Facebook’s parent company Meta barred at least seven companies from the platform over the past year that were involved in surveillance-for-hire activities in an effort to disrupt an industry that’s made it increasingly easy to secretly track people online, the company said Wednesday.
“This industry effectively democratizes surveillance, making it available to many more government and nongovernment groups than could build them on their own so they’re exponentially increasing the supply of threat actors in the world,” said Facebook Head of Security Policy Nathaniel Gleicher in a briefing with reporters.
He called on democracies worldwide to step up actions to outlaw these types of firms and activities, saying, “No single company can tackle a society-wide challenge like this alone.”
Meta has made battling spyware on the platform a priority over the past several years. It has an ongoing lawsuit against NSO Group, the notorious Israeli spyware purveyor, alleging that the company violated federal anti-hacking law after deploying its spying software against 1,400 users of WhatsApp, which Meta owns. NSO Group disputes the allegations and has tried and failed to get the lawsuit tossed.
Meta revealed its latest actions in a report released Thursday that was accompanied by a policy paper offering 13 recommendations for confronting the surveillance-for-hire industry. Recommendations include banning the sale of surveillance software, establishing institutions to help victims seek legal recourse and using export control lists to limit the availability of surveillance technologies.
Meta’s research builds on the company’s first surveillance-for-hire report, released last year. That report revealed Meta had blocked the internet infrastructure of seven different surveillance-for-hire firms that may have targeted 50,000 Facebook and Instagram users.
The 2022 report did not state the number of users the surveillance-for-hire companies targeted. In an interview with CyberScoop, Meta’s Director of Threat Disruption David Agranovich said Meta alerts targeted users on a rolling basis. So far this year, he said, Meta has notified users in 200 countries that they’ve been targeted.
“We really think it’s important for not just us, but our industry partners, our partners in government, in civil society to work together to constrain the abuses,” Agranovich said.
One firm Meta named as carrying out spy operations on the platform is CyberRoot Risk Advisory Private, an Indian surveillance-for-hire company that has ties to BellTroX, a similar outfit that Meta banned last year, according to a Reuters investigation.
CyberRoot uses fake accounts to gain targets’ trust, according to Meta, in hopes of gathering intelligence on targets working within a variety of industries such as cosmetic surgery firms in Australia, pharmaceuticals in the U.S. and gambling in the United Kingdom. The firm also focused on activists, journalists and religious leaders in Kazakhstan, Djibouti, Saudi Arabia, South Africa and Iceland.
The company developed relatively sophisticated tactics to evade detection, even using a legitimate marketing tool called Branch to manage phishing links that would send users to a network of malicious websites.
CyberRoot is just one of the surveillance-for-hire firms that Meta named in its report. It also removed hundreds of accounts belonging to firms including New York-based company Social Links, an Israeli company called Cyber Globes, a Russian firm called Avalanche and an unnamed Chinese entity.
Well-known spyware vendors also appear in the report. The Israeli firm Candiru is linked to a network of about 130 accounts that Meta removed from Facebook and Instagram, according to the company. Candiru, co-founded by a former employee of NSO Group, the notorious Israeli spyware company, was blacklisted by the U.S. from operating in the U.S. alongside NSO Group in 2021.
Gleicher said the surveillance-for-hire firms show unusual “persistence,” and have even rebranded entire companies under new names to evade detection after a rash of bad press.
“One of the things we’ve seen within this industry is that they are very ready to keep trying to come back, to keep trying to reestablish their businesses,” Gleicher said. “To counter that we need broader societal deterrence.”
Meta’s investigations showed that despite claims from spyware vendors that their technology is designed to focus on criminals and terrorists, many of the firms spied indiscriminately. Other firms offered customers intelligence on journalists, political opposition and human rights activists, the report said.
Meta’s recommendations come as the Biden administration gears up to release an executive order next year set to rein in the use of spyware by U.S. intelligence agencies. Agranovich told CyberScoop that Meta is aware of the interest around a potential executive order in the U.S. as well as the European Parliament’s inquiry into NSO Group’s Pegasus software, which Meta publicly testified about earlier this year.
“In general, we welcome these efforts to try and constrain the industry,” he said. “They align with some of the recommendations in our paper.”
Corrected Dec. 15, 2022: This story has been corrected to reflect that David Agranovich’s title is director of threat disruption. An earlier version also stated the number of Facebook users potentially exposed to spyware in 2021 was 500,000. The correct number was 50,000.