Update: Hacking Team provided further comment to this release, which can be found here.
(New York, August 13, 2015) – The Italian spyware firm Hacking Team took no effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, Human Rights Watch said today. A comprehensive review of internal company emails leaked in July 2015 reveals that the company continued to train Ethiopian intelligence agents to hack into computers and negotiated additional contracts despite multiple reports that its services were being used to repress government critics and other independent voices.
The Italian government should investigate Hacking Team practices in Ethiopia and elsewhere with a view toward restricting sales of surveillance technology likely to facilitate human rights abuses, Human Rights Watch said.
“The Hacking Team emails show that the company’s training and technology in Ethiopia directly contributed to human rights violations,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “Despite multiple red flags, Hacking Team showed a striking lack of concern about how its business could damage dissenting and independent voices.”
On July 5, 400 gigabytes (GB) of Hacking Team’s internal emails, documents, and source code that had been hacked were leaked online. The leaked emails confirm that the company had sold surveillance systems, training, and support and maintenance services to the Ethiopian Information Network Security Agency (INSA) as early as 2011, with contracts worth US$1 million in 2012. On November 5, 2012 Hacking Team congratulated INSA on infecting its first target.
Leaked Hacking Team emails showed that it reviewed independent reports published in 2014 and 2015 that presented findings that the government was targeting Ethiopian Satellite Television (ESAT) employees based in the United States using Hacking Team technology. Yet the company’s internal emails show only a superficial effort to investigate these findings and end the abuse.
Hacking Team states it sells exclusively to governments. Human Rights Watch first contacted Hacking Team in February 2014 after the Toronto-based research center Citizen Lab reported that the Ethiopian government had attempted to use Hacking Team’s spyware, Remote Control System, to hack into the computers of ESAT employees. ESAT is an independent, diaspora-run television and radio station. On December 20, 2013, a third party made three separate attempts to target two ESAT employees who live outside of Ethiopia. In each attempt, ESAT employees received a file through Skype.
Hacking Team’s surveillance tools are designed to be undetectable by commercial anti-virus programs and other analysis. According to internal emails, Hacking Team believed that the Ethiopian government’s flawed use of the tool put its covert nature in jeopardy, along with the confidentiality of the firm’s other customers.
In a leaked email, one staff member also expressed concern that if the company continued the relationship with the Ethiopian security agency, it would have “demonstrated that [Hacking Team doesn’t] take seriously [its] own policies” regarding customer misuse of its technology to violate rights. The leaked emails reflect that the government continued to have access to Hacking Team’s tools after March 2015 and the company issued a temporary license to Ethiopia while they began negotiations in April on a new contract worth at least $700,000. At the time Hacking Team was hacked in July, the Ethiopian security agency had allowed its previous license to expire and the agency and the firm had not yet finalized a new contract.
Hacking Team wrote to Human Rights Watch that its “software is operated by the client, not by Hacking Team, and the subjects of surveillance, the information gathered and the reasons for the surveillance” are not available to Hacking Team. Yet the leaked emails suggest that Hacking Team had multiple opportunities to assess whether the government’s surveillance activities violated human rights and take action to stop these abuses. As part of the company’s support and training services, it repeatedly asked Ethiopian officials for information about intended surveillance targets so that the company could better assist the government in carrying out a successful attack, including through more sophisticated “social engineering” techniques to gain access to a target’s computer.
Social engineering often involves sending highly personalized emails from seemingly trusted sources to entice surveillance targets to open documents infected with spyware, which requires knowledge of the target’s contacts and interests. The released emails show no indication that the company conducted any human rights due diligence based on this kind of information, which may have raised red flags about possible abuses. The new 2015 contract that the company was negotiating with Ethiopia at the time of the data breach included “many months of training combined to [sic] our continuous on-site presence -- in order to assist them, teach them, and supervise their investigative activities” according to leaked emails.
Previous reporting by Citizen Lab and others described how the Ethiopian government had used tools provided by FinFisher, a UK and Germany based competitor to Hacking Team, to target or monitor computers owned by other individuals in the Ethiopian diaspora in the US, UK, and Norway. In February 2014, the Electronic Frontier Foundation sued the Ethiopian government on behalf of one of the victims for violating US privacy laws.
Italy and other governments should ensure that all sales of Hacking Team systems and similarly controlled technologies are reviewed on a case-by-case basis, Human Rights Watch said. At a minimum, controls should require an inquiry into the human rights climate of the destination country, the end user and likely end use, technical specifications of the technology, and marketing materials employed by the companies to sell to government agencies.
“The Hacking Team leaks show this industry cannot be depended upon to regulate itself,” Wong said. “Italy and other governments should not turn a blind eye to these revelations, but should immediately investigate the practices of international spyware companies and impose real oversight and control over the exports of surveillance technologies.”
The sale of surveillance technologies is largely unregulated at the national and international level. In December 2013, countries participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies added “intrusion software” to its multilateral export control list. As a result, the European Union and 41 member countries to the Wassenaar Arrangement have begun to introduce regulations to control the sale of systems like those sold by Hacking Team. The EU regulations, which apply to Italy, went into force in December 2014.
On February 25, Hacking Team released a statement saying it was “complying fully” with the Wassenaar’s intrusion software controls. The company stated that “under the procedures agreed to by Hacking Team and the Italian Ministry of Economic Development, HT will request from the Italian Government export authorization for its technologies.”
The company’s leaked emails show the company’s lobbying efforts to ensure that it would not be required to seek specific authorization to export its technologies for all countries, undermining the Italian government’s ability to exercise oversight over its sales. In October 2014, the Italian Ministry of Economic Development briefly halted Hacking Team’s exports and proposed a broad control on the firm’s sales that would require a case-by-case review to approve each export, citing “possible uses concerning internal repression and violations of human rights.”
Leaked emails showed that company executives lobbied top Italian officials and government contacts to intervene. As a result, the Economic Development Ministry rescinded the broad control in November 2014, and instead granted a one-time “global license” for exports to countries that were part of the Wassenaar Arrangement in April 2015. It is unclear whether the Italian government has required Hacking Team to seek specific authorization for services, updates, and support the firm continues to provide under contracts signed before April.
Properly implemented export controls can be a valuable tool to help curb the unregulated spread of these systems and promote responsible business and human rights norms. Controls also act as an essential accountability and transparency mechanism. Greater transparency can assist governments and nongovernmental organizations in monitoring the human rights impact of their businesses, improving policies to address abuses, and enhancing remedies where violations occur.