US intelligence bill takes aim at commercial spyware makers

A newly released draft intelligence bill, passed by the Senate Intelligence Committee last week, would require the government to detail the threats posed by commercial spyware and surveillance technology.

The annual intelligence authorization bill, published Thursday, would take aim at private sector spyware makers, like NSO Group and Hacking Team, who build spyware and hacking tools designed to surreptitiously break into a victim’s devices for conducting surveillance. Both NSO Group and Hacking Team say they only sell their hacking tools to governments, but critics say that its customers have included despotic and authoritarian regimes like Saudi Arabia and Bahrain.

If passed, the bill would instruct the Director of National Intelligence to submit a report to both House and Senate intelligence committees within six months on the “threats posed by the use by foreign governments and entities of commercially available cyber intrusion and other surveillance technology” against U.S. citizens, residents and federal employees.

The report would also have to note if any spyware or surveillance technology is built by U.S. companies and what export controls should apply to prevent that technology from getting into the hands of unfriendly foreign governments.

Sen. Ron Wyden (D-OR) was the only member of the Senate Intelligence Committee to vote against the bill, citing a broken, costly declassification system, but praised the inclusion of the commercial spyware provision.

Commercial spyware and surveillance technology became a mainstream talking point two years ago after the murder of Washington Post columnist Jamal Khashoggi, which U.S. intelligence concluded was personally ordered by Saudi crown prince Mohammed bin Salman, the country’s de facto leader. A lawsuit filed by a Saudi dissident and friend of Khashoggi accuses NSO Group of selling its mobile hacking tool, dubbed Pegasus, to the Saudi regime, which allegedly used the technology to spy on Khashoggi shortly before his murder. NSO denies the claims.

NSO is currently embroiled in a legal battle with Facebook for allegedly exploiting a now-fixed vulnerability in WhatsApp to deliver its spyware to the cell phones of 1,400 users, including government officials, journalists and human rights activists, using Amazon cloud servers based in the U.S. and Germany.

In a separate incident, human rights experts at the United Nations have called for an investigation into allegations that the Saudi government used its spyware to hack into the phone of Amazon chief executive Jeff Bezos. NSO has repeatedly denied the allegations.

John Scott-Railton, a senior researcher at the Citizen Lab, part of the Munk School at the University of Toronto, told TechCrunch that the bill’s draft provisions “couldn’t come at a more important time.”

“Reporting throughout the security industry, as well as actions taken by Apple, Google, Facebook and others have made it clear that [spyware] is a problem at scale and is dangerous to U.S. national security and these companies,” said Scott-Railton. “Commercial spyware, when used by governments, is the ‘next Huawei’ in terms of the security of Americans and needs to be treated as a serious security threat,” he said.

“They brought this on themselves by claiming for years that everything was fine while evidence mounted in every sector of the U.S. and global society that there was a problem,” he said.

A passwordless server run by spyware maker NSO sparks contact-tracing privacy concerns