U.S. Congress takes additional steps to combat spyware

Access Now applauds the U.S. Congress for passing bipartisan legislation to counter foreign commercial spyware that poses a threat to human rights defenders around the world. This legislation will aid efforts to mitigate the threat posed by targeted surveillance technologies, like NSO Group’s notorious Pegasus spyware.

Sec. 6318 of the Intelligence Authorization Act, which was included in the broader 2023 National Defense Authorization Act (NDAA), is primarily aimed at creating protections for U.S. intelligence community personnel. But it could also generate new avenues to address the abusive use of spyware around the world by mandating that the U.S. intelligence community report to Congress on dangerous companies and by promoting international governmental coordination. President Biden signed the 2023 NDAA into law on Friday, December 23.

“The proliferation and use of spyware is one of the greatest human rights challenges of our time, and bold U.S. action is critical to meeting this challenge,” said Michael De Dora, Senior Campaigner at Access Now. “While designed to protect the U.S. intelligence community, this legislation will also bolster efforts to restrict the spread of spyware and hold perpetrators accountable. It is an important step that should serve as a standard for governments around the world to emulate.”

This legislation would: 

  • require that the Director of National Intelligence (DNI) annually submit to Congress a classified “watchlist” identifying foreign spyware companies that pose a risk to the U.S. intelligence community;
  • give the Director the authority to prohibit any element of the intelligence community from engaging in business with a company that has acquired such spyware;
  • require the DNI to issue standards and best practices for U.S. intelligence personnel to protect their devices against spyware; 
  • require the DNI to alert Congressional intelligence committees when a U.S. intelligence community member’s device has been targeted or compromised; and
  • require the DNI to submit to Congress a report on the potential of the U.S. implementing, with allied countries, a common approach to mitigate risks posed by foreign commercial spyware. 

The 2023 NDAA also includes a bipartisan provision, Section 5589(b), that allows the President to prohibit Americans from providing support to any security agency around the world that has used surveillance technology against journalists, human rights defenders, and opposition politicians. Previously, the President could only block Americans from providing services to a foreign military intelligence agency, not to a civilian intelligence or police-type entity.

This is the second year in a row Congress has included spyware-related provisions in the annual NDAA. Last year, it included a measure directing the State Department to develop a list of spyware purveyors with whom the Department should avoid doing business because of their poor human rights records. Access Now supported that measure. However, the State Department has not yet complied with the law. 

In June, the House Permanent Select Committee on Intelligence held a public hearing on the threats posed by foreign commercial spyware like NSO Group’s Pegasus. NSO was added to the U.S. Department of Commerce’s Entity List in November 2021 along with Candiru. 

Access Now will continue to engage Congress and the U.S. administration to take further action on spyware and ensure the protection of digital rights around the world.