Earlier this year, it was reported that Elliott Broidy, previously known for his conviction in a state bribery case and his role as a top Donald Trump fundraiser, proffered meetings with the president to foreign regimes who were also potential clients of his defense firm Circinus. Little is known about Circinus, but purported company documents obtained by The Intercept contain plans to peddle social media surveillance software to repressive regimes.
The Circinus website paints the contractor as a red-blooded defender of U.S. national security: “Are you a patriot determined to keep our country — both government and private industry — safe?” its careers page reads. Circinus’s executive roster boasts experience in U.S. special forces, Homeland Security, and military intelligence. But the documents, a series of pitch decks, indicate that the company was prepared to sell what’s described as a suite of sophisticated internet-mining tools to the governments of Cyprus, Romania, Tunisia, and the United Arab Emirates, touting the ability to detect and identify online “detractors.” The recent histories of Tunisia and the UAE are rife with human rights abuses, including crackdowns against political dissent.
It is not clear if the pitches were actually presented to any or all of the countries in question, but the New York Times in March identified Romania, Tunisia, and the UAE as prospective Circinus clients. The newspaper described meetings between Broidy and officials from Romania and Tunisia, as well as reporting that Broidy wrote to others about efforts to win business from the UAE.
The presentations obtained by The Intercept, dated 2016 and 2017, focus on the collection of so-called open source intelligence, referred to as “OSINT” throughout. This is a flashy way of describing information that can be freely accessed online, such as tweets, blog posts, and any other content not locked behind a password. Although typically not as sensitive as the content people keep stored privately, internet users frequently leave trails of “open source” breadcrumbs across the web that can be used for compromising purposes. Harvesting social media sites like Facebook and LinkedIn en masse is generally frowned upon as invasive by users and web companies alike, especially given how difficult it is for most people to properly configure the privacy settings on a service like Facebook. But this is no issue, according to the documents: “If it is on the World Wide Web,” reads a pitch to the government of Cyprus, “it can be ingested by the Circinus Open Source Analytics Center’s analytical platform.”
According to the materials, Circinus’s ingestion of online information often involved a process known as scraping, in which content is anonymously downloaded and information of interest is filtered from it. The documents further claimed Circinus could “scrape the entire web, including blogs, newsfeeds, video, comments on news sites and a range of other sources in all languages and from all countries.” But, unlike the myriad marketing firms that advertise their ability to scrape Twitter and sell you some sort of “insight,” Circinus is a defense contractor and in the documents is positioned as a potential partner to intelligence agencies and policymakers, both foreign and domestic.
In a lawsuit filed this past March, Broidy alleged that he is the victim of a politically motivated hacking campaign executed by the government of Qatar and that files stolen from him by the hackers were subsequently distributed to members of the press. The suit alleges the hackers have “doctored or wholly forged” some of these documents, though it cites zero examples, nor have any faked or altered materials been reported by the press.
Circinus would not comment on the authenticity of the documents without being provided with full copies, but did characterize the pitches as having been “stolen.” The Intercept was unable to verify the authenticity of the documents, but the services described are exactly the sort of offerings Circinus markets publicly. A company spokesperson also answered questions about the substance of the documents without dispute, confirming that “three of the countries listed received capabilities briefs based on interest,” but that “the other one was built for consideration to determine if there was a compelling case but never gained interest.” The spokesperson also said that the aforementioned countries “had key events in their recent past that clearly could benefit from the analysis of Publicly Available Information,” and that such analysis “could be tailored to the customer’s interest.”
The embassies of Cyprus, Tunisia, Romania, and the UAE did not return requests for comment.
The buzzword-laden presentations are at once ominous and vague: The Cypriot pitch claims Circinus could help that government’s “influence” and “targeting” abilities, while a social media geolocation feature could help at a “tactical level” by letting “agents in the field [identify] Social Media traffic in real-time, on the street where they are operating.” The Tunisian pitch went further, claiming that Circinus’s software could detect online “detractors” of the state, as well as “identify not just the nature of the Information but also significant information about the individual from whom the relevant Open Source Information originated.” Elsewhere, that same document expands on this “identity resolution” feature, what it defines as “the ability to resolve multiple online identities or personas to assist the government in conducting background investigations and for vetting applicants seeking legal immigration status”:
A government will be able to use meta-data and a complex “fuzzy matching” process to match online personas, both real and alias, to provide a quantifiable level of confidence that two “data-supported” identities are the same. By accumulating identity context over time, a government will be able to use various sources of information to determine whether individuals really are who they say they are. Once identified, Circinus’ software can determine the links between individuals and organizations. Linking individuals, organizations and addresses enables the discovery and analysis of both loosely and tightly-coupled networks, providing a more complete intelligence view that multiplies the effectiveness of conventional Open Source Information collection and analysis.
These capabilities were ostensibly offered in service of what remains an oppressive state. Tunisian civil liberties have changed radically since the overthrow of dictator Zine El-Abidine Ben Ali in 2011, but as recently as last year, a Tunisian blogger was imprisoned for making “defamatory” statements against the government on Facebook. The human rights watchdog Freedom House rates the country’s internet policies as only “partly free,” owing to concerns over anti-dissent crackdowns. “Torture and other ill-treatment of detainees continued in an environment of impunity,” Amnesty International wrote of the country, heading into 2018. “Prosecutions of peaceful protesters increased in several regions.”
The contents of the presentation made for the government of the UAE are unknown; The Intercept was provided with only a cover page. But the formatting and file name of this document suggest it contained similar services related to the processing of online information. Dissent of any kind, whether online or off, is even more brutally punished in the UAE than in Tunisia: In March 2017, the same date as the UAE pitch document, Emirati academic Nasser bin Ghaith was sentenced to a 10-year prison term for comments he made on Twitter. Earlier this month, the award-winning Emirati human rights advocate Ahmed Mansoor was sentenced to his own 10-year term for “insulting the UAE and its leaders” online, reported The National, a newspaper based in Abu Dhabi.
It’s common for defense and security firms around the world to sell their wares to less-than-upstanding regimes and immediately dust their hands of any further culpability. Defenders of such software will claim it’s up to the customer to use or abuse what they say is a neutral tool that can’t be policed by its makers. But what was sold in the pitches wasn’t just the power of Circinus software, but also the formation of an ongoing collaboration between the foreign customer and a dedicated team of Americans working out of Virginia — what the pitches call the “Circinus OSINT Center.” One page in the Cyprus document notes that the use of a U.S.-based team would effectively mask the Cypriot government’s use of its technology, shielding the government from “the risk of being exposed to Google analytics or compromising the IP addresses of the machine or network originating the search.” The pitch here appears to be advertising the ability to essentially launder web-based surveillance through the United States, a feature the document refers to as a “misattributed environment.”
This apparent collision of Trumpism, surveillance, and repressive governance is naturally worrying to privacy advocates. Edin Omanovic, head of the State Surveillance program at Privacy International, told The Intercept that although “Trump came into power promising to drain the swamp … the biggest personal winners from his presidency so far are well-connected business and military people who make up the U.S. military-industrial complex.” Omanovic added, “That large security companies can auction off access to him in such a way should be telling for anyone who still believes he is in any way different to the deep state he pretends to rail against.”
Nonetheless, Omanovic issued a note of caution. “Claims by surveillance companies always need to be taken skeptically,” he said. “Whether Circinus is selling advanced analytics or snake oil, it still raises a number of serious concerns.”
Some signs in the documents certainly point toward snake oil. The materials are self-aggrandizing and over the top, needlessly deploying spook-speak acronyms — PAI, for Publicly Available Information, for instance — and capitalizing random words for apparent dramatic effect, such as “Open Source Information.” Barely intelligible phrases — like “analyze Open Source Information in order to get the most actionable OSINT from the Open Source Information and the other proprietary data” — are the norm, with such an emphasis on empty jargon and buzzwords that the convoluted frequently veers into the incoherent. The language makes it difficult to assess how realistic anything in the pitches really was.
According to Chris Parsons, a research associate at the University of Toronto’s Citizen Lab, ineffective or outright fraudulent intelligence software can be just as dangerous as the real thing. “Many automated OSINT tools are as much snake oil as they are useful,” Parsons said. “It may actually be more worrying if the product is bad, should it produce information that is highly inaccurate, analyses which are deeply deficient, or inferences of threats which are grossly exaggerated.” If Circinus is selling software that doesn’t work or grossly overstates its effectiveness, Parsons added, it’s all the more likely that “individuals may be detrimentally affected by subsequent state activities regardless of their innocence or noninvolvement in activities that state authorities are monitoring.”
In response to questions about potential human rights implications of its software sales, the company spokesperson said, “Circinus maintains a rigorous compliance program with continuous review,” and that “there are policies and practices in place that ensure all regulations are met as well as a quality assurance program that prevents the disclosure of protected or guarded information.” This spokesperson continued:
Circinus focuses on the themes being spread via social and publicly available broadcast media, focusing specifically on trending topics and the locations those topics are most prominent. While our analysts do identify influencers and their networks, Circinus does not provide the client with user-associated personally identifiable information (PII), which might be used for targeting purposes. Furthermore, our analytic lines of effort are oriented against external actors with the intended purpose of providing indications and warning of potential threats planned by hostile nation states and violent extremist organizations against our clients and their interests.
The company did not respond when asked how the purported Circinus “Identity Resolution” feature described in the documents — specifically as giving the ability to let a government “determine whether individuals really are who they say they are” online — is not an instance of at least offering to “provide the client with user-associated personally identifiable information.”
Correction: June 23rd, 2018
An earlier version of this article incorrectly described Broidy as a convicted felon. Although he pleaded guilty to a felony charge, a judge later allowed him to plead to a lesser, misdemeanor charge before his conviction.