Trumputin-free zone: 8 stories of hacking and surveillance you may have missed in 2016

This piece was written by PI Research Officer Edin Omanovic.

While hacking of the Democratic National Committee and its consequences have dominated the headlines in recent weeks, we look at some other stories from 2016 about surveillance and hacking and the global industry which it fuels.

1. Macedonia

Macedonia is currently in the grip of a national crisis after a wiretapping scandal erupted in 2015, when the opposition party in Macedonia claimed that some 20,000 people had been illegally monitored by the interior ministry over a period of several years. Reported victims include lawyers, judges, opposition members, and even member of the ruling government. Intercepts released online by the opposition appeared to confirm the allegations, and highlighted incidents of blackmail and electoral rigging by the government. In 2016, we spoke to journalists and activists who had received evidence about being monitored in the form of audio recordings, and whose work and personal security had been put at risk.

A Special Prosecutor is currently undertaking an investigation into the scandal. At the time, Macedonian media reported that the surveillance technology used for the wiretapping was imported by the secret police from Israel via an intermediary. Our investigation found that a company from Slovenia had provided interception equipment to the country’s telecommunications operators. Ericsson, a large Swedish manufacturer of telecommunications equipment upon which networks function, was forced to deny allegations that they were involved in the wiretapping, and provided expert testimony to the Special Prosecutor to determine how the interception was carried out.

Nova TV reported that a relative of the Prime Minister was also being investigated by the Special Prosecutor for personally profiting by nearly €800,000 from a 2010 purchase of surveillance equipment, via intermediary companies in the UK and Macedonia. Nova TV alleged that the company in question was FinFisher, a high-profile hacking company based previously in the UK and now in Germany. FinFisher has appeared in several PI reports, including a report on Uganda, where a secret government memo obtained by PI said their hacking system was used to “crush” the opposition movement.

2. Albania

35 opposition MPs in Albania succeeded in securing a commission of inquiry after Italian police handed their Albanian counterparts a sophisticated mobile phone surveillance device during a training exercise.

Balkan Insight reports that former Prime Minister Sali Berisha, now an opposition MP, had alleged that 375 people were being monitored by the interior ministry, “including the heads of state institutions, leaders of political parties, businessmen and journalists.” The President of Albania also intervened, questioning the constitutionality of the device.

The interior ministry denies that the device is capable of intercepting calls.

The device, known as an IMSI catcher, is commonly used to identify mobile phones in a specific area, and is sold by a number of the 18 surveillance companies based in Italy. Advanced IMSI catchers can also intercept phone calls. An explainer on how such technology works is available here.

3. Nigeria

An investigation by the Premium Times in Nigeria charged that an aide to former President Goodluck Jonathan used personal intermediary companies and a series of offshore accounts to purchase advanced surveillance tools and services to influence the country’s 2015 election.

The purchases reportedly included a phone monitoring device (an IMSI Catcher) produced by Israeli-American company Verint (a brochure collected by PI is available here), as well as a fibre optic landing station tapping system, purchased for over $3.5 million. Fibre cable taps are used in mass internet surveillance systems to intercept the entirety of national internet traffic, including by the US’ NSA and UK’s GCHQ.

The Times also alleges the aide contracted the services of Packets Technologies, a company based in Bulgaria (profile here) which sells Distributed Denial of Service attacks as a service, to shut down unfriendly online media prior to the election. The Times itself claims it fell victim to such an attack prior to the election.

4. South Africa

Verint’s IMSI Catcher also featured in the news in South Africa last year, when three men appeared in Pretoria Magistrate’s Court, accused of illegally importing the surveillance device. The men, who reportedly bought the device for over $1 million from Israel via a South African agent, claimed that the purchase was part of an undercover government sanctioned operation.

One of the men alleged that representatives of Verint had informed them that they would need end-user documentation from the South African government before any sale was approved, and that the intelligence departments of the US and Russia would also have to approve any deal, according to a report by the Daily Maverick. Having forged a certificate, the device was imported in 2014 and installed in a car, allowing it to be easily transported. In 2015, the men were arrested after attempting to sell the kit to undercover police officers.

PI has an analysis of South Africa’s buoyant private surveillance industry here.

5. Mozambique

Independent media outlet @Verdade published details about the purchase of a monitoring centre in 2012, which is being used to carry out surveillance on the country’s phone and internet network. Under an agreement, the military would receive a system allowing direct access to the national network without judicial authorisation or the knowledge of network operators. The system, provided by large Chinese telecommunications company ZTE, was brokered by a company that was headed by the then President’s son. The deal specified that 8% of the $140 million cost would be paid to the company in commission, in to an offshore bank account. Mozambique’s parliament subsequently approved a new wiretapping law in 2016.

An English summary by Global Voices is available here.

6. Romania

In Romania, a former top intelligence official who was under investigation by the country’s anti-corruption body for influence peddling and money laundering was charged with hiring a private intelligence agency to hack into the head of the corruption body’s emails to defame her. Agerpress.ro reports that three employees of Black Cube, a private intelligence agency with offices in Israel, London and Paris, were also charged in the case.

Black Cube describes itself as “a select group of veterans from the Israeli elite intelligence units that specialises in tailored solutions to complex business and litigation challenges”, for example in one case “finding leverage points over [a] client’s counterparty that could be used in a settlement negotiation” and “locating assets belonging to the counterparty that were eligible for recovery.”

7. Mauritania

The preliminary hearing of Cristian Provvisionato, an Italian bodyguard arrested in in Mauritania, was held in May 2016. Provvisionato was accused by the state of involvement in a conspiracy to de-fraud the security forces during a botched surveillance deal.

An investigation by Stefania Maurizi recalls that Provvisionato, who was working for a Milan-based contractor, had travelled to the country believing it to be a straight forward personal security job accompanying a sales representative. The company, Wolf Intelligence, reportedly hoping to secure a deal with the Mauritanian security forces, sells a wide range of surveillance equipment and hacking tools and has offices in India and Germany.

After the deal broke down, Provvisionato, who has no expertise in surveillance, was arrested by Mauritanian authorities. Despite efforts by his family and Italian representatives, he remains detained at the time of writing.

8. Mexico

Mexico is a highly securitised country with a wide range of federal and state agencies empowered to carry out surveillance. There are more reports about imports of surveillance technology to Mexico than anywhere else in the world, according to data collated by PI. When the internal emails of Italian surveillance company Hacking Team were leaked in 2015, Mexico was revealed to be by far its most profitable destination with agencies there spending a combined $6.3 million.

Journalists and opposition members have been targeted by surveillance at the hands of government agencies. Mexican activists underline systematic human rights violations in the country, including forced disappearances, torture, violence against women, the murder of 99 journalists and repression of protests.

Ensuring transparency around surveillance capabilities is therefore essential. In December, a Mexican NGO and PI partner, R3D, did just that by forcing a federal agency to reveal statistical data about how many judicial authorisations were carried out in 2014. The agency had earlier in the year refused to disclose this data, and pushed the case to the Mexican supreme court, which ultimately sided with R3D. The data shows that in 2014 out of 1,165 applications by the agency, only 52 were rejected. Only two out of eight telecommunications operators reviewed by R3D in Mexico explicitly require judicial authorisation for cooperating with law enforcement surveillance demands.

The surveillance industry is a diverse set of companies ranging from some of the world’s largest defence contractors to individual brokers producing and selling a range of surveillance equipment. In conjunction with Transparency Toolkit, in 2016 we launched the Surveillance Industry Index, a fully searchable database detailing some 528 companies, their sales brochures, and data about their exports. It’s available here. An accompanying report describing the development of the industry since the 1970s with country case studies is available here.