Eight things we know so far from the Hacking Team hack
Here are eight things we have learned from this week's hack of some 400GB of internal company material and correspondence from Italian surveillance company Hacking Team.
The Citizen Lab was right
The Citizen Lab, who in 2014 identified some 21 countries that are potential customers of Hacking Team, were right about all of them. A 2015 report stated that there was likely to be more. In fact, at least 45 countries are purchasers of Hacking Team's RCS malware, including, Azerbaijan, Bahrain, Colombia, Egypt, Ethiopia, Kazakhstan, Morocco, Oman, Russia, Saudi Arabia, Sudan, Turkey, UAE, and Uzbekistan.
The USA has some explaining to do to Colombia
The US DEA and Army, as revealed by Privacy International and Motherboard earlier this year, are customers of Hacking Team. But what we didn't know at the time, was that the DEA, citing a stricter legal environment in the US, are actually using the technology out of their embassy in Bogota, Colombia. Their embassy also includes a room capable of intercepting traffic from all of Colombia's ISPs.
The Moroccan government was bluffing
The leaks underline the fact that the Moroccan government's intimidation of civil society in the aftermath of Privacy International's recent report is nothing more than an attempt to silence legitimate criticism.
Our report 'Their Eyes on Me' told the stories of journalists and activists targeted by Hacking Team and other surveillance technologies, and the impact this had on their lives. In the aftermath of the report, Moroccan state news agency MAP reported that the Ministry of Interior had launched an investigation into “a group behind a report that allegedly accuses the intelligence services of spying on rights activists and journalists”. The leak proves that Hacking Team has sold its technology to three agencies in Morocco. The first sale was some two years before the Arab Spring, in 2009. Two agencies in Morocco still currently have access to Hacking Team's technology.
Hacking Team have been obstructing UN investigations
In February last year, Privacy International contacted United Nations investigators monitoring the sanctions on Sudan asking them to launch an investigation into evidence published by Citizen Lab that Hacking Team had sold its technology to Sudan. Since then, it appears as though Hacking Team cancelled their contract with Sudan and have subsequently been evading legitimate questions from UN investigators and the Italian mission to the UN. The UN panel is mandated to investigate any breaches of the embargo which has been in place for over ten years, as well as any individuals interfering in the peace process. The UN investigation originally asked Hacking Team whether or not they have sold to Sudan in June 2014. After cancelling the contract, Hacking Team enetually replied saying that they had no active business contracts in place. The UN followed up by asking whether there have been any historical contracts. Hacking Team did not respond to several requests from the UN in this regard. The material confirms that Sudan was in fact a customer since 2012 before Hacking Team suspended the account in November 2014.
As an Italian company, Hacking Team is subject to EU restrictive measures which implement the UN sanctions, which exist in relation to the whole territory of Sudan. There is currently an embargo on “arms and related material of all type”. This is generally understood to mean the Common Military List in the EU, which does not include Hacking Team's technology. However, EU member states do have the authority to stop any transfer of non-listed dual use goods if it they are intended even in part for a military end-use in an embargoed country, and the exporter needs to inform the member state if they suspect that their goods could have a military end use.
Given that the UN investigators stipulate that RCS is ideally suited to support military electronic intelligence operations, it is now important that the European Commission, the Italian Government, and Hacking Team assist with any UN investigation. MEP Marietje Schaake has already called upon the European Commission to investigate.
NICE is selling Hacking Team to Uzbekistan
NICE Systems, a multinational Israeli based surveillance company, is a reseller for Hacking Team, and appears to have sold RCS to Azerbaijan, Uzbekistan, and Denmark. In a 2014 report, Private Interests: Monitoring Central Asia, Privacy International revealed that NICE Systems were operating in Uzbekistan and Kazakhstan. Our investigation revealed that NICE Systems, together with Verint, sold and have been maintaining monitoring centres in Uzbekistan and Kazakhstan. Companies reselling and distributing each others' technology is a common practice.
Hacking Team are pitching to “death squad” police
Hacking Team are trying to secure a sale to the Rapid Action Battalion (RAB), a Bangladesh police unit described by Human Rights Watch as a “death squad” involved in torture and extrajudicial killings, and gave them a demonstration of RCS.
The RAB have spent the past year on the hunt for a wide variety of surveillance equipment. In April 2014, Privacy International published restricted procurement documents showing that the RAB was in the market for a mobile phone monitoring device known as an IMSI Catcher or Stingray. The tender misleadingly called for an “UHF Transmitter & Surveillance Equipment (Vehicular Version)”.
After an investigation by Privacy International in conjunction with Swiss magazine WOZ, it was revealed that representatives from the RAB were being hosted in Zurich by a manufacturer of IMSI Catchers, Neosoft. Swiss authorities confirmed at the time that they had reason to believe that the RAB representatives were in Zurich to receive technical training from Neosoft on how to use the surveillance technology.
Because such training would require an export license, and they at the time believed that none had been sought by NeoSoft, the Swiss export authorities referred the company to federal prosecutors for a potential violation of export control laws. Although the prosecutors could not in the end prove that training was taking place, Additional Director General of RAB, Colonel Ziaul Ahsah subsequently reported to Bangladeshi media that the export had been stopped “just before the shipment of the materials” by Switzerland after allegations that the equipment could be used for human rights abuses. Since then, the Swiss Federal Council passed a major amendment to export control regulations to ensure that any exports of surveillance technology that present a risk to human rights are stopped.
The RAB, however, is still on the search for more surveillance technology. In March this year, they published even more procurement calls for surveillance technology, including calls for a Communication Equipment Group (location based social network monitoring), GSM Double Band Jammer, Voice Analyzer (Voice Matching Solution), and a CDR Analysis System. Hacking Team's salesperson in Bangladesh claims in an email found by Intercept journalist Ryan Gallagher that the tender that they are responding to is for 'social networking' surveillance equipment, implying that it too has been misleadingly advertised.
Hacking Team had no dealings with Ethiopia...for a couple of months
Citing reports by the Citizen Lab and Human Rights Watch, it appears as though Hacking Team decided to discontinue their contract with Ethiopian authorities, only to reinitiate support several months later. One email complains about the “clumsy” use of the technology by Ethiopian authorities.
The Human Rights Watch report, They Know Everything We Do, highlighted human rights abuses by Ethiopian security forces aimed at activists in Ethiopia, some of whom had been subjected to torture and have had transcripts of personal communications read out to them. The Citizen Lab report showed evidence that Hacking Team's technology was being used to target journalists based in the US who were part of the Ethiopian diaspora.
Hacking Team is not the only perpetrator in this regard; Privacy International is currently working with Tadesse Kersmo, an Ethiopian lecturer and activist based in the UK who has made a complaint that he may been targeted by Ethiopian authorities using technology developed by UK/Germany based FinFisher.
When Privacy International takes action, it works
Privacy International's lobbying of the Italian government on export controls was recognised as an an existential threat by Hacking Team, but was eventually somewhat mitigated by extensive lobbying by Hacking Team itself.
In March 2014, Privacy International learned that Hacking Team had received over €1 million in public financing. As a result, we wrote to the Italian region responsible for the funding, the Italian Ministry of Economic Development, and over 100 members of parliament, drawing their attention to evidence obtained by the Citizen Lab and others that Hacking Team's publicly funded technology was being exported to repressive regimes across the world and used to undermine human rights.
At the time, we asked that Italian authorities use a mechanism within European export control law known as a “catch-all” to subject Hacking Team's technology to export restrictions, prior to an EU-wide mechanism being adopted in January 2015. It appeared to work; as reported by the Intercept, by Autumn 2014 the Italian Ministry of Economic Development did subject the technology to a “catch-all” provision citing “possible uses concerning internal repression and violations of human rights”.
Hacking Team felt threatened enough to warn that the move could destroy the company, and began lobbying vigorously against the changes, soliciting intervention from top government officials, including from the Prime Minister's office. When the EU finally implemented measures agreed within the Wassenaar Arrangement, Hacking Team appeared to have agreed to a more liberal licensing agreement with Italian authorities, perhaps using a European General Export Authorisation, despite the fact that measures specifically prohibiting these licenses being used for surveillance technology exist.
Privacy International will be following up on this point to ensure that other companies cannot use expedited licenses in this way. Another interesting document uncovered by @CDA shows Hacking Team using an End User Certificate to stipulate that contractual obligations will be voided with customers in case there is evidence of human rights abuses. This is a specific measure called for in a recent paper by the Coalition Against Unlawful Surveillance Exports, a coalition of NGOs calling for better oversight over the surveillance trade for which Privacy International is secretariat.
Privacy International and the coalition have been advocating for the EU to take decisive action and update its Dual Use Regulation to ensure that member states prioritise human rights and not export surveillance technologies if there is a risk they will be used for human rights abuses. The EU is due to have a draft Regulation by the beginning of 2016. Privacy International calls on all member states, the Commission, the Parliament, and individuals across the world to ensure that the system is updated to protect human rights and stop companies such as Hacking Team operating with impunity.