The intrusion at Italian security software firm Hacking Team, and the subsequent release of over 400 gigabytes of the company’s data, has focused new attention on the often shadowy world of firms selling sophisticated surveillance tools to government and law enforcement agencies, including those with dubious human rights records.
Hacking Team is one of several companies that have been in the spotlight over the past few years for selling spyware tools that many say have been used to conduct surveillance on ordinary citizens, journalists, and rights activists around the world. Earlier this week, unknown hackers broke into Hacking Team's network and looted executive e-mails, customer lists, and proprietary software from its systems in an astounding heist.
The leaked documents show its customers have included countries such as Sudan, Morocco, Saudi Arabia, and US agencies such as the FBI.
In 2013, Reporters Without Borders labeled the firm as a corporate enemy of the Internet for selling hacking products to governments that violate human rights. But Hacking Team is not alone. Other so-called Digital Era mercenaries identified by Reporters Without Borders include UK-based Gamma Group International, Trovicor of Germany, Amesys of France, and Blue Coat of the US. What's more, according to the watchdog group, its list is by no means exhaustive.
Most of these vendors are based in Western nations and their products are being used by governments around the world to spy on data in computer hard disks, recover usernames and passwords, access messaging content, and monitor conversations taking place on voice over Internet protocol services.
“In the hands of authoritarian regimes, it can be turned into formidable censorship and surveillance weapons against human rights defenders and independent news providers,” according to Reporters Without Borders.
In a statement Wednesday, Hacking Team said enough of its source code had been publicly posted by the hackers to allow anyone to deploy the company's surveillance tools against targets of their choice.
"Before the attack, Hacking Team could control who had access to the technology which was sold exclusively to governments and government agencies," the company said. "Now, because of the work of criminals, that ability to control who uses the technology has been lost."
For the moment at least, all of Hacking Team's customers have suspended use of the Remote Control System tool that was compromised in the breach, the statement said. But Hacking Team engineers are working to update the software so customers will be able to start using it again soon.
In the post-Edward Snowden era, the activities of firms such as these have stirred considerable outrage among privacy and rights advocates. But there are few publicly available facts about these companies, such as the revenues they generate from sales, who they are selling to, their profitability, and the overall size of the market opportunity.
Data leaked in the Hacking Team breach showed that at least some of the company’s customers paid or are paying in the middle to high six figures for its products. But it's unclear how those numbers compare with those from other vendors of similar products.
The leaked details about Hacking Team’s operations are sure to fuel calls for stronger controls on the export and sale of hacking tools by software vendors. Growing concerns over the issue have already prompted changes in a multilateral export control regime called the Wassenaar Arrangement, to which the US is a signatory.
The pact is designed to establish greater transparency and control over the export and transfer of certain weapons and dual-use technologies. It was amended in 2013 to include controls for surveillance software of the sort sold by Hacking Team and others.
The European Union has agreed to implement the amendments, so tools such as those sold by Hacking Team are subject to stricter licensing restrictions. As an EU-based entity, Hacking Team is bound by these rules and the company could run into serious trouble if it is found to have deliberately flouted the law.
But more action is needed, especially in the US, where there is some concern over how the software subject to export restrictions will be defined, says Edin Omanovic, research officer at Privacy International in London. The EU, for example, exempts all software that is in the public domain from export restrictions. But the US has proposed taking away that exemption in the case of some software tools, such as intrusion software.
As a result, there are broad and growing concerns that software used for legitimate security research purposes, such as penetration testing, will come under new export controls, Mr. Omanovic says.
The Department of Commerce’s proposed implementation of the changes to the Wassenaar Arrangement uses an overly broad description of the tools that need to come under export control, says the Electronic Frontier Foundation.
As proposed, the Commerce Department’s list of controlled technologies includes systems and software that can be used to conduct legitimate penetration tests for identifying hardware and software vulnerabilities. Many of the tools that vulnerability researchers routinely use to develop proof-of-concept attacks and exploits would be controlled, and there would be new restrictions on how and what vulnerability research could be shared, the EFF notes.
A better approach would be to eschew sanctions and export control altogether, says Nate Cardozo, staff attorney at EFF.
"When companies turn a blind eye, there are already legal tools available to hold them accountable without increasing the export control load," Mr. Cardozo says. If Hacking Team, for instance, sold surveillance tools to Sudan, the company can already be held accountable under existing laws, he said.
Hacking Team describes its interception products as “offensive technology” for government agencies and law enforcement authorities. Among other things, the company’s tools can be used to stealthily monitor systems, remotely activate computer microphones and cameras, and get around measures like encryption that people might use to protect their data and communications. The company has claimed that it has discretion in how its technology is used by customers and has previously insisted that it never sells to governments that are blacklisted by the US or the EU.
The leaked documents, however, suggest otherwise and show that Hacking Team’s clients may have included the government of Sudan, a country under heavy United Nations sanctions. In several tweets following the intrusion at the company, Hacking Team employee Christian Pozzi insisted that the leaked documents revealed little more than the sale of custom security software for its clients.
But to many within the security community, the Hacking Team data dump offered a clear indictment of its practices. What they are doing, says Bruce Schneier, noted security expert and chief technology officer of Resilient Systems, "is like selling shock batons to South Africa in the 1980s."