A new report released today by Google LLC’s Threat Analysis Group warns of the dangers posed by the commercial surveillance industry and how those providers exploit vulnerabilities in consumer devices to install spyware for governments worldwide.

Commercial surveillance is a practice that allows for the clandestine monitoring of journalists, human rights defenders, dissidents and political figures. Some argue that it threatens the very foundation of individual freedoms and democratic principles.

Google TAG has identified about 40 commercial surveillance vendors, or CSVs, actively engaged in the trade. They sell sophisticated hacking tools that not only serve legitimate law enforcement purposes but are also misused to undermine freedom of speech, a free press and the integrity of global elections.

Although the direct targets of commercial surveillance spyware may be relatively few, Google TAG argues that they have ripple effects on society. The report details the end of an era where only governments possessed the most sophisticated cyber tools to a new era where the private sector now plays a significant role in their development and proliferation.

Google’s TAG has traced half of all known zero-day exploits — cyberattacks that target a previously unknown vulnerability in software or hardware — targeting its products and Android devices back to CSVs, highlighting the direct threat the vendors pose to user security.

“Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to CSVs,” the report notes. “This is a lower bounds estimate, as it reflects only known 0-day exploits where we have high confidence in attribution.”

In response, Google has dedicated teams working to detect, analyze and disrupt the operations of these vendors, with a commitment to user safety.

The report calls for a concerted effort to combat the spread of commercial spyware. “As long as there is a demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware,” the report concludes. “We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread so widely.”

Image: DALL-E 3