RSA 2013: Hacking Team Defends Its Surveillance Software

Given how much flak Hacking Team has taken from the civil rights community, it was pretty brave of the firm to come to RSA 2013 to fend off accusations its surveillance software was sold to repressive regimes, who allegedly have a history of torturing and killing those they spy on.

A number of studies have linked Milan-based Hacking Team’s kit to snooping campaigns on activists in countries such as Morocco and the UAE. In Morocco, an activist group called Mamfakinch, which was awarded a Breaking Borders Award in 2012 by Google and Global Voices, claimed that the government used Hacking Team software to spy on it.

In October last year, Ahmed Mansoor, a blogger and part of a group of activists from the United Arab Emirates known as the UAE Five, who were imprisoned from April to November 2011 on charges of insult, claimed to have been targeted by the software.

Hacking Team surveillance

According to Jacob Appelbaum, a security researcher and core member of the Tor Project, the use of Hacking Team tools and similar software can be the difference between life and death.

“These people are tortured, some of them are murdered … the result of the things we are talking about here is a life and death matter,” Appelbaum said, during a session this morning at the RSA Conference. “We are also having to deal with companies in Palo Alto or Milan dealing in this.”

“This is a shameful thing and we shouldn’t be exporting it.”

Eric Rabe, senior counsel for Hacking Team (pictured), said most of the evidence Appelbaum had laid out during the panel session was “largely circumstantial”. He also said the company would investigate any cases where it believed clients had used the software to break laws, or go beyond its terms of service.

Where abuse is uncovered, Hacking Team can remotely access the software and make it considerably less useful, Rabe said. Or as Appelbaum put it, “you’ve got a backdoor for your backdoor”.

The firm will only sell to governments or public bodies, in nations not on official EU, US or related blacklists. Although, as Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, noted, a number of countries who have allegedly committed human rights abuses are not on such blacklists: “The standard being proposed is blacklisting… but that’s too permissive.”

Hacking Team said it also keeps an eye on nations where there is a regime change, so it keeps in line with local laws. “One person’s activist is another person’s terrorist,” Rabe said.

Rabe even got some support from an employee of the US government, Dale Beauchamp, a security professional working at the US Transport Security Administration (TSA). Beauchamp said surveillance was useful in cases where a suspect needed targeting, although the US government had other methods for watching over people’s communications, namely installing boxes within ISPs to intercept communications.

Taking ‘stern action’ against human rights abusers

Despite the apparent safeguards, there remain plenty of ambiguities surrounding HackingTeam and its ethics. Rabe told TechWeekEurope the company’s software was modified depending on the country and how restrictive the laws were, implying that the software could go deeper into systems depending on where they were based.

Rabe said the company took “stern action” after investigating the cases in Morocco and the UAE, even though it didn’t come to the same conclusions as Appelbaum, but he could not go into any detail. Like Gamma International, a British firm accused of selling its FinFisher software to repressive regimes in the Middle East, it will not give away any information that might indicate who its customers are.

Little is known about Hacking Team, but TechWeek learned the company has three offices: Milan to sell into Europe, Washington DC for the Americas, and Singapore for Asia. Rabe would not be drawn on whether it sold to China. It was founded in 2003 and started making surveillance software in 2005, and now has close to 50 clients.

The software itself does what typical, highly-sophisticated malware does. It can log keystrokes, take screenshots, and intercept email, Skype or other Internet-based communications. There are believed to be mobile, Mac and Windows versions.  And it comes with rootkit technologies to hide itself from security software.

The problem for Hacking Team is that evidence of abuse of their software has been uncovered, but it is not able to provide proof it is taking those “stern actions” against those misusing its software to breach basic human rights. If it can’t improve its image amongst the more vocal civil rights lobbyists, it may lose out on business amongst the richer Western governments.

Are you a pedant on privacy issues? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

View Comments

  • Shame on you Hacking Team, i was one of those who discovered your backdoor, you KNEW very well to who you were selling it. You knew that you were selling it to murderers and torturers, to people commiting crimes against humanity.
    Now you're not even able to say sorry, you just liked so much the money, that you're only planning to be "a bit more careful", nothing more.

    I wish and i hope you will all end up in jail, that's where you belong.

  • Well, the bottom line is that nearly every Security vendor sells tools to repressive police states that aid in monitoring and restricting the expression of citizens.

  • Thanks for your article covering a recent panel on legal surveillance software held then Feb. 28, 2013 RSA conference in San Francisco. There are a couple of important points about what was said there that your readers should understand.

    You describe photographs dramatically produced by fellow panelist Jacob Appelbaum. I would point out that there is no evidence and Appelbaum offered no evidence whatsoever that the torture victims whose shocking photographs he showed, or any other torture victims, were in an way related to the use of software our firm provides.

    Later in the story you note that Appelbaum referred to certain elements in our software as a “backdoor in (a) backdoor.” Appelbaum was misinterpreting a remark in which I said, “There are elements of the software that allow for checks on how it is used.” What I said is accurate and refers to certain auditing features of the software (e.g,. a cryptographic audit trail that cannot be tampered with by anybody) that allow our clients to prevent abuse. As is his style, Appelbaum chose to paint this remark as something sinister. Your reporter went along.

    As I said at the panel, Hacking Team takes very seriously the need to do all we can to be sure our software is not abused. For obvious reasons, we cannot describe the details of the software nor the location or identities of our clients. However, an independent board carefully reviews potential HT sales before they are final to evaluate the risk of abuse. We require our clients to operate lawfully and we investigate circumstances that may violate our contracts.

    Eric Rabe
    Hacking Team

    • If you don't want to be portrayed as sinister you should probably not knowingly enable people to do sinister things, you jacka$s.

  • Dear Eric,

    I asked you to address the specifics of my statements during my panel and you declined. Nearly all of your statements boil down to "trust us" or "we have a panel of people who advise us" - you refused to discuss their fiscal stake in Hacking Team, you refused to disclose your processes, you also refused to disclose the result of alleged investigations into possible human rights violations.

    Why is it that we should trust a company whose only hard line is a refusal to sell to North Korea? Your work speaks for itself.

    During my opening statements I showed photographs of a number of people from across the Middle East and North Africa. I included Egypt because while the creators of FinFisher weren't on the panel, I would be remiss to give your company credit for having such a large market share. Still, your company does seem to get caught more often than Gamma; so credit where credit is due!

    I named two specific cases with a relation to Hacking Team and showed photos of those people from Morocco and the UAE.

    The case from the UAE was covered by Bloomberg - "Spyware Leaves Trail to Beaten Activist Through Microsoft Flaw":
    http://www.businessweek.com/news/2012-10-10/spyware-leaves-trail-to-beaten-activist-through-microsoft-flaw

    The case from Morocco about the targeting of people involved with the journalist group Mamfakinch was covered by Citizen Lab - "Backdoors are Forever: Hacking Team and the Targeting of Dissent?":
    https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/

    The statement that I read was from Hisham, one of the primary persons targeted during the attacks on Mamfakinch. Allow me to reprint it here for all to read:


    Mamfakinch, which in local Arabic dialect means "we won't give up", has been spearheading the digital struggle in Morocco, offering a free platform for unscripted, uncensored speech and dissent. It was awarded the Breaking Borders Award in 2012 by Google and Global Voices. Then in the summer of
    2012 it was the target of a sophisticated, government-grade spyware attack.

    Research later showed that the spying technology used to attack the group was the product of an Italian company based in Milan called Hacking Team. We, at Mamfakinch, then realized that two years after the start of the Arab revolutions, we were facing a ruthless digital counter-revolution in which the governments in the region were developing sophisticated "cyber security" and surveillance tactics, working hand-in-hand with private western companies.

    This has incalculable consequences on the morale and belief of the netizens that we are and who believe in democracy and freedom but who find themselves today the target of a technology meant to free them all from the shackles of dictatorship. This must stop. Don't hand over the internet to governments.

    Hacking Team has been caught attacking Hisham - if you won't express that his situation is deplorable, won't you at least apologize for your sloppy trade craft?

    The impressive reverse engineering work by Morgan et al is even covered by the New York Times in the following article:
    http://bits.blogs.nytimes.com/2012/10/10/ahead-of-spyware-conference-more-evidence-of-abuse/

    A sample of one Hacking Team RCS backdoor is analyzed by drweb: http://news.drweb.com/show/?i=2604&lng=en&c=5

    Additional evidence about Hacking Team is available on the Blue Cabinet website:
    http://bluecabinet.info/wiki/Blue_cabinet/Hacking_Team

    As I said at the panel, Hacking Team is directly related to the suffering of a number of the people I mentioned. Hacking Team needs to address these specific cases and to do so in public without any hand waving or weasel words.

    Stop selling your software to dictatorships and governments that engage in torture - especially those regimes who torture people working for democratic reform peacefully.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago