Monday, July 20, 2015

#Hacking Team and Its Clients in Low Places

#HackedTeam and Colombia: How Surveillance Helps a Violent State

by Justin Podur - TelesurEnglish



In the past few years, debates about universal surveillance, software and internet freedom, privacy and civil liberties have opened through the efforts and sacrifices of people like Wikileaks, Chelsea Manning, Edward Snowden, and Anonymous. The governments and private security industry that have been exposed through leaks, hacks, and whistleblowing, have been forced to respond. Some of these responses involved attacking and prosecuting the messengers. Others have involved denial, apology, and the perpetually fresh doctrine of the "change of course": "yes, we used to violate people's rights, but that's all over now".

Some public figures attempted to argue against privacy on principle: "If you have nothing to hide, why should you need privacy?" But, as Glenn Greenwald wrote, none of these anti-privacy people were willing to give him their email passwords on television, despite having nothing to hide.

A small number of those implicated in surveillance violations took a defiant stance, as in: "yes, we violate privacy, and we are very good at it." One security company, dedicated to offensive hacking, stood out as particularly defiant: the Italy-based Hacking Team, headed by David Vincenzetti. Go to their website today and watch the banners flash along: "DEFEAT encryption." "Total control over your targets." "Thousands of encrypted communications per day. Get them. In the clear." While many of Hacking Team's competitors were more sheepish, or at least discreet, about their violations of people's privacy rights, Hacking Team staked out a marketing space based on flamboyance.

With such a casual attitude to violating citizens' privacy on behalf of their clients, the hack against Hacking Team that occurred on July 5 was almost inevitable, and it is very difficult to find any sympathy for Hacking Team's cries that their privacy has been violated. The hashtag #HackedTeam trended for quite a while, along with others like #IsHackingTeamAwakeYet.

The hackers released into the public domain the specialized software that Hacking Team uses to violate people's systems, exploits HT had discovered and were keeping secret to sell, as well as 400GB of email archives, presentations and documents. Wikileaks speedily made the email archives searchable online.

The main piece of software that Hacking Team sells, Remote Control System or RCS, allows the client to monitor someone else's computer. Such a system is of great interest to repressive governments and agencies of all types, and that's why Hacking Team's client list includes Egypt, Sudan, Ethiopia (about which University of Toronto's Citizen Lab wrote a report) and many other human rights violators.

In the Americas, Mexico is the biggest client, but HT does substantial business both with, and in, Colombia. In Bogota, HT works with the US Embassy and the DEA. Much of the RCS business with Colombia is done through the Israeli surveillance firm, NICE. A series of 2013 emails discuss a US$60M deal with Colombia's directorate of police intelligence (DIPOL). Many emails report on the success of demonstrations of the software. A 2009 email discusses the demo method that later became standard:

"Anti Narcotics Police is very interested in the product. Have you been able to advance on the demo over the Internet. As we discussed the idea would be to infect a computer (and maybe a phone) here in Colombia and have it connected to the Internet. We would be watching your server using Adobe Connect, we let the customer play with the infected computer, write documents, email, surf the web, chat, Skype, etc, and at the same time we are showing them the info come up on the server. I would really like to be able to do a demo soon, please let me know."

HT has promised that they don't sell their systems to anyone responsible for gross human rights violations (how they define gross is unknown). Their job is to sell software, in any case, so they presumably don't track or know what is done with their systems once sold – even if, like the machines IBM custom-built for the Nazis (see "IBM and the Holocaust" by Edwin Black), the technology is hardly neutral. Because HT is just selling the software and not running it for their clients, we probably won't be able to tell from their email archives what exactly Colombia (or any other government) has done with HT's software, and who they are doing it to.

But we have other information that can provide us with some ideas. What would Colombia do with the Remote Control System? Will they be using it to catch cyber criminals? What kind of regime is Colombia? It has elections, after all. It has elected politicians from across the political spectrum. It is currently in negotiations to end its long civil war. Its 1991 Constitution is progressive in many ways. So, why shouldn't Colombia's police get some help trying to catch cyber criminals?

Unfortunately, Colombia's civil war is not a 19th-century civil war of armies battling against each other on a field. It's a modern war of a state and paramilitaries killing civilians and controlling territories for profit, and guerrillas that took up arms defensively decades ago and have turned them against the people far too many times since.

The targets of state violence (and surveillance) in Colombia - when state violence is targeted at all, and not generalized - are unionists, human rights defenders, journalists; indigenous, Afro-Colombian, women, and peasant leaders. If it were possible to find out whose computers were infected by HT's malware, I would wager that most of the infected devices would belong to such people.

But, as Human Rights Watch documented again just last month, violence isn't always targeted. The 'false positives' scandal in Colombia involved military units capturing ordinary people, killing them, and dressing them up as guerrilla combatants to present high casualty numbers. It is hard to imagine a more evil, statistics-driven exercise. The commanders in charge of the units committing these atrocities are still in charge, and some have risen through the ranks on the bodies of those killed as false positives.

The Colombian state didn't need HT's software to murder peasants and dress them up as guerrillas. But to anticipate and prepare for human rights criticism? To stay one step ahead of the FARC at the negotiating table? To target and surveil the country's many remarkable unarmed movement activists - and put targets on them for murderous paramilitaries? For any of these - all proven tactics of the Colombian regime - HT's systems sure would come in handy.
