Hacking Team officials are disputing reports that the company sold its surveillance and intrusion software to oppressive regimes in countries that were under sanction. The company said it sold its products “strictly within the law and regulation as it applied at the time any sale was made.”
The new statement from Hacking Team comes after two weeks of stories resulting from the compromise of the company’s network earlier this month. The Hacking Team breach was devastating, involving the release of 400 GB of data stolen from the company’s system, including emails, customer invoices, and some of the source code for the hacking Team Remote Control System platform. Some of the more damaging information to emerge from the cache includes documents showing the company sold its surveillance tools to government agencies in Ethiopia, Syria, Sudan, and other oppressive countries.
Hacking Team executives have now admitted to selling to these countries, but say that when Hacking Team sold to them, the sales were legal.
“The company has always sold strictly within the law and regulation as it applied at the time any sale was made. That is true of reported sales to Ethiopia, Sudan, Russia, South Korea and all other countries,” a statement from the company released Wednesday says.
A report from the Citizen Lab at the University of Toronto last year exposed the way that the Ethiopian government used Hacking Team’s RCS platform to target some Ethiopian journalists, among others. The company said it stopped selling to Ethiopia after the information was revealed.
The company’s statement walks a fine line, carefully asserting that any sales to questionable countries were technically legal at the time they were made. Hacking Team, which is based in Italy, is not subject to the same laws as similar companies in the United States, for example. However, they are subject to the Wassenaar Arrangement, which regulates the sale of weapons and some software that can be used for exploitation.
Hacking Team now says that, regardless of controversy, the company’s sales were all within the law, even its sale to Sudan in 2012. Sudan has been under United States sanctions for 10 years, including bans on the sale of arms.
“The sale of ‘weapons’ have been banned to certain countries. Hacking Team technology has never been categorized as a weapon. At the time of the company’s only sale to Sudan in 2012, the HT technology was not classified as a weapon, arms or even dual use,” the statement says.
“In fact, it is only recently that has Hacking Team technology been categorized under the Wassenaar Arrangement as a ‘dual use technology’ that could be used for both civil and military purposes. Dual use technologies are regulated separately from weapon technologies.”
Marietje Schaake, a Dutch member of the European Union Parliament who has been critical of Hacking Team and other companies that deal in exploits and intrusion software, said Wednesday on Twitter that perhaps laws need to be changed to deal with such sales.
“If #hackingteam acted legally, we must update laws but companies always have choice to act ethically and morally,” she wrote.
Schaake on July 7 sent written questions to European Commission about hacking Team and its sales to sanctioned countries.
“The company claims that their product not only relays what is happening on a target’s computer, but also enables surveillance of anything occurring within the range of the computer’s internal camera or microphone. This is extremely problematic when it comes to the human rights of internet users in Sudan,” she said.