Under a new U.S. policy, the State Department will be able to impose visa restrictions on individuals that are involved with the misuse of commercial spyware.
The policy, which is issued under the Immigration and National Act, is only the latest effort by the U.S. government to curb the sale and usage of spyware tools. It will impact people that have been involved with spyware - either using it or financially benefiting from the use of it in various capacities - to target, spy on or intimidate journalists, activists, and dissidents, or their family members.
“It has quite the blast radius, targeting not just the individuals who develop spyware, but everyone else employed by spyware companies, those companies' C-suites, boards, and investors, even their family members,” Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory, said. “It allows the U.S. to exclude people from traveling to America (be it for vacation, work, study, etc.) without first being put on any sanctions lists, criminally indicted, or convicted.”
Beyond the visa restrictions, the U.S. government is trying to crack down on spyware in a number of other ways. The government previously blacklisted a number of spyware companies - including the well-known vendor NSO Group, as well as ones called Candiru, Intellexa and Cytrox - and last year it released an executive order that prohibits U.S. government use of commercial spyware.
“The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses,” according to the State Department’s Monday announcement. “The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”
A number of challenges still exist, however, in addressing the problem of spyware. These types of tools are widely used by law enforcement and government agencies at a global scale (even reportedly by the U.S. government itself in the past), and the impact of the government’s efforts so far has largely been within the confines of the U.S.
For instance, the executive order applied primarily to agencies within the federal government, and while export controls restrict the export by U.S. companies of technology to these foreign firms, this still has a somewhat limited impact on the organizations as their developers are located abroad. Privacy experts have also said that efforts to contain the spyware market have been a “whack-a-mole” situation, where even if one company is blacklisted, others exist or pop up with similar offerings.
Monday’s visa restrictions policy, however, might be more impactful by helping the U.S. government better target the individuals behind these companies - including developers, operators, investors and buyers - instead of the organizations themselves. The policy is imposed on a case-by-case basis, and that may open the door up for exceptions, but the State Department did not on Monday give further details on how these qualifications will be measured. Still, said Pfefferkorn, “keeping everyone even glancingly related to spyware out of the U.S. is a powerful way to exert pressure.”
“This is a novel and creative measure of imposing costs on spyware companies for their activities that violate the human rights of journalists, dissidents, and others,” said Pfefferkorn.