WikiLeaks, show that Hacking Team was selling its products to nations with records of human rights abuses, including Ethiopia, Bahrain, Egypt, Kazakhstan, Russia, Saudi Arabia, Sudan and Azerbaijan. An Italian company that sells surveillance software to governments and law enforcement agencies worldwide was negotiating to provide an Orlando police agency with spyware technology that infiltrates phones and computers, according to emails just released. The technology, developed by Hacking Team, can monitor conversations and emails, and even turn phones and laptops into surveillance devices by remotely activating cameras and microphones.
Leaked emails show Orlando’s MBI sought spyware from recently hacked Italian company
Hacking Team was compromised in a data breach on July 5, when unknown hackers posted a link to download more than 400 gigabytes of company data. A message on Hacking Team’s hijacked Twitter account read: “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code.” The emails and files, which have since been catalogued by WikiLeaks, show that Hacking Team was selling its products to nations with records of human rights abuses, including Ethiopia, Bahrain, Egypt, Kazakhstan, Russia, Saudi Arabia, Sudan and Azerbaijan.
This year, according to the leaked emails, Hacking Team was looking to enter the large market of local police agencies in the United States. One of the most promising areas for Hacking Team’s expansion was Florida.
On April 22, Agent Randall Pennington of the Metropolitan Bureau of Investigation — a major-crimes task force that covers Orange and Osceola counties — emailed Hacking Team: “We are a law enforcement task force located in Orlando, Florida. I would like to speak with someone regarding your products.” Within a month, a Hacking Team employee, Daniele Milan, flew from Italy to Orlando to meet with four MBI agents, including the director, Larry Zweig. According to an email Milan sent his co-workers, MBI wanted to increase its surveillance capability. Budget wasn’t a concern, the MBI officials said, even though a leaked company invoice shows Hacking Team services can cost more than $400,000.
Instead, the Orlando law enforcement agents were most concerned about laws that prevent bulk surveillance activities and the collection of information from people who are not targets of investigation.
“The main concern was the federal legal framework they have to comply with (Title III of the Omnibus Crime Control and Safe Streets act of 1968) which imposes `minimization’ of the calls and messages (i.e., deleting portions which are not relevant to the speech),” Milan wrote to co-workers on May 21.
Zwieg told the Orlando Sentinel on Thursday the task force never bought anything from Hacking Team. He declined to say what exactly MBI was trying to purchase from the company. But Zwieg did say MBI wants to have programs that are able to track drug and human trafficking organizations who use apps such as Snapchat to communicate.
Hacking Team’s surveillance software, as originally designed, would have provided information about everyone with whom the target of the investigation communicated. To comply with a search warrant, MBI needed Hacking Team to prevent the transfer of information they are not allowed to receive under the law — to minimize the data.
“We tried to identify ways to go around this,” Milan explained in the email.
If Hacking Team was to enter the state and local law enforcement market in the United States, the company needed to develop a minimization system, Milan added.
Milan and the MBI employees agreed that they would meet again during an upcoming industry conference in North Carolina so that Hacking Team could demonstrate the modified software. That meeting, according to a company spreadsheet labeled “U.S. Action Plan,” was scheduled for July 21. The Hacking Team spreadsheet lists MBI’s “temperature” — the perceived interest in purchasing surveillance products — as green, with a smiley face emoticon.
MBI referred Florida Center for Investigative Reporting’s questions to Lt. Mike Gibson, who was among the four agents to meet with Hacking Team in May, according to the leaked emails. Gibson did not respond to requests for comment.
While this is the first documented contact between Florida law enforcement and Hacking Team, Florida agencies have not been shy about deploying aggressive surveillance technologies.
In February, the American Civil Liberties Union released a report that documented how cell site simulators, known as StingRay, have become increasingly popular among Florida police. The technology, which is manufactured by Harris Corporation of Melbourne, fools a cell phone into thinking it is communicating with a service tower. The cell phone then sends location and other data to law enforcement agencies, allowing police to track someone’s movements. This type of surveillance does not require a warrant or probable cause.
The Orange County Sheriff’s Office conducted 558 investigations from 2008 to 2014 in which StingRay technology may have been used, and the Miami-Dade Police Department used StingRay in 59 closed criminal cases during a one-year period ending in May 2014, according to the ACLU report.
In Tallahassee, the secret use of a StingRay device compromised the prosecution of Tadrae McKenzie, a 20-year-old who was charged with robbery with a deadly weapon. After a state judge ordered police to show the StingRay device to McKenzie’s defense lawyers, prosecutors offered a sweetheart deal — just six months probation after pleading guilty to a second-degree misdemeanor — to avoid having to turn over the surveillance device.
Now that Hacking Team’s email and source codes have spilled online, the company’s future business, including with Florida law enforcement, is uncertain. That outcome is something the company’s chief executive officer joked about in an email last month when he instructed an employee not to allow a demonstration to be recorded.
“Imagine this: a leak on WikiLeaks showing you explaining the evilest technology on earth!” David Vincenzetti wrote to several employees on June 7.
He ended the sentence with a smiley face emoticon, then added:
“You would be demonized.”
What it took for Ethiopia to lose access to hacking tools it used against journalists in the U.S.
Now we know what it takes to get your hacking tools taken away if you’re a repressive government.
It’s not enough to get caught spying on U.S.-based journalists — or even to have the story plastered on the front page of a major U.S. newspaper. But if you get caught doing it again because of your own sloppiness, that may just be enough to shame your vendor into cutting you off.
That’s what the public is now learning from a massive trove of e-mails and documents released online this week from Italian company Hacking Team, which was itself hacked.
Hacking Team is part of a burgeoning commercial surveillance industry that critics allege sells hacking tools once reserved for the most advanced intelligence agencies to any country that can pay. The company has long had a policy of not identifying its customers and has responded to previous reports of abuse by saying it has an internal process for responding to allegations of human rights abuses.
The e-mail cache, now archived by WikiLeaks, appears to show that the company relied on a biannual report from an international law firm to determine which countries it can legally sell its products and faced pressure from the United Nations and the Italian government over business relationships with repressive regimes. Last fall, the company briefly faced a ban on the export of its products by the Italian government, according to the e-mails. Around the same time, the company’s chief operating officer wrote in an e-mail that it had suspended Sudan as a client and that it was a “sensitive” time for the company.
But e-mails sent in the aftermath of a March report about Hacking Team tools being used by the Ethiopian government to target journalists based in the United States appear to show that the sloppiness of their Ethiopian customers, which exposed the use of the company’s technology, was a bigger concern for the company than potential human rights violations. And later, the company tried to secure a new contract with the country.
Researchers with Citizen Lab at the University of Toronto’s Munk School of Global Affairs discovered traces of Hacking Team’s tools on the computers of U.S.-based Ethiopian journalists, as reported in a front-page story by The Post in February of 2014. The Ethiopian government has a notoriously poor track record on freedom of the press, and Ethiopians living abroad play a significant role in providing independent news coverage of the country’s domestic situation.
At the time, Ethiopia denied using Hacking Team’s products. The government did not respond to a request for comment for the story.
This March, Citizen Lab published evidence that Hacking Team spyware had again been used to target Ethiopian journalists in the United States — and the software appeared to have been updated since the earlier attacks were disclosed, suggesting that the company had continued to support the Ethiopian government as a client even after reports of abuse.
Hacking Team declined to confirm its relationship with the company at the time, telling The Post that “assertions that may seem perfectly obvious to some can be extremely difficult to actually prove.” But internally, there was little debate about the accuracy of the Citizen Lab report.
“[T]hey know they are right,” wrote one software architect for the company, according to the e-mails. “[E]very technician reading the report will come to the same conclusions.” The “infrastructure” supporting Ethiopia was shut down after Hacking Team reviewed the report, according to the e-mails.
But the ensuing internal investigation appeared limited. The company did send an inquiry to their contact with Ethiopia’s Information Network Security Agency about the allegations, according to the e-mails. The Ethiopian agent argued that the target was a member of an opposition political movement that the government had declared a terrorist group and that the government did not consider him a journalist, the e-mails said.
The response seemed to satisfy Hacking Team, with Chief Operating Officer Giancarlo Russo writing that it “seems that from a legal point of view they are compliant with their own law.”
Still, concerns remained about the financial fallout from Ethiopia’s use of the Hacking Team products. “I think that we all agree that we should interrupt any business with them due to the recurring media exposure and resulting technical issues,” Operations Manager Daniele Milan wrote in an e-mail.
“The issue is their incompetent use of [HackingTeam] tools,” wrote Hacking Team communications chief Eric Rabe, who is also affiliated with the University of Pennsylvania, in the e-mails. “They can argue about whether their target was a justified target or not, but their use of the tool several times from the same email address, and in repeatedly targeting and failing to get access is what caused the exposure of our technology.”
The internal reaction reveals a lot about the company’s priorities, said Bill Marczak, one of the researchers who worked on the Citizen Lab reports. “Their primary concern seems to have been not getting caught again,” he said.
The e-mails represent only part of the company’s discussion, Rabe told The Post in a statement, and the company was “justifiably concerned” by the Citizen Lab reports that Ethiopia was using its technology for political rather than law enforcement purposes. “While many opinions were expressed reaching a decision, the fact is that Hacking Team suspended the use of our system by this client in late 2014 and then ended our relationship altogether in 2015,” he said. “The company rejected [a] subsequent argument that a new restricted contract could be reached.”
But the e-mails suggest that Ethiopia did not lose access to spying capabilities until March. Pressed on the apparent discrepancy, Rabe said that the suspension meant that the Ethiopian government “would still have had some ability to collect data from existing surveillance” but could not select new targets and that a complete cutoff did not occur until this year.
Hacking Team, he said, was concerned after the February 2014 Citizen Lab report on Ethiopia’s use of its tools and had a “protracted series of discussions” with the client. “Ultimately, we were unable to determine the actual facts of the case,” Rabe said.
But the company realized “the client’s activity risked exposing our system not just for this client, but also possibly for others,” so it took steps to protect the systems from detection, he said. Hacking Team also warned Ethiopia to use the system only for law enforcement purposes and required additional training for operators of the system, according to Rabe.
There does appear to have been a contract dispute in late 2014, with more training and a new user agreement being promoted by Hacking Team and the Ethiopian contact complaining about the “bad performance” of the company’s system, according to the e-mails.
However, the messages also show that Hacking Team continued to negotiate with Ethiopia before and after the March 2015 Citizen Lab report.
In May, the company offered Ethiopia a contract with more on the ground training and supervision at a hefty price tag, according to the e-mails. The country continued to have at least some limited access to data within Hacking Team’s systems until June, when a “read-only” license provided to Ethiopia expired, according to the e-mails — and as recently as the beginning of July, some inside the company were hoping to keep it on board as a client.
“I would like them to renew,” an account manager wrote in a July 1 e-mail checking on the country’s status.
Source: heraldrecorder.org
No comments:
Post a Comment