Hacking Team failed to take effective action to investigate or stop reported abuses of its technology by the Ethiopian government against dissidents, according to Human Rights Watch.
A review of internal company emails leaked as part of a highly-publicised breach against the controversial spyware-for-government firm in July revealed that the company continued to train Ethiopian intelligence agents to hack – and even negotiated additional contracts, despite multiple reports that its services were being used to target government critics and expatriate journalists.
The Italian government should "investigate Hacking Team practices in Ethiopia and elsewhere with a view toward restricting sales of surveillance technology likely to facilitate human rights abuses", Human Rights Watch concludes.
More than 400GB of Hacking Team’s internal emails, documents, and source code leaked online following the breach of its systems. The leaked emails confirmed that the company had sold surveillance systems, training, and support to the Ethiopian Information Network Security Agency (INSA) as early as 2011, through contracts worth $1m in 2012. On November 5, 2012, Hacking Team congratulated INSA on infecting its first target.
Leaked emails document an internal review of reports from February 2014 by Toronto-based research centre Citizen Lab that the government was targeting US-based Ethiopian Satellite Television employees using Hacking Team’s Remote Control System spyware.
ESAT employees received an infected file through Skype in December 2013, which subsequent analysis suggested was filled with spyware that matched previously established characteristics of Hacking Team’s Remote Control System.
Hacking Team's internal emails show only a superficial effort to investigate these findings and end the abuse, according to HRW.
"Although Hacking Team point out that the leaked information is partial, arguing that it does not include a record of phone calls or discussions held during internal meetings at the company, the company’s leaked internal emails do not show that the company conducted a serious investigation in response to allegations that the security agency had misused the system in 2014," HRW said.
At the same time that Hacking Team's staff debated over email about how to respond to media reports of the Ethiopian government’s hacking activities, they were also discussing the security agency’s requests to upgrade its system and purchase additional services.
In March 2015, in response to follow-up reports from Human Rights Watch and Toronto-bsaed human rights organisation Citizen Lab, Hacking Team asked Ethiopian officials for a written response to allegations that it was conducting abusive surveillance. The government responded that its targets are members of Ginbot 7, a banned Ethiopian opposition organisation that the government considers to be a terrorist organisation. The emails show no follow-up inquiry by Hacking Team.
According to Human Rights Watch, the Ethiopian government has invoked “national security” to clamp down on core freedoms and human rights. "Individuals with perceived or tenuous connections to even registered opposition groups are arbitrarily arrested and interrogated based on their phone calls," according to Human Rights Watch. "Recorded phone calls with family members and friends – particularly those with foreign phone numbers – are often played during abusive interrogations in which people who have been arbitrarily detained are accused of belonging to banned organisations."
In internal discussions revealed by the leaked emails, Hacking Team staff appeared to accept the Ethipian government’s justification that the surveillance was “lawful.” Hacking Team briefly suspended service to Ethiopia in March 2015, though seemingly this was over concerns that the government’s “incompetent” and “reckless and clumsy” use of its spyware would expose Hacking Team’s technology to detection, rather than concerns over possible human rights abuses.
Previous reporting by Citizen Lab and others described how the Ethiopian government had used tools provided by FinFisher, a UK and Germany based competitor to Hacking Team, to target Ethiopian expats in the US, UK, and Norway. The Electronic Frontier Foundation sued the Ethiopian government on behalf of one of the victims for violating US privacy laws back in February 2014.
Hacking Team states it sells its wares exclusively to governments. This assertion has come under scrutiny since the leak but most of the heat has come from sales of spyware to governments with questionable human rights records, in particular Ethiopia and Sudan. Leaked emails provide evidence that Hacking Team sold its tech to Sudan in 2012 for 960,000 euros. Leaked emails reveal that Hacking Team stopped sales to Sudan in 2014, after pressure from a UN sanctions monitoring panel.
The firm maintains that it did nothing wrong in selling surveillance tech to Sudan or anywhere else. "At the time of the company’s only sale to Sudan in 2012, the HT technology was not classified as a weapon, arms or even dual use," Eric Rabe, the firm's chief marketing and communications officer, said in a post hack statement in late July.
Italy and other governments should ensure that all sales of Hacking Team systems and similarly echnologies are reviewed on a case-by-case basis, with particular emphasis on the human rights record of prospective buyers.
“The Hacking Team leaks show this industry cannot be depended upon to regulate itself,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “Italy and other governments should not turn a blind eye to these revelations, but should immediately investigate the practices of international spyware companies and impose real oversight and control over the exports of surveillance technologies.”
Hacking Team spokesman Eric Rabe told The Register: "Hacking Team investigated allegations of misuse of company technology and ultimately broke off all business relationships with Ethiopia. Ethiopia is not a client today, and Hacking Team has made no application (under new regulations that went into effect earlier this year in Italy) to provide any services to any Ethiopian entity whatsoever." ®