Leaked Documents Show Need to Regulate Surveillance Sales
Internet café in Lalibela, Amhara Region, Ethiopia. © 2010 Hemis.fr/AFP Photo
(New York, August 13, 2015) – The Italian spyware firm Hacking Team took no effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, Human Rights Watch said today. A comprehensive review of internal company emails leaked in July 2015 reveals that the company continued to train Ethiopian intelligence agents to hack into computers and negotiated additional contracts despite multiple reports that its services were being used to repress government critics and other independent voices.
The Italian government should investigate Hacking Team practices in Ethiopia and elsewhere with a view toward restricting sales of surveillance technology likely to facilitate human rights abuses, Human Rights Watch said.
“The Hacking Team emails show that the company’s training and technology in Ethiopia directly contributed to human rights violations,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “Despite multiple red flags, Hacking Team showed a striking lack of concern about how its business could damage dissenting and independent voices.”
On July 5, 400 gigabytes (GB) of Hacking Team’s internal emails, documents, and source code that had been hacked were leaked online. The leaked emails confirm that the company had sold surveillance systems, training, and support and maintenance services to the Ethiopian Information Network Security Agency (INSA) as early as 2011, with contracts worth US$1 million in 2012. On November 5, 2012, Hacking Team congratulated INSA on infecting its first target.
Leaked Hacking Team emails showed that the company reviewed independent reports, published in 2014 and 2015, which presented findings that the government was targeting Ethiopian Satellite Television (ESAT) employees based in the United States using Hacking Team technology. Yet the company’s internal emails show only a superficial effort to investigate these findings and end the abuse.
Hacking Team states it sells exclusively to governments. Human Rights Watch first contacted Hacking Team in February 2014 after the Toronto-based research center Citizen Lab reported that the Ethiopian government had attempted to use Hacking Team’s spyware, Remote Control System, to hack into the computers of ESAT employees. ESAT is an independent, diaspora-run television and radio station. On December 20, 2013, a third party made three separate attempts to target two ESAT employees who live outside of Ethiopia. In each attempt, ESAT employees received a file through Skype.
The ESAT employees did not open the files, which were presented as and appeared to be a Word document or PDF file. However, if the employees had opened them, the files would have covertly installed a program that would have given the Ethiopian government access to files, emails, passwords, and Skype calls made on the infected computer. Testing by researchers at Citizen Lab found that the program appeared to be spyware that matched previously established characteristics of Hacking Team’s Remote Control System.
The sale of surveillance technologies is largely unregulated at the national and international level. In December 2013, countries participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies added “intrusion software” to the arrangement’s multilateral export control list. As a result, the European Union and 41 member countries of the Wassenaar Arrangement have begun to introduce regulations to control the sale of systems like those sold by Hacking Team. The EU regulations, which apply to Italy, went into force in December 2014.
On February 25, Hacking Team released a statement saying it was “complying fully” with the Wassenaar Arrangement’s intrusion software controls. The company stated that “under the procedures agreed to by Hacking Team and the Italian Ministry of Economic Development, HT will request from the Italian Government export authorization for its technologies.”
The company’s leaked emails show the company’s lobbying efforts to ensure that it would not be required to seek specific authorization to export its technologies for all countries, undermining the Italian government’s ability to exercise oversight over its sales. In October 2014, the Italian Ministry of Economic Development briefly halted Hacking Team’s exports and proposed a broad control on the firm’s sales that would require a case-by-case review to approve each export, citing “possible uses concerning internal repression and violations of human rights.”
Leaked emails showed that company executives lobbied top Italian officials and government contacts to intervene. As a result, the Economic Development Ministry rescinded the broad control in November 2014, and instead granted a one-time “global license” for exports to countries that were part of the Wassenaar Arrangement in April 2015. It is unclear whether the Italian government has required Hacking Team to seek specific authorization for services, updates, and support the firm continues to provide under contracts signed before April.
Properly implemented export controls can be a valuable tool to help curb the unregulated spread of these systems and promote responsible business and human rights norms. Controls also act as an essential accountability and transparency mechanism. Greater transparency can assist governments and nongovernmental organizations in monitoring the human rights impact of their businesses, improving policies to address abuses, and enhancing remedies where violations occur.