(New York, August 13, 2015) – The Italian spyware firm Hacking Team took no effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, Human Rights Watch said today. A comprehensive review of internal company emails leaked in July 2015 reveals that the company continued to train Ethiopian intelligence agents to hack into computers and negotiated additional contracts despite multiple reports that its services were being used to repress government critics and other independent voices.
The Italian government should investigate Hacking Team practices in Ethiopia and elsewhere with a view toward restricting sales of surveillance technology likely to facilitate human rights abuses, Human Rights Watch said.
“The Hacking Team emails show that the company’s training and technology in Ethiopia directly contributed to human rights violations,” said Cynthia Wong, senior Internetresearcher at Human Rights Watch. “Despite multiple red flags, Hacking Team showed a striking lack of concern about how its business could damage dissenting and independent voices.”
On July 5, 400 gigabytes (GB) of Hacking Team’s internal emails, documents, and source code that had been hacked were leaked online. The leaked emails confirm that the company had sold surveillance systems, training, and support and maintenance services to the Ethiopian Information Network Security Agency (INSA) as early as 2011, with contracts worth US$1 million in 2012. On November 5, 2012 Hacking Team congratulated INSA on infecting its first target.
Leaked Hacking Team emails showed that it reviewed independent reports published in 2014 and 2015 that presented findings that the government was targeting Ethiopian Satellite Television (ESAT) employees based in the United States using Hacking Team technology. Yet the company’s internal emails show only a superficial effort to investigate these findings and end the abuse.
Hacking Team states it sells exclusively to governments. Human Rights Watch first contacted Hacking Team in February 2014 after the Toronto-based research center Citizen Lab reported that the Ethiopian government had attempted to use Hacking Team’s spyware, Remote Control System, to hack into the computers of ESAT employees. ESAT is an independent, diaspora-run television and radio station. On December 20, 2013, a third party made three separate attempts to target two ESAT employees who live outside of Ethiopia. In each attempt, ESAT employees received a file through Skype.
The ESAT employees did not open the files, which were presented as and appeared to be a Word document or PDF file. However, if the employees had opened them, the files would have covertly installed a program that would have given the Ethiopian government access to files, emails, passwords, and Skype calls made on the infected computer. Testing by researchers at Citizen Lab found that the program appeared to be spyware that matched previously established characteristics of Hacking Team’s Remote Control System.
In response to a Human Rights Watch inquiry about this incident, the company stated that under its “Customer Policy,” “when questions about the proper use of our tools are raised either internally or come to our attention from outside the company, we investigate.” If a government agency is found to have misused its software, the company states, it will suspend support for the agency’s system, leaving it “vulnerable to detection and therefor useless”. However, until the firm’s recent data breach, the company has been unwilling to disclose any information on its clients or whether it opened an investigation into how the Ethiopian government has been using its technology under its customer policy.
A second report published in March 2015 by Citizen Lab further corroborated evidence that the Ethiopian security agency continued to use Hacking Team’s system to target ESAT journalists. It also showed that the company provided at least one software update to the agency in between the attacks, despite clear indications of abuse of the software. This raised considerable questions about whether the company took the action set out in its customer policy on earlier reports.
Although Hacking Team point out that the leaked information is partial, arguing that it does not include a record of phone calls or discussions held during internal meetings at the company, the company’s leaked internal emails do not show that the company conducted a serious investigation in response to allegations that the security agency had misused the system in 2014. As Hacking Team staff debated over email about how to respond to media reports of the Ethiopian government’s hacking activities, they were also discussing the security agency’s requests to upgrade its system and purchase additional services.
In March 2015, in response to reports from Human Rights Watch and Citizen Lab, Hacking Team asked Ethiopian officials for a written response to allegations that it was conducting abusive surveillance. The government responded that its targets are members of Ginbot 7, a banned Ethiopian opposition organization that the government considers to be a terrorist organization. The emails show no further inquiry by Hacking Team to the government’s response.
The Ethiopian government has invoked national security to clamp down on core freedoms and human rights. Human Rights Watch documented in a March 2014 report that the Ethiopian government uses its surveillance capacities to unlawfully monitor the activities of perceived political opponents inside the country and among the diaspora. Individuals with perceived or tenuous connections to even registered opposition groups are arbitrarily arrested and interrogated based on their phone calls. Recorded phone calls with family members and friends – particularly those with foreign phone numbers – are often played during abusive interrogations in which people who have been arbitrarily detained are accused of belonging to banned organizations.
The Hacking Team emails show that the company’s training and technology in Ethiopia directly contributed to human rights violations. Despite multiple red flags, Hacking Team showed a striking lack of concern about how its business could damage dissenting and independent voices.
Cynthia Wong
Senior Internet Researcher
Human Rights Watch and others have documented that the country’s anti-terrorism law has been used to target journalists and others critical of government policies. Dozens of journalists, bloggers, and media publishers have been criminally charged and at least 60 journalists have fled the country since 2010. The clampdown on dissent culminated in the ruling Ethiopian People’s Revolutionary Democratic Front (EPRDF) coalition taking 100 percent of parliamentary seats in the May federal election.
Human Rights Watch wrote to Hacking Team in July to request comment on these findings. The company stated that it “suspended the relationship [with Ethiopia] last year and terminated all relations with Ethiopia earlier this year.” The company also stated that since its stolen information is publicly available, “the record demonstrates that the company followed all laws and regulations as well as its own customer policy.”
The firm specified that it investigated allegations of abuse in 2014 raised by Citizen Lab by “interrogating the client,” but the facts were “inconclusive.” The firm however noted that “there were several within the company who argued that irrespective of the reasons for this particular surveillance attempt, the Ethiopian investigators were inept, and the relationship with the client should be suspended for that reason alone,” and Hacking Team suspended support to the Ethiopian security agency in the fall of 2014. According to statements from Hacking Team to the Washington Post, Hacking Team suspended support, but the government “would still have had some ability to collect data from existing surveillance.”
In internal discussions revealed by the leaked emails, Hacking Team staff appeared toaccept the government’s justification that the surveillance was “lawful.” Hacking Team briefly suspended service to Ethiopia in March 2015, though seemingly due to concerns that the government’s “incompetent” and “reckless and clumsy” use of the company’s system would expose Hacking Team’s technology to detection, rather than concerns over possiblehuman rights abuses.Hacking Team’s surveillance tools are designed to be undetectable by commercial anti-virus programs and other analysis. According to internal emails, Hacking Team believedthat the Ethiopian government’s flawed use of the tool put its covert nature in jeopardy, along with the confidentiality of the firm’s other customers.In a leaked email, one staff member also expressed concern that if the company continued the relationship with the Ethiopian security agency, it would have “demonstrated that [Hacking Team doesn’t] take seriously [its] own policies” regarding customer misuse of its technology to violate rights. The leaked emails reflect that the government continued to have access to Hacking Team’s tools after March 2015 and the company issued a temporary license to Ethiopia while they began negotiations in April on a new contract worth at least $700,000. At the time Hacking Team was hacked in July, the Ethiopian security agency had allowed its previous license to expire and the agency and the firm had not yet finalized a new contract.
Hacking Team wrote to Human Rights Watch that its “software is operated by the client, not by Hacking Team, and the subjects of surveillance, the information gathered and the reasons for the surveillance” are not available to Hacking Team. Yet the leaked emails suggest that Hacking Team had multiple opportunities to assess whether the government’s surveillance activities violated human rights and take action to stop these abuses. As part of the company’s support and training services, it repeatedly asked Ethiopian officials for information about intended surveillance targets so that the company could better assist the government in carrying out a successful attack, including through more sophisticated “social engineering” techniques to gain access to a target’s computer.
Social engineering often involves sending highly personalized emails from seemingly trusted sources to entice surveillance targets to open documents infected with spyware, which requires knowledge of the target’s contacts and interests. The released emails show no indication that the company conducted any human rights due diligence based on this kind of information, which may have raised red flags about possible abuses. The new 2015 contract that the company was negotiating with Ethiopia at the time of the data breach included “many months of training combined to [sic] our continuous on-site presence — in order to assist them, teach them, and supervise their investigative activities” according toleaked emails.
Previous reporting by Citizen Lab and others described how the Ethiopian government had used tools provided by FinFisher, a UK and Germany based competitor to Hacking Team, to target or monitor computers owned by other individuals in the Ethiopian diaspora in the US, UK, and Norway. In February 2014, the Electronic Frontier Foundation sued the Ethiopian government on behalf of one of the victims for violating US privacy laws.
Italy and other governments should ensure that all sales of Hacking Team systems and similarly controlled technologies are reviewed on a case-by-case basis, Human Rights Watch said. At a minimum, controls should require an inquiry into the human rights climate of the destination country, the end user and likely end use, technical specifications of the technology, and marketing materials employed by the companies to sell to government agencies.
“The Hacking Team leaks show this industry cannot be depended upon to regulate itself,” Wong said. “Italy and other governments should not turn a blind eye to these revelations, but should immediately investigate the practices of international spyware companies and impose real oversight and control over the exports of surveillance technologies.”
Background
The sale of surveillance technologies is largely unregulated at the national and international level. In December 2013, countries participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies added “intrusion software” to its multilateral export control list. As a result, the European Union and 41 member countries to the Wassenaar Arrangement have begun to introduce regulations to control the sale of systems like those sold by Hacking Team. The EU regulations, which apply to Italy, went into force in December 2014.
On February 25, Hacking Team released a statement saying it was “complying fully” with the Wassenaar’s intrusion software controls. The company stated that “under the procedures agreed to by Hacking Team and the Italian Ministry of Economic Development, HT will request from the Italian Government export authorization for its technologies.”
The company’s leaked emails show the company’s lobbying efforts to ensure that it would not be required to seek specific authorization to export its technologies for all countries, undermining the Italian government’s ability to exercise oversight over its sales. In October 2014, the Italian Ministry of Economic Development briefly halted Hacking Team’s exports and proposed a broad control on the firm’s sales that would require a case-by-case review to approve each export, citing “possible uses concerning internal repression and violations of human rights.”
Leaked emails showed that company executives lobbied top Italian officials and government contacts to intervene. As a result, the Economic Development Ministry rescinded the broad control in November 2014, and instead granted a one-time “global license” for exports to countries that were part of the Wassenaar Arrangement in April 2015. It is unclear whether the Italian government has required Hacking Team to seek specific authorization for services, updates, and support the firm continues to provide under contracts signed before April.
Properly implemented export controls can be a valuable tool to help curb the unregulated spread of these systems and promote responsible business and human rights norms. Controls also act as an essential accountability and transparency mechanism. Greater transparency can assist governments and nongovernmental organizations in monitoring the human rights impact of their businesses, improving policies to address abuses, and enhancing remedies where violations occur.
