WASHINGTON — President Biden on Monday signed an executive order restricting American government use of a class of powerful surveillance tools that have been abused by both autocracies and democracies around the world to spy on political dissidents, journalists and human rights activists.
The tools in question, known as commercial spyware, give governments the power to hack the mobile phones of private citizens, extracting data and tracking their movements. The global market for their use is booming, and some U.S. government agencies have studied or deployed the technology.
Commercial spyware, including Pegasus, made by the Israeli firm NSO Group, has also been used against American government officials overseas. On Monday, a senior administration official said that at least 50 U.S. government personnel in at least 10 countries had been hacked with spyware, a larger number than was previously known.
The executive order prohibits federal government departments and agencies from using commercial spyware that might be abused by foreign governments, could target Americans overseas or could pose security risks if installed on U.S. government networks. The order covers only spyware developed and sold by commercial entities, not tools built by American intelligence agencies.
The order is not a blanket prohibition, and it allows for American agencies to use commercial spyware in some cases.
For instance, the Drug Enforcement Administration has deployed an Israeli-made tool called Graphite, made by the firm Paragon, as part of its counternarcotics operations. American officials have indicated they have no plans to terminate the D.E.A.’s use of the tool, but would revisit the decision if evidence emerges that Paragon’s hacking tools have been abused by other governments.
In December, Representative Adam B. Schiff, Democrat of California and the chairman of the House Intelligence Committee at the time, wrote to the head of the D.E.A. requesting more information about the agency’s use of the tool.
That month, Congress passed a bill that gave the director of national intelligence the power to prohibit the intelligence community from purchasing foreign spyware, and required the director of national intelligence to submit to Congress a “watch list” identifying foreign spyware firms that pose risks to American intelligence agencies.
The executive order signed by Mr. Biden on Monday states that for an American government agency to use commercial spyware, officials must determine that the tools do not “pose significant counterintelligence or security risks to the United States government or significant risks of improper use by a foreign government or foreign person.”
Administration officials said that the executive order would be central to a message Mr. Biden plans to bring to a White House-sponsored gathering, the Summit for Democracy, later this week. A White House news release said the order “demonstrates the United States’ leadership in, and commitment to, advancing technology for democracy, including by countering the misuse of commercial spyware and other surveillance technology.”
Last week, the director of national intelligence issued new restrictions on former American intelligence operatives taking lucrative jobs with foreign governments, including some that are developing advanced technologies to spy on their citizens.
In September 2021, three former American intelligence officers who had worked for DarkMatter, a hacking firm in the United Arab Emirates, admitted to hacking crimes and violating U.S. export laws. Prosecutors said that the men helped the Emirates gain unauthorized access to “acquire data from computers, electronic devices and servers around the world, including on computers and servers in the United States.”
The most prominent seller of spyware is NSO Group. Numerous governments, from Mexico to India to Saudi Arabia, have deployed NSO’s Pegasus spyware against political dissidents and journalists. In November 2021, the Biden administration put NSO and another Israeli spyware company on a Commerce Department blacklist.
In addition, several American government agencies have either purchased or deployed Pegasus. In 2018, the Central Intelligence Agency bought the surveillance tool for the government of Djibouti, which used it inside that country. The next year, the F.B.I. purchased Pegasus and tested the tool for two years, before ultimately deciding not to deploy it.
Documents produced as part of a Freedom of Information Act lawsuit brought by The New York Times against the bureau show that F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy Pegasus as part of its criminal investigations, including developing guidelines for federal prosecutors about how the F.B.I.’s use of hacking tools would need to be disclosed during criminal proceedings.