Documents obtained by hackers from the Italian spyware manufacturer Hacking Team confirm that the company sells its powerful surveillance technology to countries with dubious human rights records.
Internal emails and financial records show that in the past five years, Hacking Team’s Remote Control System software — which can infect a target’s computer or phone from afar and steal files, read emails, take photos and record conversations — has been sold to government agencies in Ethiopia, Bahrain, Egypt, Kazakhstan, Morocco, Russia, Saudi Arabia, South Sudan, Azerbaijan and Turkey. An in-depth analysis of those documents by The Intercept shows Hacking Team’s leadership was, at turns, dismissive of concerns over human rights and privacy; exasperated at the bumbling and technical deficiency of some of its more controversial clients; and explicitly concerned about losing revenue if cut off from such clients.
Ethiopia: “700k is a relevant sum”
Last year, researchers with the Citizen Lab at the University of Toronto identified traces of Hacking Team spyware on the computers of Ethiopian journalists living in Northern Virginia. Ethiopia’s government is ranked as one of the worst in Africa for press freedom, and regularly targets journalists under anti-terrorism laws.
The researchers believed that the journalists, who worked for Ethiopian Satellite Television (ESAT) — a network run largely by expatriates and seen as close to opposition parties — had been attacked by Ethiopia’s Information Network Security Agency, or INSA. (The Citizen Lab researchers included Morgan Marquis-Boire, First Look Media’s director of security and co-author of this article.) At the time, the Ethiopian government’s spokesperson in Washington denied using Hacking Team’s products, telling the Washington Post that Ethiopia “did not use and has no reason at all to use any spyware or other products provided by Hacking Team or any other vendor inside or outside of Ethiopia.”
Then last March, Citizen Lab again published evidence of Hacking Team’s malware, this time in an attachment to an email sent to Neamin Zeleke, ESAT’s managing director. The Ethiopian spokesperson said the county “acts in compliance with its own laws and with the laws of nations.”
Hacking Team refused to confirm its clients but repeated that the company investigated alleged human rights abuses. However, Rabe told the Washington Post, “It can be quite difficult to determine facts, particularly since we do not operate surveillance systems in the field for our clients.”
Emails and internal records clearly show that the incident set off a debate within the company about whether the bad press and potential exposure of Hacking Team technology was worth it.
“[Citizen Lab] found the source of the attack because these geniuses used the same email address they had used in the previous attack to send the doc with the exploit,” the chief technical author wrote in Italian, referring to the Ethiopian clients. Vincenzetti ordered them to temporarily suspend the account.
But the follow-up investigation appears to have consisted of a terse email to their INSA contact stating, “would you please give a detailed explanation regarding the following allegations?” with links to reports.
INSA’s representative replied that Zeleke was targeted as a member of Ginbot7, an opposition political party that the Ethiopian government declared a terrorist group in 2011. “To us, Nemene Zeleke is one of the top leaders of a terrorist organization, not a journalist,” the INSA agent wrote.
Hacking Team seemed placated, but still irritated. Chief Operating Officer Giancarlo Russo wrote to other executives that it “seems that from a legal point of view they are compliant with their own law.”
Rabe, meanwhile, argued that “the issue is their incompetent use of HT tools. They can argue about whether their target was a justified target or not, but their use of the tool several times from the same email address, and in repeatedly targeting and failing to get access is what caused the exposure of our technology.” (Indeed, emails to Hacking Team’s support system show clients complaining about the leak.)
Daniele Milan, Hacking Team’s operations chief, weighed in favor of closing the account, saying that INSA’s “reckless and clumsy usage of our solution caused us enough damage.”
“But I know that 700k is a relevant sum,” he adds in Italian in another email.
The executives eventually decided to reinstate Ethiopia’s license. In May, after a few weeks’ back-and-forth, the company proposed a new contract with more on-the-ground training and supervision — “additional services” that a business development executive noted could add hundreds of thousands of euros to the country’s bill.
An invoice leaked with the Hacking Team cache shows that Ethiopia paid $1,000,000 Birr (ETB) for Hacking Team’s Remote Control System, professional services, and communications equipment.
Human Rights Watch documented how the Ethiopian government uses foreign spyware to strengthen its widespread telecom surveillance of opposition activists and journalists – both in Ethiopia and abroad. The government has used foreign technology to record activists’ private phone conversations, and then arrest them for speaking about their political beliefs.