Update: An open letter to Hacking Team following its statement on the Citizen Lab “Police Story” report

August 8, 2014

Dear Mr. Vincenzetti and team,

This letter is in response to a statement issued by Hacking Team that has recently come to our attention, concerning Citizen Lab’s report titled “Police Story: Hacking Team’s Government Surveillance Malware” (June 24, 2014). The statement[1] reads as follows:

Statement on Citizen’s Lab/Kaspersky report of June 24, 2014:

Hacking Team is aware of the ongoing efforts of Citizen’s Lab [sic] to attack our business by attempting to disclose confidential information, systems, and procedures that we use. This report is only their latest effort. It is evident that the primary complaint of the authors is about repressive government, however, Citizen’s Lab has chosen to target a private business operating in full compliance with all relevant law.

We believe the software we provide is essential for law enforcement and for the safety of us all in an age when terrorists, drug dealers, sex traffickers and other criminals routinely use the Internet and mobile communications to carry out their crimes. We sell only to government agencies such as police forces. We do not conduct digital investigations. Those are carried out by law enforcement and are, of course, entirely confidential as is any law enforcement investigation.

The June 24 report does not include our customer policy, however, we invite you to read the policy which describes the steps we take to avoid abuse of our software. We believe this policy is unique in our industry and a strong, good-faith effort to prevent misuse of our products. We have both refused to do business with agencies we felt might misuse our software, and we have investigated cases either discovered internally or reported in the press that suggest abuse. We can and have taken action in such cases, however, we consider the results of our investigations and the actions we take based on them to be confidential matters between us and our clients.

We write to address certain factual inaccuracies contained in this statement, as well as apparent misinterpretations by Hacking Team of the content and purpose of Citizen Lab’s report. We clarify those issues here, and present a few additional questions to Hacking Team that are raised by the statement:

  • Your reference to the “Citizen’s Lab [sic] / Kaspersky report of June 24, 2014” suggests that we authored the report jointly with Kaspersky (though we note that the complaints lodged in the statement are directed solely at Citizen Lab). We prepared and issued our report independently of Kaspersky.
  • Citizen Lab is an academic research institution housed at the Munk School of Global Affairs, University of Toronto, that engages in evidence-based research to document uses of technology with the potential to undermine human rights. We do not undertake our rigorous research, analysis, and reporting in order to “attack” the business of Hacking Team or any other company on which we have previously reported. Rather, we seek to provide concrete data that will inform discussions between civil society, policy makers, and the private sector, so that society can properly determine its stance on the capabilities and deployment of dual-use technologies that impact individuals around the world. While Hacking Team may “believe the software [it] provide[s] is essential for law enforcement and for the safety of us all,” in democratic societies, such a determination is best suited to an informed public debate rather than the closed-door deliberations of a private company. Unfortunately, equating efforts to promote such transparency and debate with an attack against the company only reinforces the impression that Hacking Team wishes to prevent human rights-related inquiries into its products and services.
  • We also take issue with Hacking Team’s assertion that “the primary complaint of the authors is about repressive government.” While Citizen Lab is certainly concerned with the use of technologies by repressive governments to undermine human rights, we are equally concerned with the role of companies in equipping those regimes and profiting from activities that threaten human rights. As the UN Guiding Principles on Business and Human Rights make clear, companies are independently obliged to respect human rights.[2] They have the responsibility to avoid causing or contributing to adverse human rights impacts, and to address such impacts when they occur.[3] Indeed, the European Commission (EC) ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights notes that companies may contribute to a harm, and therefore have a responsibility to cease such activity and engage in remediation, when they “provid[e] surveillance technology to a government that uses it to track and persecute human rights defenders, journalists or members of a minority group.”[4]

    We encourage Hacking Team and all companies involved in the surveillance technology industry to carefully consider the human rights impact of their products and services, the potential for complicity in government practices that violate human rights, and steps to address these concerns. The aforementioned EC ICT Sector Guide is one resource that companies can utilize in developing appropriate human rights policy commitments as well as due diligence and remediation measures.

  • The statement that Hacking Team is “operating in full compliance with all relevant law” raises certain questions to which we urge you to respond publicly.

    First, what precisely does Hacking Team consider to be the “relevant law”? Does the company include within that rubric international human rights law embodied in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights, or the European Convention on Human Rights? With the laws of which state or states does Hacking Team comply? How does it account for national laws that may conflict with international human rights law?

    Second, does Hacking Team’s assertion of compliance with relevant law rely on the absence of precise law or regulations, given the novelty of the industry, that would control the production or sale of Hacking Team products? As articulated by United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression Frank La Rue in his April 2013 report to the UN Human Rights Council:


    Offensive intrusion software such as Trojans, or mass interception capabilities, constitute such serious challenges to traditional notions of surveillance that they cannot be reconciled with existing laws on surveillance and access to private information. These are not just new methods for conducting surveillance; they are new forms of surveillance. From a human rights perspective, the use of such technologies is extremely disturbing. . . . Although it is clear that many States possess offensive intrusion software, such as Trojan technology, the legal basis for its use has not been publicly debated in any State, with the exception of Germany.

    The lack of transparency and public debate surrounding the surveillance technology industry, and its close ties with the apparatus of state security, have resulted in legal and regulatory gray areas in which companies have thus far operated with relative impunity.

    It is essential to note, however, that:


    The responsibility to respect human rights is a global standard of expected conduct for all business enterprises wherever they operate. It exists independently of States’ abilities and/or willingness to fulfil their own human rights obligations, and does not diminish those obligations. And it exists over and above compliance with national laws and regulations protecting human rights.[5]

    Indeed, under the UN Guiding Principles on Business and Human Rights, “Where national law and human rights conflict, companies should respect the principles of internationally recognised human rights to the greatest extent possible in the circumstances. They should also be prepared [to] explain their efforts to do so.”[6] We encourage Hacking Team and other companies in this industry to take a proactive and long-term view of legal compliance, particularly given that initiatives are currently underway at international, regional, and domestic levels to develop suitable controls for the surveillance technology trade.

  • We applaud Hacking Team’s efforts to develop a customer policy that incorporates human rights considerations. The policy states that Hacking Team (HT) reviews potential customers before sales are made, assisted by “a panel of technical experts and legal advisors,” and that it will refuse to provide or cease providing products or services to entities that Hacking Team believes use its products to violate human rights. The policy also states: “Should questions be raised about the possible abuse of HT software in human rights cases, HT will investigate to determine the facts to the extent possible.”

    While these are admirable commitments, we remain concerned that Hacking Team provides no further information regarding its implementation of the customer policy. In order to credibly invoke the customer policy, more transparency surrounding implementation is necessary (which could take any number of forms and need not identify clients). For example, what procedure is employed for customer reviews? Who sits on the review panel? Does that panel include civil society actors? The Hacking Team statement notes that the company has “refused to do business with agencies we felt might misuse our software”; can you elaborate on the reasons for and frequency of those refusals? And what investigation, if any, has Hacking Team undertaken concerning reports of misuse of the software in Saudi Arabia, the United Arab Emirates, Morocco, and against Ethiopian journalists in the United States?

    To further strengthen respect for human rights in its business operations, Hacking Team may also wish to consider establishing an operational-level grievance mechanism (as enumerated in the UN Guiding Principles on Business and Human Rights[7] and the EC ICT Sector Guide[8]) for individuals that have experienced adverse human rights impacts caused or facilitated by Hacking Team technology. Such an effort could set an industry-leading positive example that may generate long-term success for your company.

  • Additionally, if Hacking Team is in fact confident that its methods are beyond reproach, opening such methods to independent inspection should only strengthen the company and promote respect for human rights in the surveillance technology industry. We urge Hacking Team to enhance the transparency of its operations by publishing in full on its website the Hacking Team user manuals described in Citizen Lab’s report; all internal policies and procedures related to human rights; statistics regarding the sales and deployment of Hacking Team products as well as sales discontinued out of concern for misuse of the software; and an export control matrix indicating the product classifications relevant to Hacking Team. We note that your company has in the past sought patents worldwide — with the World Intellectual Property Organization under the Patent Cooperation Treaty, as well as in Europe, Canada, the United States, Singapore, Mexico, and Korea — thereby making public details regarding the operation of certain Hacking Team software. Confidentiality is therefore not an obstacle to beginning a public discussion of, at a minimum, those details.

Both Citizen Lab’s report and our ongoing research are intended to provide information that will advance the transparency and accountability that is sorely lacking from this industry. It cannot be denied that surveillance technologies have the potential to seriously impact individual human rights. If Hacking Team wishes to profit from such a business, we urge it to also accept its responsibility for the human rights impacts that business entails. We invite Hacking Team to contact us to discuss these issues in greater depth, and would welcome the opportunity for dialogue around measures to safeguard human rights.

Sincerely,

Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto

________________
[1] Hacking Team did not publicly release this statement; rather, it appears to have sent the statement in response to specific inquiries made to the company regarding Citizen Lab’s June 24 report. See, e.g., Doug Bernard, “Saudi App Appears to Target Residents With Surveillance,” Voice of America, June 27, 2014, http://www.voanews.com/content/saudi-app-appears-to-target-residents-with-surveillance/1946570.html.
[2] Principle 11.
[3] Principles 11 and 13.
[4] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at pp. 74-75.
[5] See UN Guiding Principles on Business and Human Rights, Commentary to Principle 11.
[6] Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, http://www.shiftproject.org/publication/european-commission-ict-sector-guide, at p. 53
[7] Principle 29.
[8] Section 3-VI.