US is a member of the Wassenaar Arrangement, a voluntary export control regime that sets rules on the export of dual-use technologies, it’s one of the last of the 42 participating countries to impose restrictions on the sale of hacking tools. Security officials who spoke to The Post say that the US took so long to create the rule due to its complexity — if done incorrectly, having such a limitation could prevent cybersecurity specialists from collaborating with experts from other countries.

The Department of Commerce is allowing a period of 45 days for public comment and then another 45 days to make any additional changes before it officially goes into effect.