For years, civil society groups, security researchers and human rights organizations have fought and warned against the use of commercial spyware to target activists, journalists, dissidents and other vulnerable groups, with limited success. Today, these organizations are calling on the United States intelligence community to step in and exercise its considerable power to remove the tools that mercenary spyware vendors provide to state actors and other clients.

Companies such as NSO Group and Candiru that sell commercial spyware advertise their wares as a way to keep tabs on suspected terrorists or criminals and often claim that they do not sell to repressive regimes and tightly monitor their systems. But researchers and activists have found many examples of these tools being used by governments and private organizations to target dissidents, journalists and others. Researchers from the Citizen Lab at the University of Toronto’s Munk School have documented the abuse of tools such as NSO Group’s Pegasus for many years, including the targeting of politicians in Catalonia, Poland, Thailand and elsewhere in recent years.

In a Wednesday hearingresearchers from Citizen Lab and Google detailed the extent of the use and abuse of these tools for members of the House Select Committee on Intelligence, and said the companies’ claims of control over their tools ring false .

“The facts do not confirm this. Abuse has been a feature of this technology since day one,” Citizen Lab senior researcher John Scott-Railton said during the hearing. “It is inevitable that non-state actors will get their hands on these capabilities and cause immeasurable damage.”

This harm was made abundantly clear during the testimony of Carine Kanimba, a Rwandan-born US citizen targeted by NSO Group’s Pegasus spyware last year. Kanimba’s adoptive father, a permanent US resident and Rwandan democracy activist, was abducted from Dubai and returned to Rwanda, where he was sentenced to 25 years in prison. Forensic analysis of Kanimba’s phone in the months following his father’s abduction revealed the presence of Pegaus.

“Reports show that the spyware was triggered when I was accompanying my mother to a meeting with the Belgian Foreign Minister. He was active in calls with the team of the US Presidential Envoy for Hostage Affairs and the US State Department, as well as in discussions with US human rights groups. This surveillance is illegal under US law and has allowed the Rwandan government to always stay one step ahead as we fight to keep our father alive and secure his release,” she said in her testimony. .

The use of these tools is no secret, and the federal government has recently taken steps to limit their use, especially in the United States. , effectively prohibiting American companies from doing business with them. And security researchers routinely expose the tools spyware vendors sell, and the exploits and vulnerabilities they use. In order to remain effective against modern devices such as iPhones and Android phones, spyware vendors must have access to zero-day vulnerabilities and exploits, bugs, and techniques that have not yet been publicly disclosed. Many vendors have their own teams of internal researchers who research new vulnerabilities and develop exploits for them, but they will also purchase new bugs from external researchers.

This zero-day and exploit offering is what keeps the bandwagons going for spyware vendors, and Scott-Railton and Shane Huntley, director of Google’s Threat Analytics Group, which tracks state and security actors. ‘Other high profile attackers have said that efforts by private researchers to limit this supply and its effectiveness can only go so far.

“Fighting them has to be a team sport. We all have our own visibility on this, but we don’t have some of the capabilities that the intelligence community has and the things that they are authorized to do,” Huntley said.

“There is very good cooperation in this community, and there has to be, because each of us sees part of the picture. We cannot let adversaries take advantage of any disconnection. We have a common enemy here. It’s not a competition.”

“If the US intelligence community identified those zero days – and they could – and submitted them to the big tech companies, you could burn down their houses.”