Commercial surveillance vendors (CSVs), a polite term for companies that sell spyware to anyone willing to pay enough, are a growing menace online that threatens freedom of speech. Nothing new? Perhaps, but this time the accusation comes from Google, of all entities.
The tech giant, routinely criticized for its intrusive and non-consensual data tracking and hoarding policies around the world, appears not to be concerned with the old adage, “When you point the finger, there’s three more pointing back at you.”
Nonetheless, the findings of its in-house threat analysis team serve to highlight the growing urgency of the problem, with CSVs proliferating at a rate that has so far gone largely unnoticed.
“Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents, and opposition party politicians,” said Google in a blog post released February 6th.
“These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices.”
This leads to a knock-on effect, the tech giant warns, because while spyware may only be aimed at select targets at the outset, “its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.”
What’s more, Google fears there are dozens of such actors buzzing away under the radar while the more high-profile spyware firms garner most of the ‘limelight’ – in other words, the problem is likely bigger than most realize.
Bandwagon or genuine concern?
Perhaps Google is merely jumping on a timely bandwagon with its words of warning over the rise of CSVs. The day before it issued its statement, the US State Department took to social media with one of its own, in which it declared the government would henceforward slap sanctions on individuals linked to commercial spyware.
Speaking on behalf of US Secretary of State Antony Blinken, State Department spokesperson Matthew Miller posted on X that his boss “is announcing a new visa restriction policy to address the misuse of commercial spyware.”
In the same tweet, Miller added: “This action will promote accountability for individuals who target or enable the targeting of journalists, activists, dissidents, and marginalized communities.”
But visa ban or no visa ban, Google fears the government is already behind the curve on the issue of CSVs – and, it seems, web-based threats generally.
“If governments ever claimed to have a monopoly on the most advanced cyber capabilities, that era is over,” it said. “The private sector is now responsible for a significant portion of the most sophisticated tools we detect.”
Not only that, but private spyware outfits are behind half of the zero-day exploits seen against Google products. A zero-day is a vulnerability that is exploited before the vendor knows it exists, so there is no patch available and defenders get no warning before it is used against them.
“Private sector firms have been involved in discovering and selling exploits for many years, but there is a rise in turnkey espionage solutions,” it added.
Disturbingly, the word “turnkey” is usually applied to a product that works out of the box with no expertise required. Here Google uses it for offensive tooling: a buyer needs no exploit developers of their own, because the vendor supplies a ready-made package that can be wielded just as easily by the unscrupulous.
“CSVs offer pay-to-play tools that bundle an exploit chain designed to get past security measures, along with the spyware and the necessary infrastructure, in order to collect the desired data from the targeted user,” it added.
They aren’t acting alone
Google says that private surveillance vendors find it profitable to work with a whole supply chain: vulnerability researchers, exploit developers, exploit brokers and other suppliers, and, once again an unsettling trend, government actors.
“Governments who purchase spyware from CSVs and select specific targets, craft campaigns that deliver the spyware, then monitor the spyware implant to collect and receive data from their target’s device,” said Google.
This naturally suggests that while state actors may be falling behind on in-house cyber expertise, as Google asserts, they are more than happy to make up the shortfall by outsourcing to their savvier private-sector counterparts.
In an effort to tackle the problem, Google threw its considerable weight behind a cyber conference co-hosted by France and the UK on February 6th, attended by “representatives from industry, governments, and civil society.” At the event, 35 nations signed a declaration of intent to use spyware more responsibly and to push for greater transparency within the commercial surveillance industry.
“These efforts build on earlier governmental actions, including steps taken last year by the US to limit government use of spyware, and a joint statement by eleven governments committing to similar efforts,” said Google. “We hope to see these initial steps followed by more concrete actions from a broader community of nations to reform the industry and shine more light on abuses.”