Privacy advocates and anti-surveillance activists have been taking a close look at the way that some vendors of so-called lawful intercept and surveillance software and hardware systems conduct their business and which customers and governments they sell their wares to. Now, some of those vendors–and the customers they work with–are mounting their own criticisms of the researchers and their tactics.
FBI Director James Comey said last month that mobile device encryption could “lead us to a very, very dark place.” Yesterday, in a Financial Times op-ed, Robert Hannigan, the director of GCHQ, the British equivalent of the NSA, wrote that the U.S. tech giants are “the command-and-control networks of choice for terrorists.” Finally, over the weekend, David Vincenzetti, CEO of the controversial Hacking Team, penned a letter blasting a recent report in First Look’s The Intercept and accusing one of its authors, Morgan Marquis-Boire, of seeming “astonishingly unconcerned about or naively unaware of the criminal and terrorist uses of secret communications over mobile devices or the Web.”
Hacking Team is an Italian company that develops and sells surveillance equipment and spyware to government clients.
Marquis-Boire is a well-known security researcher and privacy advocate. However, there’s a level of bad blood between him and Hacking Team over a series of reports made public by the University of Toronto’s Citizen Lab, for which Marquis-Boire serves as a senior security researcher and technical adviser. The reports allege various levels of malfeasance on the part of Hacking Team, which Citizen Lab, Marquis-Boire and The Intercept claim is in the business of selling surveillance equipment to despotic regimes with less-than-perfect human rights records.
Hacking Team says on its website that it can “defeat encryption,” offering clients “in-the-clear” access to “thousands of encrypted communications per day.” What is up for debate, Vincenzetti said, is to whom the firm sells its products.
Specifically, the rebuttal, sent via a mailing list to Hacking Team clients and The Intercept’s editors, responds to The Intercept’s publication of “secret manuals” purportedly showing how the company sells its wares to “despots and cops worldwide.”
“Despite the headline, the secret manuals do not show that anything at all was ‘sold to despots’ worldwide or elsewhere,” Vincenzetti said. “That remains the conjecture of the authors. As most readers of this list know, Hacking Team voluntarily goes farther than any company in our industry to assure that our tools, powerful as they are, are not misused. See our Customer Policy.”
Hacking Team’s customer policy asserts that the company does not sell its gear to governments or countries blacklisted by the U.S., E.U., U.N., NATO or ASEAN. Furthermore, it claims to review all deals prior to sale to ensure that its products will not be used to facilitate human rights violations and that users of Hacking Team tools abide by applicable laws. A suspension of support from Hacking Team following a breach of contract by its customers would quickly render Hacking Team tools useless, the company says. Much of this, however, is at the discretion of a private advisory board.
In turn, Marquis-Boire and The Intercept’s Cora Currier argue that what Vincenzetti describes as “the conjecture of the authors” is actually backed up by a number of instances where the Hacking Team software implants have been identified on victim machines. These instances, the two said, have been backed up by extensive peer review on the part of other researchers with the University of Toronto’s Citizen Lab and private security firms. They go on to claim that there have been documented cases of Hacking Team tools deployed against a Moroccan citizen-journalism site, an Emirati human rights activist, and Ethiopian journalists based in Washington, D.C.
Citizen Lab has also identified additional suspected Hacking Team customers in countries with troubling human rights records, such as Egypt, Saudi Arabia, and Kazakhstan.
Interestingly, Vincenzetti does not directly say in his letter that his company does not sell products to despots. Instead he states that the secret manuals published by The Intercept do not show what they claim to show. In fact, the letter is as much a personal attack on Marquis-Boire, who is described as “a tireless wolf-crier on the issue of privacy as he defines it.” Vincenzetti characterizes Marquis-Boire’s definition of privacy as allowing anyone to do anything without fear of detection.
“Instead of a balanced look at a complex subject, this article is the familiar perspective of activists such as Morgan Marquis-Boire, one of its authors,” Vincenzetti writes. He goes on to describe Marquis-Boire’s privacy stance as the “perfect formula” for criminals and terrorists. He then claims that rational thinkers agree that there is a proper balance between privacy and protection, which Hacking Team supports.
“In any case, Vincenzetti’s assertions about Hacking Team as a legitimate tool for law enforcement depend on the assurance that those law enforcement agencies are using it properly,” Marquis-Boire and Currier wrote. “In the U.S., we have only glimpses of how malware gets used, and it’s not all confidence-inspiring. (Last week, it was revealed that the FBI had used a fake link to an Associated Press story to get a suspect to click on a spyware installer.) Abroad, there’s already convincing evidence that the spread of software like Hacking Team’s poses threats to innocent citizens.”