Hacking Team and FinSpy Clients - map created using mapchart.net

This week’s document leak from surveillance software vendor Hacking Team provided new details on the burgeoning growth of a private surveillance industry which has spread globally without any meaningful oversight. While revealing many new and concerning aspects of Hacking Team’s activities, it also confirmed a number of theories we’ve long suspected about their operations.

These revelations, which Privacy International’s Deputy Director Eric King has called “the equivalents of the Edward Snowden leaks for the surveillance industry,” have clear geopolitical significance, and it’s likely the story will continue to unfold as journalists and researchers around the world begin to unpack the trove of documents and emails contained within the leak and put them in context.

At this early stage, however, there are a few new insights worth noting. We’ve learned that Hacking Team’s client list is much longer than previously thought: the Citizen Lab’s extensive research on Hacking Team identified twenty-one current or former government users of Hacking Team’s Remote Control System spyware. The new leaks indicate at least thirty-eight current or former government users.

This list of clients includes a number of regimes known for violating the human rights of their citizens: Azerbaijan, Bahrain, Egypt, Ethiopia, Russia, Saudi Arabia, and Vietnam. Most egregiously, Hacking Team provided spyware to Sudan, a violation of a UN embargo on the sale of arms to the country, and appears to have misled a UN representative as to whether it had business relations with the country. Sudan was also designated a state sponsor of terrorism throughout the 2012-2014 time period, which raises the question of whether Hacking Team (which has US operations) violated the US ban on material support for terrorism.

Despite claims that they go to great lengths to avoid selling software to governments blacklisted by international organizations, it’s apparent that the company has no meaningful oversight—the leaks demonstrate that Hacking Team is willing to sell invasive surveillance technologies to just about anyone. For instance, the US State Department notes that human rights are regularly stifled by Hacking Team clients Egypt, Eritrea, Ethiopia, Russia and Saudi Arabia. As the Intercept has stated, the company appears to “see ‘opportunity’ where others see repression.”

EFF has long worked to help individuals impacted by the surveillance industry. Next Tuesday we are going to be in court in Washington, DC representing an American citizen who was illegally wiretapped by Ethiopia using Hacking Team rival FinSpy in Kidane v. Ethiopia. Our goal in the case is to ensure legal accountability for the countries that misuse these technologies and to combat the idea that countries can spy on the citizens of other countries with impunity.

The leaks also provide new insight into the wider market in surveillance technologies: by comparing details from this leak with the trove of documents posted in August 2014 on the German company FinFisher as well as research by Citizen Lab, we gain a more comprehensive view of the international market for targeted surveillance tools.

In particular, there are an astonishing number of democratic nations using invasive spyware, despite the absence of any public debate on their use. As we note in our joint statement to Latin American states, many of those government organizations contracting with Hacking Team lack the legal authority to intercept private communications.

It’s also interesting to note which countries are not on this list. Of the Five Eyes countries, only New Zealand does not appear to contract with either company, and several other geopolitically significant nations are also absent, including Brazil, China, France, and Israel (although Hacking Team did have a contract with a mysterious Brazil-based company called YasNiTech). Their absence from Hacking Team's client list does not, of course, mean they do not use other similar tools, and it's likely that the overall market for such capabilities is much larger and less visible than Hacking Team’s poorly protected client list. The leaks also suggest that some countries, including the US, purchased Hacking Team software as a backup for their own internal technologies.

In the European Union, export controls on such technologies were implemented as of January 1, 2015. According to a February 25 press release, Hacking Team instituted the new procedures “immediately” and planned to request export authorization for its technologies from the Italian government. Spokesperson Eric Rabe told Motherboard that once the company agreed to follow the export regulations imposed under the Wassenaar Arrangement, it determined that its panel of “technical experts and legal advisors” was no longer needed. But its internal emails revealed that even when it did have such a panel, it was simply an arrangement with the law firm Bird & Bird, which did not review every sale. The fact that they've used Wassenaar as an excuse to disband their supposed internal controls demonstrates they've never taken their responsibilities seriously.

Would the procedures governing those export controls have caught Hacking Team as red-handed as this leak did? We will never know. But it's clear that Hacking Team's public statements have long been at variance with their real behavior, and the iceberg of the state spyware trade goes far deeper than we knew before these leaks.