March 25, 2014

Appendix 2: Correspondence

Correspondence with the Ethiopian Government

  • Human Rights Watch Letter to Dr. Shiferaw Teklemariam, Minister of Federal Affairs, Ministry of Federal Affairs, Government of Ethiopia, February 11, 2014
  • Human Rights Watch also sent similar letters to:
  • Dr. Debretsion G. Michael, Minister of Communications and Information Technology, Ministry of Communications and Information Technology, February 11, 2014
  • Dr. Getachew Ambaye, Minister of Justice, Ministry of Justice, February 11, 2014

Correspondence with Businesses

Orange:

  • Human Rights Watch Letter to Mr. Stéphane Richard, Chairman and Chief Executive Officer, Orange, October 28, 2013
  • Letter from Brigitte Dumont, Chief Officer, Group CSR, Orange, November 19, 2014
  • Letter from Human Rights Watch to Mr. Yves Nissim, VP, Head of Transformation and Operation in CSR, and Ms. Brigitte Dumont, Chief Officer, Group CSR, Orange, December 12, 2013
  • Letter from Mr. Yves Nissim, VP, Head of Transformation and Operation in CSR, Orange, to Human Rights Watch, January 14, 2014

Huawei:

  • Human Rights Watch Letter to Mr. Eric Xu, Acting CEO, Huawei, October 29, 2013
  • Letter from Mr. William Plummer, Vice President, External Affairs, Huawei, November 12, 2013

Sinovatio:

  • Human Rights Watch Letter to Sinovatio, October 29, 2013

ZTE:

  • Human Rights Watch Letter to Mr. Shi Lirong, President and Executive Director, ZTE Corporation, October 29, 2013

Hacking Team:

  • Human Rights Watch Letter to Mr. David Vincenzetti, President of the Board, Chief Executive, and Mr. Valeriano Bedeschi, Managing Director, Hacking Team, February 13, 2014
  • Response from Eric Rabe, Communications Counsel, Hacking Team, to Human Rights Watch, February 19, 2014

Gamma International:

  • Human Rights Watch Letter to Mr. Louthean Nelson, Director, and Mr. Martin J. Muench, Gamma International, February 13, 2014
  • Human Rights Watch also sent similar letters to:
    • FinFisher GmbH (former subsidiary of Gamma), February 13, 2014
    • Elaman (a retailer/distributor of Gamma/FinFisher products), February 13, 2014

Human Rights Watch Letter to Dr. Shiferaw Teklemariam, Minister of Federal Affairs, Government of Ethiopia

(Human Rights Watch also sent similar letters to Dr. Debretsion G. Michael, Minister of Communications and Information Technology and Dr. Getachew Ambaye, Minister of Justice)

February 11, 2014

Dr. Shiferaw Teklemariam

Minister of Federal Affairs

Ministry of Federal Affairs

PO Box 5718

Addis Ababa, Ethiopia

Re: Role of Telecommunications Vendors in Ethiopia

Dear Minister Shiferaw,

I am writing to request the government’s input and perspective regarding research that Human Rights Watch is conducting on the telecommunications sector in Ethiopia.

Human Rights Watch is an independent organization that monitors and reports on human rights in more than 90 countries. We produce reports on our findings to raise awareness about human rights issues and to promote policy recommendations for change.

Since November 2012, Human Rights Watch has been researching the impact on human rights of censorship and surveillance in Ethiopia’s telecommunications industry. Human Rights Watch is committed to producing material that is well-informed and objective. We hope you and your staff would be able to answer the following questions so that your views are accurately reflected in our reporting:

  1. Various federal laws require warrants to be obtained prior to searches or surveillance. What directives, policies or procedures guide judges in whether or not to grant warrants for electronic searches or surveillance? How often are court warrants obtained for electronic searches or surveillance? What regulations, policies, or procedures are in place that require security agencies or police to show the warrant to compel Ethio Telecom or other entities to assist with surveillance?
  2. What policies, directives, or procedures are in place to guide intelligence gathering and surveillance that ensure rights to privacy are respected? What policies, directives, or procedures are in place to guide Ethio Telecom or Ethiopian Telecommunications Corporation (ETC) employees when they are requested by National Intelligence and Security Service (NISS) or Information Network Security Agency (INSA) to access customer call records or metadata?
  3. Human Rights Watch and other organizations have documented numerous cases of blocked websites, including those of opposition parties and Ethiopian news sites. On what legal basis does the Ethiopian government block websites?
  4. Human Rights Watch documented the intentional jamming of numerous radio stations and television stations in apparent contravention of International Telecommunication Union (ITU) regulations. On what legal basis did Ethiopia jam these stations? Does the apparent absence of jamming since April 2013 indicate a change in policy regarding jamming by the Ethiopian government?
  5. Has the Ethiopian government, Ethio Telecom or ETC ever contracted with ZTE Corporation to provide lawful intercept, deep-packet inspection, or other network filtering/management capabilities? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts. Please also describe whether such contracts were awarded as a stand-alone tender, or part of a multi-package vendor-financing contract.
  6. Which government departments are authorized to engage in interception of communications, whether through ZTE’s ZXMT system or some other system? What policies, procedures, and directives guide how lawful intercept systems may be used and who may be targeted?
  7. Who has access to ETC customer call records and metadata? What safeguards, if any, are in place to prevent unauthorized use or disclosure of customer call records and other metadata?
  8. What policies or procedures are in place to guide the government’s blocking of SIM cards? What is the legal basis for this practice?
  9. Documented evidence exists of the presence of Gamma’s FinFisher on ETC servers in 2012. Is the Ethiopian government using FinFisher or has it ceased use of this product? What is the legal basis for use of these surveillance tools? What laws, regulations, or policies regulate the use of FinFisher to prevent arbitrary or unlawful interference with the right to privacy?
  10. Researchers at Citizen Lab analyzed and documented recent attempts by a third party to infect computers of the Ethiopian opposition in the diaspora using Hacking Team’s Remote Control System or a similar system. Remote Control System is a remote surveillance tool made for government agencies that allows them to infect and monitor activity on an individual’s computer or mobile device. Has Ethiopia acquired Hacking Team’s Remote Control System or a similar system? Is it still currently using this or other similar software? Which one? What laws, regulations, or policies regulate the use of Remote Control System or a similar system to prevent arbitrary or unlawful interference with the right to privacy?
  11. Please provide examples of any government officials including security personnel who have been investigated, suspended from duty, disciplined or prosecuted for the inappropriate acquisition and use of intercepted information.
  12. Please clarify what oversight role parliamentary committees or the executive play in ensuring security and law enforcement agencies are abiding by privacy safeguards when engaging in surveillance or collecting communications data.

Thank you for your consideration and we look forward to your responses to our inquiries. We would appreciate receiving your response to this letter by March 3, 2014, to ensure that it can be reflected in our final report. Alternatively, we would greatly appreciate the opportunity to meet with you in person to discuss these questions.

Should you have any questions, please do not hesitate to contact Leslie Lefkow, Deputy Director of the Africa Division.

Sincerely,

Leslie Lefkow

Deputy Director

Africa Division

CC:

Human Rights Watch Letter to Mr. Stéphane Richard, Orange

October 28, 2013

Mr. Stéphane Richard

Chairman and Chief Executive Officer

France Telecom - Orange Group

6 Place D'Alleray

Paris, Cedex 15

France

Cc: Mr. Yves Nissim, VP, Head of Transformation and Operation in CSR

Ms. Brigitte Dumont, Director of CSR

Re: Role of Telecommunications Companies in Ethiopia

Dear Mr. Richard,

Human Rights Watch is an independent international organization that monitors human rights in more than 80 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on telecommunications companies and equipment vendors in Ethiopia.

We are drafting a report that will include a discussion of the role of telecommunications services in Ethiopia and the impact of censorship and surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We understand that France Telecom-Orange (FT) managed Ethio Telecom from 2010-2012, while also providing advice on how to modernize Ethio Telecom’s management and operations. We also understand that FT has continued its relationship with Ethio Telecom for an additional year through a “support framework agreement” signed in December 2012.

We would appreciate any comments you may have about FT’s business in Ethiopia, including the activities of any current and former subsidiaries. Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of FT’s business in Ethiopia, its approach to human rights risk, and the legal and regulatory environment in which it works.

1. We are pleased to see FT’s continued involvement in the Telecommunications Industry Dialogue and engagement with the Global Network Initiative. Please elaborate on any human rights policies and procedures it has in place to address and prevent human rights abuses associated with use of FT’s services, training, or equipment. Can you describe any specific policies and procedures that apply to FT’s operations in Ethiopia?

2. What human rights due diligence has FT conducted in relationship to its contracts and operations in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to FT’s business in Ethiopia.

3. We understand that there is Internet censorship and the use of deep packet inspection (DPI) monitoring equipment in Ethiopia. Mr. Jean-Michel Latute, former CEO of Ethio Telecom brought in by FT, confirmed use of DPI in a statement to the press.[331] Human Rights Watch has also documented the Ethiopian government’s use of counterterrorism and other security laws to censor journalists or against others who do not pose an apparent threat to national security. Has FT ever raised censorship or surveillance practices with Ethiopian authorities? What policies or procedures does FT have in place, if any, to address use of its products and services in ways that might facilitate human rights abuses?

4. Has the Ethiopian government or Ethio Telecom ever contracted with FT (or Orange University) to provide training, services, or equipment related to lawful intercept, DPI, or other network filtering/management capabilities? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts.

5. Has FT (or Orange University) ever provided training or consultation services to employees of the Ethiopian National and Intelligence Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature of such training or consultation? Have such services covered implementation or use of lawful intercept or DPI software and equipment?

6. We understand that Ethio Telecom uses one of ZTE Corporation’s ZSmart solutions for customer billing and other purposes. To the extent possible, please describe whether and how ZSmart could be integrated and used with lawful intercept systems, either provided by ZTE or another vendor. Did FT assist with integration of ZSmart and a lawful intercept system in Ethiopia and, if so, what was the nature of the services provided?

We would appreciate a response by Friday, November 15th. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further, in person or via teleconference. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

Letter from Ms. Brigitte Dumont, Orange to Human Rights Watch

Human Rights Watch Letter to Mr. Yves Nissim and Ms. Brigitte Dumont, Orange

Letter from Mr. Yves Nissim, Orange to Human Rights Watch

January 14, 2014

Points 1 & 2:

As already stipulated the ethic chart addresses all kind of conducts that are against Orange Group ethics. The consultants are invited to refer to Orange and Sofrecom Enterprise Social Responsibility organization if they are confronted to such behaviors.

Orange was managing ethio telecom, and has never been requested by the Ethiopian Government to act against ethic rules.

Orange was not up to recently facing this kind of problems. We have constructed the Telecom Industry Dialogue to try to answer the question on how to address these risks. We do have escalation processes for ethics and for Compliance. We are looking at the compatibility of these escalation processes with the process needed for breaches made on freedom of speech and privacy.

Point 3

No, neither Sofrecom nor Orange have been involved in the selection or implementation of such equipment.

Point 6

Every Customer Care and Billing System (CCBS) records the call information (calling number, called number, duration) which are information used for billing purpose. There is no need to record the calls and this is the only usage that Orange / Sofrecom are aware of.

Orange/Sofrecom was not involved in the selection of ethio telecom CCBS. Orange Sofrecom has participated in the CCBS implementation and has made sure that it was done according to industry best practices ensuring the respect of necessary security rules and firewalls in order to prevent any intrusion or misuse of the system by a third party.

Orange and Sofrecom have not been involved in any discussion with the Ethiopian government concerning law enforcement access to subscriber communication or data.

Human Rights Watch Letter to Mr. Eric Xu, Huawei

October 29, 2013

Mr. Eric Xu

Acting CEO

Huawei

Huawei Industrial Park

Bantian, Longgang District

Shenzhen, Guangdong

People's Republic of China, 518129

Cc: Mr. Deng Biao, Chairman of the Corporate Sustainable Development Committee

Mr. William Plummer, Vice President, External Affairs

Re: Role of Telecommunications Companies in Ethiopia

Dear Mr. Xu,

Human Rights Watch is an independent international organization that monitors human rights in more than 80 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on the role of telecommunications equipment companies in Ethiopia.

We are drafting a report that will include a discussion of the role of Huawei in Ethiopia and the impact of surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We would appreciate any comments you may have about Huawei’s business in Ethiopia, including the activities of any current and former subsidiaries. Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of Huawei, the products and solutions it offers, its approach to human rights risk, and the legal and regulatory environment in which it works.

1. Can Huawei elaborate on any human rights policies and procedures it has in place to address and prevent human rights abuses associated with use of its services or equipment? Can you describe any specific policies and procedures that apply to Huawei’s operations in Ethiopia?

2. Has Huawei ever conducted human rights due diligence in relationship to its contracts and operations in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to Huawei’s business in Ethiopia.

3. We understand that there is Internet censorship and the use of deep packet inspection (DPI) monitoring equipment in Ethiopia. Human Rights Watch has also documented the Ethiopian government’s use of counterterrorism and other security laws to censor journalists or against others who do not pose an apparent threat to national security. Has Huawei ever raised censorship or surveillance practices with Ethiopian authorities? What policies or procedures does Huawei have in place, if any, to address use of its products and services in ways that might facilitate human rights abuses?

4. Has the Ethiopian government or Ethio Telecom/Ethiopian Telecommunications Corporation (ETC) ever contracted with Huawei to provide lawful intercept, DPI, or other network filtering/management capabilities? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts. Please also describe whether such contracts were awarded as a stand-alone tender, or part of a multi-package vendor-financing contract.

5. Has Huawei ever provided training or consultation services to employees of Ethio Telecom/ETC or Ethiopian government employees on use of lawful intercept, DPI, or other network filtering/management equipment or software, whether provided by Huawei or another vendor? If so, please describe the nature and scope of services provided.

6. Has Huawei ever provided training or consultation services to the Ethiopian National Intelligence and Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature and scope of such training or consultation? Have such services covered implementation or use of lawful intercept or DPI software and equipment?

We would appreciate a response by Friday, November 15th. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

Letter from Mr. William Plummer, Huawei to Human Rights Watch

Human Rights Watch Letter to Sinovatio

October 29, 2013

Sinovatio

ZTEsec Plaza

No.888 Zhengfang Road

Jiangning District

Nanjing, People’s Republic of China, 211153

Dear Sir/Madam,

Human Rights Watch is an independent international organization that monitors human rights in more than 80 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on the role of telecommunications equipment companies in Ethiopia.

We are drafting a report that will include a discussion of ZTESec’s/Sinovatio’s business in Ethiopia and the impact of surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We would appreciate any comments you may have about Sinovatio’s business in Ethiopia, including activities conducted while a subsidiary of ZTE Corporation (for example, while operating as Shenzhen ZTE Special Equipment Company Ltd or Nanjing ZTE Special Software Company Ltd). Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of Sinovatio, the products and solutions it offers, its approach to human rights risk, and the legal and regulatory environment in which it works.

  1. Can Sinovatio elaborate on any human rights policies and procedures it has in place to address and prevent human rights abuses associated with use of Sinovatio’s services or equipment? Can you describe any specific policies and procedures that apply to Sinovatio’s operations in Ethiopia?
  2. Has Sinovatio ever conducted human rights due diligence in relationship to its contracts and operations in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to Sinovatio’s business in Ethiopia.
  3. We understand that there is Internet censorship and the use of deep packet inspection (DPI) monitoring equipment in Ethiopia. Human Rights Watch has also documented the Ethiopian government’s use of counterterrorism and other security laws to censor journalists or against others who do not pose an apparent threat to national security. Has Sinovatio ever raised censorship or surveillance practices with Ethiopian authorities? What policies or procedures does Sinovatio have in place, if any, to address use of its products and services in ways that might facilitate human rights abuses?
  4. Has the Ethiopian government or Ethio Telecom/Ethiopian Telecommunications Corporation (ETC) ever contracted with Sinovatio to provide lawful intercept, DPI, or other network filtering/management capabilities? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts. Please also describe whether such contracts were awarded as a stand-alone tender, or part of a multi-package vendor-financing contract.
  5. Specifically, has Ethio Telecom/ETC, the Information Network Security Agency, or any other government agency contracted with Sinovatio (or ZTE Corporation) to purchase ZTE’s ZXMT lawful intercept solution? If so, when was the system installed? Did Sinovatio customize installation or training for this product at the request of government agencies or Ethio Telecom/ETC, and how?
  6. We understand that Ethio Telecom uses one of ZTE’s ZSmart solutions for customer billing and other purposes. Please describe whether and how ZSmart can be used to record and store the content of phone calls. In addition, please describe whether and how ZSmart could be integrated and used with other lawful intercept systems, either provided by Sinovatio or another vendor. Did Sinovatio assist with integration of ZSmart and a lawful intercept system in Ethiopia and, if so, what was the nature of the services provided?
  7. Has Sinovatio ever provided training or consultation services to employees of Ethio Telecom/ETC or Ethiopian government employees on use of lawful intercept, DPI, or other network filtering/management equipment or software, whether provided by Sinovatio or another vendor? If so, please describe the nature and scope of services provided.
  8. Has Sinovatio ever provided training or consultation services to the Ethiopian National Intelligence and Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature and scope of such training or consultation? Have such services covered implementation or use of lawful intercept or DPI software and equipment?
  9. To what extent is Sinovatio subject to China’s State-owned Assets Supervision and Administration Commission (SASAC) oversight and how often have you reported to SASAC? Have you ever been sanctioned by SASAC? If so, please describe the circumstances.

We would appreciate a response by Friday, November 15th. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

Human Rights Watch Letter to Mr. Shi Lirong, ZTE

October 29, 2013

Mr. Shi Lirong

President and Executive Director

ZTE Corporation

No. 55, Hi-tech Road South

Shenzhen, Guangdong Province

People’s Republic of China, 518057

Cc: Mr. David Dai Shu, Director of Global Public Affairs

Ms. Margrete Ma, Public Relations Spokesperson

Re: Role of Telecommunications Companies in Ethiopia

Dear Mr. Shi Lirong,

Human Rights Watch is an independent international organization that monitors human rights in more than 80 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on the role of telecommunications equipment companies in Ethiopia.

We are drafting a report that will include a discussion of ZTE Corporation’s business in Ethiopia and the impact of surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We would appreciate any comments you may have about ZTE’s business in Ethiopia, including the activities of ZTE’s current and former subsidiaries. Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of ZTE, the products and solutions it offers, its approach to human rights risk, and the legal and regulatory environment in which it works.

1. Can ZTE elaborate on any human rights policies and procedures it has in place to address and prevent human rights abuses associated with use of ZTE’s services or equipment? Can you describe any specific policies and procedures that apply to ZTE’s operations in Ethiopia?

2. Has ZTE ever conducted human rights due diligence in relationship to its contracts and operations in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to ZTE’s business in Ethiopia.

3. We understand that there is Internet censorship and the use of deep packet inspection (DPI) monitoring equipment in Ethiopia. Human Rights Watch has also documented the Ethiopian government’s use of counterterrorism and other security laws to censor journalists or against others who do not pose an apparent threat to national security. Has ZTE ever raised censorship or surveillance practices with Ethiopian authorities? What policies or procedures does ZTE have in place, if any, to address use of its products and services in ways that might facilitate human rights abuses?

4. Has the Ethiopian government or Ethio Telecom/Ethiopian Telecommunications Corporation (ETC) ever contracted with ZTE to provide lawful intercept, DPI, or other network filtering/management capabilities? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts. Please also describe whether such contracts were awarded as a stand-alone tender, or part of a multi-package vendor-financing contract.

5. Specifically, has Ethio Telecom/ETC, the Information Network Security Agency, or any other government agency contracted with ZTE to purchase ZTE’s ZXMT lawful intercept solution? If so, when was the system installed? Did ZTE customize installation or training for this product at the request of government agencies or Ethio Telecom/ETC, and how?

6. We understand that Ethio Telecom uses one of ZTE’s ZSmart solutions for customer billing and other purposes. Please describe whether and how ZSmart can be used to record and store the content of phone calls. In addition, please describe whether and how ZSmart could be integrated and used with other lawful intercept systems, either provided by ZTE or another vendor. Did ZTE assist with integration of ZSmart and a lawful intercept system in Ethiopia and, if so, what was the nature of the services provided?

7. Has ZTE (or ZTE University) ever provided training or consultation services to employees of Ethio Telecom/ETC or Ethiopian government employees on use of lawful intercept, DPI, or other network filtering/management equipment or software, whether provided by ZTE or another vendor? If so, please describe the nature and scope of services provided.

8. Has ZTE (or ZTE University) ever provided training or consultation services to the Ethiopian National Intelligence and Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature and scope of such training or consultation? Have such services covered implementation or use of lawful intercept or DPI software and equipment?

9. To what extent is ZTE subject to China’s State-owned Assets Supervision and Administration Commission (SASAC) oversight and how often have you reported to SASAC? Have you ever been sanctioned by SASAC? If so, please describe the circumstances.

We would appreciate a response by Friday, November 15th. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

Human Rights Watch Letter to Mr. David Vincenzetti and Mr. Valeriano Bedeschi, Hacking Team

February 13, 2014

Mr. David Vincenzetti and Mr. Valeriano Bedeschi

Hacking Team (HT S.r.l.)

Via della Moscova n.13

20121 - Milano

Italy

Cc: Mr. Eric Rabe

Re: Sale and Use of Hacking Team Solutions in Ethiopia

Dear Mr. Vincenzetti and Mr. Bedeschi:

Human Rights Watch is an independent international organization that monitors human rights in more than 90 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on the role of technology companies in Ethiopia.

We are drafting a report that will include a discussion of the possible use of Hacking Team products by Ethiopian authorities and the impact of surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We would appreciate any comments you may have about Hacking Team’s business in Ethiopia, including the activities of any current and former subsidiaries or resellers. Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of Hacking Team, the products and solutions it offers, its approach to human rights risk, and the legal and regulatory environment in which it works.

1. Aside from the firm’s published “Customer Policy,” [332] please elaborate on any human rights policies and procedures Hacking Team has in place to address and prevent human rights abuses linked with use of its products or services.

2. To what extent do your Customer Policy or other human rights policies and procedures address the actions of your distributors, resellers, or other business partners? Please describe what, if any, human rights responsibilities your policies and procedures impose on your distributors, resellers, or other business partners.

3. Hacking Team’s Customer Policy states that through contract, the company “requires customers to abide by applicable law” and that Hacking Team will not sell or provide support to governments who “refuse to sign contracts that include requirements that [Hacking Team] software be used lawfully.” [333] Please describe the specific laws (or specific categories of law) Hacking Team requires customers to abide by. Do the applicable laws also include a government’s obligations under international human rights law?

4. Hacking Team’s Customer Policy states that the company will not sell or provide technical support to governments who “refuse to agree to or comply with provisions in [its] contracts that describe the intended use of [Hacking Team] software.” [334] When negotiating a contract for goods or services, to what extent does Hacking Team or its resellers inquire about the end use or end users of its products and services? What are the allowable end uses described in Hacking Team contracts?

5. Hacking Team’s Customer Policy states that if the company suspends support for its technology, the “product soon becomes useless.” [335] Hacking Team has also stated in its policy and in media reports that Hacking Team products include a mandatory “auditing feature” that allows agency officials or other administrators to monitor and identify unauthorized use of the tool. [336] How does Hacking Team monitor whether customers are complying with the terms of their contracts or otherwise using Hacking Team products to facilitate human rights abuses? To what extent can Hacking Team monitor who may be being targeted with its remote infection or intrusion tools?

6. Researchers at Citizen Lab have documented phishing attacks directed at employees of Ethiopian Satellite Television (ESAT), an independent, diaspora-run satellite television station. These attacks involved spyware that matched previously established characteristics of Hacking Team’s Remote Control System identified by Citizen Lab. [337] Has the Ethiopian government or Ethio Telecom/Ethiopian Telecommunications Corporation (ETC) ever contracted with Hacking Team to provide lawful intercept, IT intrusion, or remote monitoring and infection solutions? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts.

7. Has Hacking Team ever conducted human rights or Know-Your-Customer due diligence in relationship to sales (potential or completed) in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to use of Hacking Team’s products in Ethiopia or by Ethiopian authorities. Can you describe any specific human rights policies and procedures that apply to Hacking Team’s business in Ethiopia?

8. Hacking Team’s Customer Policy states that in reviewing potential customers before a sale, it examines the “potential customer’s laws, regulations, and practices regarding surveillance,” as well as credible third party reports about the risk of human rights abuses by the potential customer. Human Rights Watch has documented the Ethiopian government’s use of counterterrorism and other security laws against journalists or others who do not pose an apparent threat to national security. [338] If Hacking Team has engaged the government about its products and services, to what extent has Hacking Team ever raised illegal surveillance practices or misuse of lawful intercept/monitoring technology with Ethiopian authorities?

9. Has Hacking Team ever suspended support for any products or services in Ethiopia?

10. Has Hacking Team ever provided training or consultation services to employees of Ethio Telecom/ETC or Ethiopian government employees on use of lawful intercept, IT intrusion, or remote monitoring and infection solutions? If so, please describe the nature and scope of services provided.

11. Has Hacking Team ever provided training or consultation services to the Ethiopian National Intelligence and Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature and scope of such training or consultation? Have such services covered implementation or use of lawful intercept, intrusion, or remote monitoring solutions?

We would appreciate a response by February 28, 2014. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

Email Response from Eric Rabe, Hacking Team to Human Rights Watch

Hi, Cynthia,

I serve as communications counsel to Hacking Team.  As the company has developed over the last several years, I have worked with Hacking Team to answer media questions and to develop public policies.

We have received your letter.  As I think you know, our statement regarding most of the information you request can be found on our website under Customer Policy.  Hacking Team believes this Customer Policy is the most extensive declaration by any company in the lawful surveillance industry of the expectations of a service provider regarding the conduct of clients.  

Despite the skepticism of some in the activist community, Hacking Team makes a diligent effort to assure that HT tools are not abused or misused.  As we make clear in our Customer Policy statement, we expect our clients to behave responsibly and within the law as it applies to them.  Obviously, Hacking Team is not itself a law enforcement agency.  However, when questions about the proper use of our tools are raised either internally or come to our attention from outside the company, we investigate.  We can and we have suspended support for our software in cases where we believed an agency has misused or may misuse the software.  When we do that, the software becomes vulnerable to detection and therefore useless.  We have refused to do business with prospective clients for the same reason.  

Of course, to be effective for legitimate law enforcement investigations, the agencies using the software HT provides must be able to conduct confidential investigations.  It is they, not Hacking Team, that operate the software in the course of those investigations.  In order to maintain their confidentiality, we do not confirm or deny the existence of any individual customer or their country location.

Hope that is helpful,

Eric Rabe

Human Rights Watch Letter to Mr. Louthean Nelson and Mr. Martin J. Muench, Gamma International

(Human Rights Watch also sent similar letters to FinFisher GmbH and Elaman GmbH)

February 13, 2014

Mr. Louthean Nelson and Mr. Martin J. Muench

Gamma International

Fellows House

46 Royce Close

West Portway Industrial Estate

Andover

Hants SP10 3TX

United Kingdom

Re: Sale and Use of Gamma/FinFisher Solutions in Ethiopia

Dear Mr. Nelson and Mr. Muench:

Human Rights Watch is an independent international organization that monitors human rights in more than 90 countries around the world. I am writing to request your input and perspective regarding research that Human Rights Watch is conducting on the role of technology companies in Ethiopia.

We are drafting a report that will include a discussion of the possible use of Gamma International’s FinFisher products by Ethiopian authorities and the impact of surveillance on human rights. It is our goal to present a thorough and objective report. To that end, we are soliciting information and views from your company.

We would appreciate any comments you may have about Gamma’s business in Ethiopia, including the activities of any current and former subsidiaries or resellers. Specifically, we would appreciate responses to the following questions. This will greatly assist our understanding of Gamma, the products and solutions it offers, its approach to human rights risk, and the legal and regulatory environment in which it works.

  1. Can Gamma elaborate on any human rights policies and procedures it has in place to address and prevent human rights abuses linked with use of its products or services?
  2. To what extent do your human rights policies and procedures address the actions of your distributors, resellers, or other business partners? Please describe what, if any, human rights responsibilities your policies and procedures impose on your distributors, resellers, or other business partners.
  3. When negotiating a contract for products or services, to what extent does Gamma or its resellers inquire about the end use or end users of its products and services? To what extent does Gamma review local laws and practices and third party reports on a prospective customer’s human rights record before completing a new sales or service contract?
  4. Has the Ethiopian government or Ethio Telecom/Ethiopian Telecommunications Corporation (ETC) ever contracted with Gamma to provide lawful intercept, IT intrusion, or remote monitoring and infection solutions? If so, please describe the nature of the services, software or equipment provided, their capabilities, and the dates of relevant contracts.
  5. Has Gamma ever provided training or consultation services to employees of Ethio Telecom/ETC or Ethiopian government employees on use of lawful intercept, IT intrusion, or remote monitoring and infection solutions? If so, please describe the nature and scope of services provided.
  6. Has Gamma ever provided training or consultation services to the Ethiopian National Intelligence and Security Services, Information Network Security Agency, federal or regional police, or Ethiopian Defense Forces? If so, what was the nature and scope of such training or consultation? Have such services covered implementation or use of lawful intercept, intrusion, or remote monitoring solutions?
  7. Has Gamma ever conducted human rights due diligence (or other human rights review) in relationship to a potential or finalized transaction in Ethiopia? If so, please describe the findings and steps taken, if any, to prevent or address human rights abuses linked to use of Gamma’s products in Ethiopia or by Ethiopian authorities. Can you describe any specific human rights policies and procedures that apply to Gamma’s business in Ethiopia?
  8. Human Rights Watch has documented the Ethiopian government’s use of counterterrorism and other security laws against journalists or others who do not pose an apparent threat to national security. To the extent Gamma has engaged the government about its products and services, has Gamma ever raised illegal surveillance practices or misuse of lawful intercept/monitoring technology with Ethiopian authorities?
  9. What policies or procedures does Gamma have in place, if any, to prevent use of its products and services in ways that might facilitate human rights abuses? For example, to what extent does Gamma place limits on the end uses or end users of FinSpy through licensing or other agreements (other than restricting the number of simultaneous targets)?
  10. To what extent can Gamma monitor who may be being targeted with its remote infection or intrusion tools?
  11. What policies or procedures does Gamma have in place, if any, to stop misuse of its products and services when uncovered? For example, does Gamma incorporate end use clauses in contracts that would enable Gamma to terminate a contract if its equipment or software is being misused to facilitate human rights abuses?

We would appreciate a response by February 28, 2014. If we do not receive a reply by then, we may be unable to include information you provide in our published report.

Thank you for your consideration and we look forward to your responses to our inquiries. We would also welcome the opportunity to discuss these issues with you further. Should you have any questions, please do not hesitate to contact our Senior Internet Researcher, Ms. Cynthia Wong.

Sincerely,

Arvind Ganesan

Director, Business and Human Rights Program

Human Rights Watch

[331] "En Éthiopie, France Télécom accompagne la censure d’Internet," La Croix, October 6, 2012, http://www.la-croix.com/Actualite/Monde/En-Ethiopie-France-Telecom-accompagne-la-censure-d-Internet-_NP_-2012-06-10-816727 (accessed October 28, 2013).

[332] Hacking Team, “Customer Policy,” 2013, http://www.hackingteam.it/index.php/customer-policy (accessed February 12, 2014).

[333] Ibid.

[334] Ibid.

[335] Ibid.

[336] Ibid.; David Gilbert, "Hacking Team and the Murky World of State-Sponsored Spying," International Business Times, March 13, 2013, http://www.ibtimes.co.uk/hacking-team-murky-world-state-sponsored-spying-445507 (accessed February 12, 2014).

[337] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists (accessed February 12, 2014).

[338] See, for example, Human Rights Watch, “One Hundred Ways of Putting Pressure”: Violations of Freedom of Expression and Association in Ethiopia, March 2010, http://www.hrw.org/reports/2010/03/24/one-hundred-ways-putting-pressure-0 and “Stop Using anti-Terror Law to Stifle Peaceful Dissent,” Human Rights Watch news release, November 21, 2011, http://www.hrw.org/news/2011/11/21/ethiopia-stop-using-anti-terror-law-stifle-peaceful-dissent.