Spyware Document Pool
Spyware is one of the most serious threats to fundamental rights, democracy and civic space across Europe. This document pool brings together EDRi’s analysis, advocacy, research, and curated third-party resources as part of our push for a full EU-wide ban on spyware.
1. What is Spyware?
For many of us, spyware means software that can secretly take everything from your phone: your messages, photos, contacts, location, microphone, camera, and browsing history, without you ever knowing. These tools turn a personal device into a constant surveillance instrument, following you into your private life, work, and relationships. To get in, spyware developers exploit vulnerabilities in the device's systems.
A clear, rights-based definition of spyware is essential for regulating it. Below is EDRi’s technical definition, anchored in what spyware does, rather than what it is marketed as.
Spyware can be defined as any software that meets the following cumulative conditions:
- It compromises the integrity of the device;
- Its deployment is primarily facilitated by exploiting existing or created vulnerabilities;
- After installation, its operation (i.e. giving commands) is performed either automatically or remotely;
- It can be targeted at individuals or groups, or deployed indiscriminately;
- In addition, software that serves to install spyware as defined above equally falls under the definition.
In addition to its core characteristics, spyware must be defined by what it enables. It is spyware if it enables at least one of the following:
- Accessing and monitoring the device (real-time data) to observe activity, intercept communications, track location, etc.
- Gathering or processing user data (historical data), such as retrieving messages, call logs, browsing history, stored files, biometric information, etc.;
- Exfiltrating data for the purpose of sharing that information with a third party;
- Controlling or manipulating the device, such as activating microphones or cameras, altering system settings, de-activating security features, etc.;
- Altering or fabricating information: modifying, deleting, or fabricating messages, files, or logs to obscure, alter or even plant evidence.
2. EDRi’s call for a ban on spyware
In 2025, the EDRi network adopted a comprehensive position calling for a full ban on spyware in the European Union. The paper outlines the legal, technical and human-rights bases for this demand.
Why spyware violates human rights
Spyware is incompatible with human rights because its intrusive, covert access to a person’s device exposes massive amounts of information and compromises the device’s integrity. This makes it impossible to satisfy the fundamental-rights requirements of necessity and proportionality, and impossible to subject its use to effective oversight.
Its deployment, like the commercial market behind it, is opaque by design. This prevents meaningful scrutiny and accountability, and denies people the ability to know they were targeted and to seek redress.
Spyware violates, among others, the rights to privacy and data protection, and creates chilling effects on freedom of expression, association, and civic participation. These harms are systemic and cannot be mitigated or controlled. As a result, the use of spyware is fundamentally irreconcilable with human-rights obligations.
Our main demands
We have set out a comprehensive list of demands to EU policymakers, which can be summarised in three categories:
- Full ban on spyware. In particular, the European Commission should propose a full ban on the development, production, marketing, sale, export, and use of spyware, as a matter of urgency.
- Legally robust definition of spyware. This ban must be based on a clear and enforceable definition of spyware, focused on its core characteristics and functionalities rather than its marketing or intended use. Only such a comprehensive approach can prevent abuse, ensure legal certainty, and uphold the fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union.
- Comprehensive scope covering all actors. The prohibition must cover all public and private actors operating within the EU or subject to its jurisdiction. It should not be limited to tools used by states in law enforcement or national security contexts, but must also encompass commercial spyware marketed for other uses, including corporate or private surveillance.
- Total ban on commercial spyware. The European Commission must prohibit the development, production, marketing, sale, export, and use of commercial spyware by private companies, as demanded by civil society organisations working in digital rights.
- Ban on the vulnerabilities and exploits market. The EU Commission should enforce a ban on the commercial trade of vulnerabilities for any purpose other than strengthening systems' security. In parallel, it should mandate the responsible disclosure of vulnerability research findings through a uniform reporting process, and forbid states from outsourcing vulnerability research for offensive purposes to private for-profit vendors.
- Protections for ethical cybersecurity research and responsible disclosure. The EU should invest in research institutions and initiatives that focus on cybersecurity for public good, prioritising digital rights, privacy, and democratic security. At State level, whistleblower protections should be expanded, and governments and industry actors should establish strong incentives, such as well-funded bug bounty programmes, for ethical disclosure of security flaws to developers. Security researchers must be free from criminal and civil liabilities when they do research and when they share vulnerability information with software vendors and other security researchers.
- End financial incentives driving spyware proliferation. European Member States must prohibit public procurement from commercial spyware vendors, and ban public and private investment in spyware companies at any level of their corporate structures.
- Targeted sanctions against commercial spyware actors. The High Representative of the Union for Foreign Affairs and Security Policy and the Council should immediately agree on the following sanctions: ban entry for third-country nationals and entities involved in the commercial spyware industry, including executives and investors; targeted visa removals – for those already based in Europe – and travel bans for those based elsewhere; asset freezes to both companies and individuals, including EU citizens working abroad; blacklist those vendors involved in any spyware scandal; and ban exports to any country from any commercial spyware company based in the EU.
- Accountability for vendors, investors, and enabling states. Commercial spyware vendors must face legal consequences for enabling human rights abuses. Investors who knowingly fund these firms must also be held liable. Foreign states that facilitate spyware export and deployment for repressive purposes must face diplomatic and economic sanctions.
- Mandate retrospective transparency. Commercial spyware vendors, their clients, and their investors must be subject to mandatory, retrospective public disclosure of all their owners/shareholders, contracts, sales, and end-user agreements.
- Full access to legal and non-legal remedies for all victims
  - EU Member States must ensure that all legal and non-legal remedies outlined in this chapter are accessible to any individual affected by spyware, regardless of nationality or status. This includes:
    - Legal remedies: the right to know, the right to data protection and information on storage, judicial redress, independent investigation, compensation, and guarantees of non-repetition.
    - Non-legal remedies: psychological support, protection mechanisms for asylum seekers, public awareness campaigns, and facilitated access to victim support.
- Remove judicial barriers for existing victims
  - The Council of the EU and Member States must mandate binding obligations for prosecutors to investigate spyware complaints by victims, remove discretionary inaction, and ensure support to courts through specialised units or independent investigators equipped to handle such complex cases.
  - Establish independent, adequately resourced investigative bodies to examine spyware abuse cases free from political influence, so that victims do not have to hand their devices to authorities they might not trust.
  - Guarantee support for victims already entangled in lengthy, obstructed or stalled legal proceedings, including expedited review, procedural support, and access to digital forensics assistance, and reform jurisdictional rules to allow EU-based victims to bring transnational spyware cases, especially where vendors operate across multiple states.
- Ensure political accountability and structural reform
  - The EU Commission must push for the enforcement of the PEGA Committee recommendations. In particular, it should urge EU Member States to conduct immediate, independent, transparent and impartial investigations into any cases of unlawful surveillance, if needed at the initiative of their State prosecutors, under threat of application of the Rule of Law mechanism if they fail to do so.
  - The EC should require Member States to provide full transparency in the public procurement and deployment of spyware tools, including mandatory public reporting on spyware use.
  - Member States affected by scandals should convene Parliamentary Inquiry Committees with sufficient powers to assess the scale, cost, and legal grounds of state use of spyware, as well as public procurement details.
  - Member States should also reform secrecy laws that shield unlawful surveillance data, which is essential to the victims' right to know, behind "secrecy" justifications, particularly when used to deny remedies to victims.
  - Member States should hold enabling public officials politically accountable for the scandals perpetrated across Europe, through removal from public service.
- Protect HRDs, journalists, lawyers and CSOs
The 11 rules for state hacking
If state hacking were ever to be permitted in Europe, it would need a strict, enforceable framework to prevent human rights abuses. Hacking is an extremely intrusive power: it can access, alter, delete or fabricate information inside a device, making it far more dangerous than traditional surveillance.
Below are 11 essential safeguards that any state hacking power must comply with to even be considered human-rights-compatible. Our full position paper on State Access to encrypted data can be downloaded here.
1️⃣ Meet the “quality of law” requirements
Hacking must be explicitly provided for by law that is clear, accessible, publicly available, and sufficiently precise; it must specify narrowly under which circumstances hacking is allowed.
2️⃣ Demonstrate strict necessity and proportionality
Authorities must show that hacking is the least intrusive means to achieve a legitimate aim; target(s), device(s), and data must be individually identified ex-ante, and the intrusion must be proportionate to the seriousness of the crime.
3️⃣ Prohibit unrestricted or bulk hacking
Hacking operations must target specific individuals/devices; bulk or mass hacking (of many devices/users) must be banned, and operations should be limited in time and scope.
4️⃣ Ensure adequate safeguards for privileged or sensitive communications
Hacking must not undermine rights attached to confidentiality: e.g. legal privilege (lawyers), medical confidentiality, journalistic sources, etc.
5️⃣ Judicial authorisation with full information
Authorisation must be given by an independent judge or court, with access to all relevant technical and operational details required to assess legality, necessity and proportionality.
6️⃣ Strict targeting and minimisation of collateral impact
The operation must be carefully tailored: only the specified device/account/data should be targeted; data belonging to third parties must be protected, and any non-relevant data must be excluded or deleted.
7️⃣ Transparency and accountability, including post-operation remedies
There must be oversight mechanisms, audit trails, reporting obligations, and the possibility for affected individuals to seek redress (judicial or other) if rights are violated.
8️⃣ Prohibition of altering, fabricating or deleting data
Hacking tools must not be allowed to modify, falsify or erase data on the device, as this undermines evidentiary integrity and due-process rights.
9️⃣ Time-limited operations and strict expiration of scope
The hacking operation must have a clear time frame; once the authorised goal is achieved, any further access must be terminated.
🔟 No targeting of critical infrastructure or service providers
Hacking must be limited to the user's device/account; states must not weaponise cybersecurity vulnerabilities at a systemic level or mandate providers to weaken security.
1️⃣1️⃣ Protection of the security of encryption and the general public's safety
Exploiting vulnerabilities or zero-days must be regulated carefully: the risk of broader harm (for example from making vulnerabilities public or available) must be weighed, ensuring that state hacking does not undermine overall cybersecurity.
Spyware in the European Union
Europe has entered a new political term with no meaningful changes: spyware is still unaddressed and unregulated at the EU level. The previous Parliament issued strong calls for action through the PEGA Inquiry Committee. Yet the European Commission has so far declined to act, leading to a growing number of scandals, the normalisation of spyware, and people in the EU left unprotected against this threat.
A broad coalition of civil society and journalism organisations called on the EU institutions to urgently end their political inertia on spyware. In an open letter of 3 September 2024, we demanded a full ban on the production, sale and use of commercial spyware. The letter warns that spyware undermines democratic values by enabling secret surveillance, generating a chilling effect, undermining journalism and activism, and shielding human rights abuses from any meaningful oversight or accountability.
The PEGA Committee, in 2021-2023, exposed the scale of spyware abuses across the EU, demonstrated the lack of willingness of national systems to prevent rights violations, and called for both legislative action and enforcement.
Institutional documents
- European Parliament’s resolution on the lack of legislative follow-up by the Commission to the PEGA Resolution, 24 July 2024
- European Commission’s response to the text adopted in Plenary, 15 November 2023
- PEGA Committee Recommendations, 15 June 2023
EDRi analysis & commentary
- EU: Final vote on spyware inquiry must lead to stronger regulation, Amnesty Tech, 19 June 2023
- PEGA Committee does not go all the way on spyware regulation, 9 May 2023
- PEGA Committee must call for an EU-wide ban on spyware, 21 February 2023
- EDRi's amendments to the PEGA Draft Recommendations, February 2023
The European Media Freedom Act (EMFA) was intended to protect journalists from surveillance. The general prohibition of the use of spyware against journalists in its Article 4 was paired with very broad exceptions that, in practice, have legalised the use of spyware against journalists on vague grounds, such as public safety or even petty crimes.
Institutional documents
EDRi analysis & commentary
- Intervention in the debate “Spying on Journalists: Will the EMFA Be the Turning Point?”, 16 November 2025
- Challenges ahead: European Media Freedom Act falls short in safeguarding journalists and EU fundamental values, 17 January 2024
- Open Letter: European Parliament must protect journalists and ban spyware in the European Media Freedom Act, 27 September 2023
Despite known abuses, EU money has repeatedly flowed to spyware companies through programmes such as Horizon, the EDF, or the EIF. Investigations revealed that some of the beneficiaries were spyware vendors. Alongside its inaction, therefore, the Commission has directly fuelled the spyware market with EU taxpayers' money.
Investigations that revealed the issue
- Spyware industry pockets EU subsidies while snooping on its citizens, Follow the Money, 16 September 2025
- European Investment Fund financed Israeli spyware company Paragon, Apache, 1 October 2025
Institutional documents
- Commission replies to CONT Committee questions regarding public funding to spyware, 6 November 2025
Despite the Commission's inaction, the European Parliament continues the work: the LIBE Committee has devoted hearings to the topic, several MEPs keep pushing the topic into plenary debates, and the creation of a spyware-focused Interest Group marks a new phase of political scrutiny.
Institutional documents
- MEP Questions for Written Answer to the Commission
  - EU funding of companies linked to spyware and illegal surveillance, 20 November 2026
  - Infiltration and surveillance: risks to fundamental rights, democracy and political pluralism in Italy, 23 July 2025
  - Digital protection against digital transnational repression, 8 April 2025
  - Violations of the confidentiality of communications in Greece, 26 February 2025
  - Illegal use of spyware in Serbia, 13 February 2025
  - The use of Paragon Solutions spyware against journalists, 11 February 2025
  - Paragon spyware scandal and the surveillance of European journalists and civil society organisations, 10 February 2025
  - Use of Paragon Solutions spyware against journalists and civil society representatives, 10 February 2025
  - Commission communication on spyware, 31 January 2025
  - Use of Pegasus and other types of spyware in Slovakia, WQ, 1 October 2024
  - Responsibilities of the EU and the Greek Government in the wiretapping and spyware scandals, WQ, 29 August 2024
- Other
Spyware scandals in European countries
Each country has experienced its own spyware scandals, ranging from the illegal targeting of journalists, political opponents, human rights defenders, migrants and business leaders to that of prosecutors. This section collects news and reports by country, to illustrate how systemic, cross-border, and normalised spyware abuse has become in Europe.
At least 65 Catalan politicians and public officials were targeted with Pegasus spyware by Spanish authorities. Investigations revealed that the spyware was deployed without judicial authorisation, specifically against members of the Catalan independence movement, including activists, journalists, lawyers and politicians. 4 years on, victims have found no justice in a judicial system that continues to pose many obstacles.
- NGO Reports of the scandal:
  - Would you click? A story by The Citizen Lab, May 2022
  - CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru, The Citizen Lab, 18 April 2022
- Recent news:
  - Catalonia reignites its court fight with Spain over spyware, Politico, May 8 2025
  - Lawyer allegedly hacked with spyware names NSO founders in lawsuit, TechCrunch, November 2024
- Institutional documents
In a scandal known as "Predatorgate", dozens of journalists, politicians, and entrepreneurs were targeted by the Greek secret services, with evidence of at least 92 people being targeted with Predator. Judicial inquiries are still ongoing, while attempts have been made to legalise spyware use in the country.
- NGO Reports & EDRi work
  - Homo Digitalis Submits Urgent Letter to the Council of Europe's Commissioner for Human Rights, Homo Digitalis, August 13 2024
  - We requested from the Hellenic DPA and the Hellenic Authority for Communication Security and Privacy to issue an Opinion on the Draft Presidential Decree for the procurement of spyware by Greek authorities, Homo Digitalis, July 30 2024
- News
The Orbán administration has used Pegasus spyware in hundreds of cases, according to official reporting, targeting journalists, political opponents, and activists. Notably, German MEP Daniel Freund was a victim, leading to a lawsuit against the Hungarian government. The scale and scope of deployment illustrate systemic misuse and serious risks to political rights and privacy.
- NGO Reports & EDRi work
  - Nach Spyware-Angriff: Gesellschaft für Freiheitsrechte und Europaabgeordneter Daniel Freund erstatten Strafanzeige gegen Viktor Orbán [After spyware attack: Gesellschaft für Freiheitsrechte and MEP Daniel Freund file a criminal complaint against Viktor Orbán], GFF, 15 October 2025
  - Hungary: The government must provide a meaningful response to the Pegasus scandal, Amnesty International, 21 July 2021
- News
  - Hungary employed Pegasus spyware in hundreds of cases, says government agency, Euractiv, 1 February 2022
According to WhatsApp, Citizen Lab and IrpiMedia, Italian authorities used Paragon spyware to surveil journalists, political figures, and business executives. Reports indicate dozens of targets affected, with misuse extending beyond national security purposes.
- Investigations that revealed the scandal and EDRi members' work
  - Paragon colpisce ancora: anche l'ad di Unicredit tra i bersagli [Paragon strikes again: UniCredit's CEO also among the targets], IrpiMedia, 11 October 2025
  - Anche Caltagirone tra i bersagli dello spyware di Paragon [Caltagirone also among the targets of Paragon's spyware], IrpiMedia, 9 October 2025
  - Open Letter – Paragon: stop spyware abuse and deliver justice to victims, Access Now, 19 June 2025
  - Italy: New case of journalist targeted with Graphite spyware confirms widespread use of unlawful surveillance, Amnesty International Security Lab, June 13 2025
  - Graphite Caught: First Forensic Confirmation of Paragon's iOS Mercenary Spyware Finds Journalists Targeted, The Citizen Lab, June 12 2025
  - Italy's intelligence oversight committee (COPASIR) report on Graphite spyware raises more questions than it answers, Osservatorio Nessuno, 7 June 2025
- News
  - Journalist targeted on WhatsApp by Paragon spyware: 'I feel violated', TechCrunch, 3 February 2025
  - Critic of Italy-Libya migration pact told he was target of Israeli spyware, The Guardian, 3 February 2025
- Institutional documents
Dozens of high-level officials, judges, and opposition figures were targeted with commercial spyware, including Pegasus and RCS Lab tools, reportedly deployed by Polish government agencies. The Polish Senate declared such use illegal in 2023, yet enforcement remains limited, and judicial proceedings are still ongoing, alongside a committee of inquiry.
- NGO Reports & EDRi work
  - Surveillance in Poland under scrutiny of court. Step by step changes inspired by civil society organisations, Panoptykon Foundation, 16 October 2025
  - Panoptykon Foundation challenges the data retention regime in Poland: Telecom companies requested to delete activists' data, Panoptykon Foundation, 16 April 2025
  - Polish Senate calls Pegasus illegal and demands scrutiny over secret services, Panoptykon Foundation, 27 September 2023
- News
  - Polish Senate says use of government spyware is illegal in the country, TechCrunch, 8 September 2023
- Institutional documents
  - Amicus Curiae by Amnesty International in the Krzysztof Brejza v Poland case, 26 February 2025
  - Admission of the case Brejza v Poland, ECHR, 15 September 2022
Slovak authorities reportedly purchased Pegasus spyware, though public reporting does not detail specific targets or numbers, and no use has been recorded.
- NGO Reports & EDRi work
  - Slovakia: Use of Pegasus a threat to democracy and human rights, 9 November 2024
- Institutional documents
  - Use of Pegasus and other types of spyware in Slovakia, Parliamentary question, 1 October 2024
State authorities deployed NoviSpy and Cellebrite forensic extraction tools against journalists, human rights defenders, and opposition figures. At least 5 targets were affected, with the aim of monitoring activism and political dissent. Victims are being denied justice.
- NGO Reports and EDRi work
  - Serbia: BIRN journalists targeted with Pegasus spyware, Amnesty International – Security Lab, 27 March 2025
  - Open Letter by 50 organisations: Serbian authorities must prosecute illegal hacking of journalists and activists, SHARE Foundation, 19 December 2024
  - Serbia: "A Digital Prison": Surveillance and the suppression of civil society in Serbia, Amnesty International, 16 December 2024
  - Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists, Amnesty International – Security Lab, 10 December 2024
The commercial spyware market
The spyware market
The commercial spyware market has grown rapidly over the past decade. This market is now worth billions of euros, driven by the sale of these tools to governments, law enforcement agencies, and sometimes private actors.
Its growth is fuelled by an ecosystem that combines technological sophistication with near-total opacity, allowing companies to operate across borders and evade accountability. This makes spyware a highly profitable yet extremely dangerous sector, where abuses remain hidden until uncovered by researchers or investigative journalists.
- The global spyware industry is estimated to be worth on the order of 12 billion euros per year.
- More than 80 governments have contracted commercial spyware, according to the UK’s cybersecurity agency.
- Growing proliferation: in 2023, there were at least 49 distinct vendors, along with dozens of subsidiaries, partners, suppliers, holding companies, and hundreds of investors across the supply chain.
- 56 of the 74 governments identified by the Carnegie Endowment procured commercial spyware from firms either based or connected to Israel.
- The Israeli firm Paragon was acquired in 2024 by an investment firm in a deal worth up to 900 million euros.
The vulnerabilities market
The buying and selling of zero-day vulnerabilities is closely linked to the spyware market, as these flaws allow spyware to bypass security protections and operate undetected.
The vulnerabilities market is dangerous because:
- It magnifies risk: A single zero-day can compromise millions of devices. Once a vulnerability is found, the risk is that anyone can exploit it.
- It drives innovation in spyware: Spyware vendors continuously adapt their tools to exploit newly discovered vulnerabilities.
- It lacks accountability: Vulnerabilities are traded secretly, with minimal regulation, creating an ecosystem with no rules that poses a risk to all of us.
- Concentration multiplies risk: Most people use one of only two operating systems (Android and iOS), and some apps are used globally (WhatsApp, Gmail…). Once someone breaks into one of these systems, they can gain access to hundreds of millions of devices.
- A 0-day vulnerability costs, via brokers, between 5 and 7 million dollars for exploits targeting iPhones; up to 5 million for Android phones; up to 3 and 3.5 million for Chrome and Safari respectively; and 3 to 5 million dollars for WhatsApp and iMessage.
- In 2024 the Google Threat Analysis Group reported that 20 out of the 25 vulnerabilities found in its products (Android, Gmail) in 2023 were used by spyware vendors to perform their attacks.
- As of June 2025, more than 21,500 new vulnerabilities had already been published (133 new vulnerabilities per day).
Even though at least 14 EU countries are reported to have used commercial spyware, regulation in Europe remains entirely absent. Apart from international initiatives like the Pall Mall Process, which seeks to curb spyware proliferation (but is insufficient and non-binding), no binding EU-wide legislation exists.
Technical Reports and investigations on particular spyware
- To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware, Amnesty International Security Lab, 4 December 2025
- BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors, NCSC, 9 April 2025
- Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations, The Citizen Lab, March 15 2025
- Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT), Amnesty International Security Lab, 16 December 2024
- The Predator Files, European Investigative Collaborations, 5 October 2023 (a repository of all featured articles)
- Predator Files: Technical deep-dive into Intellexa Alliance’s surveillance products, Amnesty International Security Lab, 6 October 2023
- Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus, The Citizen Lab, July 15 2021
- The Pegasus Project, Amnesty International Security Lab, 2021
Market reports:
- From Export Control to Unknown Exports: How the EU’s Dual-Use regime falls short on tackling spyware, CDT Europe, December 2025
- Mythical Beasts and where to find them: Mapping the global spyware market and its threats to national security and human rights, Atlantic Council, September 2024
- Price of zero-day exploits rises as companies harden products against hackers, TechCrunch, 6 April 2024
- Why Does the Global Spyware Industry Continue to Thrive? Trends, Explanations, and Responses, Carnegie Endowment, March 2023
- Global Inventory of Commercial Spyware & Digital Forensics, Mendeley Data, 2 March 2023
- Pegasus: The cost of spying with one of the most powerful spyware in the world, Freemindtronic, 20 October 2021
Investigations and journalistic revelations
- Spyware maker Paragon confirms US government is a customer, TechCrunch, 4 February 2025
- How Barcelona became an unlikely hub for spyware startups, TechCrunch, 13 January 2025
- How Italy became an unexpected spyware hub, The Record, 12 November 2024
- ICE Signs $2 Million Contract With Spyware Maker Paragon Solutions, Wired, 1 October 2024
- Apple alerts users in 92 nations to mercenary spyware attacks, TechCrunch, 10 April 2024
- Italian spyware on the international market, IrpiMedia, 21 March 2023
- Wine, Weapons and WhatsApp: A Skopje Spyware Scandal, Balkan Insight, 6 January 2022
Pall Mall Process
- The Pall Mall Process Code of Practice for States, 15 October 2025
- The Pall Mall Process declaration, 6 February 2024
US Government executive order
- Executive Order 14093—Prohibition on Use by the United States Government of Commercial Spyware That Poses Risks to National Security, 27 March 2023
The human rights effects of spyware
Spyware infringes on multiple fundamental rights, as highlighted in EDRi’s 2025 position paper. The rights most commonly affected are:
- Right to privacy and data protection: the device infiltration and compromise exposes communications, location, and sensitive information.
- Freedom of expression, association, and assembly: spyware targets journalists, activists and all types of people, creating a direct harm and a secondary chilling effect on civil society.
- Rule of law and fair trial: unauthorized surveillance undermines rule of law and can affect judicial processes.
- Collective security and democratic stability: widespread use of spyware erodes trust in institutions and democratic processes, and its market, as we’ll see, poses a big threat to our collective cybersecurity.
- The Fight to Protect Our Phones, EPIC Data, December 2025
- Spyware Shield initiative, GFF, 2025-2026
- How Danes je nov dan helped stop dangerous spyware in Slovenia, Danes je nov dan, December 2025
- A Privacy Nightmare: Understanding Spyware, SHARE Foundation, 29 October 2025
- “Being ourselves is too dangerous”, Digital violence and the silencing of women and LGBTI activists in Thailand, Amnesty International, 2024
- EDPS Preliminary Remarks on Modern Spyware, EDPS, 15 February 2022
- Setting spyware standards after the Pegasus scandal, EPRS | European Parliamentary Research Service, November 2024
- Report on a rule of law and human rights compliant regulation of spyware, Venice Commission, December 2024
- Pegasus and similar spyware and secret State surveillance, Parliamentary Assembly of the Council of Europe (CoE), October 2023
- Global Regulation of the Counter-Terrorism Spyware Technology Trade: Scoping Proposals for a Human-Rights Compliant Approach, UN Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms while Countering Terrorism, April 2023
- Highly intrusive spyware threatens the essence of human rights, High Commissioner for Human Rights Dunja Mijatovic (CoE), January 2023
- The impact of Pegasus on fundamental rights and democratic processes, requested by the PEGA Committee, January 2023
- The right to privacy in the digital age, United Nations High Commissioner for Human Rights, 2 August 2022
- Pegasus spyware and its impacts on human rights, Council of Europe, 2022
- Europe’s PegasusGate: Countering spyware abuse, European Parliamentary Research Service, July 2022
4. Terminology
- Attack vector: a method or "way" used to deliver spyware to a target, such as malicious links, deceptive ads, physical access or a particular vulnerability.
- Brute force: A method of circumventing security protections by systematically and automatically attempting all possible combinations of credentials, passwords, access codes, or other authentication factors until access to the device is gained.
- Bug bounty: a bug bounty programme is a deal offered by websites, organisations, governments and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
- Commercial spyware vendors: private companies that develop and provide offensive cyber capabilities (enabling disruption or surveillance) for profit. They are also referred to as “commercial surveillance vendors” or “cyber mercenary firms”, which may offer a variety of surveillance technologies including (or not) spyware. Hence we use the specific term of “commercial spyware vendors” for the purpose of this paper in order to designate those among the industry that sell spyware as a commercial product.
- Exploit: a segment of code or a program that maliciously takes advantage of vulnerabilities or security flaws in software, often used to install spyware.
- Intrusion-as-a-Service: a commercial model in which private actors sell intrusion capabilities – including spyware – on demand.
- Logging: the process of recording any activity on a device. Spyware often disables or avoids logs to make its presence and use undetectable.
- Mandated encryption backdoor: a deliberately inserted vulnerability that allows third-party access to encrypted data – undermining trust and security for all users.
- Remote access: the capability to monitor or control a device from afar, without direct physical contact with the device.
- Telemetry: data collected by software or systems – such as location or usage stats – often repurposed for surveillance without clear user consent.
- Vulnerability: a software vulnerability is a structural or design flaw present in a software application that can be exploited by attackers to compromise the security and functionality of the system, network or data with which it interacts.
- Zero-days: security vulnerabilities that hackers can use to attack systems. The term "zero-day" refers to the fact that the vendor or developer is not yet aware of the flaw and has therefore had "zero days" to fix it.
5. Contact us
Aljosa Ajanovic Andelic (He/Him)
Policy Advisor
E-Mail: firstname [dot] secondname [at] edri [dot] org
PGP: 0D52 2E7C 890B 02F4 5831 3EDB 41A4 E260 9190 2B32
Bluesky: @aajanovic.bsky.social