The big picture: The proliferation of commercial spyware tools created a lucrative global market for individuals and organizations developing software for surveillance and data theft. These are effectively malware that's hard to defend against, so it shouldn't come as a surprise that the US government wants to implement guardrails for their use - specifically, for situations where the US government is not the one using them.

President Biden has signed an executive order that should effectively prevent the US government and any federal agencies from acquiring or licensing commercial spyware tools that have been previously used by other countries for purposes such as systematic surveillance of key officials, journalists, academics, or dissident voices among the general population.

The move isn't a blanket ban but rather a way to deal with the recent explosion of spyware software used to extract (read: steal) sensitive information from a device by exploiting security flaws. These tools have a high risk for abuse, which is one of the reasons why the general public won't be notified about any bans made under the new executive order.

Criteria that can lead to an outright ban on a specific spyware tool include whether or not it has been used by a foreign government to access the private information of a US citizen or to suppress free speech from a person opposing or criticizing a certain regime. Another characteristic would be that a specific tool has clear ties or has been supplied to a government known to engage in political repression or human rights violations.

White House officials won't say what software is on the shortlist for a ban, but they note the order is a direct response to incidents that have led to the devices of roughly 50 US government personnel overseas being compromised in recent years. Examples of companies with mixed track records include NSO Group (known for the infamous Pegasus spyware), Candiru, and Cytrox, whose Predator software was used by the Greek government to spy on a US citizen for a year.

Also worth noting is the order applies to both domestic and foreign companies. Furthermore, any organization that's considered for a ban can take remedial steps to increase trust, such as proving its software hasn't been misused or introducing new safeguards to prevent abuse.

Overall, the new executive order seems to be designed only as a way to alleviate concerns about growing counterintelligence and security risks to the US. It doesn't say whether the US government or any federal agency uses commercial spyware tools on its citizens, nor does it explain how it will encourage "the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values."

Image credit: FLY:D