The Washington PostDemocracy Dies in Darkness

Opinion Democracies’ flirtation with spyware raises dangers

(Washington Post staff illustration; Charlie Neibergal/AP/iStock)

If the United States hopes to stem the abuse of spyware by governments around the world, it is going to have to monitor its own behavior as well. That’s what makes a report by the New York Times suggesting the FBI came close to deploying one of the world’s most controversial hacking tools so concerning.

The Times pored over dozens of internal documents and court records about the FBI’s actions with regard to the technology known as Pegasus — the capability developed by Israeli firm NSO Group that can breach devices without a single click from the target. The revelations throw doubt on representations FBI Director Christopher A. Wray made to lawmakers during a closed-door session late last year. His agency, he claimed, purchased the technology only for research and development “to be able to figure out how bad guys could use it, for example.” The real story seems more troubling. The unveiled documents point to the possibility that officials believed Pegasus could play a role in criminal investigations.

That the FBI ultimately decided not to move forward with its plans is reassuring, but only to a point. The decision came after investigations by The Post and other journalists revealed how authoritarian regimes and democracies alike had exploited NSO’s technology to snoop on their citizens, including dissidents and journalists — among them, associates of Post columnist Jamal Khashoggi in the months before his murder in an operation authorized by Saudi Crown Prince Mohammed bin Salman. The Biden administration rightly added NSO along with other similar companies to a blacklist prohibiting it from receiving American technologies.

The problem is, the story doesn’t end here. The FBI has indicated its flirtation with spyware isn’t over. There are justifiable uses for the technology, in theory: to thwart terrorists, for instance, or crack open drug cartels. Yet in practice, even democracies have too often used it to skirt the limits of their constitutions or law. As the technology and its capabilities leap ahead of norms and legal strictures, the task for the United States and other democratic nations is to ensure they procure and employ third-party spyware in a way that avoids undermining civil liberties around the world, not to mention jeopardizing their own national security.

How to do this won’t be easy or always clear, but it is essential. The FBI’s experience underscores an obvious downside to the acquisition of these singularly invasive tools. Israel has been pushing for an end to the prohibition on NSO; its case is easier to make amid indications that the very government punishing the firm considered becoming one of its customers not so long ago. The same will be true if the United States involves itself with other technologies implicated in human rights abuses. President Biden was wise to take the fight to the mercenary spyware industry with its blacklist action, but a more comprehensive approach is necessary. Like-minded nations should be working together to deny exports to and refuse imports from any destination that has a record of abuse or lacks a framework to prevent it — as well as any one that allows its own products to spread to abusers around the world.

Such a strategy, of course, requires that the United States itself come up with a new framework against the abuse of spyware. Developing some rules of the road is especially essential for law enforcement as some departmental uses of spyware would likely focus on American citizens. Transparency is a bare minimum, starting with mandated reporting, both internally and to cleared lawmakers on relevant congressional committees, on what products have been purchased as well as when and how they’ve been used. The public also should know the broad strokes of how spyware is used. Limits on the employment of these tools, ideally to situations such as protecting national security and domestic terrorism investigations, are also important. So are approval requirements; authorities should have to go to court for a warrant as they do when they want to install a wiretap.

Even with all these protections in place, the United States would do well to weigh how much it really gains from buying spyware abroad. Doing so, even from relatively responsible actors, risks lending legitimacy to an industry that, as a whole, is pushing the globe closer to an era of limitless surveillance. The countries most likely to exploit the proliferation of these new spying technologies aren’t nations like this one, some of whose in-house capabilities can already rival anything NSO and its ilk have to offer. On the contrary, the powers that might use them most aggressively are nations, some of them authoritarian, that would otherwise be limited in their snooping capabilities. Before U.S. law enforcement contemplates how it might buy and use spyware, it must contemplate whether it — or any other country — should.

The Post’s View | About the Editorial Board

Editorials represent the views of The Post as an institution, as determined through debate among members of the Editorial Board, based in the Opinions section and separate from the newsroom.

Members of the Editorial Board and areas of focus: Opinion Editor David Shipley; Deputy Opinion Editor Karen Tumulty; Associate Opinion Editor Stephen Stromberg (national politics and policy, legal affairs, energy, the environment, health care); Lee Hockstader (European affairs, based in Paris); David E. Hoffman (global public health); James Hohmann (domestic policy and electoral politics, including the White House, Congress and governors); Charles Lane (foreign affairs, national security, international economics); Heather Long (economics); Associate Editor Ruth Marcus; and Molly Roberts (technology and society).