by Nomad
One hacker's explosive information leak revealed the dark side of surveillance software and companies that sell them. It sends a warning about authoritarian regimes using anti-terrorism software to target opposition and human right activists.
In early July last year, a hacker who went by the name of Phineas Fisher claimed responsibility for an astounding information dump.
The Hacking Team Dump
In all, 500 GB of client files, contracts, financial documents, and internal emails of Milan-based surveillance company called Hacking Team were made available to the public.
The company sells sophisticated computer surveillance software to countries around the world, some nations with very doubtful human rights records.
It’s unclear exactly how much the hackers got their hands on, but judging from the size of the files, it’s certainly a large collection of internal files. A source who asked to speak anonymously due to the sensitivity of the issue, told me that based on the file names and folders in the leak, the hackers who hit Hacking Team "got everything."
So basically, a hacker hacked the Hacking Team. In doing so, he walked away with vital and incriminating information including emails between employees, a list of customers, which included the FBI.
He or she also managed to find the source code of the surveillance software itself. The whole kit and caboodle.
It wasn't the first time a surveillance company has been exposed by a hacker. A year earlier, Hacking Team's competitor, Gamma International, a British-German surveillance company that sells the spyware software FinFisher, was similarly hacked, resulting in a leak of 40 Gb of internal files. (The hacker Phineas Fisher has actually claimed to be behind both attacks.)
The Software
The FinFisher software is a gift for law enforcement agencies around the world. Once covertly installed on a target's cell phone or computer, FinFisher (FinSpy) allows undetectable remote monitoring of communications, such as phone calls, text messages, Skype calls and emails. It is also capable of file extraction and presumably insertion.
In addition, the targeted computer's webcam can be opened without the owner's knowledge. In short, the targeted computer in transformed into a perfect and undetectable surveillance device.
FinSpy has been proven successful in operations around the world for many years, and valuable intelligence has been gathered about Target Individuals and Organizations. When FinSpy is installed on a computer system it can be remotely controlled and accessed as soon as it is connected to the internet/network, no matter where in the world the Target System is based.
In theory, it would be an excellent tool for tracking terrorists. However, it doesn't take an expert to understand how dangerous this software could be in the wrong hands and especially if those hands belong to an authoritarian government.
Before the leak, the Hacking Team had been claiming:
We take precautions to assure our software is not misused and we investigate cases suggesting it may have been.Many internet activists refused to put much faith in that line. The company responded to criticism with assurances like this:
Software developed by Hacking Team is sold exclusively to government agencies, and it is never sold to countries that international organizations including the European Union, NATO and the US have blacklisted. An external committee of legal experts reviews each proposed sale to assure compliance with our policies. Contracts with the government purchasers limit the permissible uses of our software. We monitor news media and other public communications such as blogs and Internet comment for reports of abuses and investigate when appropriate.
As it turned out, the leak revealed a very different situation. And that ran contrary to what the company had claimed. Its client list included corporations too.
As the hacker Phineas Fisher tweeted:
As the hacker Phineas Fisher tweeted:
Dyplex, Trovicor, Elaman, Cobham, and PCS Security Pte Ltd are all happy customers!
In an understatement, one researcher on the leak said:
More importantly, where was the evidence of any of the company's claims of self-policing? That assurance of self-policing does not come with hard evidence because it's privileged information. Hacking Team pointed out that, due to the nature of its business, full disclosure was impossible.
You would simply have to take the company's word for it.
“They’re not very, shall we say, conservative about who they sell to.”
False Assurances of Accountability
The leak confirmed beyond doubt that the corporation was saying one thing but its client list said another. Even before this exposure, there were doubts about the corporation's system of accountability.
Did these alleged limitations and safety checks, activists asked, include third party sales of the software? Explain how.
More importantly, where was the evidence of any of the company's claims of self-policing? That assurance of self-policing does not come with hard evidence because it's privileged information. Hacking Team pointed out that, due to the nature of its business, full disclosure was impossible.
You would simply have to take the company's word for it.
Even if we accept the assurances there were plenty of other problems. How the company could initiate any kind of investigation of misuse of its software, by what authority and what could be done if cases of abuse could be verified?
What researchers sorting through the leaks found suggests that the company had no means and little desire to regulate how foreign governments actually used the program.
Rather laughably, since the leak, the Hacking Team has requested that all of its clients temporarily stop using the company's software.
Rather laughably, since the leak, the Hacking Team has requested that all of its clients temporarily stop using the company's software.
The software could easily be used against journalists, against human rights activists (and quite possibly against opposition leaders) just as easily as against dangerous terrorists plotting an attack.
In that event, it would become a very frightening tool for dictators to retain control over people.
A Client List from Hell
The earlier Gamma International leak revealed that this fear was, by no means, an idle one. Evidence emerged that the Bahraini government had infected the computers of "some of the country’s most prominent lawyers, activists, and politicians" with the malicious spy software. If Bahrain was doing it, why not other governments too?
That new data seemed to directly contradict earlier Gamma claims that it did not do business with Bahrain and that its software is used primarily to target criminals and terrorists.
* * *
At the top of their Hacking Team's client list in terms of revenue, were the governments of Mexico, Italy, and Morocco. The company, however, has also worked with Saudi Arabia, Malaysia, the United Arab Emirates, Singapore, Kazakhstan, Sudan, Uzbekistan.
So let's just take a look at that last country: the Central Asian nation and former Soviet republic of Uzbekistan.
It's officially a democratic, secular, unitary, constitutional republic. At least that's what it calls itself.
However, Human Rights Watch has this to say:
It's officially a democratic, secular, unitary, constitutional republic. At least that's what it calls itself.
However, Human Rights Watch has this to say:
Uzbekistan’s human rights record is atrocious. Thousands are imprisoned on politically-motivated charges. Torture is endemic in the criminal justice system. Authorities continue to crackdown on civil society activists, opposition members, and journalists.
Human rights violations are not merely politically motivated.
Muslims and Christians who practice their religion outside strict state controls are persecuted, and freedom of expression is severely limited.
Even outside of political and religious activity, there are human rights abuses.
The president of the Uzbek Republic only 3 days ago condemned homosexuality, calling it a “vulgar” Western invention In 2013, President Karimov was quoted as saying “Western-style” democracy is linked to homosexuality. Same-sex activity carries a three-year jail sentence for sex between men and that law keeps many people living in real fear.
The very existence of the law creates a source of income for the Uzbek police and a source of trouble for gay people. “If there is a need to set someone up or pressure someone, this law is a good instrument,” says a former criminal investigator who works as an attorney now. “Faggots are also milked, extorted under the threat of a [criminal] examination.”
It doesn't take too much imagination to see how spying software could be used against the gay and lesbian community.
Allies of the West
Since the leak, Hacking Team spokesman, Eric Rabe, has had to come up with some kind of new defense. Here's what he said in an interview.
Well let’s take Saudi Arabia. Now Saudi Arabia a lot of people would argue is a repressive regime and that their human rights record is not good and they oppress women and so on and so forth.
Yet, he points out, Saudi Arabia is an ally of the west. Shouldn't we offer them, Rabe says, the means to stay ahead of the terrorist threat? It's what allies normally do.
You know the US sells F15 fighter jets to Saudi Arabia as a backbone of their air force and I think It’s generally considered to be an ally of the west and furthermore I think in a country like that you could argue that there’s a real good reason to have the capabilities that we provide because those places have issues with terrorists who are developing their networks and setting up shop and they need to be dealt with.
And yet, the Saudi Arabian Kingdom's human rights record is abysmal. There's no other word for it. Human Rights Watch noted two years ago:
Saudi Arabia continued in 2014 to try, convict, and imprison political dissidents and human rights activists solely on account of their peaceful activities....Authorities failed to enact systematic measures to protect the rights of 9 million foreign workers. As in past years, authorities subjected hundreds of people to unfair trials and arbitrary detention. New anti-terrorism regulations that took effect in 2014 can be used to criminalize almost any form of peaceful criticism of the authorities as terrorism.
Terrorism is a threat to peace in the world. However, the definition of what terrorism is has always been the problem. We have reported here on the Saudi arrests and publicly flogs poets and a blogger whose only crime was questioning Islam or advocating secularism.
Is that really terrorism? Saudi security treats it as such.
Is that really terrorism? Saudi security treats it as such.
And remember, this was an example nation that was offered by the Hacking Team spokesman.
This was their defense.
This was their defense.
* * *
For good reason, the software has therefore been called "the most evil technology in the world." Its' nothing less than a perfect tool for demolishing hope for fledgling democracies.
The subject was investigated by journalists who produce the podcast Reply All. There is a transcript of the podcast at this link.