Buying Spying - How the commercial surveillance industry works and what can be done about it

Google’s Threat Analysis Group (TAG) has released an in-depth report titled “Buying Spying,” detailing the inner workings of the commercial surveillance vendor (CSV) industry and its significant threat to free speech, the free press, and the open internet. The report highlights the rise of private companies selling spyware technology to governments and other actors, enabling them to exploit vulnerabilities in consumer devices and monitor high-risk users such as journalists, human rights defenders, and political dissidents.

TAG actively tracks around 40 CSVs with varying levels of sophistication. The report outlines the structure of the spyware supply chain, identifying four primary groups: vulnerability researchers and exploit developers, exploit brokers and suppliers, commercial surveillance vendors (CSVs), and government customers. CSVs offer turnkey espionage solutions, bundling exploit chains, spyware, and the infrastructure needed to collect data from targeted users. These solutions often rely on zero-day exploits, and CSVs are behind half of the known zero-day exploits targeting Google products and the Android ecosystem. Private sector firms are therefore now responsible for a significant portion of the most sophisticated cyber tools, challenging the notion that governments hold a monopoly on advanced cyber capabilities.

The proliferation of spyware by CSVs causes real-world harm. The report highlights the stories of high-risk users who attested to the fear they felt when these tools were used against them, the chilling effect on their professional relationships, and their determination to continue their important work. The report emphasizes that while prominent CSVs receive public attention, numerous less-noticed entities play a crucial role in developing spyware.

Google is committed to disrupting the threat posed by CSVs and protecting its users. This includes discovering and patching vulnerabilities, sharing intelligence with industry peers, and publicly releasing information about disrupted operations. Google also utilizes its vulnerability rewards program (VRP) to recognize security researchers who help secure the digital ecosystem. Additionally, Google offers tools to protect high-risk users from online threats.

To combat the spyware industry, Google advocates for collective action and concerted international effort. The report supports recent momentum toward global action, including international commitments to limit government use of spyware. The report was released in conjunction with the Pall Mall Process conference, co-hosted by the governments of France and the UK, to build consensus and progress towards limiting the harms from this industry.

To read the complete article see: Buying Spying Report

This post is licensed under CC BY 4.0 by the author.