Perhaps no massive hack of a private company has been met with such glee on Twitter as the one that occurred early Monday morning. A notoriously unethical Internet security firm called “Hacking Team” itself became the target of a hacker, resulting in an outpouring of LOLz from those who enjoy a healthy dose of schadenfreude, and a ready example of the universe’s occasional adherence to the rules of karma.
Having a bad day? Open up Twitter & load up on some well deserved HackingTeam schadenfreude. It’s worked every time this week.
— Chris Adams (@mrchrisadams) July 7, 2015
Documents revealed on the company’s own Twitter account by an anonymous hacker laid bare what had long been widely suspected: The firm has been selling malware and intrusive mobile surveillance technology to repressive regimes known for systematically targeting human rights activists, independent journalists and political opposition groups. Among their customers were some of the world’s worst violators of human rights, such as Ethiopia, Sudan and Bahrain. Well-heeled autocratic regimes like Russia and Saudi Arabia were also on their client list, as were Azerbaijan, Turkey and Morocco.
While Twitter celebrated, the news was more personal for a different group — people like Endalk Chala, a 33-year-old Ethiopian journalist currently studying at the University of Oregon.
“I would say they are ruining people’s lives,” he says. “They are collaborating with people who are trying to control people’s lives. There must be some kind of moral responsibility for hackers who sell these kinds of tools.”
As an independent journalist in Ethiopia and cofounder of the Zone 9 blog, Chala was subjected to the kind of state surveillance Hacking Team’s technology helps facilitate. After he left the country in 2013, six of his former colleagues at Zone 9 were arrested, along with three other journalists. They were all charged under Ethiopia’s broad anti-terrorism law, which the government has frequently used to target journalists and members of opposition groups.
According to a report by Mohamed Keita, advocacy coordinator for the Committee to Protect Journalists’ Africa Program, the law criminalizes writing about opposition groups as providing moral support to terrorism, and has caused a chilling effect within the country's media. Human Rights Watch denounced the legal proceedings against the Zone 9 bloggers as a “spurious prosecution before a court under the government’s thumb” and said “unreasonable delays, lack of access to lawyers, and various procedural irregularities raise serious concerns about the defendants’ rights to due process and a fair trial.” Just as we were preparing to publish this article, the Ethiopian government dropped charges against three of the nine and released them. A hearing for the remaining defendants is scheduled for later this month.
Ethiopia, which has been ruled by a coalition of ethnic parties known as the Ethiopian People's Revolutionary Democratic Front (EPRDF) since 1991, was ranked number four on a list of most censored countries for 2015 maintained by The Committee to Protect Journalists. According to Reporters Without Borders, the government stepped up its persecution of journalists in the run-up to May’s elections, with threats and arbitrary criminal proceedings.
Chala says the government submitted 30 pages of phone and surveillance records as evidence against the bloggers. The records covered a three-year time period when the group had been working on a human rights report they planned to submit to the United Nations. These records are the sorts of things that can be gathered using Hacking Team's tools.
“We never suspected that our phone was tapped the entire time,” Chala says. “We were calling other journalists across the country and trying to get people to validate the report. [The government] knew every bit of my communication, all my private information.”
Soliyana Gebremichael, 28, was among those charged. Like Chala, she was out of the country when the crackdown occurred.
“I was so shocked to know that these guys have been listening to my personal conversations, my conversations with my family, with my boyfriend for the last three years,” says Gebremichael, who currently resides in the Washington, DC, area. “If these kinds of actions are being supported by these kinds of companies and tools, I think someone should stop that because it relates directly to my privacy.”
Among the documents revealed in the Hacking Team hack was a bill the firm had sent the Ethiopian government for $1 million.
Who says selling surveillance tech to govs that spy on journalists doesn't pay well? $1 mil from Ethiopia. pic.twitter.com/I3HCxdl3Gl
— Christopher Soghoian (@csoghoian) July 6, 2015
The exact figure was new, but human rights activists had already linked the firm with the Ethiopian government. An investigation last year by Citizen Lab researchers at the University of Toronto uncovered indications that Ethiopia’s intelligence agency, the INSA, had attempted to target journalists at Ethiopian Satellite Television, a diaspora-run news outlet based in the US, using Hacking Team software. The case mirrors another one currently being litigated in US federal court, where the Ethiopian government is being sued, accused of installing a different spyware program on the computer of an American citizen. The man volunteered for an Ethiopian opposition party, Ginbot 7, which the Ethiopian government labeled a terrorist group in 2011. The suit, which is brought by the Electronic Frontier Foundation, seeks to “demonstrate that warrantless wiretapping is illegal and can be the basis of a lawsuit in the United States, regardless of who engages in it.”
The Citizen Lab report generated media coverage — coverage Hacking Team wasn’t comfortable with, as Monday’s document dump revealed.
According to internal company emails translated by The Intercept, while Hacking Team was publicly denying its technology had been used to hack journalists in the US, the firm privately confronted Ethiopian officials about the incident. The company’s main frustration wasn’t a human rights issue, however, but the fact that the Ethiopians had used the same email address in two separate phishing attempts, making them easy to track back to a single source.
From the Intercept:
Daniele Milan, Hacking Team’s operations chief, weighed in favor of closing the account, saying that INSA’s “reckless and clumsy usage of our solution caused us enough damage.”
Ultimately, the emails cited by The Intercept indicate Hacking Team reinstated Ethiopia's account after a brief suspension. The fact that they were well-paying customers appears to have weighed on Milan’s mind. “But I know that 700k is a relevant sum,” he said in another email.
It’s impossible to say to what extent the Ethiopian government has used Hacking Team software to target journalists — or if the government specifically used Hacking Team software to target Zone 9 bloggers, but the fact that the state was willing to use it to target Ethiopian journalists in the United States makes it highly likely they were also willing to use the tool to target journalists domestically.
“We don’t know the full scope of what the Ethiopian government has done with these kinds of intrusion tools, although judging from what we have found so far, it seems just part and parcel of the government’s complete crackdown on any kind of independent voices,” says Cynthia Wong, a senior researcher on the Internet and human rights for Human Rights Watch.
While Hacking Team’s future is uncertain, they are just a small player in the private surveillance industry. The quickly growing field generates between $3 and $5 billion a year, according to a report from Bloomberg. A coalition of human rights organizations, including Human Rights Watch, Amnesty International and Reporters Without Borders, has banded together to start “The Coalition Against Unlawful Surveillance Exports” or CAUSE, which calls for better regulation of the 15 companies that produce large-scale intrusive surveillance software, including Hacking Team.
In the United States and Europe, the rules governing the export of surveillance software will soon be covered under an arms control treaty called the Wassenaar Arrangement. The agreement was updated in 2013 in a way that might prevent companies like Hacking Team from selling surveillance software to repressive regimes, and both the US and the EU are in the process of updating their export laws to reflect that change. CAUSE has published a report detailing how the EU’s legal framework can be updated to ensure that export restrictions protect “both human rights and legitimate security research, while also bringing transparency and accountability over a trade in which none currently exist.”
Despite CAUSE’s efforts, Gebremichael doesn’t expect things to change anytime soon. She’s seen report after report published about human rights violations in Ethiopia with little effect. While she understands why people enjoyed reading about the details of the hack on Hacking Team, she thinks it can be too easy to forget the real consequences of the company’s actions.
“I would tell [Hacking Team] that the transactions that they thought were easy have not been easy for me. It’s affecting my life. It’s my friends life,” Gebremichael says. “People have ended up in prison because of the tools that they gave the Ethiopian government. Nine young people are in jail for trying to change their country.”
Her family, including her parents and siblings, still live in Ethiopia. She’s careful what she says when she calls home.
“I have never called anyone except my mother for the last year,” she says. “I just don’t want to put anyone in danger.”