Meta

Taking Action Against the Surveillance-For-Hire Industry

Recently, there has been an increased focus on NSO, the company behind the Pegasus spyware (software used to enable surveillance) that we enforced against and sued in 2019. However, NSO is only one piece of a much broader global cyber mercenary industry. Today, as part of a separate effort, we are sharing our findings about seven entities that we removed from our platform for engaging in surveillance activity and we will continue to take action against others as we find them.

What Is Surveillance-For-Hire?

The global surveillance-for-hire industry targets people across the internet to collect intelligence, manipulate them into revealing information and compromise their devices and accounts. These companies are part of a sprawling industry that provides intrusive software tools and surveillance services indiscriminately to any customer — regardless of who they target or the human rights abuses they might enable. This industry “democratizes” these threats, making them available to government and non-government groups that otherwise wouldn’t have these capabilities.

We observed three phases of targeting activity by these commercial players that make up their “surveillance chain”: Reconnaissance, Engagement and Exploitation. Each phase informs the next. While some of these entities specialize in one particular stage of surveillance, others support the entire attack chain.

Although public debate has mainly focused on the exploitation phase, it’s critical to disrupt the entire lifecycle of the attack because the earlier stages enable the later ones. If we can collectively tackle this threat earlier in the surveillance chain, it would help stop the harm before it gets to its final, most serious stage of compromising people’s devices and accounts. See more details on these stages of surveillance attacks in the Threat Report.

Our Enforcement Actions

As a result of our months-long investigation, we took action against seven different surveillance-for-hire entities. They provided services across all three phases of the surveillance chain to indiscriminately target people in over 100 countries on behalf of their clients. These providers are based in China, Israel, India, and North Macedonia. See a full list of entities we took down in the Threat Report.

The “surveillance-for-hire” entities we removed violated multiple Community Standards and Terms of Service. Given the severity of their violations, we have banned them from our services. To help disrupt these activities, we blocked related internet infrastructure and issued Cease and Desist letters, putting them on notice that their targeting of people has no place on our platform. We also shared our findings with security researchers, other platforms, and policymakers so they can take appropriate action.

We alerted around 50,000 people worldwide who we believe were targeted by these malicious activities, using the warning system we launched in 2015. We recently updated it to give people more granular details about the nature of the targeting we detect, in line with the surveillance chain phases described above.

Broader Response to Abuse by Surveillance-For-Hire Groups

The existence and proliferation of these services worldwide raises a number of important questions. While cyber mercenaries often claim that their services and surveillanceware are meant to focus only on criminals and terrorists, our own investigation, independent researchers, our industry peers and governments have demonstrated that targeting is indeed indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists. In fact, for platforms like ours, there is no scalable way to discern the purpose or legitimacy of such targeting. This is why we focus on enforcing against this behavior, regardless of who’s behind it or who the target might be.

To support the work of law enforcement, we already have authorized channels where government agencies can submit lawful requests for information, rather than resorting to the surveillance-for-hire industry. These channels are designed to safeguard due process and we report the number and the origin of these requests publicly.

Protecting people against cyber mercenaries operating across many platforms and national boundaries requires a collective effort from platforms, policymakers and civil society to counter the underlying market and its incentive structure. We believe a public discussion about the use of surveillance-for-hire technology is urgently needed to deter the abuse of these capabilities both among those who sell them and those who buy them, anchored in the following principles:

We’re encouraged to see our peers and governments begin to draw attention to this threat and take action against it. For our collective response against abuse to be effective, it is imperative for technology platforms, civil society and democratic governments to raise the costs on this global industry and disincentivize these abusive surveillance-for-hire services. Our hope with this threat report is to contribute to this global effort and help shine a light on this industry.

See the full Threat Report for more information about our findings and recommendations.