AP Technology

US rolls out visa restriction policy on people who abuse spyware to target journalists, activists

WASHINGTON (AP) — The Biden administration announced Monday it is rolling out a new policy that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.

The administration’s policy will apply to people who’ve been involved in the misuse of commercial spyware to target individuals including journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted. The visa restrictions could also apply to people who facilitate or get financial benefit from the misuse of commercial spyware, officials said.

“The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses,” Secretary of State Antony Blinken said in a statement announcing the new policy. “The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”

Biden issued a executive order nearly a year ago restricting the U.S. government’s use of commercial spyware “that poses risks to national security.” That order required the head of any U.S. agency using commercial programs to certify that they don’t pose a significant counterintelligence or other security risk, a senior administration official said.

It was issued as the White House acknowledged a surge in hacks of U.S. government employees, across 10 countries, who had been compromised or targeted by commercial spyware — and after the Biden administration effectively blacklisted its most prolific purveyor, Israel’s NSO Group.


A senior administration official who briefed reporters ahead of Monday’s announcement would not say if any particular individuals were in line to immediately be impacted by the visa restrictions. The official spoke on the condition of anonymity under ground rules set by the White House.

Officials said the visa restriction policy can apply to citizens of any country found to have misused or facilitated the malign use of spyware, even if they are from countries whose citizens are allowed entry into the U.S. without first applying for a visa.

Under U.S. law, visa records are confidential, so the State Department is not expected to publicly name individuals impacted by the policy.

Ron Deibert, the director of University of Toronto’s Citizen Lab, a pioneer in exposing spyware mercenaries, called the White House announcement an “important step towards accountability” given that makers of the malware can rebrand and avoid sanctions. He said he wishes the U.S. could publicly “name and shame” those involved.

Still, Deibert said he’s hopeful the measure would “bring some tangible pains to those people who profit from the horrific abuses of spyware, and the domestic and transnational repression that it facilitates. Other countries should follow the U.S. lead.”

Citizen Lab senior researcher John Scott-Railton said the U.S. government, through its multi-pronged punitive strategy, “is constructing a model for the regulation of this industry.” And that should hopefully, he said, chill investment in the mercenary spyware industry — which has come from countries including the U.S. and U.K.

Regulation of the industry in Europe lags behind the U.S., a stark contrast in light of its more rigorous regulation of Big Tech. Critics note that some commercial spyware firms continue to operate in European Union countries.

While the use of commercial spyware by autocratic governments in the Middle East in particular has been rampant, its abuse in recent years in countries including Mexico, Poland, Greece, Spain, Thailand and Hungary against journalists, lawyers and political activists has alarmed the human rights community.

The best known spyware, NSO Group’s Pegasus, has been used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation.

The Biden administration barred U.S. companies from supplying technology to NSO Group in November 2021. That same month, Apple sued the company, which claims it only sells Pegasus to government law enforcement and intelligence agencies for use against terrorists and criminals.

Pegasus was used in Jordan to hack the cellphones of at least 30 people, including journalists, lawyers, human rights and political activists, the digital rights group Access Now announced last week. The hacking with spyware made by Israel’s NSO Group occurred from 2019 until last September, according to Access Now. It did not accuse Jordan’s government of the hacking.

Amnesty International also reported that its forensic researchers had determined that Pegasus spyware was installed on the phone of Washington Post journalist Jamal Khashoggi’s fiancée, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.

___

Bajak reported from Boston.