As the commercial spyware market explodes, the security industry and the U.S. government alike are exploring a number of ways to curb the sale and usage of surveillance tools.
However, they face an array of challenges. Though spyware tools violate privacy and human rights, they are used widely by law enforcement, intelligence and government agencies – even reportedly by the U.S. government itself – and it’s difficult to contain something at such a global scale. At this point there are also more and more companies offering up spyware tools and capabilities. Privacy experts describe a “whack-a-mole” situation where, even if one company is blacklisted, sued or otherwise, there are numerous others with the same offerings.
In its latest move against spyware on Tuesday, the U.S. government added two entities – Intellexa and Cytrox – to the Department of Commerce’s export control list “for trafficking in cyber exploits used to gain access to information systems, thereby threatening the privacy and security of individuals and organizations worldwide.” Intellexa and Cytrox (which, according to Cisco Talos, is owned by Intellexa) are known for providing law enforcement and intelligence agencies with the Predator spyware, which has various information-stealing, surveillance and remote-access capabilities.
The export control listing is one way the U.S. government is trying to crack down on spyware. In order to export software or hardware to entities on this list, U.S.-based companies must apply for a license from the Department of Commerce’s Bureau of Industry and Security – and, based on the license review policy, they will likely be denied. Cisco Talos researchers, who have previously analyzed the Predator spyware, said that the news is “an important step” in curbing spyware.
“This decision prevents these companies from acquiring exploits used to deploy their spyware – which is the more volatile component of the whole spyware ecosystem,” said Nick Biasini, head of outreach, and Vitor Ventura, lead security researcher with Cisco Talos. “Every time a patch is released for iOS or Android platforms, an exploit becomes useless pretty quickly depending on how fast users apply the updates. Most notably, this decision shows the will and action by the Biden administration against those that have shown willingness to abuse these technologies against their own citizens, activists and dissidents.”