The digital security community has been reacting this week to leaked documents from italian surveillance company Hacking Team. The documents, which include lists of contracts and sales pitches to some of the worst authoritarian regimes and countries with weak democracies, show a global industry of sales to states of software that can invade and spy on personal computers and mobile devices almost without limit. Buried in that data was information that reveals a disturbing trade in such technology across Latin America. EFF, Derechos Digitales, Fundacion Karisma, R3D and our colleagues in the region have issued a statement to Latin American governments, demanding more transparency on how Latin American states are using -- or misusing -- spyware like that sold by Hacking Team. This is only the beginning of a long-needed review of the use of this tools, not just in South America, but everywhere that countries deploy intrusive surveillance technology without oversight or accountability.
Sociedad Civil de América Latina rechaza software espía de Hacking Team
On Sunday, July 5, over 400GB of information was publicly exposed from the Italian firm Hacking Team, a company dedicated to the commercialization of government spying software. The documents include invoices, emails, tax data and source code, among other files. The revelations allow us to understand the global reach of Hacking Team, a company that was listed in 2013 by Reporters Without Borders as one of the "enemies of the Internet."
The spying software sold by Hacking Team, also known as DaVinci or Galileo, include software that infects the devices of the attacked person, allowing the harvesting of information, messages, calls, and emails. The attacker also gains access to their target's microphone, camera, and keyboard to record images, audio, or any other activity without the knowledge of the person concerned.
The leaks indicate that six countries in Latin America are clients of Hacking Team: Chile, Colombia, Ecuador, Honduras, Mexico, and Panama. Agencies like the Investigations Police of Chile (PDI), the Secretariat of Intelligence of Ecuador (SENAIN), the Directorate of Police Intelligence of Colombia (DIPOL), and the Center for Investigation and National Security of Mexico (CISEN) have all acquired software licenses remote control (RCS) from the Italian company. In the case of Mexico, the leak identifies 14 individual contracts between the company and federal and state governments, many of whom lack the legal authority to intercept private communications.
Latin American civil society groups reject the sale and purchase of these monitoring programs without adequate controls and that put human rights at risk in the region, for the following reasons:
The buying process was conducted in complete secrecy. We demand that the States concerned make efforts to ensure the transparency of their intelligence activities, in particular the purchase as well as the effective usage of the surveillance technology especially given the real possibility that this software is being used to spy on activists and dissidents without cause. (In 2013, the firm Kaspersky had already shown that DaVinci was used for spying on political activists in the Middle East.)
Given the poor standards of existing legal controls on the acquisition and use of surveillance technologies in the region, we need an open and public debate in Congress about the laws that govern and regulate surveillance activities, subject to public scrutiny. These activities have the potential to violate human rights, and so our laws must reflect the highest standards and require intelligence agencies to require prior authorization by an impartial and independent judicial body.
Government surveillance must abide by the principle of proportionality, exhausting all possible legal remedies before violating the privacy of an individual. It should pursue the least intrusive measures and have clear points of strict control. Otherwise, not only do we risk violations of the right to privacy, but we also undermine our right to freedom of expression, the right to information, freedom of movement and association, and the full exercise of all other human rights.
The company Hacking Team and the governments involved are responsible for this spying in the international arena. We demand that companies respect human rights. There should be no contracts to provide services with oppressive and abusive governments. We demand states respect the human rights of their citizens, to cease such illegal surveillance practices, and be transparent about the use of purchased surveillance software, the cost to taxpayer in each case, and the legal and procedural guarantees that are used to prevent a massive intrusion on people’s rights.
- ACI-Participa (Honduras)
- Asociación por los Derechos Civiles (ADC)
- Artículo 19 (México y Centroamérica)
- ContingenteMX México)
- Derechos Digitales (América Latina y Chile)
- Enjambre Digital (México)
- Hiperderecho (Peru)
- R3D - Red en Defensa de los Derechos Digitales (México)
- Fundación Karisma (Colombia)
- RedPato2 (Colombia)
- Fundación para la Libertad de Prensa - FLIP (Colombia)
- Fundación Acceso (Centroamérica)