In a positive, albeit limited, step to address spyware abuse, the U.S. State Department has announced a new visa sanctions policy that will deny visas to any individuals who are involved in, facilitate, or derive financial benefit from the misuse of commercial spyware around the world.
Spyware is a scourge on democracy, and individuals who engage in or profit from spyware-enabled human rights violations must face consequences, including restrictions on their travel to the U.S. This new policy underscores once again that the U.S. will hold spyware abusers accountable. Yet without knowing who is being sanctioned, it is difficult to understand whether such programs have in fact been used appropriately or had any impact.Access Now U.S. Policy and Advocacy Manager Michael De Dora
The new policy was issued under Section 212 (a)(3)(C) of the Immigration and Nationality Act. It is an expansion of the February 2021 Khashoggi Ban, which allowed for visa sanctions on individuals, and their family members, acting on behalf of a foreign government and who engaged in counter-dissident activities — including the use of spyware. This new policy casts a wider net to encompass anyone involved in or financially benefiting from the misuse of spyware, as well as their family members.
Civil society can submit cases for consideration, but the U.S. government does not disclose the names of sanctioned individuals. In addition, the individuals sanctioned may not know they are flagged unless they attempt to travel to the U.S.
This is the latest in a series of actions against spyware taken by the Biden administration, including a March 2023 executive order that prohibited the U.S. government’s operational use of commercial spyware posing risks to national security or human rights; the addition of multiple spyware companies to the economic blocklist in November 2021 and July 2023; and leading an 11-country joint statement calling for strict controls on commercial spyware.
The secrecy of this visa restriction program reduces its ability to deter individuals from bad behavior or set precedent, including in other jurisdictions, for future actions. Nonetheless, the policy arsenal now at the U.S.’ disposal lays out a potential roadmap for ending spyware abuse, which other governments should follow.Access Now Surveillance Campaigns Lead, Rand Hammoud
As next steps, Access Now recommends that the Biden administration:
- Levy Magnitsky sanctions against notorious spyware companies, such as NSO Group;
- Apply this new policy retroactively to executives, partners, and investors of spyware companies added to the Department of Commerce Entity List, or flagged in accordance with the March 2023 executive order;
- Continue to add spyware companies to the Entity List; and
- Support Congressional efforts to codify the Biden administration’s executive order into law and empower the State Department to publicly name individuals sanctioned under Section 212 (a)(3)(C) authority.