Meta calls on the EU to step up the fight against spyware

Meta is ramping up pressure on European officials to crack down on the burgeoning commercial spyware industry, after the company announced it had disrupted a number of Italian and Spanish firms that were advertising their surveillance services in plain sight. These firms were, in some cases, targeting people inside Europe, Meta says—surreptitiously accessing their devices and collecting data from them in violation of the government’s data privacy laws.

“EU data protection authorities have a unique opportunity here to regulate spyware companies operating in Europe by requiring that the spyware companies comply with existing data protection regulations,” David Agranovich, Meta’s director of global threat disruption, said on a call with reporters this week.

Meta’s call-to-action came Wednesday as part of its annual threat intelligence report, which revealed findings from the company’s investigations on eight separate spyware firms operating in Italy, Spain, and the United Arab Emirates. Meta said the firms—which employed a variety of underhanded tactics including phishing and social engineering to surveil targets—carried out their campaigns on more than a dozen tech platforms including Instagram, Facebook, TikTok, and YouTube.

While the company has kicked similar spyware purveyors off its platforms before, including those originating in Israel, China, India, Russia, and the U.S., Agranovich said Europe is uniquely poised to curtail its domestic spyware industry because of the strength of its privacy laws. That kind of government intervention is especially essential now that these vendors are  growing more sophisticated and are targeting so many different tech platforms at once. 

Last year, President Joe Biden issued an executive order placing new limits on government agencies seeking to use or even test spyware. Meta suggested that European regulators issue similar guidelines and enforce their privacy laws as already written. Beyond that, Meta also called on governments globally to help uncover who is actually paying for these services by requiring spyware vendors to retain information on their customers and audit how the technology is being used by those customers. Meta argues that people who have been targeted by these companies should also have a way to obtain information about who the end customers were.

The emergence of these firms in Europe reflects what a “global issue” this surveillance-for-hire industry has become, Agranovich said. Technology developed by these firms has been used to hack into the phones of journalists, activists, and political dissidents all around the world. Agranovich said keeping these potential targets safe—and informed that they’re being targeted in the first place—requires vigilance and action not just from the tech platforms where these campaigns are carried out, but from governments, too. “The cross-internet nature of this threat makes it significantly more challenging for targets to understand the full extent of the surveillance aimed at them online, and to hold the people targeting them accountable,” Agranovich said. “Industry and civil society can’t combat this problem alone.”

Meta is ramping up pressure on European officials to crack down on the burgeoning commercial spyware industry, after the company announced it had disrupted a number of Italian and Spanish firms that were advertising their surveillance services in plain sight. These firms were, in some cases, targeting people inside Europe, Meta says—surreptitiously accessing their devices and collecting data from them in violation of the government’s data privacy laws.

“EU data protection authorities have a unique opportunity here to regulate spyware companies operating in Europe by requiring that the spyware companies comply with existing data protection regulations,” David Agranovich, Meta’s director of global threat disruption, said on a call with reporters this week.

Meta’s call-to-action came Wednesday as part of its annual threat intelligence report, which revealed findings from the company’s investigations on eight separate spyware firms operating in Italy, Spain, and the United Arab Emirates. Meta said the firms—which employed a variety of underhanded tactics including phishing and social engineering to surveil targets—carried out their campaigns on more than a dozen tech platforms including Instagram, Facebook, TikTok, and YouTube.

While the company has kicked similar spyware purveyors off its platforms before, including those originating in Israel, China, India, Russia, and the U.S., Agranovich said Europe is uniquely poised to curtail its domestic spyware industry because of the strength of its privacy laws. That kind of government intervention is especially essential now that these vendors are  growing more sophisticated and are targeting so many different tech platforms at once. 

Last year, President Joe Biden issued an executive order placing new limits on government agencies seeking to use or even test spyware. Meta suggested that European regulators issue similar guidelines and enforce their privacy laws as already written. Beyond that, Meta also called on governments globally to help uncover who is actually paying for these services by requiring spyware vendors to retain information on their customers and audit how the technology is being used by those customers. Meta argues that people who have been targeted by these companies should also have a way to obtain information about who the end customers were.

The emergence of these firms in Europe reflects what a “global issue” this surveillance-for-hire industry has become, Agranovich said. Technology developed by these firms has been used to hack into the phones of journalists, activists, and political dissidents all around the world. Agranovich said keeping these potential targets safe—and informed that they’re being targeted in the first place—requires vigilance and action not just from the tech platforms where these campaigns are carried out, but from governments, too. “The cross-internet nature of this threat makes it significantly more challenging for targets to understand the full extent of the surveillance aimed at them online, and to hold the people targeting them accountable,” Agranovich said. “Industry and civil society can’t combat this problem alone.”