EU Lawmaker Wants Answers on Hacking Team Sales to Sanctioned Countries

A prominent member of the EU parliament, who has been outspoken on security and privacy issues, on Tuesday submitted a written list of questions to the European Commission about the actions of Hacking Team and whether the company had violated EU sanctions regarding sales to specific countries.

Marietje Schaake, a Dutch member of the European Union Parliament, expressed concern over many of the details of Hacking Team’s business that were revealed in the huge dump of documents on Sunday. Specifically, Schaake was worried about contracts and invoices that show the company sold its Remote Control System intrusion software to customers in countries that are under EU sanctions. Some of the documents released after the hack of Hacking Team show that the Italian company sold its software to government agencies in countries such as Sudan, Egypt, and Ethiopia, which are considered repressive regimes.

Hacking Team’s RCS software is a platform used by law enforcement agencies, intelligence agencies, and other customers to remotely compromise computers and mobile devices and monitor the communications of targets. Security researchers and human rights activists have assailed the company for doing business with repressive governments, something Hacking Team executives have denied in the past. However, the documents published in recent days include invoices that support these accusations.

Schaake said she worries about the consequences of sanctioned governments having such powerful intrusion and surveillance tools in their possession.

“The company claims that their product not only relays what is happening on a target’s computer, but also enables surveillance of anything occurring within the range of the computer’s internal camera or microphone. This is extremely problematic when it comes to the human rights of internet users in Sudan. In fact, it seems this sale to Sudan would not only constitute a violation of the UN Sanctions Regime established by UN Security Council Resolutions 1556, 1591, 1945, 2091 and 2138, but the sale of this RCS would also violate Council Decision 2014/450/CFSP of 10 July 2014 concerning restrictive measures in view of the situation in Sudan,” Schaake wrote in a blog post Monday.

“Documents also suggest that Hacking Team – despite earlier claims – might have sold its technologies to non-governmental entities, such as a private Brazilian firm, YasNiTech.”

In a submission to the European Commission, Schaake asked the commission to consider whether Hacking Team has violated EU sanctions by selling to controlled countries, among other things.

Her questions are:

1) Does the Commission believe Hacking Team has violated EU sanctions regimes?

2) Has the Commission been informed of any prior authorization given by the Italian authorities that would allow Hacking Team to export its products to Sudan or Russia, and is the Commission aware of a ‘global authorization’ that was given by the Italian authorities to Hacking Team that authorized the company to export its products freely in all countries of the Wassenaar agreement?

3) Has Hacking Team ever asked DG FPI any question regarding its interpretation of the EU sanctions regime against Sudan or Russia?

Schaake has been vocal about the topic of sales of intrusion software and other attack tools for some time. In 2013 she started an effort to control the sale of such software and published a petition.

“We believe in the empowerment of individuals via the internet and technologies but also acknowledge that technologies can become powerful arms in the hands of oppressors, or when companies and governments gain unchecked power or market share; we regret that globally opposition members, journalists, bloggers and citizens increasingly face repression through the use of technologies,” the petition said.

And last year, Schaake said during a panel discussion that there was a clear need for some sort of regulation of the way surveillance tools and intrusion software are sold.

“There’s virtually no accountability or transparency, while he technologies are getting faster, smaller and cheaper,” she said. “We’re often accused of over-regulating everything, so it’s ironic that there’s no regulation here. And the reason is that the member states [of the EU] are major players in this. The incentives to regulate are hampered by the incentives to purchase.

“There has been a lot of skepticism about how to regulate and it’s very difficult to get it right. There are traumas from the Crypto Wars. Many of these companies are modern-day arms dealers. The status quo is unacceptable and criticizing every proposed regulation isn’t moving us forward.”

Suggested articles