Google has just published a comprehensive report titled ‘Buying Insights’ that provides critical insights into commercial surveillance vendors. This report is the outcome of the joint efforts of both the Threat Analysis Group and the Jigsaw Unit at Google. The report unequivocally affirms that these vendors pose a real and significant threat to Google users, notwithstanding the massive amounts of data collected by Google itself.
What Do Google TAG And The Jigsaw Unit Do?
Perhaps best known for uncovering zero-day threats in Google’s own products and those of other vendors, the Threat Analysis Group has a remit to “counter government-backed hacking and attacks against Google and our users.” So, it should come as no real surprise that spyware vendors, specifically commercial spyware vendors, are in the crosshairs. Less well known, but equally as important, is the work done by the Jigsaw Unit within Google. This unit “explores threats to open societies’ and so is also firmly in the tracking of global spyware vendors space.
The ‘Buying Spying: Insights Into Commercial Surveillance Vendors’ Report
The February 6 report, Buying Spying: Insights into Commercial Surveillance Vendors, uncovers those commercial spyware vendors, of which TAG actively tracks 40, that develop, sell and deploy spyware. This lucrative market niche is one of import to both Google users and anyone who values their privacy as Google warns: “The harm is not hypothetical,” and rather than just being deployed to counter-terrorism and within law enforcement boundaries, such spyware is “deployed against journalists, human rights defenders, dissidents, and opposition pay politicians.” The report goes as far as suggesting that such vendors are “enabling the proliferation of dangerous hacking tools.”
Although such spyware is “typically used to monitor and collect data from high-risk users,” Shane Huntley, senior director at Google’s Threat Analysis Group, says, “Its wider impact ripples across society by contributing to growing threats to free speech, the free press, and the integrity of elections worldwide.”
Spyware Exploit Chains Revealed
“CSVs offer pay-to-play tools that bundle an exploit chain designed to get past security measures,” Huntley says, “along with the spyware and the necessary infrastructure, in order to collect the desired data from the targeted user.” Using such tools, the Google research suggests that there are four groups that have found it to be profitable to help evolve the commercial spyware industry: Vulnerability researchers and exploit developers, exploit brokers and suppliers, commercial surveillance vendors or private sector offensive actors and government customers. “TAG hopes this report will serve as a call to action,” Huntley concludes, “as it believes it is time for government, industry and civil society to come together to change the incentive structure which has allowed CSV technologies to spread so widely.”
Google Disrupts Spyware Ecosystem
Google intelligence, gathered by TAG among others, is used to uncover and fix the kind of vulnerabilities, often of the zero-day type, that are used by CSVs. Beyond this, Google also shares the intelligence it has with industry peers, not to mention the publication of information about those spyware campaigns it disrupts. Since November 2010, Google has also used the vulnerability rewards program to encourage and recognize security researchers who help in this regard.
The Google Advanced Protection Program
If you fall into any of the high-risk user categories mentioned earlier, then Google has you covered with something called the Advanced Protection Program. This requires the use of physical security keys which greatly reduce the risk of falling victim to even the most sophisticated of phishing attacks. The APP also protects against malicious downloads when using Chrome and Android, as well as unauthorized access to account data held in Gmail, Drive and Photo accounts. You can learn more about how Google protects high-risk users here.
