WASHINGTON — The Biden administration announced this week it was rolling out a new policy that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.
The administration’s policy will apply to people who’ve been involved in the misuse of commercial spyware to target individuals including journalists, activists, perceived dissidents or their family members. The visa restrictions could also apply to people who facilitate or get financial benefit from the misuse of commercial spyware, officials said.
“The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses,” US Secretary of State Antony Blinken said in a statement announcing the new policy. “The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”
Biden issued a executive order nearly a year ago restricting the US government’s use of commercial spyware “that poses risks to national security.” That order required the head of any US agency using commercial programs to certify that they don’t pose a significant counterintelligence or other security risk, a senior administration official said.
It was issued as the White House acknowledged a surge in hacks of US government employees, across 10 countries, who had been compromised or targeted by commercial spyware — and after the Biden administration effectively blacklisted its most prolific purveyor, Israel’s NSO Group.
The Haaretz daily said the new regulations could target workers, administrators and even investors in companies like NSO.
The paper quoted an Israeli source in the industry as saying that the move appeared to be another step by the Biden administration to pressure Israel regarding the war in Gaza and called the timing “dramatic and concerning.”
“Just like the reports about the withholding of ammunition, just like sanctions on settlers, this is another lever of pressure on Israel to agree to the American conditions,” the source said. “The US understands that these tools are critical to the war and therefore Israel, which cannot afford to completely lose cyber, will be forced to turn to the Americans and talk to them.”
The Israeli industry official also expressed concern that the sanctions could destroy Israel’s commercial spyware industry.
Asked for comment by The Times of Israel, a State Department spokesperson said: “This visa restriction policy is global and can apply to citizens of any country. However, under US law, visa records are confidential, and we cannot provide details as to which individuals are, or will be, affected under this visa restriction policy.”
A senior administration official who briefed reporters ahead of Monday’s announcement would not say if any particular individuals were in line to immediately be impacted by the visa restrictions. The official spoke on the condition of anonymity under ground rules set by the White House.
Officials said the visa restriction policy can apply to citizens of any country found to have misused or facilitated the malign use of spyware, even if they are from countries whose citizens are allowed entry into the US without first applying for a visa. Israel entered the US visa waiver program last year.
Israel launched its war against Hamas in Gaza after thousands of terrorists crossed the border on October 7, killing some 1,200 people and taking another 253 hostages. In response, Israel launched an air and ground offensive aimed at destroying Hamas and freeing the hostages.
While the US has firmly supported Israel’s goal of destroying Hamas, it has been critical of the high number of civilian casualties and repeatedly pressed Israel to act to improve the humanitarian situation in the Strip.
Under US law, visa records are confidential, so the State Department is not expected to publicly name individuals impacted by the policy.
Ron Deibert, the director of University of Toronto’s Citizen Lab, a pioneer in exposing spyware mercenaries, called the White House announcement an “important step towards accountability” given that makers of the malware can rebrand and avoid sanctions. He said he wishes the US could publicly “name and shame” those involved.
Still, Deibert said he’s hopeful the measure would “bring some tangible pains to those people who profit from the horrific abuses of spyware, and the domestic and transnational repression that it facilitates. Other countries should follow the US lead.”
Citizen Lab senior researcher John Scott-Railton said the US government, through its multi-pronged punitive strategy, “is constructing a model for the regulation of this industry.” And that should hopefully, he said, chill investment in the mercenary spyware industry — which has come from countries including the US and UK.
Regulation of the industry in Europe lags behind the US, a stark contrast in light of its more rigorous regulation of Big Tech. Critics note that some commercial spyware firms continue to operate in European Union countries.
While the use of commercial spyware by autocratic governments in the Middle East in particular has been rampant, its abuse in recent years in countries including Mexico, Poland, Greece, Spain, Thailand and Hungary against journalists, lawyers and political activists has alarmed the human rights community.
The best known spyware, NSO Group’s Pegasus, has been used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation.
The Biden administration barred US companies from supplying technology to NSO Group in November 2021. That same month, Apple sued the company, which claims it only sells Pegasus to government law enforcement and intelligence agencies for use against terrorists and criminals.
Pegasus was used in Jordan to hack the cellphones of at least 30 people, including journalists, lawyers, human rights and political activists, the digital rights group Access Now announced last week. The hacking with spyware made by Israel’s NSO Group occurred from 2019 until last September, according to Access Now. It did not accuse Jordan’s government of the hacking.
Amnesty International also reported that its forensic researchers had determined that Pegasus spyware was installed on the phone of Washington Post journalist Jamal Khashoggi’s fiancée, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.