Your Privacy on Sale – the Commercial Spyware Market

When protesters equipped with Facebook, Twitter and other social media applications began toppling authoritarian leaders all over the Middle East during the Arab Spring, commentators and political scientists alike hailed these applications as the new tools that would help protesters and activists throughout the world democratize their nations. However, the Arab Spring also exposed the darker side of Western technology that was coming to the developing world. In government buildings, protesters found the tools which those regimes used to spy on their own citizens – highly advanced spyware and tracking suites developed by for-profit Western companies and sold, perfectly legally, to Arab dictators for the express purpose of keeping tabs on political activists.

Egyptian pre-Arab Spring strongman Hosni Mubarak was a customer of the British-German Gamma International and their FinFisher spyware, while Libya’s Muammar Qaddafi used software purchased from the French company Amesys to spy on journalists and human rights campaigners. Even more egregious were the actions of the Italian company Area SpA, which was installing new surveillance equipment for Syria’s Bashar al-Assad as late as March 2011 – at the same time as the Syrian army was killing protesters demonstrating against the regime.

Many of these applications entered development during the growth of government-sanctioned surveillance following the September 11th terrorist attacks against the United States. But the technology originally developed for the likes of the American NSA and the British GCHQ did not remain in the hands of governments for long, and now a multi-billion dollar industry sells solutions for everything from cell-phone tracking to Skype call interception and Facebook Messenger hijacking to those who have the money to pay, including dictatorships and other authoritarian governments with histories of habitual human rights violations.

And this business has been growing steadily over the last 15 years. In 2011, the whistleblower website WikiLeaks started publishing a feature called Spy Files detailing the booming market for digital surveillance. The intrusive digital surveillance industry even has its own trade show with the somewhat euphemistic name Intelligence Support Systems (ISS), which convenes every few months to match vendors with potential buyers and allow companies to show off new products at seminars like “Offensive IT Intelligence Information-Gathering” or “Tactical GSM Interrogation and Geo-Location System”.

That is not to say that these products do not have legitimate uses for governments and law-enforcement officials. Large-scale government uses of spyware such as the Stuxnet virus used to disable Iranian nuclear centrifuges or the PRISM mass metadata collection program tend to dominate the media discourse. However, the vast majority of the uses to which such surveillance has been put are far more banal. The US government relied on an as-yet-unnamed surveillance company to break into an iPhone of a terrorist-affiliated mass shooter, while the police in New South Wales, Australia use the same FinFisher software as Hosni Mubarak’s security services to covertly examine suspects’ computers for evidence of drug smuggling, money laundering or child pornography.

However, in the hands of repressive regimes, these surveillance tools pose an entirely new set of challenges. Of particular importance is the borderless nature of the Internet, which allows dictators to repress not just the activists within their own country, but to target political refugees and dissidents abroad as well. In 2011, a Bahraini political activist living in exile in the United Kingdom discovered with the help of a security expert that the government of Bahrain had infiltrated his computer with FinFisher software and was using his online identity to discredit him and collect information on other activists. Similarly, the Moroccan government hired the Italian company Hacking Team to get access to the computer of a France-based democracy activist to extract the contact info of his sources in Morocco. The activist and four of his contributors have now been arrested by the Moroccan government and are awaiting trial on national security charges. Even in Sweden, the national security service SäPo has listed foreign threats against refugees and asylum-seekers as an item of significant concern in both its 2013 and 2014 annual reports.

Some action is being taken by Western nations to limit the spread of such capabilities. The Wassenaar Agreement, signed by most nations in the developed world, mandates export controls on a number of goods, including telecommunications surveillance software, to states or groups engaging in armed conflicts or human rights violations. The EU, at the end of 2014, went even further, requiring all exports of intrusion software to have export licenses in the same way that exports of weapons or rocketry components do. The affected states, however, respond that they need such capabilities to combat terrorism and downplay the effects on civil society or political freedoms.

The software vendors themselves are also reluctant to give up the lucrative contracts available as more and more nations join the network surveillance arms race. Hacking Team’s founder David Vincenzetti tried to move his company to Saudi Arabia, which has not signed the Wassenaar Agreement. Another non-signatory – Israel – has also proven attractive as a home base to both current and new players in the cyber-security field and now accounts for 20% of all cyber-security investments in the world according to Tom Ahi Dror, a project leader at the Israeli National Cyber Bureau.

The debate and controversy around the topic reveal the fundamental duality of the relationship between society and technology. Just as social media has become an effective organizational tool for democratic reformers, so has it helped terrorists and criminals carry out their activities under a cloak of privacy. All across the world, in both developed and developing countries and in both democracies and dictatorships, ‘public safety’ is used as an excuse to violate the privacy of their own and other nations’ citizens; the differences are only in how different regimes define public safety. This shifts the problem from a technological one to a moral one: when we, as citizens of democratic states, approve our own governments’ use of spyware to protect us, we also approve the use of the same technologies by authoritarian states toward their own definitions of safety. This leaves us with a powerful question: is it really worth it?

 

By Yaroslav Mikhaylov

Image Credit:

Cover: Christiaan Colen, licensed under Creative Commons Attribution-ShareAlike 2.0 Generic.

Picture 1: Michael Coghlan, licensed under Creative Commons Attribution-ShareAlike 2.0 Generic.

Picture 2: CPOA, licensed under Creative Commons Attribution-NoDerivs 2.0 Generic.

Picture 3: National Security Agency, public domain.