(The Washington Post) — Now we know what it takes to get your hacking tools taken away if you’re a repressive government.
It’s not enough to get caught spying on U.S.-based journalists — or even to have the story plastered on the front page of a major U.S. newspaper. But if you get caught doing it again because of your own sloppiness, that may just be enough to shame your vendor into cutting you off.
That’s what the public is now learning from a massive trove of e-mails and documents released online this week from Italian company Hacking Team, which was itself hacked.
Hacking Team is part of a burgeoning commercial surveillance industry that critics allege sells hacking tools once reserved for the most advanced intelligence agencies to any country that can pay. The company has long had a policy of not identifying its customers and has responded to previous reports of abuse by saying it has an internal process for responding to allegations of human rights abuses.
The e-mail cache, now archived by WikiLeaks, appears to show that the company relied on a biannual report from an international law firm to determine which countries it can legally sell its products to and faced pressure from the United Nations and the Italian government over business relationships with repressive regimes. Last fall, the company briefly faced a ban on the export of its products by the Italian government, according to the e-mails. Around the same time, the company’s chief operating officer wrote in an e-mail that it had suspended Sudan as a client and that it was a “sensitive” time for the company.
But e-mails sent in the aftermath of a March report about Hacking Team tools being used by the Ethiopian government to target journalists based in the United States appear to show that the sloppiness of their Ethiopian customers, which exposed the use of the company’s technology, was a bigger concern for the company than potential human rights violations. And later, the company tried to secure a new contract with the country.
Researchers with Citizen Lab at the University of Toronto’s Munk School of Global Affairs discovered traces of Hacking Team’s tools on the computers of U.S.-based Ethiopian journalists, as reported in a front-page story by The Post in February of 2014. The Ethiopian government has a notoriously poor track record on freedom of the press, and Ethiopians living abroad play a significant role in providing independent news coverage of the country’s domestic situation.
At the time, Ethiopia denied using Hacking Team’s products. The government did not respond to a request for comment for the story.
This March, Citizen Lab published evidence that Hacking Team spyware had again been used to target Ethiopian journalists in the United States — and the software appeared to have been updated since the earlier attacks were disclosed, suggesting that the company had continued to support the Ethiopian government as a client even after reports of abuse.
Hacking Team declined to confirm its relationship with the company at the time, telling The Post that “assertions that may seem perfectly obvious to some can be extremely difficult to actually prove.” But internally, there was little debate about the accuracy of the Citizen Lab report.
“[T]hey know they are right,” wrote one software architect for the company, according to the e-mails. “[E]very technician reading the report will come to the same conclusions.” The “infrastructure” supporting Ethiopia was shut down after Hacking Team reviewed the report, according to the e-mails.
But the ensuing internal investigation appeared limited. The company did send an inquiry to their contact with Ethiopia’s Information Network Security Agency about the allegations, according to the e-mails. The Ethiopian agent argued that the target was a member of an opposition political movement that the government had declared a terrorist group and that the government did not consider him a journalist, the e-mails said.
The response seemed to satisfy Hacking Team, with Chief Operating Officer Giancarlo Russo writing that it “seems that from a legal point of view they are compliant with their own law.”
Still, concerns remained about the financial fallout from Ethiopia’s use of the Hacking Team products. “I think that we all agree that we should interrupt any business with them due to the recurring media exposure and resulting technical issues,” Operations Manager Daniele Milan wrote in an e-mail.
“The issue is their incompetent use of [HackingTeam] tools,” wrote Hacking Team communications chief Eric Rabe, who is also affiliated with the University of Pennsylvania, in the e-mails. “They can argue about whether their target was a justified target or not, but their use of the tool several times from the same email address, and in repeatedly targeting and failing to get access is what caused the exposure of our technology.”
The internal reaction reveals a lot about the company’s priorities, said Bill Marczak, one of the researchers who worked on the Citizen Lab reports. “Their primary concern seems to have been not getting caught again,” he said.
The e-mails represent only part of the company’s discussion, Rabe told The Post in a statement, and the company was “justifiably concerned” by the Citizen Lab reports that Ethiopia was using its technology for political rather than law enforcement purposes. “While many opinions were expressed reaching a decision, the fact is that Hacking Team suspended the use of our system by this client in late 2014 and then ended our relationship altogether in 2015,” he said. “The company rejected [a] subsequent argument that a new restricted contract could be reached.”
But the e-mails suggest that Ethiopia did not lose access to spying capabilities until March. Pressed on the apparent discrepancy, Rabe said that the suspension meant that the Ethiopian government “would still have had some ability to collect data from existing surveillance” but could not select new targets and that a complete cutoff did not occur until this year.
Hacking Team, he said, was concerned after the February 2014 Citizen Lab report on Ethiopia’s use of its tools and had a “protracted series of discussions” with the client. “Ultimately, we were unable to determine the actual facts of the case,” Rabe said.
But the company realized “the client’s activity risked exposing our system not just for this client, but also possibly for others,” so it took steps to protect the systems from detection, he said. Hacking Team also warned Ethiopia to use the system only for law enforcement purposes and required additional training for operators of the system, according to Rabe.
There does appear to have been a contract dispute in late 2014, with more training and a new user agreement being promoted by Hacking Team and the Ethiopian contact complaining about the “bad performance” of the company’s system, according to the e-mails.
However, the messages also show that Hacking Team continued to negotiate with Ethiopia before and after the March 2015 Citizen Lab report.
In May, the company offered Ethiopia a contract with more on-the-ground training and supervision at a hefty price tag, according to the e-mails. The country continued to have at least some limited access to data within Hacking Team’s systems until June, when a “read-only” license provided to Ethiopia expired, according to the e-mails — and as recently as the beginning of July, some inside the company were hoping to keep it on board as a client.
“I would like them to renew,” an account manager wrote in a July 1 e-mail checking on the country’s status.
Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.