Google is warning Congress that the sale of spyware tools is fueling the growth of a commercial surveillance industry that enables governments to track people around the world in unprecedented ways.
Google’s Shane Huntley recently told the House Intelligence Committee that the commercial surveillance industry is thriving and should concern Americans.
“These vendors are enabling the proliferation of dangerous hacking tools, arming nation-state actors that would not otherwise be able to develop these capabilities in-house,” Mr. Huntley said in written testimony. “While the use of surveillance technologies may be legal under national or international laws, they are found to be used by some state actors for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers, and opposition party politicians.”
Spyware, malicious software that facilitates the monitoring of someone’s smartphone or other electronic devices, can give criminals access to people’s messages, microphones and cameras, often without any indication of the snooping.
The spyware is readily available in the high-tech marketplace, and cyberattackers, hackers and governments are all customers of these products.
Americans have become ensnared by these surveillance tools.
SEE ALSO: Biden administration to tap into $1T infrastructure package to extend high-speed internet access
Carine Kanimba, a naturalized U.S. citizen from Rwanda, told intelligence committee lawmakers that the Rwanda government used spyware tools against her family after facilitating the kidnapping of her father.
Ms. Kanimba said the Rwandan government targeting her has relied upon American taxpayers’ money.
“I am told that my surveillance would cost the Rwandan government millions of dollars,” Ms. Kanimba said at an intelligence committee hearing on Wednesday. “Rwanda is the third-most aid-dependent country in the world, foreign aid makes up to 70% of national expenditure, and the U.S. provided 160 million dollars in aid to Rwanda last year. All of you, members of Congress and American taxpayers themselves deserve to know how the government of Rwanda is spending humanitarian aid.”
Lawmakers expressed horror at Ms. Kanimba’s experience. Democratic Reps. Jim Himes of Connecticut and Jackie Speier of California suggested the U.S. should reconsider giving foreign aid to Rwanda.
Among the most pernicious forms of digital surveillance is spyware that relies on “zero-click” flaws, which do not require someone to click on anything for a hacker to gain access to a victim’s device.
Creating tools to protect Americans from surveillance products is difficult.
“Short of not using a device, there is no way to prevent exploitation by a zero-click exploit,” Mr. Huntley wrote. “It’s a weapon against which there is no defense.
Mr. Huntley is part of Google’s Threat Analysis group, a team of about 50 people focused on state-sponsored malware attacks and other threats from major hacking groups. He said 7 of 9 previously unknown vulnerabilities his team discovered last year were created by commercial providers and then sold to state-backed hackers and attackers.
Determining when someone falls victim to spyware is difficult. Mr. Huntley said Google uses a range of tools to detect surveillance and gathers information from outsiders and Google users.
The Toronto-based research group Citizen Lab uncovered an NSO Group exploit last year affecting Apple devices, which captured public attention. Apple later issued a security update. The Biden administration also blacklisted the technology by adding NSO to a Commerce Department list, placing restrictions on the group’s business.
Citizen Lab’s John Scott-Railton told the lawmakers that he finds victims by connecting with people his group believes are likely to become targets of repressive regimes and through work with other companies.
He said Citizen Lab found one exploit on the phone of a woman advocating for women’s rights to drive in Saudi Arabia and in another case a man’s phone was running hot because it was infected with multiple spyware products.
“Typically, with this pretty sophisticated stuff, there would be no sign,” Mr. Scott-Railton said. “There are exceptions.”
Mr. Himes said American public officials are not beyond the reach of commercial spyware customers.
“You can imagine that if this can be in a warehouse in Ghana that nobody, not Mike Pence, not Nancy Pelosi, not Kevin McCarthy, not Adam Schiff … are immune from having their most private deliberations watched,” Mr. Himes said. “And that may be just enough to interfere in our elections, just enough to end our democracies.”