
RSA 2013: Hacking Team Defends Its Surveillance Software

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Hacking Team’s software was allegedly used by repressive regimes to track down citizens for torture. We ask their lawyer Eric Rabe to explain.

Given how much flak Hacking Team has taken from the civil rights community, it was pretty brave of the firm to come to RSA 2013 to fend off accusations its surveillance software was sold to repressive regimes, who allegedly have a history of torturing and killing those they spy on.

A number of studies have linked Milan-based Hacking Team’s kit to snooping campaigns on activists in countries such as Morocco and the UAE. In Morocco, an activist group called Mamfakinch, which was awarded a Breaking Borders Award in 2012 by Google and Global Voices, claimed that the government used Hacking Team software to spy on it.

In October last year, Ahmed Mansoor, a blogger and part of a group of activists from the United Arab Emirates known as the UAE Five, who were imprisoned from April to November 2011 on charges of insult, claimed to have been targeted by the software.

Hacking Team surveillance

According to Jacob Appelbaum, a security researcher and core member of the Tor Project, the use of Hacking Team tools and similar software can be the difference between life and death.

“These people are tortured, some of them are murdered … the result of the things we are talking about here is a life and death matter,” Appelbaum said, during a session this morning at the RSA Conference. “We are also having to deal with companies in Palo Alto or Milan dealing in this.”

“This is a shameful thing and we shouldn’t be exporting it.”

Eric Rabe, senior counsel for Hacking Team (pictured), said most of the evidence Appelbaum had laid out during the panel session was “largely circumstantial”. He also said the company would investigate any cases where it believed clients had used the software to break laws, or go beyond its terms of service.

Where abuse is uncovered, Hacking Team can remotely access the software and make it considerably less useful, Rabe said. Or as Appelbaum put it, “you’ve got a backdoor for your backdoor”.

The firm will only sell to governments or public bodies, in nations not on official EU, US or related blacklists. Although, as Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, noted, a number of countries who have allegedly committed human rights abuses are not on such blacklists: “The standard being proposed is blacklisting… but that’s too permissive.”

Hacking Team said it also keeps an eye on nations where there is a regime change, so it keeps in line with local laws. “One person’s activist is another person’s terrorist,” Rabe said.

Rabe even got some support from an employee of the US government, Dale Beauchamp, a security professional working at the US Transport Security Administration (TSA). Beauchamp said surveillance was useful in cases where a suspect needed targeting, although the US government had other methods for watching over people’s communications, namely installing boxes within ISPs to intercept communications.

Taking ‘stern action’ against human rights abusers

Despite the apparent safeguards, there remain plenty of ambiguities surrounding HackingTeam and its ethics. Rabe told TechWeekEurope the company’s software was modified depending on the country and how restrictive the laws were, implying that the software could go deeper into systems depending on where they were based.

Rabe said the company took “stern action” after investigating the cases in Morocco and the UAE, even though it didn’t come to the same conclusions as Appelbaum, but he could not go into any detail. Like Gamma International, a British firm accused of selling its FinFisher software to repressive regimes in the Middle East, it will not give away any information that might indicate who its customers are.

Little is known about Hacking Team, but TechWeek learned the company has three offices: Milan to sell into Europe, Washington DC for the Americas, and Singapore for Asia. Rabe would not be drawn on whether it sold to China. It was founded in 2003 and started making surveillance software in 2005, and now has close to 50 clients.

The software itself does what typical, highly-sophisticated malware does. It can log keystrokes, take screenshots, and intercept email, Skype or other Internet-based communications. There are believed to be mobile, Mac and Windows versions. And it comes with rootkit technologies to hide itself from security software.

The problem for Hacking Team is that evidence of abuse of their software has been uncovered, but it is not able to provide proof it is taking those “stern actions” against those misusing its software to breach basic human rights. If it can’t improve its image amongst the more vocal civil rights lobbyists, it may lose out on business amongst the richer Western governments.
