Last week, The Intercept published manuals showing the workings of an invasive spyware tool made by the Italian company Hacking Team and sold to authorities in dozens of countries around the world.
Hacking Team’s CEO David Vincenzetti responded to our piece over the weekend with a letter addressed to The Intercept’s editors (and also sent to the company’s mailing list):
There is little new in the recent piece in The Intercept, Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide. (Published Oct 29, 2014.)
Despite the headline, the “secret manuals” do not show that anything at all was “sold to despots” worldwide or elsewhere. That remains the conjecture of the authors. As most readers of this list know, Hacking Team voluntarily goes farther than any company in our industry to assure that our tools, powerful as they are, are not misused. See our Customer Policy.
Instead of a balanced look at a complex subject, this article is the familiar perspective of activists such as Morgan Marquis-Boire, one of its authors. The writers seem astonishingly unconcerned about or naively unaware of the criminal and terrorist uses of secret communications over mobile devices and the Web. In this case, they go so far as to begin by mocking the concerns of even the most respected law enforcement organizations (See FBI, Comey, Oct. 16, 2014). The manuals published by The Intercept appear to be stolen documents and are clearly out of date.
Mr. Marquis-Boire has been a tireless wolf-crier on the issue of privacy as he defines it – apparently requiring anyone to be allowed to do anything without fear of detection. That’s a perfect formula for criminals or terrorists who routinely use the Web, mobile phones and other devices. These law-breakers take advantage of encryption technology, anonymity tools and the “dark web” to engage in terrorism, pornography distribution, sex trafficking, fraud, ransom demands, drug distribution, abuse of women and children and so forth.
Rational thinkers would agree that there is a proper balance between the right to privacy and society’s need to be protected from crime and terrorism, a view that HT supports. However, we also strongly believe it is essential to the safety of us all that law enforcement have tools to protect the public from those who would abuse technology. We promise to work tirelessly to continue providing the best such tool available.
The “conjecture” that Hacking Team’s software has been used by repressive governments to spy on their citizens is backed up by a number of instances where the software implants have been identified and subjected to academic peer-review, not only by Marquis-Boire and other researchers with the University of Toronto’s Citizen Lab but also by security firms Arsenal Consulting and Kaspersky Labs. Documented cases of Hacking Team’s use include attacks against a Moroccan citizen-journalism site, an Emirati human rights activist, and Ethiopian journalists based in Washington, D.C. Citizen Lab also identified suspected customers in several other countries with dubious human rights records, including Egypt, Saudi Arabia, and Kazakhstan, by tracing back the chain of proxy servers used in Hacking Team attacks to the endpoints in the countries in which they originated (the methodology is detailed here).
There is no transparency in Hacking Team’s customer policy. The company will not say if they’ve dropped or denied a customer over human rights concerns, and the members of their advisory board are private.
Vincenzetti claims that in publishing these documents, we are being overly dismissive of law enforcement concerns about criminals using encrypted and anonymous communications. Doubtless, there are criminals who try to evade detection in their computer use. But officials have also publicly overstated the negative impact of widespread use of encryption on their investigations. As The Intercept has previously reported, there’s still plenty of data cops can get from even the new generation of encrypted phones. In three of the four cases cited by FBI director James Comey last month to illustrate how encryption would help criminals, phone data actually wasn’t essential to catching or convicting offenders. The fact that Hacking Team offers a commercial product to circumvent encryption only further undercuts the idea that the general public’s use of the technology — which may help keep their data safe from criminal hackers — will have a devastating impact on lawful investigations.
In any case, Vincenzetti’s assertions about Hacking Team as a legitimate tool for law enforcement depend on the assurance that those law enforcement agencies are using it properly. In the U.S., we have only glimpses of how malware gets used, and it’s not all confidence-inspiring. (Last week, it was revealed that the FBI had used a fake link to an Associated Press story to get a suspect to click on a spyware installer.) Abroad, there’s already convincing evidence that the spread of software like Hacking Team’s poses threats to innocent citizens.