RSA 2013: Hacking Team Defends Its Surveillance Software

Given how much flak Hacking Team has taken from the civil rights community, it was pretty brave of the firm to come to RSA 2013 to fend off accusations its surveillance software was sold to repressive regimes, who allegedly have a history of torturing and killing those they spy on.

A number of studies have linked Milan-based Hacking Team’s kit to snooping campaigns on activists in countries such as Morocco and the UAE. In Morocco, an activist group called Mamfakinch, which was awarded a Breaking Borders Award in 2012 by Google and Global Voices, claimed that the government used Hacking Team software to spy on it.

In October last year, Ahmed Mansoor, a blogger and part of a group of activists from the United Arab Emirates known as the UAE Five, who were imprisoned from April to November 2011 on charges of insult, claimed to have been targeted by the software.

Hacking Team surveillance

According to Jacob Appelbaum, a security researcher and core member of the Tor Project, the use of Hacking Team tools and similar software can be the difference between life and death.

“These people are tortured, some of them are murdered … the result of the things we are talking about here is a life and death matter,” Appelbaum said, during a session this morning at the RSA Conference. “We are also having to deal with companies in Palo Alto or Milan dealing in this.”

“This is a shameful thing and we shouldn’t be exporting it.”

Eric Rabe, senior counsel for Hacking Team (pictured), said most of the evidence Appelbaum had laid out during the panel session was “largely circumstantial”. He also said the company would investigate any cases where it believed clients had used the software to break laws, or go beyond its terms of service.

Where abuse is uncovered, Hacking Team can remotely access the software and make it considerably less useful, Rabe said. Or as Appelbaum put it, “you’ve got a backdoor for your backdoor”.

The firm will only sell to governments or public bodies, in nations not on official EU, US or related blacklists. However, as Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, noted, a number of countries that have allegedly committed human rights abuses are not on such blacklists: “The standard being proposed is blacklisting… but that’s too permissive.”

Hacking Team said it also keeps an eye on nations where there is a regime change, so it keeps in line with local laws. “One person’s activist is another person’s terrorist,” Rabe said.

Rabe even got some support from an employee of the US government, Dale Beauchamp, a security professional working at the US Transport Security Administration (TSA). Beauchamp said surveillance was useful in cases where a suspect needed targeting, although the US government had other methods for watching over people’s communications, namely installing boxes within ISPs to intercept communications.

Taking ‘stern action’ against human rights abusers

Despite the apparent safeguards, there remain plenty of ambiguities surrounding Hacking Team and its ethics. Rabe told TechWeekEurope the company’s software was modified depending on the country and how restrictive the laws were, implying that the software could go deeper into systems depending on where they were based.

Rabe said the company took “stern action” after investigating the cases in Morocco and the UAE, even though it didn’t come to the same conclusions as Appelbaum, but he could not go into any detail. Like Gamma International, a British firm accused of selling its FinFisher software to repressive regimes in the Middle East, it will not give away any information that might indicate who its customers are.

Little is known about Hacking Team, but TechWeek learned the company has three offices: Milan to sell into Europe, Washington DC for the Americas, and Singapore for Asia. Rabe would not be drawn on whether it sold to China. It was founded in 2003 and started making surveillance software in 2005, and now has close to 50 clients.

The software itself does what typical, highly-sophisticated malware does. It can log keystrokes, take screenshots, and intercept email, Skype or other Internet-based communications. There are believed to be mobile, Mac and Windows versions. And it comes with rootkit technologies to hide itself from security software.

The problem for Hacking Team is that evidence of abuse of its software has been uncovered, but it is not able to provide proof it is taking those “stern actions” against those misusing its software to breach basic human rights. If it can’t improve its image amongst the more vocal civil rights lobbyists, it may lose out on business amongst the richer Western governments.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • Shame on you Hacking Team, I was one of those who discovered your backdoor, you KNEW very well to whom you were selling it. You knew that you were selling it to murderers and torturers, to people committing crimes against humanity.
    Now you're not even able to say sorry, you just liked so much the money, that you're only planning to be "a bit more careful", nothing more.

    I wish and I hope you will all end up in jail, that's where you belong.

  • Well, the bottom line is that nearly every Security vendor sells tools to repressive police states that aid in monitoring and restricting the expression of citizens.

  • Thanks for your article covering a recent panel on legal surveillance software held at the Feb. 28, 2013 RSA conference in San Francisco. There are a couple of important points about what was said there that your readers should understand.

    You describe photographs dramatically produced by fellow panelist Jacob Appelbaum. I would point out that there is no evidence and Appelbaum offered no evidence whatsoever that the torture victims whose shocking photographs he showed, or any other torture victims, were in any way related to the use of software our firm provides.

    Later in the story you note that Appelbaum referred to certain elements in our software as a “backdoor in (a) backdoor.” Appelbaum was misinterpreting a remark in which I said, “There are elements of the software that allow for checks on how it is used.” What I said is accurate and refers to certain auditing features of the software (e.g., a cryptographic audit trail that cannot be tampered with by anybody) that allow our clients to prevent abuse. As is his style, Appelbaum chose to paint this remark as something sinister. Your reporter went along.

    As I said at the panel, Hacking Team takes very seriously the need to do all we can to be sure our software is not abused. For obvious reasons, we cannot describe the details of the software nor the location or identities of our clients. However, an independent board carefully reviews potential HT sales before they are final to evaluate the risk of abuse. We require our clients to operate lawfully and we investigate circumstances that may violate our contracts.

    Eric Rabe
    Hacking Team

    • If you don't want to be portrayed as sinister you should probably not knowingly enable people to do sinister things, you jacka$s.

  • Dear Eric,

    I asked you to address the specifics of my statements during my panel and you declined. Nearly all of your statements boil down to "trust us" or "we have a panel of people who advise us" - you refused to discuss their fiscal stake in Hacking Team, you refused to disclose your processes, you also refused to disclose the result of alleged investigations into possible human rights violations.

    Why is it that we should trust a company whose only hard line is a refusal to sell to North Korea? Your work speaks for itself.

    During my opening statements I showed photographs of a number of people from across the Middle East and North Africa. I included Egypt because while the creators of FinFisher weren't on the panel, I would be remiss to give your company credit for having such a large market share. Still, your company does seem to get caught more often than Gamma; so credit where credit is due!

    I named two specific cases with a relation to Hacking Team and showed photos of those people from Morocco and the UAE.

    The case from the UAE was covered by Bloomberg - "Spyware Leaves Trail to Beaten Activist Through Microsoft Flaw":
    http://www.businessweek.com/news/2012-10-10/spyware-leaves-trail-to-beaten-activist-through-microsoft-flaw

    The case from Morocco about the targeting of people involved with the journalist group Mamfakinch was covered by Citizen Lab - "Backdoors are Forever: Hacking Team and the Targeting of Dissent?":
    https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

    The statement that I read was from Hisham, one of the primary persons targeted during the attacks on Mamfakinch. Allow me to reprint it here for all to read:


    Mamfakinch, which in local Arabic dialect means "we won't give up", has been spearheading the digital struggle in Morocco, offering a free platform for unscripted, uncensored speech and dissent. It was awarded the Breaking Borders Award in 2012 by Google and Global Voices. Then in the summer of 2012 it was the target of a sophisticated, government-grade spyware attack.

    Research later showed that the spying technology used to attack the group was the product of an Italian company based in Milan called Hacking Team. We, at Mamfakinch, then realized that two years after the start of the Arab revolutions, we were facing a ruthless digital counter-revolution in which the governments in the region were developing sophisticated "cyber security" and surveillance tactics, working hand-in-hand with private western companies.

    This has incalculable consequences on the morale and belief of the netizens that we are and who believe in democracy and freedom but who find themselves today the target of a technology meant to free them all from the shackles of dictatorship. This must stop. Don't hand over the internet to governments.

    Hacking Team has been caught attacking Hisham - if you won't express that his situation is deplorable, won't you at least apologize for your sloppy trade craft?

    The impressive reverse engineering work by Morgan et al is even covered by the New York Times in the following article:
    http://bits.blogs.nytimes.com/2012/10/10/ahead-of-spyware-conference-more-evidence-of-abuse/

    A sample of one Hacking Team RCS backdoor is analyzed by drweb: http://news.drweb.com/show/?i=2604&lng=en&c=5

    Additional evidence about Hacking Team is available on the Blue Cabinet website:
    http://bluecabinet.info/wiki/Blue_cabinet/Hacking_Team

    As I said at the panel, Hacking Team is directly related to the suffering of a number of the people I mentioned. Hacking Team needs to address these specific cases and to do so in public without any hand waving or weasel words.

    Stop selling your software to dictatorships and governments that engage in torture - especially those regimes who torture people working for democratic reform peacefully.
