Australian law enforcement and intelligence services have been in secret talks with an Italian-based surveillance company notorious for helping repressive states like Sudan spy on their own citizens, according to leaked emails published by Wikileaks.
The emails show company representatives identifying spy agency ASIO, the Australian Federal Police (AFP), the NT Police, NSW Police and Victoria’s anti-corruption watchdog IBAC in secret negotiations with Hacking Team, which publishes powerful electronic spying and surveillance software.
The leak emerged after the Milan-based cyber security company had itself fallen victim to a cyber attack earlier this week with nearly 440 gigabytes of their internal data uploaded to the internet.
For years, Hacking Team has been criticised by security researchers and international NGOs for supplying its intrusion and surveillance software to oppressive dictatorships like Sudan, which is subject to United Nations sanctions.
Hacking Team’s flagship product is called Remote Control System (RCS), and works by installing malicious software on a target’s phone or computer which can remotely activate microphones and cameras and send the data back for analysis.
Hacking Team’s own website promoted the software as “totally invisible to the target”, with the ability to “defeat encryption”, record Skype conversations, and obtain data like emails and text messages stored on a computer or phone.
Government agencies’ negotiations exposed
Victoria’s Independent Broad-based Anti-corruption Commission (IBAC) was considering signing a $500,000 contract for secret monitoring software from Hacking Team as recently as two weeks ago.
IBAC was given a live demonstration of Hacking Team’s flagship product in May.
The emails show IBAC’s Electronic Collections Unit and representatives from Hacking Team’s Singaporean office engaged in late-stage negotiations over a licence to access their digital intrusion and surveillance tools in late June.
Another leaked email chain shows a Canberra company called Criterion Solutions signing a non-disclosure agreement for access to confidential information about the RCS program in November 2014.
The Hacking Team’s Singaporean representatives later said Criterion Solutions was acting as a representative of ASIO.
The ABC has made several attempts to contact ASIO but has not yet received a response.
Andrew Windsor, from Criterion Solutions, told the ABC that the company did not represent Hacking Team in Australia.
“We have never sold their [Hacking Team] products to anyone including government agencies,” he said.
“We had some early discussions that were subject to an NDA but it did not lead to any further commercial relationship.”
The Northern Territory Police was also interested in the Hacking Team software, and received a demonstration from staff in late 2014.
After the demonstration, Hacking Team filed an internal report on the demonstration detailing what was discussed.
It included performing a hacking demonstration using the software, showing how it could store attempts to log in to Gmail and Facebook.
The NSW Police also expressed interest in the software, sending a confidential request to Hacking Team asking for a price list on their RCS software in July 2013.
Hacking Team asked to discuss the request in more detail via a Skype call. There is no indication the request went any further than the first request.
AFP declines to comment on or confirm transactions
The company accounts indicate the Australian Federal Police were also a client of Hacking Team with invoices from November 2009 and February 2010 for offensive spyware products, amounting to 245,000 euros.
When approached by the ABC, an AFP spokesperson declined to comment on or confirm the transactions.
“The AFP does not confirm or deny what may or may not form part of its operational or technical methodologies,” she said.
The emails show the AFP was a client of Hacking Team until 2011, when it cancelled the contract.
“The AFP no longer has a need for the capability you provide, hence our decision to withdraw from maintaining it,” an AFP officer wrote in an email to Hacking Team. “We wish to thank you for your support and wish you all the best.”
Other compromised documents detail Hacking Team’s participation in the 2014 National Security Conference in Sydney, where the group showcased its offensive technologies to Australian Government officials.
IBAC declined to comment on anything related to Hacking Team.
A spokesperson for IBAC said it “is not a client of Hacking Team and has never purchased any of its services”.
The leaked email chain also indicated a point of contention was the insistence of IBAC’s legal department to locate the servers hosting the spyware in Australia, against the views of Hacking Team employees.
Hacking Team ‘horrified by criminal attack’
The 440 gigabytes of leaked data includes email correspondence with clients, codes for infecting phones and computers with malware, and contracts with governments for access to their offensive interception technologies.
Eric Rabe, the chief marketing and communications officer for Hacking Team, told AM the attack was “reckless and dangerous”.
“I am horrified by the criminal attack on our company that has resulted in the ability to have those documents online”, he said.
“It shows that the criminals who did this have no regard for public safety.
“Police and investigators need to be able to do their work to keep the rest of us safe and the tool that Hacking Team provides is a step in that direction.”
UN investigating Hacking Team’s complicity in possible abuses
The hacked database showed that a United Nations Security Council (UNSC) investigation was underway into whether Hacking Team serviced the government of Sudan, who are subject to UN sanctions from a long and documented history of human rights abuses.
When the ABC asked Mr Rabe about the UN’s investigation into the sale of surveillance tools to Sudan against UN sanctions, he broadly defended his company’s conduct.
“Our view of whether Sudan was a reasonable place or not I think has changed, as has the United Nations and others over the last number of years, so we’ve adjusted to that,” he said.
The database also included correspondence showing that over the past year, Hacking Team’s CEO David Vincenzetti has stonewalled attempts by an UNSC Expert Panel to uncover the nature of its commercial relationship with Sudan, by initially denying it was a client, and then accusing the UNSC of “damaging” the company’s reputation in an “unjustified” manner.
Earlier this year, UK-based organisation Privacy International wrote a briefing to the Italian government, outlining their concerns about Hacking Team’s operations.
Matthew Rice from Privacy International said his organisation was blown away by what the hack revealed.
“There were 46 countries altogether that have purchased Hacking Team’s products,” he said.
“That goes to Egypt, Bahrain, Tunisia — which we had never known about before — Azerbaijan and Sudan.”
Hack exposes the failure of self-regulation: Privacy International
Privacy International has called upon the United Nations monitoring group to intensify its investigation into Hacking Team.
“The first thing that needs to happen is that what is left of Hacking Team, they need to answer the questions from the UN monitoring group truthfully,” Mr Rice said.
“What needs to come out of this kind of hack is a proper investigation into whether or not there was complicity in human rights abuses.”
Mr Rice said the Hacking Team leak exposed the failure of digital surveillance companies to self-regulate and that governments must do more to ensure the integrity of their contractors.
“I’m sure [Western governments] did not have a full picture at the time of who [Hacking Team] were selling to, but we hope that by looking at this information, they are seeing this is an industry that is not going to make massive distinctions between Western governments and governments from other parts of the world, or governments with strong human rights records and governments with awful human rights records,” he said.
“The question is whether we, as governments and democratic states, begin to make those distinctions ourselves about the kinds of companies we should be working with in procuring communications surveillance equipment.”