The U.S. government should prohibit federal agencies from purchasing commercial spyware products in order to address the counterintelligence threat posed by foreign firms, a key witness told lawmakers.
“Right now, doing business with the federal government, getting acquired by a U.S. company or doing business with an American police department is the golden prize for many in the spyware industry,” Citizen Labs’ John Scott-Railton, a senior researcher at the tech savvy human rights group, told members of the House Intelligence Committee. “As long as that remains a possibility for problematic actors, they’re going to get support from investors.”
Scott-Railton testified before the committee Wednesday on the proliferation of tools made by firms like the now-infamous NSO group. Citizen Lab has found the Israeli firm’s Pegasus spyware—which is capable of revealing the contents of a victim’s device without needing them to click on a phishing link—being used to spy on U.S. citizens, despite claims to the contrary.
Reporting from the Washington Post and others has also shed light on a host of public officials, journalists and dissidents from around the world being surveilled with spyware, the market of which has been growing exponentially, and is predominantly tapped by authoritarian governments.
“When we first started working on this, we saw a handful of companies working with a handful of states, now it’s totally out of control,” Scott-Railton said.
Among the firms marketing hacking tools to questionable regimes are Cellebrite—another Israeli firm—and the Swedish firm Micro Systemation AB (MSAB), according to a report the Atlantic Council issued in November.
It’s “shocking to read about abuses of this technology from democratic governments and others, even those that we consider allies,” ranking member Mike Turner, R-Ohio, said.
Cellebrite and MSAB are both on the General Services Administration’s list of approved commercial services, with Cellebrite openly promoted under the services of government contractor Carahsoft. And in February, the FBI acknowledged it had acquired and was testing NSO Group’s hacking tool.
Committee Chairman Adam Schiff, D-Calif., began the hearing by touting the panel’s recent passage of the Intelligence Authorization Act, which he said gives “sweeping new authorities for the [Director of National Intelligence] to prohibit the intelligence community from acquiring and using foreign spyware … [and] block Intelligence Committee contracts with US companies that acquire in whole or in part any foreign spyware tool.”
But the bill’s language doesn’t instruct the director to use the new authorities, saying instead they “may” prohibit such acquisitions. It also allows intelligence community leaders to request the director waive any such prohibitions, particularly for national security reasons.
The legislation also defines “foreign commercial spyware” as a tool “that provides a purchaser remote access to information stored on or transiting through an electronic device connected to the internet,” something Cellebrite points out is not within its specific offerings. The company’s hacking tool—unlike the NSO Group’s—requires customers to have physical access to a device in order to access the contents of end-to-end encrypted messaging apps like Signal and Whatsapp installed on it.
But such capabilities are also cause for concern, according to privacy advocates like the Electronic Frontier Foundation and Access Now, who say governments should hold each other accountable for applying appropriate limits, including for law enforcement or national security purposes.
Editor’s Note: This story has been updated to reflect comments from Cellebrite.