In what has been labelled as poetic justice by some, the Hacking Team, an Italian company that sells mass computer and mobile device surveillance software has itself been hacked. The alleged hackers, tweeting as Phineas Fisher, uploaded 500GB of internal files stolen from the Hacking Team’s systems and made them publicly available.
Details of the Hacking Team’s operations and its customers quickly started to emerge. The Hacking Team has sold software to infect, and spy, on around 6,500 devices, by 64 different government security and law enforcement agencies. These governments include those of countries like Chile, Morocco, Tunisia, Sudan, Ethiopia and even Australia and the US.
Statements form Hacking Team representatives have highlighted an ambivalent attitude to who they should, or shouldn’t sell software to. Company spokesperson Eric Rabe has claimed both that they do vet their clients and follow international trade restrictions and at the same time declared that it is not their job to make judgements about a country’s record of human rights abuses.
Even claims that they are no longer “servicing” countries like Sudan whose government has a long history of human rights violations shows up in a letter from the United Nations asking whether they Sudan were still using their software and the nature of their contracts with that country. The Hacking Team avoided responding but eventually argued that as a private company they couldn’t reveal the nature of their contracts with organisations and besides, their software was not a “weapon” and therefore did not contravene any arms embargo placed on the Sudanese government.
Companies selling tools for spying on computers and phones have been around as long as there have been those devices. There are a large number of these companies selling billions of dollars worth of surveillance software to government security agencies and law enforcement relatively indiscriminately.
The software that they sell is capable of getting around encrypted communications and record conversations, use the cameras on phones and computers and remain undetected by antivirus software.
In fact the rise in use of secure communications like SSL and encryption by default by companies like Google and Apple have been used as a sales technique by stoking fears that this will be used by terrorists to avoid detection by security and law enforcement agencies. They have stoked these fears further by suggesting that through the hack, their software would now be in the hands of “Terrorists, extortionists, and others” leading to an “extremely dangerous situation”.
It is probably not an exaggeration on their part to state that we are in a dangerous situation as a result of the use of this type of software. However, software based “weaponry” is much harder to guard than its physical counterpart and it is inevitable that through one means or another it will fall into the “wrong hands”. This is made much easier the more widespread the use of this software becomes. The eagerness of agencies to use this method of surveillance inadvertently increases the risk that it will in turn be used against themselves and others.
None of these considerations matter much to the spyware industry. They will thrive in an environment of increased fear and the desire of governments to control opposition and dissent of any kind. The more cyberattacks there are on their customers and companies in their customers’ countries, the more their products can be sold as a means of “offensive security”.
Despite questions being raised in the European Parliament about the activities of the Hacking Team, it will presumably be back in operation and resuming operations soon. The hack of their documents at least provides a transparency of their modes of operation that perhaps will reign in their activities with governments with poor human rights records. Given that ultimately, this is all about making money, it is unlikely that they will do this voluntarily.
David Glance is director of the UWA Centre for Software Practice at the University of Western Australia.