While the National Security Agency has been getting a lot of attention for its global surveillance endeavors, a small army of private and often secretive companies is quietly peddling spyware with NSA-like capabilities to governments around the world. Among their clients; the NSA.
Many of these products go beyond simple monitoring of huge amounts of traffic or stealing files. These new programs can target individuals, infect their computers, phones, web cameras or other devices to watch and record the every move of people targeted.
The software does have legitimate uses such as gathering data about criminal activities, but critics say it too often used by authoritarian regimes to spy on their own people.
The most recent public case involves an American citizen who goes by the alias “Mr. Kidane.”
According to the Electronic Frontiers Foundation, or EFF, which is representing Mr. Kidane, he is suing the Ethiopian government “for infecting his computer with secret spyware, wiretapping his private Skype calls, and monitoring his entire family’s every use of the computer for a period of months.”
“We have clear evidence of a foreign government secretly infiltrating an American’s computer in America, listening to his calls, and obtaining access to a wide swath of his private life,” EFF attorney Nate Cardozo said in a statement.
“The current Ethiopian government has a well-documented history of human rights violations against anyone it sees as political opponents,” he said. “Here, it wiretapped a United States citizen on United States soil in an apparent attempt to obtain information about members of the Ethiopian diaspora who have been critical of their former government. U.S. laws protect Americans from this type of unauthorized electronic spying, regardless of who is responsible.”
The Ethiopian Embassy in Washington did not respond to calls seeking comment on the case.
‘Lawful Intercept’ Spyware
The spyware allegedly used against Mr. Kidane is something called FinSpy, EFF said. FinSpy is a suite of programs marketed to governments by the Gamma Group of Companies, a U.K.-based software company.
Gamma is one of a growing number of companies offering sophisticated surveillance software and support to governments and law enforcement around the world.
Infection is as easy luring a target to click a mouse, analysts say. The most common way computers and other devices are infected with the spyware is through bogus email attachments which contain the hidden spyware. Once infected, the software is capable of a wide variety of surveillance and is very hard to detect.
Many of the companies boast about how off-the-shelf security software can’t detect their products.
Bill Marczak, a researcher for Citizen Lab, which conducts research on the intersection of communication technologies and human rights, called these kinds of software “a new trend in repression.” He added that the $5 billion industry is “large and secretive” and “until recently, it was in the shadows.”
He’s not the only one concerned. Reporters Without Borders (RWB), a press freedom watchdog group, went so far as to call Gamma among 2013’s “enemies of the Internet.” It named other companies including Hacking Team.
Eric Rabe, a spokesman for Hacking Team, called the accusation “absurd” in an email, adding that the company’s “products are significant tools to prevent Internet users from becoming Internet victims.”
“The products that Hacking Team offers serve to protect users from the abuses that can be extremely serious,” he said. “For example, there have been many examples of economic crime — fraud, holding computer operating systems for ransom, stealing financial data and so forth.”
Hacking Team is alleged to have provided offensive “legal intercept” surveillance software to 21 countries, according to a recent report by Citizen Lab.
Among the countries Citizen Lab said Hacking Team software was found are several with questionable human rights records such as Azerbaijan, Kazakhstan, Saudi Arabia, Uzbekistan and Sudan. The report also alleges that Hacking Team software was used to spy on Ethiopian journalists based in the Washington area.
The Gamma Group also has broad international reach. It was trying to sell one of its products, FinFisher, to the government of deposed Egyptian president Hosni Mubarak, according to documents uncovered by protesters. The company was trying to sell its FinFisher spyware to Egypt’s security forces for over $300,000 and even offered a free trial.
Gamma told the Guardian newspaper it had not sold products or provided any training to the Egyptian government and that it complies with relevant import and export regulations when selling to governments. Like Hacking Team, the company keeps its client list confidential.
According to Citizen Lab, spyware has been used against activists in Bahrain and the United Arab Emirates and against an Ethiopian journalist in the UK. There have also been reports of spyware being used against citizen journalists in Morocco and against an American who appears to have been targeted by someone in Turkey connected to the powerful Gülen Movement.
Attempts to regulate the industry have fallen short. Reporters Without Borders says spyware like that sold by Hacking Team and Gamma have been included in the Wassenaar Arrangement, which promotes “transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.”
However, the press advocacy group says governments have “not yet put these negotiations into force.”
Researcher Marczak is skeptical about the ability to regulate.
“We’re just relying on the company’s word,” he said. With regard to Hacking Team, Marczak adds that “what we’ve seen so far when we uncover their products, the first thing we hear is that they didn’t sell it.”
“The confidentiality of their clients is a primary goal,” he said. “I’m not optimistic that compliance can be verified.”
Rabe said Hacking Team is aware of the recent change in the Wassenaar Arrangement and is studying it.
Similar to the NSA surveillance programs, there are legitimate uses for software made by companies like Gamma and Hacking Team, such as infiltrating cyber criminal rings or finding underground pedophile networks.
“We work to keep our products out of the hands of government agencies that would abuse them,” Rabe said. “We have refused to deal with clients we believe might abuse our products. We have suspended support for our software (making it ineffective) in the past when we have discovered misuse of our software, however, we do not disclose details of such actions.”
The company said it reviews potential customers to make sure their technology will not be “used to facilitate human rights violations” by establishing outside panel of technical experts and legal advisors, unique in our industry, that reviews potential sales.”