Over the weekend, an unidentified hacker breached the system of Hacking Team, an Italian company selling cyber-surveillance software to governments around the world. The hacker then dumped over 400GB of the company’s internal documents online. Inside that trove were revelations that Hacking Team had repeatedly sold its surveillance software to governments with less-than-stellar records on human rights and free expression.
The leaked documents showed Hacking Team had sold its products to the Sudanese intelligence service, which Amnesty International charged with systematically violating human rights through torture and widespread censorship. The company was also revealed to have lent its spying tools to ethically questionable governments in Turkey and Morocco.
This leak has brought a massive degree of attention onto Hacking Team, but the company is hardly one of a kind. It’s part of a rapidly growing ecosystem of private firms providing surveillance software to government intelligence and law enforcement agencies.
In the years since the 9/11 attacks spurred the U.S. government to invest heavily in electronic surveillance tools to fight terrorism, other governments around the world have become interested in setting up their own similar systems. While the U.S. can afford to spend more than $52 billion annually on intelligence-gathering agencies like the National Security Agency and Central Intelligence Agency to create an omnipresent dragnet on the electronic communications of its citizens, other countries may be on more of a budget. The leaked documents showed that Hacking Team was charging its clients as little as $50,000 per year for access to its software, which is continually patched by the company to avoid detection.
In 2001, the private online surveillance industry barely existed. By 2014, it generated more than $5 billion in annual profits.
Hacking Team may be one of the highest-profile firms in this space, even before its secrets were spilled out onto the Web, but it’s only one of many companies with histories of selling technology that’s helped repressive regimes spy on their subjects.
The Coalition Against Unlawful Surveillance Exports is an international effort by eight nonprofit groups like Reporters Without Borders and Human Rights Watch to keep these kinds of surveillance and censorship technologies out of the hands of regimes that would use them for ill. The group’s website lists 22 firms, including Hacking Team, known for selling tech to unsavory governments.
Here is a partial rundown of some other companies in the same business as Hacking Team:
The Gamma Group, a formerly U.K.-based company now located in Germany, is best known for a program called FinFisher, a suite of commercial spyware tools snoops can use to monitor the electronic communications of the systems being targeted. Cybersecurity experts have found FinFisher deployed in dozens of countries around the world, including known human rights violators like Bahrain, Turkmenistan, and Ethiopia.
In 2013, researchers at Citizen Lab, a group at the University of Toronto working at the intersection of cybersecurity and international human rights, found a piece of FinFisher malware aimed at infecting the systems of members of an Ethiopian opposition party branded by the government as a terrorist group. Around the same time, the Ethiopian government was also caught using surveillance software made by Hacking Team, indicating that the government was actively shopping around for multiple vendors of surveillance technology.
Wikileaks has twice published data dumps revealing FinFisher’s inner workings. In 2011, the organization put out internal documents detailing the company’s products and then, in 2014, leaked a full version of the software for security researchers to pull apart and analyze.
South Africa’s VASTech attracted international attention in 2011 when the Wall Street Journal revealed it had provided technology allowing the regime of now-deposed Libyan dictator Moammar Gadhafi to intercept and record all of the telephone calls going in and out of the country. The revelation raised eyebrows in South Africa not only due to the Gadhafi regime’s lackluster record on human rights, but also because the development of VASTech’s monitoring tools was underwritten by a $4 million rand grant from the South African government.
Blue Coat is a U.S.-based firm that sells surveillance software. The U.S. has sanctions in place against trading with countries like Iran, Syria, and Sudan due to human rights abuses. Yet, French investigative news outlet Reflets revealed that Blue Coat’s monitoring systems were active in Syria and Iran. “This is a clear violation of the U.S.’s embargo law, and that technology is, without a shadow of a doubt, being used to violate human rights,” Reflets reporter Fabrice Epelboin told the Daily Dot in 2013.
A report later that year by Citizen Lab also found Blue Coat technology active in online networks in Sudan. For its part, Blue Coat asserted that it wasn’t selling directly to the prohibited governments and, instead, the government intelligence services had obtained the surveillance gear through an intermediary who resold it to them.
Valued at $28 billion-plus, Nokia is one of the most recognizable telecom companies on the planet. Despite its size and prominence, the company has gotten in trouble for providing technology used by the Iranian government to monitor cell phone networks and crack down on dissidents during the pro-democracy protests surrounding the contested 2009 elections in the country. Using technology primarily provided by Nokia subsidiary Trovicor, Iranian authorities were able to block international radio and television broadcasts, as well as censor social networking sites like Twitter and Facebook.
In 2010, the European Parliament passed a public resolution slamming the company for “providing the Iranian authorities with the necessary censorship and surveillance technology, thus being instrumental in the persecution and arrest of Iranian dissidents.”
Not all of the companies involved in this industry just do surveillance. In 2013, systems developed by Canadian firm Netsweeper were used by the Pakistani government to censor large swaths of content at the ISP level. Blocked sites included those covering human rights and free expression on the part of ethnic and religious minorities.
A subsidiary of aerospace engineering giant Boeing, Narus initially worked on creating systems to help ISPs monitor the traffic on their networks to increase billing efficiency. Post-9/11, the company has branched out. It sold deep-packet inspection technology to filter content and track users on the network of Egypt Telecom during the Arab Spring.
The company also sold systems to the government of Saudi Arabia to block VoIP traffic as a means of protecting the national telephone operator from competition and also to block access to websites the Saudi government deems dangerous. While groups like Amnesty International have catalogued a litany of human rights abuses in Saudi Arabia, calls by activists to block sales of online monitoring and filtering software fall on deaf ears when the U.S. government itself recently sold $30 billion worth of fighter jets to Saudi Arabia.
Illustration by Max Fleishman