Global Alliance and Tech Titans Join Forces Against Commercial Spyware Misuse
February 7, 2024
In a move to curb human rights abuses through the misuse of commercial spyware, a coalition of countries, including the U.S., U.K., and France, along with tech giants like Google, Meta, Microsoft, and MDSec, has signed a joint agreement. This initiative, known as the Pall Mall Process, seeks to tackle the uncontrolled spread and irresponsible use of commercial cyber intrusion tools by creating guiding principles and policy options for States, industry, and civil society. The declaration highlights the risks that the uncontrolled distribution of spyware poses to cyber stability, human rights, national security, and digital security.
The U.K. government stated in a press release that malicious use of these tools can allow attackers to access victims' devices, listen to calls, obtain photos, and remotely operate a camera and microphone via 'zero-click' spyware, which requires no user interaction. The National Cyber Security Centre (NCSC) estimates that thousands of individuals are targeted globally by spyware campaigns each year. Deputy Prime Minister Oliver Dowden warned that as the commercial market for these tools grows, so too will the number and severity of cyber attacks.
Notably, Israel, home to several private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa, NSO Group, and QuaDream, did not participate in the event. Hungary, Mexico, Spain, and Thailand, which have been linked to past spyware abuses, also did not sign the pledge. This joint action coincides with the U.S. Department of State's announcement to deny visas for individuals involved with the misuse of dangerous spyware technology.
Spyware such as Chrysaor and Pegasus is licensed to government customers for use in law enforcement and counterterrorism. However, it has also been routinely misused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members. Such intrusions typically use zero-click (or one-click) exploits to secretly deliver the surveillanceware onto the targets' Google Android and Apple iOS devices with the intention of harvesting sensitive information.
Google's Threat Analysis Group (TAG) stated that as long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetuating an industry that harms high-risk users and society at large. TAG revealed in a report this week that it is tracking about 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days. Unknown state-sponsored actors exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as zero-days last year to infect victims with spyware developed by Barcelona-based Variston. These flaws were patched by Apple in April and May 2023.