Google calls on US to do more to rein in spyware sales, misuse

Google is calling on the government to take more action to combat spyware sales and the misuse of surveillance software, according to a new report.

“The harm is not hypothetical,” Google’s Threat Analysis Group (TAG) said Tuesday in its report, which is titled “Buying Spying,” adding that “spyware vendors point to their tools’ legitimate use in law enforcement and counterterrorism.”

“However, spyware deployed against journalists, human rights defenders, dissidents, and opposition party politicians — what Google refers to as ‘high risk users’ — has been well documented, both by analysis from Google, and by researchers from organizations like the University of Toronto’s Citizen Lab and Amnesty International,” the report reads.

The company specifically called out certain “commercial surveillance vendors” (CSVs), including NSO Group — an Israeli company that developed the notorious Pegasus spyware that grew to be a notable threat to human rights and human rights defenders. Others named in the report were Italian firms Cy4Gate and RCS Labs, Greek company Intellexa, and the lesser-known Italian company Negg Group and Spain’s Variston.

“We hope this report will serve as a call to action,” the TAG report continues. “As long as there is a demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware.”

“We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread so widely,” the group added.

The news comes as the U.S. unveiled a new program Monday to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware, per The Associated Press.

Findings in 2021 concluded that a United Arab Emirates (UAE) agency downloaded Pegasus software on the phone of Hanan Elatr, the widow of the late Washington Post journalist Jamal Khashoggi, months before he was murdered. Elatr later sued NSO Group in 2023, accusing it of violating federal and Virginia hacking laws and negligence in selling the Pegasus spyware to hostile foreign actors. 

“Demand from government customers remains strong and our findings underscore the extent to which CSVs have proliferated hacking and spyware capabilities that weaken the safety of the Internet for all,” the TAG report reads.

“To meet the demand from government customers CSVs find and develop exploits, and have emerged as well-paying customers of exploit developers and brokers, incentivizing exploit sales at the expense of security,” the company wrote.