US rolls out visa restriction policy on people who misuse spyware to target journalists, activists



The Biden administration announced Monday it is rolling out a new policy that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.

The administration’s policy will apply to people who’ve been involved in the misuse of commercial spyware to target individuals including journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted. The visa restrictions could also apply to people who facilitate or get financial benefit from the misuse of commercial spyware, officials said.

“The United States remains concerned with the growing misuse of commercial spyware around the world to facilitate repression, restrict the free flow of information, and enable human rights abuses,” Secretary of State Antony Blinken said in a statement announcing the new policy. “The misuse of commercial spyware threatens privacy and freedoms of expression, peaceful assembly, and association. Such targeting has been linked to arbitrary detentions, forced disappearances, and extrajudicial killings in the most egregious of cases.”

Biden issued a executive order nearly a year ago restricting the U.S. government’s use of commercial spyware “that poses risks to national security.”

That order required the head of any U.S. agency using commercial programs to certify that they don’t pose a significant counterintelligence or other security risk, a senior administration official said. It was issued as the White House acknowledged a surge in hacks of U.S. government employees, across 10 countries, that had been compromised or targeted by commercial spyware.

A senior administration official who briefed reporters ahead of Monday’s announcement would not say if any particular individuals were in line to immediately be impacted by the visa restrictions. The official spoke on the condition of anonymity under ground rules set by the White House.

Officials said the visa restriction policy can apply to citizens of any country found to have misused or facilitated the malign use of spyware, even if they are from countries whose citizens are allowed entry into the U.S. without first applying for a visa.

Under U.S. law, visa records are confidential, so the State Department is not expected to publicly name individuals impacted by the policy.


Ron Deibert, the director of University of Toronto’s Citizen Lab, a pioneer in exposing spyware mercenaries, called the White House announcement an “important step towards accountability” given that makers of the malware can rebrand and avoid sanctions. He said he wishes the U.S. could publicly “name and shame” those involved,

Still, Deibert said he’s hopeful the measure would “bring some tangible pains to those people who profit from the horrific abuses of spyware, and the domestic and transnational repression that it facilitates. Other countries should follow the U.S. lead.”

While the use of commercial spyware by autocratic governments in the Middle East in particular has been rampant, its abuse in recent years in countries including Mexico, Poland, Greece, Spain, Thailand and Hungary against journalists, lawyers and political activists has alarmed the human rights community.

Perhaps the best known example of spyware, the Pegasus software from Israel’s NSO Group, was used to target more than 1,000 people across 50 countries, according to security researchers and a July 2021 global media investigation, citing a list of more than 50,000 cellphone numbers.

The U.S. has already placed export limits on NSO Group, restricting the company’s access to U.S. components and technology.

Pegasus spyware was used in Jordan to hack the cellphones of at least 30 people, including journalists, lawyers, human rights and political activists, the digital rights group Access Now announced last week.

The hacking with spyware made by Israel’s NSO Group occurred from 2019 until last September, according to Access Now. It did not accuse Jordan’s government of the hacking.

Amnesty International also reported that its forensic researchers had determined that Pegasus spyware was installed on the phone of Washington Post journalist Jamal Khashoggi’s fiancée, Hatice Cengiz, just four days after he was killed in the Saudi Consulate in Istanbul in 2018. The company had previously been implicated in other spying on Khashoggi.