Andhra Pradesh: Alleged move to get snooping technology creates a flutter.
MIAMI — An Italian company that sells surveillance software to governments and law enforcement agencies worldwide is negotiating to provide a Florida police agency with spyware technology that infiltrates phones and computers, according to emails just released. Hyderabad: The revelation by the WikiLeaks website that the Andhra Pradesh government had tried to purchase spying technology to listen in to cellular phone conversations has sent ripples in political circles here.
In contrast to many of the private companies performing outsourced aggressive surveillance work for the world’s spy agencies, Hacking Team doesn’t try to hide behind a generic corporate identity.LONDON – Top Indian security agencies were secretly negotiating with Italian cyber-surveillance firm, Hacking Team, to procure software for intercepting communications through remote bugging of devices, reveals the purported internal Hacking Team e-mail exchanges released by WikiLeaks.The released data reveals that not only Indian intelligence agencies but several states’ police forces also were procuring powerful surveillance technology which can infect and target desktops, intercept mobile calls, steal files and even spy on emails.NEW DELHI: Several Indian government agencies and many state police forces had reportedly engaged, or are in talks to engage, the services of a controversial Italian hacking company that is notorious for making surveillance software and supplying them to oppressive regimes.
The technology, developed by Hacking Team, can monitor conversations and emails, and even turn phones and laptops into surveillance devices by remotely activating cameras and microphones. Gamma International, Academi and QintetiQ could be companies doing anything, but Hacking Team – well, it doesn’t take a genius to guess what line of work they are in. The emails are part of the 440-gigabyte (GB) internal data stolen this week through a major cyber attack on the firm, a major portion of which has been made public.
According to set of emails released by WikiLeaks on Italian surveillance malware-maker Hacking Team, Indian agencies seemed to have been an active client of the company for devices meant not just for targeted counter-terrorism operations but also for sweeping invasion of privacy. The brochure says the software “is invisible to the user, evades antivirus and firewalls, and doesn’t affect the devices’ performance or battery life.” The State Police scheduled a meeting with Hacking Team on Nov. 1, 2013. But the emails also disclose that one regional police force — Staffordshire Police in England’s Midlands — enquired about the purchase of intrusive surveillance products. The dealings with Staffordshire Police will raise concerns among civil liberties campaigners about the surveillance technology available to ordinary police units. A message on Hacking Team’s hijacked Twitter account read: “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code.” The emails and files, which have since been catalogued by WikiLeaks, show that Hacking Team was selling its products to nations with records of human rights abuses, including Ethiopia, Bahrain, Egypt, Kazakhstan, Russia, Saudi Arabia, Sudan and Azerbaijan.
The revelation came at a time when the two Telugu states — Telangana and Andhra Pradesh — are locked in a raging controversy with AP charging Telangana with snooping and tapping the phones of its key political figures including the Chief Minister N Chandrababu Naidu. The communication chain revealed details of the company’s dealings with the Research & Analysis Wing (RAW), Intelligence Bureau and various state intelligence units. The leaked emails include one related to CABSEC (Cabinet Secretariat or R&AW, India’s external espionage agency) which HT claimed was one of their clients. It doesn’t provide security at all, really; none of their software will help clients avoid cyberattacks, tighten up their internal networks, or patch flaws in their software.
Hundreds of email communications between Hacking Team, its partner NICE — an Israeli company specializing in surveillance and data security — and Indian contacts show their active presence in India. Apparently the AP Intelligence Unit made the request for the snooping technology soon after an alleged audio tape of telephonic conversation between Naidu and a nominated Telangana MLA Elvis Stephenson came to light suggesting that somebody was listening and recording to the phone call. An email from Adam of Nice Systems to Marco of HT, Italy on August 21, 2011 said: “CABSEC is an Intelligence organisation, directly under the Prime Minister’s office. On April 22, Agent Randall Pennington of the Metropolitan Bureau of Investigation — a major-crimes task force that covers Orange and Osceola counties — emailed Hacking Team : “We are a law enforcement task force located in Orlando, Florida. The audio tape, certified as authentic by the forensic experts, has now become a crucial piece of evidence for the Telagnana authorities in the cash for vote scam involving Telugu Desam leaders.
It sells its Remote Control System (RCS) software to law enforcement and national security agencies around the world, letting them hack into targets’ computers and mobile devices, install backdoors, and monitor them with ease. Customers being addressed by SEMCO India in the e-mails include the Cabinet Secretariat and intelligence units in Delhi, Mumbai, Andhra Pradesh, Karnataka and Gujarat. Finlow added, however, that his force makes “regular enquiries to various companies to understand the functionality and capabilities of products on the market.” “The force is at the forefront nationally in terms of developing its capability to combat cyber crime and we do have a dedicated team to exploit digital technology,” he said. I would like to speak with someone regarding your products.” Within a month, a Hacking Team employee, Daniele Milan, flew from Italy to Orlando to meet with four MBI agents, including the director, Larry Zweig. According to sources, such a technology was very much available with the police force of unified Andhra Pradesh but following the bifurcation of the state it went to Telangana police intelligence unit leaving their AP counter part empty-handed.
There, his profile says, his job required him to “design, build, and install custom covert electronic surveillance devices and enclosures.” The emails stop after that. Britain’s police forces have only recently formed regional surveillance units with the power to carry out covert and intrusive investigations, which were previously overseen by the now-dissolved Serious Organised Crime Agency. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move … Remote Control System: the hacking suite for governmental interception. In an email sent in February 2014, the chief of Hacking Team’s office in Singapore refers to R&AW, NIA (National Investigation Agency), IB (Intelligence Bureau) and NTRO (National Technical Research Organisation) as “customers” , indicating the possibility of them already availing the company’ s services. At the same time, the HT and its associate companies were also selling snooping devices to agencies in Pakistan as email dated August 20, 2013 claimed that at least two other companies joined together to supply equipment to Pakistan’s ISI. “As Mostapha informed you, you will be your peer for the Pakistan activities.
The company demonstrated to Indian agencies ways to infect mobile phones with malware — the phone could be in the same room, or could even be infected by just knowing the number. Instead, the Orlando law enforcement agents were most concerned about laws that prevent bulk surveillance activities and the collection of information from people who are not targets of investigation. “The main concern was the federal legal framework they have to comply with (Title III of the Omnibus Crime Control and Safe Streets act of 1968) which imposes ‘minimization’ of the calls and messages (i.e., deleting portions which are not relevant to the speech),” Milan wrote to co-workers on May 21.
It didn’t disclose its clients, the technology behind its software, or the sort of work it was contracted to do, citing the need for privacy and security. As we informed Mostapha we currently awaiting the promotion of the new DGT of ISI, any action with the current one will be a waste of time as he will be out of the job soon.” Sources in the intelligence agencies, however, claimed that leaks will not compromise their strategic intelligence collection as all the equipment purchased are meant for lawful interception against terror outfits and elements inimical to the nation. “We are in touch with the Tamil Nadu Cyber Crime division and have been told that the division does not have enough strength to track and monitor mobile signals.” One of the major clients is Cabinet Secretariat (CABSEC), which was already a customer of Hacking Team’ s Israeli partner NICE, according to the emails. A confidential “Statement of Requirements” listed everything they wanted the tool to do: it would be secretly introduced to a phone or computer operating system, and would then “receive, record and playback the ‘Product’ retrieved from the third party.” Hacking Team seemed to impress the NCA. Hacking Team’s surveillance software, as originally designed, would have provided information about everyone with whom the target of the investigation communicated.
It occurred to me that I could perhaps propose using your solution, in addition to meet their needs”, Reddy wrote in the mail seeking a quotation of the cost. A demonstration in January this year was “extremely well received and proved to be a real eye opener for what can be achieved.” A follow up email in April shows the NCA attempting to build a business case for the keystroke-logging software.
The company said in a statement it has lost control of who can use the product: “Terrorists, extortionists and others can deploy this technology at will if they have the technical ability to do so. The NCA declined to confirm or deny to VICE News whether the deal ever went through, however. “The NCA deals with the most serious criminals who are doing the worst things,” the spokesperson said. “In order to disrupt their criminal activity effectively we look at all the tools and technology that might be available to us.
Reporters Without Borders (RSF) published an extensive report into “digital mercenaries” such as Hacking Team, who provide the technical expertise which underpins Snowden-era electronic surveillance. In it, the group named five “corporate enemies of the internet”: Hacking Team, Britain’s Gamma Group, Germany’s Trovicor, France’s Amesys, and America’s Blue Coat Systems.
Communications also show that one Indian client wanted the Italian firm to change the ” terms of the solution” so as to hide offensive capabilities of the software. The Hacking Team spreadsheet lists MBI’s “temperature” — the perceived interest in purchasing surveillance products — as green, with a smiley face emoticon. And if they didn’t directly sell to authoritarian regimes, they were almost as guilty, of letting dangerous tools fall into the hands of malicious actors.
If that happened, “their failure to keep track of the exports of their own software means they did not care if their technology was misused and did not care about the vulnerability of those who defend human rights,” the report said. In February, the American Civil Liberties Union released a report that documented how cell site simulators, known as StingRay, have become increasingly popular among Florida police. A report from CitizenLab, based at the University of Toronto, found that several journalists based in Washington DC, working for an Ethiopian diaspora news channel called ESAT, had been infected with what appeared to be Hacking Team’s RCS spyware.
Despite Hacking Team’s assurance that “we will refuse to provide or we will stop supporting our technologies to governments or government agencies that … we believe have used HT technology to facilitate gross human rights abuses”, it appears that it continued to provide the software to Ethiopia, even after CitizenLab unveiled abuses over a year earlier. In Tallahassee, the secret use of a StingRay device compromised the prosecution of Tadrae McKenzie, a 20-year-old who was charged with robbery with a deadly weapon. After a state judge ordered police to show the StingRay device to McKenzie’s defense lawyers, prosecutors offered a sweetheart deal — just six months probation after pleading guilty to a second-degree misdemeanor — to avoid having to turn over the surveillance device.
Now that Hacking Team’s email and source codes have spilled online, the company’s future business, including with Florida law enforcement, is uncertain. The company, which accepted that documents had been stolen in the attack, refused to comment on the validity of the dump as a whole, and a spokesman told the Guardian that “interpreting even valid documents without complete picture of why they were created or how they were used can easily lead to misunderstandings and even false conclusions”. A year ago, the same hacker made a public dump of documents belonging to Gamma International, another of the five firms highlighted by RSF in its report.
The tortured mess of regulations around the provision and export of spyware means it’s difficult to hold these companies to account, but slowly, public opinion seems to be turning against them. Because the hack revealed more than just the internal documents of Hacking Team: it also laid bare the code for their intrusion software, and even revealed a critical vulnerability in Adobe Flash that the group had been using to inject malware in targets’ computers.