Two commercial surveillance companies were caught exploiting access to the global cellular network backbone to covertly track the physical locations of individuals across multiple countries, according to new research published Wednesday by the University of Toronto's Citizen Lab.
Researchers at the Citizen Lab have uncovered two separate surveillance vendors that abused legitimate access to telecommunications infrastructure to secretly monitor the locations of people around the world, raising fresh concerns about the largely unregulated commercial spyware industry and the vulnerability of global mobile networks.
The findings, reported by TechCrunch on April 23, 2026, reveal that the vendors exploited systems built into the backbone of cellular networks — protocols designed to allow carriers to coordinate services across borders — to pinpoint the whereabouts of surveillance targets without their knowledge or consent.
How the Abuse Works
Mobile networks rely on a set of interconnected signalling protocols — most notably SS7 (Signalling System No. 7) and Diameter — that allow carriers worldwide to route calls, send messages, and hand off connections as subscribers travel internationally. Access to these systems is typically restricted to licensed telecom operators, but the protocols have long been known to contain exploitable weaknesses.
Surveillance vendors, according to the Citizen Lab's findings, obtained or leveraged access to these networks and used the underlying protocols to query the location of targeted handsets without triggering alerts to the device owner or, in many cases, to the carriers themselves. The technique can produce approximate real-world location data, effectively turning ordinary mobile phones into tracking devices.
Victims Identified Across Multiple Countries
The Citizen Lab identified several victims of the surveillance operations spanning multiple countries, though the organisation has not publicly named all targets, consistent with its practice of protecting at-risk individuals. The research did not identify the clients who commissioned the surveillance, meaning it remains unclear whether the tracking was conducted on behalf of governments, corporations, or private parties.
The Citizen Lab, which is housed within the Munk School of Global Affairs and Public Policy at the University of Toronto, has a long track record of exposing commercial spyware abuse, having previously documented the operations of firms including NSO Group, Candiru, and Predator's developers.
Industry and Regulatory Context
The commercial surveillance industry operates in a legal grey zone in many jurisdictions. While some vendors market their products exclusively to law enforcement and intelligence agencies, the Citizen Lab and other researchers have repeatedly documented cases of these tools being directed at journalists, activists, lawyers, and political opponents.
Telecom regulators in several countries have acknowledged SS7 vulnerabilities for years, but comprehensive global reform of the signalling architecture has proved difficult to implement given the complexity and age of the infrastructure underpinning the world's mobile networks.
Neither of the two surveillance vendors named in the research had issued public statements at the time of publication. TechCrunch reported the findings based on the Citizen Lab's full report.
Analysis
Why This Matters
- Commercial surveillance vendors exploiting telecom infrastructure threatens the location privacy of ordinary mobile users globally — not just high-profile targets — since the underlying vulnerabilities exist in networks used by billions of people.
- The findings add pressure on regulators and carriers to accelerate reform or replacement of ageing signalling protocols such as SS7, which were designed for an era when telecom network access was tightly controlled.
- Exposure of two vendors simultaneously suggests the practice may be more widespread than previously documented, potentially prompting legislative or sanctions responses in the US and EU.
Background
SS7, the signalling protocol at the heart of this investigation, was developed in 1975 and became the global standard for coordinating mobile and landline networks. Security researchers first publicly demonstrated serious SS7 vulnerabilities in 2014, when German researchers showed it was possible to intercept calls, read messages, and track locations using only a target's phone number.
Despite widespread awareness of these flaws, wholesale replacement of SS7 has been slow. The protocol is deeply embedded in global telecoms infrastructure, and the successor protocol, Diameter, has itself been found to carry similar weaknesses. Regulators in the United States, United Kingdom, and European Union have issued guidance and in some cases mandated carrier-level mitigations, but enforcement has been inconsistent.
The Citizen Lab has been a central force in documenting the commercial spyware ecosystem since at least 2012. Its investigations have led to US government sanctions against NSO Group and contributed to growing international scrutiny of the industry, including a joint statement by 11 nations in 2023 pledging to curb the misuse of commercial surveillance tools.
Key Perspectives
Citizen Lab and Digital Rights Researchers: The findings illustrate that access to telecom signalling infrastructure is being commodified by surveillance vendors, undermining the privacy expectations of mobile users regardless of national borders. Researchers argue that without binding international rules and meaningful carrier accountability, abuse will continue.
Telecommunications Industry: Carriers have historically framed SS7 vulnerabilities as a known but difficult-to-resolve legacy issue, pointing to technical complexity and the need for global coordination. Some operators have deployed filtering systems to detect anomalous SS7 queries, but implementation is uneven across the industry.
Critics and Skeptics: Civil liberties advocates warn that framing this as a purely technical problem obscures the commercial incentives driving the surveillance industry. They argue that as long as vendors can sell location-tracking capabilities with limited legal exposure, technical fixes alone will be insufficient without robust regulation and criminal accountability for misuse.
What to Watch
- Whether telecommunications regulators in the US (FCC), EU, or UK respond to the Citizen Lab report with formal investigations or new compliance requirements for carriers.
- The identity of the two surveillance vendors and any legal, financial, or sanctions consequences that may follow public disclosure.
- Whether the vendors' telecom access partners — the carriers or intermediaries that enabled the network queries — face scrutiny or penalties for failing to prevent the abuse.
