Buying Spying: How the commercial surveillance industry works and what can be done about it

Updated April 18, 2024: A PDF of "Buying Spying: Insights into Commercial Surveillance Vendors" with updated graphics was uploaded. There are no substantive changes to the text of the report.

Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents and opposition party politicians. These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.

To shine a light on the spyware industry, today, Google’s Threat Analysis Group (TAG) is releasing Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs). TAG actively tracks around 40 CSVs of varying levels of sophistication and public exposure. The report outlines our understanding of who is involved in developing, selling, and deploying spyware, how CSVs operate, the types of products they develop and sell, and our analysis of recent activity.

Key findings

1. While prominent CSVs garner public attention and headlines, there are dozens of others that are less noticed, but play an important role in developing spyware.
2. The proliferation of spyware by CSVs causes real world harm. We partnered with Google's Jigsaw unit to highlight the stories of three high-risk users who attested to the fear felt when these tools were used against them, the chilling effect on their professional relationships, and their determination to continue their important work.
3. If governments ever claimed to have a monopoly on the most advanced cyber capabilities, that era is over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect.
4. CSVs pose a threat to Google users, and Google is committed to disrupting that threat and keeping our users safe. CSVs are behind half of known 0-day exploits targeting Google products as well as Android ecosystem devices.

The business of 0-days and spyware supply chain

Private sector firms have been involved in discovering and selling exploits for many years, but there is a rise in turnkey espionage solutions. CSVs offer pay-to-play tools that bundle an exploit chain designed to get past security measures, along with the spyware and the necessary infrastructure, in order to collect the desired data from the targeted user. Four primary groups have found it profitable to work together — thereby further enabling this industry:

1. Vulnerability researchers and exploit developers: While some vulnerability researchers choose to monetize their work by improving the security of products (e.g., contributing to bug bounty programs, or working as defenders), others use their knowledge to develop and sell exploits to brokers, or directly to CSVs.
2. Exploit brokers and suppliers: Individuals or companies located all over the world, specialized in selling exploits to customers which are often, but not always, governments.
3. Commercial Surveillance Vendors (CSVs) or Private Sector Offensive Actors (PSOAs): Businesses focused on developing and selling spyware as a product, including the initial delivery mechanisms, the exploits, the command and control (C2) infrastructure, and the tools for organizing collected data.
4. Government customers: Governments who purchase spyware from CSVs and select specific targets, craft campaigns that deliver the spyware, then monitor the spyware implant to collect and receive data from their target’s device.

International efforts to combat spyware

Community efforts to raise awareness have built momentum towards an international policy response. Today, we joined representatives from industry, governments and civil society at the conference, The Pall Mall Process: Tackling the Proliferation and Irresponsible Use of Commercial Cyber Intrusion Capabilities. The event was co-hosted by the governments of France and the UK and designed to build consensus and progress towards limiting the harms from this industry. These efforts build on earlier governmental actions, including steps taken last year by the US Government to limit government use of spyware, and a joint statement by eleven governments committing to similar efforts. We hope to see these initial steps followed by more concrete actions from a broader community of nations to reform the industry and shine more light on abuses.

Disrupting the spyware ecosystem to protect users

CSVs have proliferated hacking and spyware capabilities that weaken the safety of the internet for all. This is why we discover and patch vulnerabilities used by CSVs, share intelligence strategies and fixes with industry peers and publicly release information about the operations we disrupt. Since November 2010, we have also used our vulnerability rewards program (VRP) to recognize the contributions of security researchers who invest their time and skills in helping secure the digital ecosystem. Additionally, Google offers a range of tools to help protect high-risk users from online threats. Though these steps help protect users and the internet at large, meaningfully curtailing this market will require collective action and a concerted international effort.

We hope our detailed analysis on CSVs and recommended solutions will support the recent momentum toward global action.

Special thanks to TAG's Aurora Blum for her contribution to this report.