- The global surveillance-for-hire industry targets people across the Internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts.
- While these “cyber-mercenaries” often claim that their services only target criminals and terrorists, our months-long investigation concluded that the targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opponents and human rights activists.
- We disabled seven entities that targeted people on the Internet in over 100 countries; shared our findings with security researchers, other platforms and policy makers; issued cease and desist warnings; and also alerted people we believe were being targeted to help them strengthen the security of their accounts.
Recently, there has been increased focus on NSO, the company behind the Pegasus spyware (software used to enable surveillance), which we took action against and sued in 2019. However, NSO is only one piece of a much larger global cyber-mercenary industry. Today, as a separate effort, we’re sharing our findings on seven entities that we removed from our platform for engaging in surveillance activities, and we will continue to take action against others as we find them.
What is surveillance-for-hire?
The global surveillance-for-hire industry targets Internet users to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts. These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer, regardless of who they are targeting or what human rights violations they might enable. This industry “democratizes” these threats, making them available to government and non-government groups that otherwise would not have these capabilities.
We observed three phases of targeting activity by these commercial actors that make up their “surveillance chain”: reconnaissance, engagement and exploitation. Each phase informs the next. While some of these entities specialize in a particular stage of surveillance, others support the entire attack chain.
- Reconnaissance: This stage is usually the least visible to targets, who are silently profiled by cyber-mercenaries on behalf of their clients, often using software to automate data collection from across the Internet. These providers pull information from all available online records such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and dark web sites.
- Engagement: This phase is generally the most visible to its targets and critical to spot in order to prevent compromise. It aims to establish contact with targets or people close to them in order to build trust, solicit information and trick them into clicking on malicious links or files.
- Exploitation: The final stage manifests itself in what is commonly referred to as “hacking for hire”. Providers can create phishing domains designed to trick people into giving up their credentials to sensitive accounts such as email, social media, financial services and corporate networks, or into clicking on malicious links to compromise their devices.
Although the public debate has mainly focused on the exploitation phase, it is essential to disrupt the entire attack life cycle, because the earlier stages enable the later ones. If we could collectively tackle this threat earlier in the surveillance chain, it would help stop harm before it reaches its final and most serious stage of compromising people’s devices and accounts. See the Threat Report for more details about these stages of surveillance attacks.
Our enforcement measures
As a result of our multi-month investigation, we took action against seven different surveillance-for-hire entities. They provided services across all three phases of the surveillance chain to indiscriminately target people in over 100 countries on behalf of their clients. These providers are based in China, Israel, India and North Macedonia. See the full list of entities we removed in the Threat Report.
The surveillance-for-hire entities we removed violated several of our community standards and terms of service. Given the seriousness of their violations, we have banned them from our services. To help disrupt these activities, we have blocked their associated internet infrastructure and issued cease and desist letters warning them that their targeting of people has no place on our platform. We have also shared our findings with security researchers, other platforms and policy makers so they can take appropriate action.
We have alerted approximately 50,000 people around the world who we believe were targeted by this malicious activity, using the system that we launched in 2015. We recently updated it to provide people with more specific details about the nature of the targeting we detect, in line with the surveillance chain phases framework we shared above.
Broader response to abuse by surveillance-for-hire groups
The existence and proliferation of these services around the world raises a number of important questions. While cyber-mercenaries often claim that their surveillance services and software are meant to focus only on criminals and terrorists, our own investigation, independent researchers, and our industry and government peers have shown that the targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opponents and human rights activists. In fact, for platforms like ours, there is no scalable way to discern the purpose or legitimacy of such targeting. This is why we are focused on enforcing against this behavior no matter who is behind it or who the target might be.
To support law enforcement work, we already have authorized channels through which government agencies can submit lawful requests for information, rather than resorting to the surveillance-for-hire industry. These channels are designed to ensure due process, and we publicly report the number and origin of these requests.
Protecting people from cyber-mercenaries operating across many platforms and national borders requires a collective effort on the part of platforms, policy makers and civil society to counter the underlying market and its incentive structure. We believe that a public debate on the use of surveillance-for-hire technology is urgently needed to deter the abuse of these capabilities both among those who sell them and those who buy them, grounded in the following principles:
- Greater transparency and oversight: Strong international oversight is needed that sets transparency and “know your customer” standards for this market and holds surveillance-for-hire entities to those standards.
- Industry collaboration: Surveillance efforts manifest differently across technology platforms, making industry collaboration essential if we are to fully understand and mitigate adversarial surveillance efforts.
- Governance and ethics: We welcome national and international efforts to increase accountability through legislation, export controls and regulatory measures. We also encourage broader conversations about the ethics of the use of these surveillance technologies by law enforcement and private companies, as well as the creation of effective victim protection regimes.
We are encouraged to see our peers and governments begin to draw attention to this threat and take action against it. For our collective response to abuse to be effective, it is imperative that technology platforms, civil society and democratic governments raise the costs for this global industry and discourage abusive surveillance-for-hire services. Our hope with this Threat Report is to contribute to this global effort and help shed light on this industry.
See the full threat report for more information on our findings and recommendations.