Google’s Threat Analysis Group Publishes Report on How Commercial Surveillance Vendors Operate

Google’s TAG exposes the dark market of spyware, revealing how privacy is traded for surveillance.

Google’s Threat Analysis Group (TAG) has published a report detailing the operations of commercial surveillance vendors (CSVs) that provide spyware tools to governments for spying on journalists, human rights activists, politicians, and dissenters, among other groups.

The report ‘Buying Spying: How the commercial surveillance industry works and what can be done about it’, released on February 6, 2024, underlined that increasing demand for surveillance capabilities by governments across the world incentivizes the development of spyware tools, which gravely impact privacy rights and freedom of speech and expression of the affected individuals as well as society at large.

What is spyware?

The paper defines spyware, also known as an implant or agent, as “surveillance software that is surreptitiously installed on a device to collect the user’s data and send it back to the attacker.” Unlike cybersecurity threats, spyware is generally used to target a small number of individuals.

As the report pointed out, while spyware vendors may point to the use of such tools for law enforcement or to counter terrorist activities, spyware is often abused by governments for objectives that do not fit well within the construct of a free society. This mainly includes snooping on journalists, human rights activists, political opponents, etc., who are categorized as high-risk targets in the TAG report. For example, in October 2023, multiple Indian politicians, mainly from the opposition parties, and journalists reported that they had received an alert from Apple that their iPhones were subjected to a state-sponsored attack. The alert was then probed by the Indian Computer Emergency Response Team (CERT-In).

How do Commercial Surveillance Vendors operate?

Commercial Surveillance Vendors (CSVs) are essentially private companies that develop, trade, and deploy surveillance infrastructure for governments. The report noted that CSVs sell government customers not only spyware but also the “infrastructure needed to communicate with the spyware, referred to as command-and-control (C2), and the ability to monitor and collect data from the targeted device.”

The data that governments look for includes passwords, SMS messages, emails, location, phone calls, and even audio and video recordings. The entire process of delivering spyware onto a target’s device and communicating the extracted data to the attacker requires technical expertise and a greater understanding of the user’s device, applications, and tools. CSVs, big and small private companies based all over the world, have been able to offer governments easy access to spyware for a price.

“Like any other software product company, they have websites and marketing materials, sales and engineering teams, job openings listed on their websites, publish press releases, and even attend conferences. The number of CSVs around the globe is impossible to count, with new companies opening each year and existing ones reincorporating under new names. TAG currently tracks approximately 40 CSVs developing and selling exploits and spyware to government customers,” the report noted.

In addition to government customers, the report identified three main actors that make up the CSV industry:

  • Individual vulnerability researchers and exploit developers: These act as a source for exploits, which are mainly ways to leverage a vulnerability to gain additional access on a system such as operating systems, browsers, and messaging apps. These actors can monetize their work by improving the security of these products or by selling to exploit brokers or directly to CSVs.
  • Exploit brokers and suppliers: These are individuals or companies specialized in selling exploits, located all over the world.
  • Commercial surveillance vendors (CSV): These are also known as Private Sector Offensive Actors (PSOAs) that develop and sell spyware as a product, including the initial delivery mechanisms, exploits, the C2 infrastructure, and tools for organizing the collected data.

The report found that CSVs take different approaches to developing spyware and pitching their products. To illustrate these, the report also provides an overview of five spyware product companies: Cy4Gate and RCS Lab, Intellexa, Negg Group, NSO Group, and Variston.

Among these, the capabilities of the spyware products that the Intellexa Alliance provided to countries like France, Egypt, Saudi Arabia, Libya, Vietnam, etc., were recently documented in detail by Amnesty International in its report ‘Predator Files: Caught in the Net’. Further, several media organizations have widely reported on government espionage carried out using the Israeli NSO Group’s Pegasus spyware, under the Pegasus Project. Over 300 Indians including journalists, activists, politicians, bureaucrats, and businessmen were reported to be on the list of people to be targeted by the NSO Group’s Pegasus spyware, the New York Times revealed in 2021. Read more about the developments in India regarding the Pegasus revelations here and here.

What causes proliferation of spyware tools?

“CSVs enable the proliferation of dangerous hacking tools worldwide. Surveillance tools are expensive to develop and maintain, and the CSV market allows any entity to “pay-to-play” and have a full remote surveillance capability instead of (or in addition to) developing the tools themselves,” the paper noted, adding that as long as there is demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools. Further, as governments continue to buy “off-the-shelf capabilities from the CSV industry,” the paper highlighted that the use of spyware becomes increasingly normalized.

According to Google’s analysis, public reporting and direct legal actions have proved to be inadequate in restricting the activities of the CSVs. The report cited the well-known example of the NSO Group, whose surveillance operations were exposed as early as 2015, but the group continues to sell its tools. The report also stated that to avoid public scrutiny, these companies may change their names multiple times. However, TAG emphasized that public scrutiny can be instrumental in causing temporary cessations or disruption of their activities.

“This both prevents attacks against users, and makes it harder for CSVs to advertise and sell their products. In addition to public scrutiny, we welcome the actions of governments to contain the proliferation of dangerous tools and capabilities which threaten the safety of the Internet ecosystem and threatens the trust on which a vibrant and inclusive digital society depends,” the paper noted.

Read the complete report by Google’s Threat Analysis Group here.

Written By

Curious about the intersection of technology with education, caste and welfare rights. For story tips, please feel free to reach out at sarasvati@medianama.com

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ