March 7, 2015
Sorry for the delay in responding, but as you know we have only just received the Citizen Lab report, and we wanted to read it before getting back to you. Like other reports which have mis-identified Hacking Team technology, this one relies on what the authors believe “must be true” rather than what is actually proven to be the case.
Of course, as you and Citizen Lab both know, we cannot identify our clients since to do so could easily jeopardize ongoing law enforcement investigations. However, let me address your specific questions as follows:
1. To what extent has HT investigated allegations of Ethiopia’s alleged abuse of surveillance technology?
We do not disclose the identities of clients, as you know, because clients require confidentiality in order to conduct legitimate legal surveillance of suspects in cases of crime, terrorism or other wrongdoing.
However, at any time that we become aware of allegations of abuse of our software, we investigate. Sometimes we find that our technology is not involved as alleged. Other times we may find that circumstances exist that cannot be disclosed or known to the person or agency making the allegations. In other cases we may find a use of our software that violates our agreement with clients.
We take appropriate action depending on what we can determine. In cases where we find that an agency is misusing our technology, we can and will suspend support for the system which quickly renders it ineffective.
Of course, we take precautions with every client to do our best to assure that none abuses our system. However, as I’m sure you know, it can be quite difficult to determine facts particularly since we do not operate surveillance systems in the field for our clients. As a result, assertions that may seem “perfectly obvious” to some can be extremely difficult to actually prove.
2. What are the allowable end uses described in Hacking Team contracts? Have these
allowable uses been violated by the Ethiopian government, given evidence presented in
our human rights reporting in Ethiopia and evidence presented by Citizen Lab?
Has Hacking Team ever suspended support for any products or services in Ethiopia? What
steps, if any, has Hacking Team taken to address human rights harm allegedly linked to its
products or services in Ethiopia?
Our contracts include provisions consistent with our Customer Policy. Furthermore, the use of our technology is governed by the laws of the countries of our clients, and our sale of this technology is governed by the Italian Economics Ministry under the Wassenaar protocols.
We believe HackingTeam has gone further than any other company to address the concerns of human rights organizations not only through our own policies but also by complying with international standards including the Wassenaar Arrangement protocols which are now in place and administered in our case by the government of Italy. No other company has agreed to this or other oversight for surveillance technologies.
3. Please describe the specific laws (or categories of law) Hacking Team requires customers
to abide by. To what extent have you raised Ethiopia’s obligations under international human rights treaties to protect freedom of expression, the right to privacy, media freedom,
and other rights with government customers? How do you evaluate lawful use where local law is inconsistent with the government’s international human rights obligations?
We have described the obligations we expect customers to abide by in our Customer Policy and those obligations are reflected in our contracts. As we state in our Customer Policy, we do our own evaluation before we agree to accept a client, and, we consider the pubic record of a client at that time. In the past, we have declined to do business when we thought there was likely to be misuse our technology. Should questions arise after we contract with a client, we then reevaluate the situation. We take action when we believe it is warranted We do not report the results of our investigation to the press or other groups, because we consider this to be an internal business matter. Of course, we rely on the International community to enforce its standards for human rights protection.
March 6, 2015
From: Eric Rabe
Sent: Friday, March 06, 2015 8:42 AM
To: Cynthia Wong
Subject: Your request of HackingTeam
We’re taking a look at this letter and your questions, but until this morning we were missing the Citizen Lab report with allegations that purportedly connect our system to abuses by Ethiopia. Allegations of abuse of Hacking Team technology in the past have been based on elaborately presented suppositions. Indeed in your March 2014 report on Ethiopia, HRW acknowledges that software in question merely “appeared to be Hackng Team’s RCS.” For example, Citizen Lab has published a map of countries that CL believes are locations where our system is in use. Despite the frequent appearance of that map on Twitter, it is not accurate as we have publicly stated before. So the basis for CL’s latest allegations is important to understand.
Of course, as you know, we take precautions with every client to assure that they do not abuse our systems, and, we investigate when allegations of misuse arise. Inasmuch as you and now Citizen Lab have raised such allegations, we are attempting to understand the circumstances in this case. However, as I’m sure you know, it can be quite difficult to get to actual facts particularly since we do not operate surveillance systems in the field for our clients. As a result, assertions that may seem "perfectly obvious” to some can be extremely difficult to actually prove.
I am happy to get back to you after we have a chance to investigate although as you know customer confidentiality will almost certainly limit what I will be able to tell you.