Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information websites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
U.S. law governs and constrains the use of surveillance technologies, including technologies that might be defined as spyware, in criminal and intelligence investigations. The Fourth Amendment of the U.S. Constitution, statutory obligations, regulatory measures, and jurisprudence developed by U.S. courts together create a web of constraints, even if there is no specific prohibition of the domestic use of spyware qua spyware in U.S. law. In recent years, some states and local entities have taken action to further constrain certain intrusive surveillance technologies, but this response and its Annex generally focus on federal law and policy.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
General rules on communication interception apply, as described in the criminal law context in the previous section. The Electronic Communications Privacy Act of 1986 (ECPA) is a federal statute that limits the use of electronic surveillance methods and, in keeping with Fourth Amendment principles, requires most surveillance – such as pen registers and wiretaps – to be authorized by a “court of competent jurisdiction.”
3. What kind of data, if any, could be collected with spyware?
U.S. law imposes a burden on authorities to demonstrate that collection meets the kinds of standards articulated in the jurisprudence arising under the Fourth Amendment and potentially other fundamental rights protections in U.S. law.
4. Has there been any official evaluation of the need for, or added value of, spyware?
The United States has evaluated commercial spyware and concluded, in the 27 March 2023 Executive Order, that “[t]he growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development” of an international technology “ecosystem.” The Order goes on to set out the national security and foreign policy interests at stake; that passage is quoted in the Annex below.
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
In criminal investigations, judicial authorities provide authorization for targeted surveillance.
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
Executive, judicial, and legislative bodies oversee surveillance activities. For an example of the overlapping oversight, Section 702 of FISA is subject to oversight by the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI) and other intelligence agencies, the Foreign Intelligence Surveillance Court (FISC), and Congress.
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individual targeted by measures of targeted surveillance?
While Fourth Amendment jurisprudence has determined that certain types of criminal surveillance require government warrants, and a warrant ordinarily entails notice to the person searched, that notice is not required to coincide with the timing of the search or seizure. Under the Electronic Communications Privacy Act, the government may acquire information via surveillance without notice. Warrants are not, in other words, equivalent to a post-surveillance notification system. Additionally, there is no notification mechanism under FISA: the law only requires that the government give notice when the information collected will be used against the person concerned in a proceeding.
United States of America
A. Definition of Spyware
U.S. law provides a definition of spyware in the context of “foreign commercial spyware.” 50 U.S. Code § 3232a (“Measures to mitigate counterintelligence threats from proliferation and use of foreign commercial spyware”) defines “spyware” as:
“. . . a tool or set of tools that operate as an end-to-end system of software to provide an unauthorized user remote access to information stored on or transiting through an electronic device connected to the Internet and not owned or operated by the unauthorized user, including end-to-end systems that—
(A) allow an unauthorized user to remotely infect electronic devices with malicious software, including without any action required by the user of the device;
(B) can record telecommunications or other audio captured on a device not owned by the unauthorized user;
(C) undertake geolocation, collect cell site location information, or otherwise track the location of a device or person using the internal sensors of an electronic device not owned by the unauthorized user;
(D) allow an unauthorized user access to and the ability to retrieve information on the electronic device, including text messages, files, e-mails, transcripts of chats, contacts, photos, and browsing history; or
(E) any additional criteria described in publicly available documents published by the Director of National Intelligence, such as whether the end-to-end system is used outside the context of a codified lawful intercept system.”
A 2023 Executive Order concerning spyware, described in the previous informal response and further below, provides a similar definition for “commercial spyware”:
“The term ‘commercial spyware’ means any end-to-end software suite that is furnished for commercial purposes, either directly or indirectly through a third party or subsidiary, that provides the user of the software suite the capability to gain remote access to a computer, without the consent of the user, administrator, or owner of the computer, in order to:
(i) access, collect, exploit, extract, intercept, retrieve, or transmit content, including information stored on or transmitted through a computer connected to the Internet;
(ii) record the computer’s audio calls or video calls or use the computer to record audio or video; or
(iii) track the location of the computer.”
B. Legal Framework in Criminal Context
As noted in the 8 March response, the Fourth Amendment to the United States Constitution provides the foundation for the U.S. legal framework governing surveillance in the criminal justice system, which would include spyware. The Fourth Amendment provides:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The protections against unreasonable searches and seizures apply in the digital context, even if the extent to which the Fourth Amendment applies or may apply to specific uses of spyware and other surveillance technologies remains subject to further judicial evaluation. Even so, general principles of Fourth Amendment law suggest such technologies would face the same kind of constraints applied to other law enforcement surveillance tools.
The 8 March response noted a series of Supreme Court cases that indicate how Fourth Amendment protections would apply to spyware. Generally speaking, when deployed by law enforcement authorities, spyware clearly involves activity addressed by the Fourth Amendment. Earlier cases indicated that the use of digital technologies to conduct surveillance would be governed by Fourth Amendment principles. See, e.g., United States v. Jones (finding that the warrantless installation and use of a GPS tracking device on a suspect’s vehicle violated the Fourth Amendment) and Riley v. California (finding a warrantless search of a suspect’s mobile phone to be a violation of the Fourth Amendment). The Supreme Court’s landmark 2018 decision in Carpenter v. United States found the warrantless acquisition of historical cell site location information unconstitutional, thus providing individuals with protection against the government seeking personal data held by third parties. Carpenter provided a set of factors for assessing the constitutionality of such surveillance practices when conducted without a judicial warrant, including factors of particular relevance to spyware, such as inter alia the revealing nature of the information collected and the amount of data sought by the government.

Since 2018, applying Carpenter even in situations less intrusive than spyware, “lower courts have applied the Fourth Amendment’s protections to novel surveillance practices in cases involving pole cameras, real-time location tracking, drones, smart utility meters, medical data, social media surveillance, cell site simulators, and more.” Lower courts have also found that Fourth Amendment protections constrain government use of technologies similar to spyware as defined above. For instance, in United States v. Wilson, the court found that law enforcement installation of surveillance malware on a defendant’s computer without a warrant was an illegal search and seizure. The court in United States v. Saboonchi held that law enforcement use of malware to remotely activate the defendant’s laptop webcam was an unconstitutional search. These cases lead to the conclusion that spyware, given its intrusiveness, would likely be governed strictly by warrant requirements and limits on scope of use. That said, the law’s applicability to digital surveillance generally remains in some flux. For instance, an appellate court in United States v. Tuggle found the long-term use of a pole camera to monitor a person’s home to be reasonable under the Fourth Amendment.
C. Legal Framework in the Intelligence Context
The Foreign Intelligence Surveillance Act (FISA) sets out rules for the collection of foreign intelligence through surveillance technologies, subject to the U.S. Foreign Intelligence Surveillance Court (FISC) and the U.S. Foreign Intelligence Surveillance Court of Review. Section 702 of FISA authorizes collection of electronic communications of non-U.S. persons located outside the United States without the need for a warrant. Where a U.S. person is targeted (including citizens, permanent resident aliens, and U.S. corporations), FISA requires a demonstration of probable cause to believe that the “target of the surveillance is a foreign power or agent of a foreign power,” that “a significant purpose” of the surveillance is to obtain “foreign intelligence information,” and that appropriate “minimization procedures” are in place. Authorities are not required to demonstrate the “imminent” commission of a crime.
In a signal of how spyware is disfavored in U.S. policy because of the “counter-intelligence” risks, Public Law 117-263 (50 USC §3232a) authorizes the Director of National Intelligence to prohibit intelligence agencies from entering into contracts with companies that have acquired foreign commercial spyware.
Under the current legal framework in the United States, the most notable explicit prohibition of spyware use by law enforcement agencies is the one imposed by the Executive Order 14093 on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security. The Executive Order is applicable to federal agencies’ (including law enforcement, military, and intelligence) use of certain foreign commercial spyware. As a matter of policy, the Executive Order states that the US “has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware” and intends to advance these interests by establishing “robust protections and procedures to ensure that any United States Government use of commercial spyware helps protect its information systems and intelligence and law enforcement activities against significant counterintelligence or security risks.” To do this the Executive Order establishes “the policy of the United States Government that it shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.” The Executive Order prohibits operational use of commercial spyware by agencies if they determine that such use “poses significant counterintelligence or security risks to the United States”.
The 8 March response noted that the Computer Fraud and Abuse Act (CFAA) provides private individuals or entities with causes of action against the use of spyware, currently the subject of Meta’s lawsuit against Pegasus manufacturer NSO Group in federal court in the United States. The Electronic Communications Privacy Act (ECPA), through the Wiretap Act provisions at 18 U.S.C. § 2511, makes it illegal to “intentionally intercept [...] any electronic communication” and to “use” and/or “disclose” any information which has been intercepted illegally. Further, 18 U.S.C. § 2512 provides that anyone who intentionally “sends through the mail, or sends or carries in interstate or foreign commerce, any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications,” or “manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce,” shall be fined or imprisoned.
Some states have introduced specific binding rules with respect to surveillance. The California Electronic Communications Privacy Act, for instance, requires law enforcement to obtain a warrant before attempting to access electronic devices and prohibits the use of spyware and malware without a warrant other than in limited circumstances. The state of Illinois has a similar rule, and other states may adopt similar restrictions.
The CFAA (18 U.S.C. § 1030) applies to accessing a computer without authorization or in excess of authorized access. One of its offenses specifically covers obtaining, through such access, “information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.”
In the context of criminal investigations, case law concerning communications interception suggests a few principles that apply to certain categories of sensitive information. First, federal courts have found that there is no reasonable expectation of privacy under the Fourth Amendment in IP addresses. Accordingly, this data may be collected by law enforcement without a warrant and used in criminal investigations. Second, under the third-party doctrine, the government may collect a wide array of information about an individual from a third party, often beyond the scope of the Fourth Amendment, subject to the limits Carpenter placed on that doctrine. Thus, the government has been able to obtain an individual’s financial records from a bank and telephone records from a carrier without a warrant.
In the intelligence context, FISA provides the framework under which intelligence agencies may gather phone calls, text messages, emails, and other electronic communications. It is relevant, though not specifically for the use of spyware, that FISA also provides federal authority to compel third parties to hand over data on national security grounds.
The 27 March 2023 Executive Order states: “The United States has a fundamental national security and foreign policy interest in countering and preventing the proliferation of commercial spyware that has been or risks being misused for such purposes, in light of the core interests of the United States in protecting United States Government personnel and United States citizens around the world; upholding and advancing democracy; promoting respect for human rights; and defending activists, dissidents, and journalists against threats to their freedom and dignity.”
In terms of the national security and foreign policy interests, the Executive Order noted that there is value in “ensuring that technology is developed, deployed, and governed in accordance with universal human rights; the rule of law; and appropriate legal authorization, safeguards, and oversight, such that it supports, and does not undermine, democracy, civil liberties, and public safety."
As explained in the 8 March note, the U.S. Government has also evaluated spyware and specifically designated several foreign companies “for their role in developing, operating, and distributing commercial spyware technology used to target Americans, including U.S. government officials, journalists, and policy experts."
Electronic surveillance is considered to be a search in certain circumstances, requiring a warrant.
To obtain such a warrant, the law enforcement agency must show probable cause to believe that the search in question is justified, and it must provide a particular description of the activities to be surveilled, among other requirements. In the intelligence context, the FISC serves as the approval body for the use of surveillance tools.
Oversight Applicable to Targeted Surveillance in General
A. Executive Oversight
Under Executive Order 14086 (October 2022) (“Enhancing Safeguards for United States Intelligence Activities”), the Privacy and Civil Liberties Oversight Board (PCLOB) is responsible for reviewing new policies and procedures implemented by intelligence agencies and conducts an annual review of the Data Protection Review Court’s redress process.
B. Judicial Oversight
The FISC and the Data Protection Review Court (DPRC) are mandated to provide oversight. FISC proceedings are closed due to their classified nature and conducted ex parte. However, when the FISC issues significant opinions, they are provided to Congress and thereafter declassified and released to the public. The DPRC provides a mechanism for redress through independent and impartial review of specific complaints from individuals who allege violations of U.S. law in the conduct of U.S. intelligence activities. Individuals may submit a complaint when they allege a violation in “collecting or handling their data through signals intelligence activities”; the complaint is first examined by the ODNI Civil Liberties Protection Officer (CLPO), whose determinations the DPRC then reviews. The DPRC sits as a panel of three judges who review and decide, on the basis of the CLPO’s findings, whether a violation occurred and what the appropriate remedy should be. The DPRC’s decisions are final and binding.
C. Legislative Oversight
The House Permanent Select Committee on Intelligence (HPSCI) and the Senate Select Committee on Intelligence (SSCI) provide congressional oversight of intelligence activities, including surveillance practices. The HPSCI is responsible for overseeing the United States Intelligence Community and the Military Intelligence Program. The HPSCI has legislative and oversight responsibilities over Intelligence Community programs, policies, budgets, operations, all covert actions, and the collection, exploitation, and dissemination of human intelligence. The SSCI provides legislative oversight concerning the intelligence activities of the US government. The committees do this by inter alia conducting hearings with high-ranking intelligence agency officials; conducting investigations and reviews of intelligence programs; and reviewing intelligence activities and analysis. US law, through the National Security Act of 1947, also “specifically obligates the President to ensure that intelligence agencies keep the committees ‘fully and currently informed’ of their activities, including all ‘significant anticipated intelligence activities’ and all ‘significant intelligence failures,’ and make available any information requested by either of the two committees.” However, the law does not define the categories of information that must be reported, allowing intelligence agencies to choose what information they report. The congressional committees cannot disapprove of “covert action findings” but can “prohibit the expenditure of funds for such activities in subsequent years.”
Oversight Applicable Specifically to Spyware
Public Law 117-263 (50 USC §3232a) (2022) requires U.S. intelligence agencies to provide annual reports assessing counterintelligence threats and “other risks to national security” that “foreign commercial spyware” poses to the United States. The reports are to include “an assessment of the counterintelligence threats and other risks to the national security of the United States posed by the proliferation of foreign commercial spyware.” The law also authorizes the Director of National Intelligence to prohibit intelligence agencies from “entering into any contract or other agreement for any purpose with a company that has acquired, in whole or in part, any foreign commercial spyware.” Public Law 117-81 (22 USC §2679e) (2021) requires the Secretary of State to prepare a list of contractors that have “knowingly assisted or facilitated a cyberattack or conducted surveillance” against the United States or against:
"[i]ndividuals, including activists, journalists, opposition politicians, or other individuals for the purposes of suppressing dissent or intimidating critics, on behalf of a country included in the annual country reports on human rights practices of the Department for systematic acts of political repression, including arbitrary arrest or detention, torture, extrajudicial or politically motivated killing, or other gross violations of human rights."
As noted in the 8 March note, the Secretary of State acted under the Immigration and Nationality Act to restrict visa issuance to those involved in the abuse of commercial spyware. Further, the 27 March 2023 Executive Order discusses the importance of federal oversight of commercial spyware to advance national security and foreign policy interests by “mitigating, to the greatest extent possible, the risk emerging technologies may pose to United States Government institutions, personnel, information, and information systems.”
State Level Oversight on Surveillance
State and local authorities may impose further restraints on surveillance technologies than required under existing federal law. The California Electronic Communications Privacy Act (CalECPA), for instance, requires law enforcement and government entities to obtain a warrant, based on probable cause and supported by an affidavit, before accessing any electronic communications from an individual’s service provider or their electronic device(s). CalECPA gives judges the discretion to confine warrants to relevant information and calls for the sealing and destruction of irrelevant information collected through the warrant. Additionally, the warrant must be specific as to the information sought. Through its warrant requirement, CalECPA regulates all individuals within governmental agencies, including criminal justice, public school, and hospital officials. CalECPA also “requires the government to furnish notice, in all cases [even emergencies], to the target of the investigation, and provides a suppression remedy for evidence gathered in violation of its terms.”
Post-surveillance notification systems do exist in the California legal system. CalECPA has notice requirements pre-surveillance and post-surveillance in cases of delayed notification or emergencies. CalECPA requires government entities, seeking to obtain information through a warrant, to provide contemporaneous notice with a copy of the warrant to identified targets. If the government entity is seeking information through an emergency order, they must notify the targeted individual within three days of receiving the information. Government entities may provide a delayed notice (with court approval) and must provide a court statement detailing the court’s determination and either a copy or summary of the electronic information collected. When an individual cannot be notified, CalECPA requires government entities to provide notice and delayed notice information to the California Department of Justice (CaDOJ). Within ninety days of receiving that information, the CaDOJ must publish their reports on their website.
Available Remedies
FISA provides for individual remedies for the unlawful acts of individual government officers against data subjects. If an officer conducts surveillance on a data subject without obtaining official authorization, and/or the data collected is misused or disclosed, the officer may be subject to suit in US court by the victim. Under FISA’s civil liability provision (50 U.S.C. § 1810), “a data subject who succeeds in suing an individual for conducting unauthorized surveillance may receive actual damages of not less than $1,000 USD, statutory damages of $100 USD per day of unlawful surveillance, and the award of additional punitive damages and attorney’s fees where appropriate.”
Under the ECPA, a statutory suppression remedy is available for unlawfully intercepted wire and oral communications (it does not extend to electronic communications, for which the remedy is civil). Individuals may also sue U.S. companies if those companies engage in activity that violates federal and/or state privacy laws; such lawsuits are available notably under the Stored Communications Act (SCA) or the Wiretap Act. Under the SCA, victims may bring a claim for damages against a service provider that violated the act in disclosing their communications data and did not act in good faith.
As mentioned above, the Data Protection Review Court (DPRC) is another avenue through which individuals can submit complaints of alleged violations in the US government’s surveillance activity when collecting or handling an individual’s data. The DPRC is the second level of a two-level redress mechanism that works alongside the ODNI’s CLPO. To be reviewed, the complainant must be verified by the appropriate public authority, be from a designated country, and satisfy the criteria for a complaint. Once the criteria are satisfied, the public authority submits the complaint to the CLPO for review. If the complaint qualifies, the CLPO investigates whether a violation occurred and what the remedy should be. The CLPO then informs the complainant that its review has been completed. If the individual is not satisfied with the result, they can request a DPRC review. The CLPO or the DPRC can take appropriate remediation measures including: (1) administrative measures to remedy procedural or technical violations relating to otherwise lawful access; (2) terminating acquisition of data where collection is not lawfully authorized; (3) deleting data acquired without lawful authorization; (4) deleting results of inappropriate queries on lawfully collected data; and (5) restricting access to data.
California’s CalECPA makes available remedies for victims, including that “any person in a trial, hearing, or proceeding may move to suppress any electronic information obtained or retained in violation of the Fourth Amendment to the United States Constitution or of [CalECPA]." CalECPA also allows, “individuals, service providers, and others involved in investigations to petition the issuing courts to ‘order the destruction of any information obtained in violation of [CalECPA], or the California Constitution, or the United States Constitution."