The week of December 7, 2014

The unstoppable rise of the global surveillance profiteers

By Aaron Sankin

Imagine if your government put a price tag on your privacy, acquiring shadowy surveillance technology that exploited your personal vulnerabilities.

Earlier this year, journalists at the Ethiopian Satellite Television Service (ESAT) were sent something sketchy. The Amsterdam-based TV channel holds itself up as an alternative to the country’s tightly controlled state-run media and regularly runs programming critical of Ethiopia’s ruling regime. As such, the station’s broadcasts in the country are regularly jammed by government censors, and a recent documentary aired on state-run TV urged Ethiopians not to participate in ESAT’s programming.

The first suspicious message arrived one afternoon via Skype to an ESAT employee in Belgium who was managing a company account. The message supposedly came from Yalfalkenu Meches, a former contributor who had been out of contact for some time, and it included an attached file titled “An Article for ESAT” that raised a litany of red flags. It contained a veiled .exe file—the kind that triggers programs to start running on Windows machines and is the primary carrier of viruses—whose name included a long string of spaces designed to hide its true identity.

Suspecting that something was amiss, the employee refused to open the file, but Meches tried again—this time sending over a Microsoft Word document. Less than two hours later, Meches reached out to another ESAT employee, this one based in the company’s northern Virginia office, with a similar offer of an interesting article. Once again, Meches, or whoever had assumed his online identity, was rebuffed.

ESAT forwarded the emails to Citizen Lab, a multidisciplinary group at the University of Toronto’s Munk School of Global Affairs working on Internet freedom issues like censorship and surveillance, with a focus on the actions of repressive governments. Activists from around the world send files to Citizen Lab that they suspect contain viruses, and the group’s programmers will download them, rummage through the source code, and determine if there’s foul play involved.

Citizen Lab found that one of the ESAT messages exploited a bug in Microsoft Word that would make the infected system covertly download a virus from a remote server as soon as it was opened. The virus was one of the tendrils of something called Remote Control System, which was developed by a Milan, Italy-based company called Hacking Team.

Hacking Team is part of a new breed of companies that have sprouted up in the years since 9/11 sparked a global war on terror and a wired technological revolution. As the U.S. developed the online surveillance tools that, over a decade later, would eventually be revealed to the world by National Security Agency whistleblower Edward Snowden, savvy businesses across the globe realized there were plenty of countries that might not be able to afford to develop such sophisticated technology in-house but still had money to burn.

Third-party surveillance tools have grown from a virtually nonexistent industry in 2001 to one raking in over $5 billion annually. It’s also enabled countries around the world to cheaply establish a crude surveillance state, one that manipulates citizens and threatens their privacy.

Citizen Lab knew that the operator of the Meches account was working for the Ethiopian government because Hacking Team only sells its products to governments. And Hacking Team wasn’t alone in giving the Ethiopian government precisely what it needed to spy on the people whose activities it didn’t like.

One year earlier, Citizen Lab came across a piece of malware circulating through the wilds of the Internet that hid itself behind pictures of Ethiopian opposition party Ginbot 7, which the government had designated a terrorist group. When researchers examined the virus, they discovered it was designed to send information to a server in Ethiopia that had been previously identified as being associated with a private surveillance software called FinFisher, made by a company called Gamma International.

This map shows all of the countries where Citizen Lab has identified servers running FinFisher. (Note: The presence of a FinFisher server in a country doesn’t necessarily mean that the government of that country is using the program; some of the servers listed here are undoubtedly acting as intermediaries to disguise the intercepted data’s ultimate endpoint.)

The implication here is fascinating, noted Kenneth Page of the nonprofit Privacy International. Not only is the Ethiopian government outsourcing the construction of its surveillance technology, but it’s actively shopping around—using different programs made by different companies. 

“We couldn’t tell if it was a result of two different departments in the same government working independently or if it was just the government buying two different products to determine which one worked better,” said Page, whose group is part of the Coalition Against Unlawful Surveillance Exports (CAUSE), which advocates to control the flow of this type of surveillance technology. “Even within the industry itself, there’s a healthy competition.”

There’s a major demand for electronic surveillance equipment and a thriving ecosystem of companies from Canada to Israel willing to sell off-the-shelf surveillance solutions to any government with a few hundred thousand dollars to spare. Since the market for these goods is both opaque and truly global, for groups like CAUSE, halting the flow of this technology is an uphill battle.

The balance between safety and privacy

There are very good reasons why a government might legitimately depend on this type of surveillance software. On the most basic level, governments need to track terrorists and hardened criminals—two groups of people that, like pretty much everyone else, use the Internet to communicate.

“There are a lot of bad people in the world who are relying on these systems—telephones, mobile phones, Skype, Tor, tablets, and computers—to do what they do, and that is a threat to all of us,” insisted Hacking Team spokesman Eric Rabe. “There is a real question here about the public’s need for privacy and our need for security. If we come down 100 percent on the side of privacy, which seems to be in vogue in tech right now, we are putting ourselves at very legitimate risk. And to ignore that is foolhardy. I think, by and large, we and the other people who are protecting this software are working to keep people safe.”

Rabe insisted that Hacking Team goes to great lengths to ensure that the governments it sells to won’t use the products for ill, including an independent review process that exists outside of the company’s commissioned sales staff. Additionally, he noted, if a country were found to be using Hacking Team’s software to violate human rights, the company could stop sending over the updates necessary for its programs to bypass regularly updated commercial virus-detection software. Rabe declined to specifically state if this type of revocation has ever occurred. Even if it does happen, the programs would still be functional and effective against everyone who hasn’t patched to the latest version of antivirus software.

Representatives from Gamma did not respond to a request for comment.

Nevertheless, for many Ethiopians, the government’s use of these surveillance technologies can be a matter of life and death. A report released by Human Rights Watch earlier this year detailed how widely electronic surveillance in the country was used to keep the government’s critics in check:

Recorded phone calls with family members and friends—particularly those with foreign phone numbers—are often played during abusive interrogations in which people who have been arbitrarily detained are accused of belonging to banned organizations. Mobile networks have been shut down during peaceful protests and protesters’ locations have been identified using information from their mobile phones. 

A former opposition party member told Human Rights Watch: “One day they arrested me and they showed me everything. They showed me a list of all my phone calls and they played a conversation I had with my brother. They arrested me because we talked about politics on the phone. It was the first phone I ever owned, and I thought I could finally talk freely.”

The report noted that much of the technology used to monitor the country’s entire telecom network was provided by a Chinese firm called ZTE. But there is a litany of other options Ethiopian officials could have chosen from to meet their snooping needs.

WikiLeaks has been tracking the ecosystem of surveillance companies in a project called Spy Files since 2011. Spy Files hosts leaked documents from nearly 100 different companies in the surveillance technology business.

Since the industry is so active, and demand for the products is so enormous, the likelihood that one of these companies will sell to autocratic regimes is high. South African firm VASTech was found to have sold a system to former Libyan dictator Muammar Gaddafi that was used to track and record every single phone call coming into and out of the country, a practice that allegedly amounted to over 30 million minutes of phone conversations every month. Not only did VASTech maintain a relationship with Libya for years, but the South African government approved hundreds of thousands of dollars’ worth of grants to the company, knowing full well that the funds would be going toward the production and sale of surveillance technology.

Professionally produced software isn’t the only option available to a government looking for a virus that can infect a target and report back everything that person does online. If it wanted to, a government could employ the same tools cybercriminals around the world use to steal credit card information and hack personal email accounts every day. In fact, during Syria’s civil war, government affiliates used the Blackshades Remote Access Tool (RAT), a powerful cyberweapon developed in the U.S.

However, companies like Hacking Team and Gamma International provide a complete package with their specialty products. Customers can ring technical support if something goes wrong. The programs are designed to display data in a way that’s easily readable and specifically customized to meet that government’s needs. Most importantly, the software is constantly updated to avoid firewalls and antivirus programs because what’s untraceable today may be easily defended against tomorrow.

Marietje Schaake, a member of the European Parliament who has long advocated the implementation of strict international controls on the export of surveillance technology, argues that, even outside of the context of authoritarian regimes, the proliferation of these types of Orwellian technology is problematic.

“I think people have a legitimate reason to be concerned about the spread of intrusion and mass surveillance technologies on the broadest sense,” Schaake insisted. “This is very much a discussion we must also have in our own societies—for example, when it comes to the powers of intelligence services. The many cases of abuse indicate the massive impact they have on human rights.”

Schaake has been interested in the issue since her first days in the European Parliament, when she saw how the Iranian government used surveillance technology provided by Nokia Siemens Networks to intercept the communications of and track down dissidents during widespread public demonstrations that erupted following Iran’s disputed 2009 presidential election. The willingness of a well-respected European company like Nokia Siemens Networks to help a repressive government like Iran crack down on its own people really struck a nerve.

“These systems are used to intercept communications, access people’s devices, and track down dissidents,” she explained. “It demonstrates the devastating impact the unregulated trade in technologies can have on human rights.”

The Wassenaar Arrangement

Actually stopping a company from selling this technology is far tougher than it seems. For one thing, banning the sale of all surveillance software may ultimately do more harm than good.

“If you draw restrictions that are overly broad, you catch up technologies that have legitimate uses and harm the country’s business interests,” explained Danielle Kehl, a policy analyst at the New America Foundation’s Open Technology Institute, which is also part of the CAUSE coalition. “It could have a negative impact on the free flow of information and severely hinder research.” 

What makes the problem even more difficult is there’s little a single country can do on its own. 

The United States, for example, has a complex set of export controls that require companies selling surveillance technologies abroad to first receive specific approval from the Departments of Commerce, Defense, and State to do so.

Even with these controls in place, the system has been known to break down. In 2011, California-based surveillance tech firm Blue Coat admitted that 13 of its Internet filtering systems, which a spokesperson insisted the company had initially sold to Iraqi authorities, ended up in the hands of Syrian President Bashar al-Assad, who used them as censorship mechanisms in the midst of the nation’s brutal civil war.

Over the last few years, the international community has gotten together and started seriously addressing the global trade of surveillance equipment in an effort to ensure that these programs don’t fall into the wrong hands. The mechanism for doing that is called the Wassenaar Arrangement.

A few years after the end of the Cold War, world leaders met in a suburb of the Hague called Wassenaar and struck a deal to control the flow of conventional military technology. The agreement wasn’t binding like an official treaty; instead, it was more like a gentleman’s agreement by which each of the 41 participating nations agreed to do their best to subsequently ratify in their individual national legislatures whatever the diplomats in Wassenaar agreed upon.

Wassenaar has been in place since 1996, but it’s only been in the past two years that surveillance technologies have been added to the list. Updates to Wassenaar occur once a year; the 2014 plenary meeting was held last week, so the process is slow. Transferring those updates to individual member states is even slower—especially in the case of the European Union, whose process for adoption is positively glacial. 

Without a comprehensive, international system of controls preventing companies in virtually every country from supplying surveillance technology to bad actors, it’s relatively easy for a firm that wants to sell surveillance technology to do so—or to simply set up a subsidiary in the next country over and sell to whomever it wants. Since the Wassenaar Arrangement only covers 41 out of the world’s 196 countries, finding a nation to set up shop in that lacks any kind of surveillance tech export controls likely isn’t all that difficult.

One problem that advocates of stricter regulations like Schaake have with the way Wassenaar functions is that the controls, which give countries the ability to decide whether to grant specific export licenses, are enacted at the level of each individual government and aren’t necessarily consistent. That opens a window for companies to shop around. Just because one government denies a license, that doesn’t mean the company couldn’t just apply in another jurisdiction that’s more forgiving.

While Europe has been slow in establishing a consistent set of export controls, at least one country has elected to take strong, unilateral action. Earlier this year, German Economy Minister Sigmar Gabriel announced the country was placing a moratorium on the sale of all surveillance technology to a handful of nations it viewed as problematic—including Russia and Turkey—until a comprehensive solution is implemented by the E.U. as a whole.

“Supporters of Internet freedom are not supposed to deliver corresponding technology to the hands of such regimes which monitor Internet users and thus violate the most basic human rights,” Gabriel told Turkish English-language newspaper the Daily Sabah.

In addition, deciding precisely what qualifies a country as undeserving of surveillance technology is a tricky question in and of itself. It’s a simple decision not to allow an American company to sell malware to the government of North Korea, which seems to be doing pretty well on its own. The issue gets far thornier, however, when it comes to countries whose human rights records might not be stellar but aren’t quite bad enough to justify being ostracized by the international community. 

Take Saudi Arabia, for example. The Saudi government has received considerable criticism for how it treats religious minorities and political dissidents; yet the country sat on the United Nations’ Human Rights Council as recently as 2012. In March, a group of 52 members of Congress wrote an open letter urging President Obama to advocate for reform during a then-upcoming meeting with Saudi Arabia’s King Abdullah, but the U.S. government recently sold the country $30 billion worth of F-15 fighter jets. In that context, the argument that the U.S. should prohibit, or even significantly limit, the sale of surveillance equipment explicitly designed to catch terrorists to one of its prime strategic allies in the Middle East is a difficult one to make. As a result, privately designed surveillance software made by former Boeing subsidiary Narus has been identified in Saudi Arabia.

The issue of speed is also huge. Right now, Wassenaar only covers a few types of surveillance technology.

Last year, Wassenaar added two more technologies to its export control list. The first type, called “Advanced Persistent Threat Software,” is essentially malware designed to circumvent the security features on a given device and then extract information from it. The category consists of viruses that log every key typed on a computer keyboard and ones that use a phone’s GPS to record everywhere its owner travels. The second type includes systems that monitor telecommunications networks for the purposes of mass surveillance and intercept information like emails, Google searches, and voice over Internet protocol (VoIP) calls via programs like Skype. The year before, the group started regulating tech that can be used to impersonate cell towers and allow governments to monitor communications using man-in-the-middle attacks.

These are the only technologies even theoretically controlled across participating countries in a coordinated fashion. It leaves an enormous gap for other types of systems that haven’t yet been added to the list.

Kenneth Page of human rights group Privacy International gives the example of a Dubai-based company called Advanced Middle East Systems, which sells a superhero-inspired product called Cerebro. It can be used to tap into fiber-optic cables carrying Internet traffic and intercept all of the data being passed through without the need for the cooperation of the telecom company that owns the pipe. 

Advanced Middle East Systems’ marketing materials state that the export of Cerebro is subject to the United Arab Emirates licensing controls. Page argues, however, that the decision is left up to authorities in the U.A.E., and there’s nothing in Wassenaar that could stop it.

The Wiretapper’s Ball 

Like any major industry, the companies in the business of selling surveillance technology have conferences. Those trade shows, which are held a few times a year in locations like Mexico and Dubai, are called ISS World, more commonly known as the “Wiretapper’s Ball.”

ISS World gives everyone involved in the government surveillance business, from the vendors of surveillance technology to the government intelligence agents themselves, the chance to talk shop. The list of talks at the conference held in Kuala Lumpur, Malaysia, earlier this year includes:

  • How to intercept wireless communications on 3G, 4G and LTE mobile networks
  • How to carry out remote stealth surveillance on encrypted traffic networks
  • How to use encryption to avoid remote stealth surveillance
  • How to use facial recognition technology and gather metadata on images posted on Facebook
  • How to defend your networks against zero-day attacks—meaning, ones exploiting previously unknown holes in digital security systems

From what public accounts do exist, the events themselves seem like profoundly weird experiences.

A Bloomberg News report about an ISS World conference in Kuala Lumpur in 2011 noted that, unlike almost every other business conference in existence, there are no cocktail parties. Attendees try to avoid even being seen talking or congregating with each other in public. That kind of socialization isn’t encouraged when the stated profession of nearly everyone in attendance is stealing secrets and the events are potential recruiting grounds for double agents.

At a previous iteration of the conference in Prague, one telecom regulator from an African government looked up from his tablet to see the action being displayed on his monitor also being projected on a screen at the front of the room in real time. He had logged onto the hotel’s wireless Internet and someone had quickly hacked his system to teach him an important lesson about what happens when one is insufficiently paranoid in a room packed with spies.

ISS World’s organizer, a Virginia-based company called TeleStrategies, is notoriously secretive. It doesn’t allow journalists into its conventions and, when contacted by the Kernel, a representative said the company has a policy of not granting interviews with the press. 

However, the organization has apparently let in representatives from Sudan, Iran, and Syria—nations whose repressive governments have earned them a place on the list of countries sanctioned by the U.S. government. According to a report by independent researcher Colin Anderson, TeleStrategies requires that attendees register under the umbrella of larger, pre-screened organizations.

“In the case of Sudan, TeleStrategies has indicated knowledge of the participant’s nationality through its disclosed attendance records,” Anderson wrote. “Six of the listings are entities of the Government of Sudan, and three of which, recorded as ‘Governmental LEA,’ ‘Sudan Ministry of Interior,’ and ‘Sudan National Telecommunication Authority’, are directly cited within the State Department’s Human Rights Reports as parties in the country’s online and offline human rights abuses.”

For their part, the conference’s organizers say they do what they can to block representatives from some of the world’s most notorious governments from attending. Other than that, as TeleStrategies President Jerry Lucas charges, ethical concerns are “not our responsibility.”

It’s a sentiment echoed by Hacking Team spokesman Eric Rabe. He insists that, outside of building and helping set up the technology, his company plays no part in whatever investigations its governmental customers decide to carry out. “I don’t think you want Hacking Team to be the universal arbiter of what countries are good and what countries are bad,” he noted. “That’s why we rely on blacklists; that’s why we rely on governments to help us.”

In one sense, that shirking of moral responsibility is a dodge. But in another, it’s hard logic to argue with. If governments don’t set up clear rules about the sale of these technologies, there’s going to be nothing stopping companies from selling whatever they want to the highest bidder—even if the intentions of that highest bidder are less than honorable.

“The systems we are talking about are getting smaller, faster and cheaper every day,” Schaake told the Kernel. “Technologies that are sold as law enforcement tools can easily be abused in countries where the rule of law is not upheld, and where journalists, human rights defenders, opposition politicians, and ordinary citizens are attacked by their governments through these tools.”

If government regulators and activists want to have any hope of ensuring Internet freedom for billions of people around the world, they’re going to have to act fast.

Illustration by J. Longo