Google’s Threat Analysis Group, in collaboration with the Jigsaw Unit, has recently unveiled a detailed report titled ‘Buying Spying.’ This report sheds light on the concerning activities of commercial surveillance vendors, highlighting the risks they pose to individuals’ privacy. Despite Google’s extensive data collection, the company emphasizes that the dangers presented by these vendors are substantial and real.
The ‘Buying Spying’ report delves into the world of commercial spyware vendors, with Google tracking over 40 such entities. These vendors have created a niche market by developing, selling, and deploying spyware tools. Google warns that the repercussions of these tools extend beyond their initial targets, such as journalists and activists, to threaten broader societal values, including free speech and election integrity. Shane Huntley, a senior director at Google, emphasizes the cascading effects of these technologies on society, calling for a united front to reassess the incentives that have allowed spyware to proliferate.
Google’s research uncovers how commercial spyware vendors (CSVs) exploit security vulnerabilities to collect data from targeted individuals. These CSVs market comprehensive packages that bypass security protocols, enabling unauthorized data harvesting. The report identifies four main groups that foster the growth of the commercial spyware industry: vulnerability researchers, exploit brokers, CSVs, and government clients. Google’s TAG aims for this report to be a catalyst for action, urging collaboration between governments, industries, and civil society to address the challenges posed by CSV technologies.
To mitigate these risks, Google has taken proactive measures by identifying and patching vulnerabilities, particularly zero-day vulnerabilities, and sharing intelligence with industry peers. Furthermore, Google encourages the discovery of such vulnerabilities through its rewards program. For high-risk users, Google offers the Advanced Protection Program, which includes the use of physical security keys to prevent sophisticated phishing attacks and unauthorized access to sensitive data across various Google services. This program is part of Google’s commitment to safeguarding user data and privacy.