Hacking Team Denies Selling Spyware to Sketchy Governments


What's This?


Hacking-mapThe map of 21 countries where cyber sleuths have found traces of Hacking Team's spyware.

Image: Mashable composite. Wikimedia commons



Surveillance-technology company Hacking Team denied selling its spyware to 21 countries, including those that suppress civil liberties, following a damning report published last week.


Cyber sleuths at the University of Toronto' Citizen Lab reported that they had found traces of Hacking Team's software in 21 countries, including some with poor human-rights records such as Sudan, Azerbaijan and Saudi Arabia.



Hacking Team is an Italian company that develops a powerful surveillance software called Remote Control System, a "hacking suite" that when surreptitiously installed on a target's computer, can intercept emails and Skype communications, as well as allow operators to access data on the infected computer.


RCS is marketed specifically — and exclusively — for government and law-enforcement use. But it's unclear who Hacking Team's clients are, although the company has claimed it doesn't sell to "any repressive regime."


Company spokesperson Eric Rabe said Hacking Team does not identify its customers because that would "jeopardize the confidentiality necessary for effective law-enforcement and intelligence investigations," and added that the reported list of countries is inaccurate.


"Citizen Lab appears to be using research based on old technology, and the list they have produced is not an accurate list of nations where Hacking Team clients are located," he told Mashable in an email.


Citizen Lab found traces of RCS by mapping the spyware's network of proxy servers, challenging Hacking Team's claim that RCS is "untraceable." When asked about the proxy servers, Rabe explained that the "variety" of techniques they use to protect the identities of their clients are "effective," but declined to specify what they are.


In response to Hacking Team's statements, the four researchers at Citizen Lab — Bill Marczak, Morgan Marquis-Boire, Claudio Guarnieri and John Scott-Railton — said in a statement that they are "not surprised" about the company's denial.


"We invite Hacking Team to provide evidence to back up the claims they have made about our report," the researchers told Mashable. However, Rabe declined to be more specific.


Hacking Team's Safeguards Against Abuse


To defend against the accusation that it sells to countries that have a record of breaching human rights, Rabe explained how Hacking Team ensures its spyware doesn't end up in the wrong hands.


"We rely on our own due diligence, published reports, international black lists and conversations with potential clients to assure ourselves to the extent possible that our software will be used legally and responsibly," Rabe said.


But experts, who have been investigating Hacking Team and other companies that sell surveillance technology for years, remain skeptical.


"If they can't confirm or deny whether any of these countries have been their clients, then they don't really have an oversight process that anyone should trust to prevent their technologies from being used as part of human-rights abuses," said Eva Galperin, an activist with digital-rights advocacy group the Electronic Frontier Foundation.


Hacking Team has always claimed that its software is intended only for legitimate criminal investigations, but Citizen Lab said it found a few instances where that doesn't seem to be the case.


Last year, RCS was reportedly used against a group of citizen journalists who are critical of Morocco's government, as well as against a pro-democracy activist in the United Arab Emirates. More recently, journalists in the U.S. and Europe have reportedly been targeted, possibly by the Ethiopian government.


These reports caused Reporters Without Borders to name Hacking Team one of its five "corporate enemies of the Internet" last year.


To prevent abuses, Hacking Team claims in its customer policies to have "an outside panel of technical experts and legal advisors" that reviews any potential sale.


When asked to disclose the identities of panel members, how the panel works and whether it has blocked a potential sale, Rabe declined to provide specifics.


"We cannot identify members of our vetting panel, nor can we specifically describe in detail its work," he said. "However, in our pre-sale negotiations, we look for red flags that might indicate a risk that our product might be used improperly either in activities that could violate the law, or simply due to sloppy deployment that might expose our software. After a sale, should we discover abuse or misuse of our products, we can suspend support, which renders the software liable for detection and therefore makes it useless."


Rabe refused to elaborate on whether Hacking Team has ever suspended a client, saying only that the company has "both suspended support, and refused to do business in the first place with clients or potential clients we believed had or might abuse the software."


"These are internal business decisions," he added. "However, this does happen, and is generally the result of information coming to our attention from either internal or external sources that leads us to believe our software is not being used properly."


Rabe also underscored the important role of tools like RCS. "I trust you’ll make note of the need for tools such as Hacking Team provides, given the easy and facile use of Internet, computer and mobile technologies by criminals of all kinds from various scam artists to drug smugglers to child abusers."


For Galperin, however, Hacking Team's explanations are not enough.


"Hacking Team cannot simultaneously ask people around the world to trust them, while also failing to provide any information that would allow people to do so," she said.




Hacking Team's commercial for its "hacking suite" Remote Control System Da Vinci.


Other Surveillance-Tech Companies


In the latest Citizen Lab report, researchers mentioned companies like FinFisher or Vupen that could theoretically be used by governments that purchase Hacking Team software in order to covertly implant it on a target's computer. One was Vupen, a French company that sells computer exploits (weaponized software bugs) and zero-days (unknown vulnerabilities), which allow an attacker to covertly install malware on a target's computer.


Vupen sells its products to governments around the world, reportedly for hundreds of thousands of dollars. But it denied any association with Hacking Team.


"We do not have any relationship with Hacking Team, as we only work with end-user government agencies," Vupen CEO Chaouki Bekrar told Mashable.


Rabe echoed Bekrar, when asked about Hacking Team's relationship with Vupen.


"Hacking Team has no special business relationship with Vupen," he said, adding that it's the "investigating agency" that is responsible for deploying Hacking Team's RCS spyware against a target. "These agencies have a number of techniques they can deploy including use of exploits from Vupen or elsewhere, or they may be able to get physical access to a subject’s devices."


To understand why the two companies might be linked, it's important to explain how their technologies work. A government can install Hacking Team's malware in a variety of ways, one of which is via an exploit. In that scenario, a government might buy a Vupen exploit, which allows it to deploy Hacking Team's spyware against its target.


Despite both companies denying a special relationship with each other, some including Eric King, head of research at advocacy group Privacy International, are skeptical of their claims.


King, who has investigated companies like Hacking Team, FinFisher and Vupen for years as part of his organization's Big Brother Inc. project, said he remembered attending two surveillance trade shows three years ago. During the conferences, Hacking Team's sales representatives referred to Vupen as a company that sold exploits that would work well with Hacking Team's products, he told Mashable. However, King emphasized that he isn't suggesting there are formal agreements between the companies.


Chris Soghoian, a technologist at the American Civil Liberties Union and a prominent surveillance expert, is also unconvinced by the companies' denials.


"Does it really matter if the guns and bullets are sold by different companies, when you don't use one without the other?" he tweeted.


For the sake of transparency, we're embedding the full email exchange that we had with Hacking Team and its spokesperson Eric Rabe, embedded below. The questions and answers were not edited, but simply re-ordered for clarity.


Mashable Interview with Hacking Team's Eric Rabe


Have something to add to this story? Share it in the comments.


Topics: hackers, hacking, malware, surveillance, US & World, World




0 comments: