Hacking Team, a major Italian manufacturer of malware for governmental use, appears to have been hacked. It is unknown how or by whom, but in theory it is possible it was hacked with the help of its own products. Ironically, Hacking Team sells systems that allow its customers to hack. This incident underlines the risk of a boomerang effect as a result of allowing the unregulated sales of intrusion and surveillance technologies. Additionally, it underlines the need for companies to take effective action to ensure protection of data and systems.
400 GB of internal documents, source code and e-mail communications are now publicly available, and they seem to confirm earlier evidence that the company sold software to repressive regimes. Authorities in Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Russia, Saudi Arabia, the UAE and Uzbekistan are mentioned as Hacking Team’s customers that have hacked devices of their citizens. These serious facts should not come as a surprise. Only two months ago, I asked a parliamentary question about how Hacking Team’s tools might have been used against Moroccan journalists and human rights defenders. I have addressed the harmful consequences of the market in surveillance and intrusion systems for the past years, and believe the EU should lead in ensuring greater transparency and accountability.
One particularly interesting invoice appears to demonstrate that Hacking Team sold a ‘Remote Control System’ (RCS) for 480.000 Euros to Sudan’s National Intelligence and Security Services in 2012. Before many people in Sudan have ever gone online, the surveillance network is already in place. Hacking Team’s RCS can covertly record emails, text messages, phone or Skype calls, GPS location, and take screenshots, which are subsequently being sent to the RCS-user. Hacking Team has claimed that this system can be deployed “country-wide”. The company claims that their product not only relays what is happening on a target’s computer, but also enables surveillance of anything occurring within the range of the computer’s internal camera or microphone. This is extremely problematic when it comes to the human rights of internet users in Sudan. In fact, it seems this sale to Sudan would not only constitute a violation of the UN Sanctions Regime established by UN Security Council Resolutions 1556, 1591, 1945, 2091 and 2138, but the sale of this RCS would also violate Council Decision 2014/450/CFSP of 10 July 2014 concerning restrictive measures in view of the situation in Sudan.
Documents also suggest that Hacking Team – despite earlier claims – might have sold its technologies to non-governmental entities, such as a private Brazilian firm, YasNiTech. Other documents seem to demonstrate that Hacking Team had maintenance agreements with Sudan and Russia, which were ‘not officially supported’. Whether official or not, the proliferation of harmful systems presents a real risk in and of itself.
Since 2012 Hacking Team has been identified and associated with attacks on political dissidents, journalists and human rights defenders, and evidence has been published by organizations such as Citizen Lab, which confirm its suspected deployment in at least 21 countries. Hacking Team has consistently denied allegations that it sold its technologies to repressive regimes.
The best result we can seek from this hack is that we finally take action to ensure we can practice what we preach in Europe. While on the one hand many European politicians want to ensure and achieve ‘cybersecurity’, and condemn human rights violations in third countries, the products at the source of these violations could have been sold without any problem. More transparency and accountability are needed around the sales of privacy-intrusive surveillance tools. Internal due diligence policies and self-regulation efforts are clearly not enough to prevent the marketing and sale of these systems from the EU to some of the world’s worst human rights abusers. Furthermore, without such transparency, any EU or UN sanctions-regime is bound to fail. The EU must ensure it is credible in its foreign policies and hold to account the violators within its own borders.
See also by Marietje Schaake:
17-06-2015 Written Questions on arms exports to Bahrain