By VINCENT OWINO

More by this Author

The business of unethically and illegally spying on people’s private digital lives through their devices is booming, and journalists, activists, and opposition politicians are now the main target, a new report by Google shows.

Commercial Surveillance Vendors (CSVs), businesses which exist only to develop and deploy spyware tools, have surged over the last decade, buoyed by governments from across the globe, which have become their main clients.

Google’s “Buying Spying” report published last week reveals how CSVs have silently been sprouting in the shadows, enabled by authoritarian governments seeking to keep dissidents in check and control the media.

The report reveals that these companies appear to be legitimate and market themselves as aiders of law enforcement agencies, claiming to help combat crime and counter terrorism plots.

Read: Ugandan broadcasters threaten to boycott state events

But in the background, they are illegally spying on specific targets, mostly journalists, human rights activists, dissidents and opposition politicians, and governments are now their main clients.

“While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader,” Google warned in the report.

“This type of focused targeting threatens freedom of speech, a free press, and the integrity of elections worldwide.”

The vendors exploit computer security vulnerabilities unknown to users – known technically as zero-day exploits – to plant a spyware into users’ devices, which they use to collect information and relay back to their clients.

The information they collect include passwords, text messages, emails, location, phone calls, and sometimes video and audio recordings, all of which are a breach of data privacy in most jurisdictions globally.

Read: Zimbabwe election disinformation spreads on WhatsApp

While the CSVs now take multiple approaches to accessing their targets’ devices, the most common way is by using fake mobile applications, disguised as apps of legitimate device manufacturers or network service providers.

However, since their applications are not allowed on official app stores, they deploy different techniques to trick their targets into installing them, after which they use them to gain access to their personal information, which is then shared with clients.

Google estimates that CSVs were responsible for slightly more than half of all zero-day exploits executed between 2014 and 2023 on Google products and Android devices. However, this is a conservative estimate and Google believes there could be more.

This means that CSVs, which act almost entirely on behalf of governments, according to the report, are now responsible for more spyware attacks than malicious cyber criminals, who mostly seek to extort targets by blackmailing them.

But while Google says it is doing all it can to keep the CSVs off its platforms, it says in the report that they cannot be stopped unless the demand for their services is curtailed.

“As long as there is a demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware,” Google said.

Read: The dangers Somali journalist face

“We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread so widely.”

“Demand from government customers remains strong and our findings underscore the extent to which CSVs have proliferated hacking and spyware capabilities that weaken the safety of the internet for all.”