In the era of Edward Snowden, new revelations about government snooping may fall on deaf ears. “Of course the NSA is watching/listening/recording” goes a common refrain among the exposé-weary. But while the intrusive surveillance of the NSA and its British doppelganger, GCHQ, has been extensively documented, far less attention has been directed to private companies that hawk spyware, complete with sophisticated data-laundering features, to interested governments.
Now The Citizen Lab at the University of Toronto, a non-profit research organization that won a 2014 MacArthur Foundation grant, has begun to lift the veil of anonymity from these shadowy vendors. On March 4, the Lab released the third in a series of reports on Hacking Team, a Milan-based outfit that sells its premier Remote Control System (RCS) spyware to any government willing to meet its price.
Caption: A feel-good advertisement for Hacking Team’s RCS software [Source: YouTube]
According to the report, “RCS can record Skype calls, copy passwords, e-mails, files and instant messages, and turn on a computer or phone’s webcam and microphone to spy on nearby activity.”
Hacking Team markets its RCS program as “untraceable.” Computers infected with the stealth software are commanded to send data back to the snooping government through a chain of proxy servers located in other countries, so as to disguise the ultimate user of the hacked information.
Citizen Lab claims to have stripped away this disguise. In an earlier report, the Lab named 21 governments suspected of being former or current users of RCS. For example, the Ethiopian government has allegedly used the software to spy on journalists based in Washington, DC. Other purported targets have included reporters in Morocco, human rights activists in the United Arab Emirates (UAE), and a US-based critic of Turkish charter schools.
In its latest report, Citizen Lab has dug still deeper into the web of misdirection woven by the RCS program. It found that in at least 12 cases, crucial links in the proxy-server chains were supplied by US-based data centers, and these links have been tied to specific governments, including Azerbaijan, Colombia, Ethiopia, Korea, Morocco, Mexico, Poland, Uzbekistan, UAE, and Thailand.
A graphic shows the US-based servers used to spy on targets of foreign governments [Source: The Citizen Lab]
More disturbingly, the Lab identified several cases where US-based spyware servers impersonated the websites of US companies. Among them were a New York-based financial firm connected to an SEC investigation, a small Oregon newspaper, and ABC News. In each case, the “impersonation” was designed to divert suspicions about where the data was ultimately headed. The legal issues raised by such cyber deception are apparent.
In its sales pitches, Hacking Team claims to carry out due diligence to make sure a potential client will not use its “surveillance technologies to facilitate human rights abuses.” But Citizen Lab notes that many of the RCS users it has identified are notorious for violating the rights of their own people.
Using US-based servers to facilitate surveillance by human rights-violating governments may seem problematic in light of Washington’s bromides against such abuses. But the majority of worldwide Internet traffic transits through the US, and none of the human rights-violating governments are under sanction by the US Treasury (seeing as they’re geopolitical allies). Hacking Team quickly dismissed the report in comments made to the Washington Post.
American law is ambiguous on whether cloud-computing companies can be held accountable for the alleged transgressions of their users.
WhoWhatWhy has written previous stories about private-sector collaborators with state surveillance agencies, thanks largely to the work of imprisoned journalist Barrett Brown. Brown pioneered a wiki dedicated to researching hacked emails from cybersecurity contractor HBGary Federal and its parent company, HBGary. That initiative, ProjectPM, provides access to vast amounts of information on the nexus between public and private surveillance operations.
Click here to read the full report on Hacking Team from Citizen Lab.