March 5, 2015

Sent via e-mail: [email protected]

Dear Mr. Vincenzetti and team,

Pursuant to the procedure outlined in your customer policy,[1] the Citizen Lab at Munk School of Global Affairs, University of Toronto, is submitting the attached report regarding apparent misuse or abuse of Hacking Team systems and solutions.

As detailed more fully in the report, journalists at the Ethiopian Satellite Television Service (ESAT) in the United States were again targeted in late 2014, with what appear to be two updated versions of Hacking Team’s Remote Control System (RCS) spyware. Our research suggests that the attacker is the same governmental entity as that implicated in December 2013 attacks using RCS against ESAT journalists, on which we previously reported.[2] The attacker may be the Ethiopian Information Network Security Agency.

Hacking Team’s customer policy suggests that the company is capable of exercising wide discretion in ensuring its customers do not employ the technology in a manner that undermines human rights. The policy references contractual restrictions on misuse, as well as “auditing features built into HT software that allow administrators to monitor how the system is being used.”[3] The policy also notes Hacking Team investigates potential rights abuses involving its software and “take[s] appropriate action.”[4] Should Hacking Team decide to cease supporting a particular customer’s installation, “the product soon becomes useless.”[5]

The new incidents we have documented, however, suggest that rather than restricting the capabilities provided to the governmental attacker targeting ESAT, Hacking Team may have continued to provide support for RCS software used by that attacker, including in the form of updates to the software to evade detection.

Quite simply put, after all of the prior reporting surrounding the use of RCS against ESAT journalists in December 2013 and its human rights implications, how has it come to pass that RCS is again linked in late 2014 to the same activity? What steps will Hacking Team take to control such apparent misuse of its technology and prevent the continued targeting of ESAT journalists?

We request that you provide clarification regarding the apparent repeated misuse of RCS against ESAT journalists as soon as possible. The United Nations Guiding Principles on Business and Human Rights detail effectiveness criteria for operational-level grievance mechanisms established by business enterprises, including transparency: “keeping parties to a grievance informed about its progress, and providing sufficient information about the mechanism’s performance to build confidence in its effectiveness and meet any public interest at stake.”[6] We encourage Hacking Team to, at a minimum, inform the journalists affected by these attacks of concrete action taken by the company to address the concerns raised in the attached report.

We also note that on February 25, 2015, Hacking Team published a press release regarding its compliance with Wassenaar Arrangement export controls covering certain surveillance technologies.[7] Given that these controls are manifested in the form of a licensing regime implemented at the national level,[8] what specific Italian regulations govern Hacking Team’s exports? Under which export control classification numbers do Hacking Team products fall (e.g., 4A005, 4D004, 4E001.c, 5A001.j)?[9] To which countries are exports of Hacking Team products prohibited outright? What, if any, license exceptions apply to Hacking Team products? How many requests for export authorization has Hacking Team made to date?

Finally, we take this opportunity to remind you that we have not yet received any reply from Hacking Team to our letter of August 8, 2014.[10] We reiterate the questions raised in that letter, and request that your response to this correspondence address said questions as well.

Thank you in advance for a timely reply.

Sincerely,
Professor Ronald Deibert
Director, The Citizen Lab
Munk School of Global Affairs
University of Toronto

Footnotes

[1] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[2] Bill Marczak, Claudio Guarnieri, Morgan Marquis-Boire, and John Scott-Railton, “Hacking Team and the Targeting of Ethiopian Journalists,” Citizen Lab, February 12, 2014, https://citizenlab.ca/2014/02/hacking-team-targeting-ethiopian-journalists/.
[3] Hacking Team, “Customer Policy,” http://www.hackingteam.it/index.php/customer-policy.
[4] Ibid.
[5] Ibid.
[6] See United Nations Guiding Principles on Business and Human Rights, 2011, Principle 31, http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf; see also Shift and the Institute for Human Rights and Business, European Commission ICT Sector Guide on Implementing the UN Guiding Principles on Business and Human Rights, June 17, 2013, pp. 73-82, http://shiftproject.org/sites/default/files/ECHRSG.ICT_.pdf.
[7] Hacking Team, “Hacking Team Complies With Wassenaar Arrangement Export Controls on Surveillance and Law Enforcement/Intelligence Gathering Tools,” February 25, 2015, available at http://www.hackingteam.it/index.php/about-us (accessed March 4, 2015).
[8] Council of the European Union, Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, May 5, 2009, Article 9, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:0269:en:PDF.
[9] European Commission, Commission Delegated Regulation (EU) No 1382/2014 of 22 October 2014 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, OJ L 371, December 30, 2014, pp. 1-212, at Annex, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:JOL_2014_371_R_0001&from=EN.
[10] Ronald Deibert, “Open letter to Hacking Team,” August 8, 2014, https://citizenlab.ca/2014/08/open-letter-hacking-team/.