Editor’s note: What you will read below is the result of Mari Bastashevski’s year-long investigation into the trade of cyber-surveillance systems to oppressive nation states. Twelve months of searching for trails of paperwork, filing freedom of information requests, interviewing and protecting sources, and corroborating their statements.
This is a narrative built upon information that’s incredibly difficult to verify. Outside of the community of privacy advocates and cyber-surveillance researchers, no-one really saw this story, or necessarily knew what it was or why it mattered. That’s because everything that Bastashevski was looking at — or looking for — is invisible, confidential or both.
On July 5th, when Hacking Team (a company that manufactures surveillance technologies) was itself hacked and the identities of its clients were posted online, Bastashevski felt vindicated. Not only did the hack confirm the presence of Hacking Team in countries she investigated, it also confirmed the presence of other companies she knew were providing surveillance to those countries. The lies and questionable dealings of a catastrophic industry were laid bare.
“To photograph or to look at what exists on the verge of catastrophe,” critic Ariella Azoulay once wrote, “the photographer must first assume she has a reason to be in the place of the nonevent or event that never was, which no one has designated as the arena of an event in any meaningful way. She, or those who dispatch her, must suspend the concerns of the owners of the mass media regarding the ratings of the finished product and with her camera begin to sketch a new outline capable of framing the nonevent. Photographing what exists on the verge of catastrophe thus is an act that suspends the logic of newsworthiness.”
By virtue of hackers’ actions, and not the logic of the news industry, I find myself in a position to publish Bastashevski’s remarkable findings. A condensed version of this work was exhibited at the Musée de l’Elysée and published in the Prix Elysée catalogue (Musée de l’Elysée, December 2014). It has since been expanded to include a review of targets and surveillance in Azerbaijan, and cross references of the recent evidence obtained through the Hacking Team leak.
This is not a photo essay but rather an essay with photos. Bastashevski makes photographs, in many ways, to show her stories cannot be photographed. These images are way-markers along roads of discovery.
In case you missed it, last Sunday night, the surveillance research community had one hell of a Twitter party, waiting for Hacking Team to wake up. The reclusive provider of malware to government and corporate clients worldwide got a rude awakening when a 400GB body of evidence from its server was placed onto the company’s own hacked Twitter account.
In the sea of day-to-day platitudes and pictures of cats, the huge trove of e-mails, annual reports, invoices, and contracts offered new evidence of a firm aiding human rights violators, something long argued by Citizen Lab and others tracking the company.
The files don’t just disclose information about Hacking Team operations in Uzbekistan, Kazakhstan, Azerbaijan, Ethiopia, Bahrain, Mexico, and Sudan (to name a few); they also offer glimpses of other surveillance companies operating worldwide in a similar way. Set free were 21 pages of Verint mentions. In the leak, there are 939 hits for ‘Uzbekistan.’ When you search ‘Verint + Uzbekistan’ 29 hits are returned. There are 4,286 returns for a search of ‘NICE Systems’ and 1,768 for ‘NICE + Azerbaijan.’ NICE was contracted by Hacking Team as its “fulfilment vehicle” (distributor) in at least half a dozen countries.
Verint and NICE are the two company names I’ve come across most while traveling through Central Asia, the Caucasus, Europe and the Middle East, researching the relationship the mass internet surveillance industry has in the CIS (Commonwealth of Independent States) region.
This publication is about these companies at work, their products and victims, and why the hacking of Hacking Team was inevitable and necessary.
Inside the Marriage of Convenience Between Cyber-Surveillance Industry and Paranoid Rulers
by Mari Bastashevski
There is hardly a hint of a tightly monitored, repressive state inside the Dedeman Silk Road Radisson Sas Hotel in Tashkent, Uzbekistan. Jazz music flows through the beige, air-conditioned lobby. The concierge and valets operate at ease, and in almost fluent English. The glass elevator invites a panoramic view of the city square, interrupted only by a reflection of an advertisement for a European-style spa. The cleaning ladies knock and smile before entering the room. In the hotel shop, national heritage carpets are sold with the appropriate certificates. The receptionists make the wake-up calls at the agreed hour. And, all the while, the car is ready, waiting.
National Security Service of Uzbekistan (SNB) agents are stationed at the hotel to monitor the invited guests. They wear civilian clothing and spend most of their days outside, only occasionally pacing around the lobby, switching among its many leather couches.
The guests are engineers — IT specialists — from the world’s leading electronic surveillance firms, Verint Israel and NICE Systems. They stay at Dedeman at least twice a year. They come here to set up new contracts and to fix and manage the complex sets of devices they’ve previously installed inside Uzbekistan’s telecommunication and Internet monitoring center. While in Uzbekistan, they’re looked after by Eugeniy Ilyasov, SNB’s surveillance project manager and the only person in the monitoring center to speak English.
Sometimes, Ilyasov picks up the engineers in a minibus with tinted windows. Other times, the engineers just take a cab to the Muslim cemetery, leaving the driver flummoxed: “Why does a bunch of Hebrew-speaking tourists want to go to a Muslim cemetery?” But the locations of the monitoring centers, much like the rest of national security sites in Tashkent’s Gazalkent neighborhood, are a strict secret. The engineers make the rest of their way on foot.
The monitoring center, made to resemble a US embassy, has impenetrable, gray concrete walls spotted with heat detectors and cameras. Armed guards pace around the perimeter, smoking. Long-term data storage devices are stocked in the basement, a room covered in wires and with hard disks stacked from floor to ceiling. Monitors and control devices are nested a floor above. This is where most of the human labor is performed.
The engineers add new features and fix bugs, usually just in time to monitor readers of new and particularly sensitive articles about Islam Karimov, the Uzbek president who has been in power for twenty-five consecutive years. They help to add and remove surveillance targets, roughly five hundred for each of the four Uzbek telecoms providers.
The rest of the visit is spent on the recurring routine — engineers explaining to the poorly-versed SNB technologists what is obtainable within the realm of modern technology and what cannot be further simplified.
Verint and NICE Play Nice
At breakfast, the engineers of Verint and NICE, companies that mostly pretend to be competitors, nod in each other’s direction. They take snapshots of their food and joke about the local customs.
The SNB usually hires a number of competing companies simultaneously, allowing comparison of results and keeping prices stalled through competition. The two companies understand that and play along to ensure long-lasting mutual benefit. By week’s end, everyone gets paid whatever expenses are due, often in bags of local cash (SNB agents offer to exchange these expenses, taking hefty commissions for themselves). The engineers fly back to Tel Aviv or to wherever their skills are needed next.
In the cities of Astana and Almaty, Kazakhstan, the two companies share office space and tend to the monitoring centers in open view of one another. Both are managed by Alexander Luzyanin, a Kazakh National Security Committee (KNB) technical expert who serves as both a minder for the engineers while in the country and a point of contact for the business managers of Verint and NICE.
The collaborative relationship between Verint Israel and the KNB began in the early 2000s. NICE attempted to sign contracts with the KNB in the past decade, but did not succeed until 2013, when they were offered a DPI (deep packet inspection) project identical to Verint’s.
The engineers prefer Kazakhstan to Uzbekistan, and say Kazakhs don’t argue as much over money, speak better English, and are more qualified.
In Azerbaijan, Verint Israel was the primary provider of the state-of-the-art monitoring centers in the country from the early 2000s onwards. NICE eventually caught up and won smaller tenders which included Hacking Team products.
One of Verint’s monitoring centers is located in Baku on Parliament Street, right next to the presidential compound, inside the National Security Ministry (MNS) offices. The other is in the military zone of Nakhchivan. The engineers are restricted from traveling to the disputed territory of Nakhchivan, managing instead a front end of the monitoring center from Baku. An Azerbaijani company, Risk, has been contracted by the MNS to set up the equipment on location.
A polite employee of the Ministry of Foreign Affairs, assigned as a “state assistant” to foreign journalists, makes no secret about the application of this monitoring.
“We know what they are up to and what they need,” referring to independent journalists. “We offered free apartments to all the journalists displeased with the president, most accepted the offer. It won’t be too difficult to deal with the few who didn’t.”
When I ask if this is a joke, he laughs.
Jokes aside, Azerbaijan is treated by both NICE and Verint as one of the most lucrative prospects in the region and one that buys multiple products with identical functions in order to test them against each other.
The rest of the CIS countries take cues on surveillance and upgrade their projects to the best of their ability following the developments in Azerbaijan.
What can the monitoring centers monitor?
Data operations within the monitoring centers in Central Asia and the Caucasus are split into two main categories: active and passive monitoring.
Active monitoring targets a specific user/entity using identifiers such as IP addresses or unique signatures. Automated requests initiated by the state will return a full data package on said user/entity. Having made available their cables to the state, telecoms providers know monitoring is taking place, but know not what is being monitored.
Passive monitoring is a process by which the center collects all of the telecom provider’s data: this process includes filtering on the basis of the specific parameters set in place by the national security services. Passive monitoring is intended to be invisible; telecoms providers may not know it is in operation.
Uzbekistan’s SNB employs both active and passive monitoring. In addition, local agents can respond to local circumstances by asking companies to create filters on specific keywords.
Verint Israel also provides them with an SSL interception tool, a device put together by Netronome, owned by Blue Coat. The device sits online between the provider and the router, meaning several servers (SGSN) are connecting to one server (GGSN, or first generation serving gateway). For Verint this is a legally complicated product as it requires a replacement of the SSL certificate. The replacement of most major international certificates (such as Google and Facebook certificates) is a criminally liable offense for a US-registered company. And while Verint itself does not replace the certificates, it gives clues to the SNB on where to purchase these.
An “HTTP aggregator” is also in place in all countries, courtesy of Verint: a feature that allows the government to see who reads the content hosted on any specific link. In Uzbekistan, the aggregator is used to identify potential future users/entities for target-based interception. As a fairly small side product, Verint Israel also offers an IMSI catcher, an eavesdropping device used for intercepting mobile phone traffic and tracking the movements of mobile phone users.
And if all else fails, NICE provides the Hacking Team malware, under the code name OMEGA, as part of a package that cost the Uzbeks almost US$1 million between 2011 and 2015.
In Kazakhstan, the authorities have a setup similar to that in Uzbekistan, but rely on multiple points of data collection throughout the country and prefer passive monitoring whenever possible to prevent other entities from knowing about who or what the KNB is monitoring.
Hacking Team is also in the KNB surveillance shopping basket. The KNB buys the product directly from Hacking Team and has paid $1,012,500 for it to date.
Azerbaijan’s MNS, much like NatSec in Uzbekistan and Kazakhstan, has both Verint’s target-based (active) and data-based (passive) modes of monitoring, although in practice, Azerbaijan’s National Security Ministry (MNS) relies primarily on active, target-based monitoring. The monitoring centers in Azerbaijan provide state-of-the-art PSTN- and IP-based surveillance.
Verint’s first project in Azerbaijan was a circuit switch monitoring system — something it put in place over ten years ago and still maintains. The large second project, although not implemented on a significant scale, was a very basic DPI system that has been in place since 2009 and has been modernized several times since.
Like the others, MNS purchases Hacking Team services through partnerships with NICE and a one-man U.S.-registered firm called Horizon Global Group, managed by an Azerbaijani, Abik Charuhchev. The contract has cost the MNS US$349,000 to date.
Azerbaijan is the only country in the former Soviet Union that has invested in an expensive satellite Internet communications monitoring project, a project also tended by Verint.
Where do components of a total surveillance system come from?
The monitoring centers do not operate in a vacuum. At least in Central Asia and the Caucasus, they would not work if it weren’t for the compliance of local and international telecoms that often rely on European, American, and Chinese products to make their equipment suitable for the local security protocol, SORM. Literally a sum of its parts, SORM is a system for which no-one has buck-stop accountability.
SORM is a collective term coined in 1995 in the Russian Federation for phone and Internet interception. The system was adopted by all of the neighboring countries that had gained independence from the USSR in 1991. Since then, a hundred international technology companies have in one way or another engaged in contracts related to SORM and SORM components with local brokers or telecoms directly. Some have also collaborated with the local security agencies directly.
The Uzbek SORM certification department has collaborated with a large number of European telecommunications and surveillance companies through the Uzbekistan State Unitary Enterprise Scientific Engineering and Marketing Researches Center (UNICON), a state sponsored cyber security research and development center created in 1992 by decree of the Ministry of Communication, which allocated a hefty proportion for SORM projects and overseeing SORM contracts, as well as for related development work. The collaboration, in turn, secured a number of long-term contracts for European, Russian, and Asian companies specialized in providing system components and optimizing some of the Western equipment for SORM standards.
Between 2007 and 2010, UNICON was involved in all SORM-related projects in the country, and issued SORM consultancy contracts to Nokia Siemens Networks (NSN), Huawei Technologies, and Iskratel, among others. In 2009, the number of certifications of SORM-related equipment increased 340% from the 2008 number.
When SORM for telecoms in Uzbekistan was first adopted for SMS/text messaging surveillance, the components for the projects were provided by a Shanghai branch of Alcatel-Lucent, a France-based technology company that offers phone and Internet surveillance with deep packet capabilities. Back then it was an investment worth US$4 million, local technology magazine InfoCom reported.
Since 2009, the Alcatel S-12 solution has been further employed in SORM developments, and installed on 76 additional telecom ports throughout the country. They are used by all telecoms there, including the joint Swedish- and Norwegian-owned telecom TeliaSonera.
In Kazakhstan, brokers connect Western component manufacturers — such as Alcatel, Juniper Systems, and BroadSoft — with telecom providers. A telecom may only go online in Kazakhstan when its equipment is SORM-operational. But telecoms do not stop at compliance; much like the surveillance industry, they actively pursue new surveillance-related contracts in these countries.
The number of targets for each country and each telecom varies throughout the years. In 2012–13, the number of targets for IP-based interception in Uzbekistan at the Verint monitoring center alone was fluctuating between 300 and 600 for each of the four telecoms in the country, close to the systems’ maximum and unusually high for a country with a total population of about 30 million people, only 38.2% of whom are online.
Azerbaijan, likewise, has reached the systems’ maximum. In the more lax kleptocracy of Nursultan Nazarbayev in Kazakhstan, where citizens enjoy some degree of freedom by comparison to neighboring republics, the number of targets for SORM-Telefonia interception ranges in the thousands.
In all of these countries, most of the targets include either high-ranking businessmen with enough wealth to influence the local politics or local activists, human rights employees, journalists, and members of minority religious groups and the LGBT community.
While businessmen and international organizations expect this level of surveillance and can afford, at least in part, to protect against state surveillance, it is the minorities, journalists, and activists who are the most vulnerable. Social networking tools — initially much anticipated and promoted by the activists in the region as a means of empowerment and uncensored speech — have left citizens completely exposed.
In Uzbekistan, where the systems have most definitely been used to crush opposition, advocacy and journalism, the number of confirmed victims of surveillance is in the hundreds, most of them too terrified to engage with international monitoring bodies or to testify.
But you would be wrong to think it stops within the borders of the regime. Uzbeks who are relatives of, or in contact with, prominent activists and human rights defenders who live outside Uzbekistan will be summoned to Uzbekistan’s national security offices after each and every visit and/or contact with family and friends abroad.
In 2013, when the SNB arrested an activist, Nabidzan Dzurabaev, for allegedly attempting to topple the government, his wife enlisted the help of Mamur Azimov, a local human rights lawyer, who in turn contacted a human rights activist in France. The SNB immediately summoned Dzurabaev’s wife and ordered her to stop all communication, or face jail time. Azimov, too, was summoned to the SNB offices, where it was made abundantly clear the SNB had been recording his movements online for weeks.
The family of former First Deputy Assistant Treasurer of the Uzbek National Treasury, Alex Sherm, was confronted with the same issues. After accusing several officials of corruption in 2002, Sherm received multiple threats and came to suspect that his phone calls and emails were being monitored. In 2004, he decided to move to the U.S. Sherm’s remaining family were then issued summons by the SNB and ordered to inform on Sherm whenever he got in touch with them. Sherm, in turn, made the disturbing decision to cut off correspondence with his relatives, for their own safety.
In Azerbaijan, hundreds of people have been jailed for speaking against the ruling power of Aliyev’s family. Those who remain free have grown so frustrated with mentioning privacy that they have either given up attempting to secure their correspondence, or left their practice and home country altogether. Their testimonies of encountering state surveillance are harrowing.
In February 2009, the Freedom and Security Institute assigned a journalist, Idrak Abbasov, to produce a report on human rights and freedom of speech and press in the Nakhchivan Autonomous Republic. He travelled to the contested region and tried to interview official and unofficial sources, as well as civilians whose rights were being violated.
During this trip, Abbasov’s personal Gmail correspondence was being read. As a result of the information garnered, he was subjected to physical and emotional abuse by the Ministry of National Security (MNB) and was pressured to drop the initiative. Abbasov was hospitalized with stenocardia upon returning to Baku.
On February 20, 2009, Abbasov received a phone call from the Minister of National Security for the Nakhchivan region summoning him to a meeting. Abbasov was excited, assuming that they were granting him permission to conduct an interview, and prepared detailed questions. It was a natural conclusion, given the two men had already been through several formal meetings with other state officials. However, when the pair entered the premises of the MNB, they were immediately separated. Abbasov was instantly handcuffed, blindfolded with a black hood, and dragged into a basement room with one chair.
The interrogation into Abbasov’s email correspondence continued for several hours, after which Abbasov was released and asked never to return to Nakhchivan again.
For Abbasov, the incident marked the start of continuous physical and electronic surveillance, and a long campaign of detentions and interrogations. Abbasov and his family were forced to leave Azerbaijan in September 2014, when his colleagues decided the threat had become too serious for them to remain.
The Companies: Verint
Verint Israel is part of the U.S.-registered corporation Verint, headquartered in Melville, NY. Verint offers a large array of surveillance products from video equipment to ready-to-use monitoring centers for lawful interception based on both IP and PSTN (public switched telephone network). Verint has offices or subsidiaries in over 30 countries.
Verint’s paranoid clients are not limited to the rulers of the post-Soviet space. A couple of years back, Verint Israel set up a full-service monitoring center as well as necessary maintenance services for the Government of South Sudan, a country that recently took to deporting international UN personnel with little or no explanation. The company is said to have provided technology and services worth hundreds of thousands free of charge in exchange for a data sharing agreement that permits Verint’s employee to remain on premises and access all data at all times.
In addition, Verint Israel is servicing a monitoring center it has installed at the request of the local security services in Bahrain. The Government of Israel forcefully suggested Verint take the contract, and Verint obliged. This created considerable logistical difficulties for everyone involved. The risk involved in pacing about Bahrain undercover and under the protection of Bahraini intelligence is a subject of heated debate within Israeli national security circles.
In 2014, Verint signed a contract with the Government of Saudi Arabia for a full-service monitoring center, one of the largest contracts in their corporate history. The firm avoided the logistical quagmire of travel bans by sending Indian professionals on their behalf. This is a textbook example of the pernicious business of convenience between states that publicly portray themselves as ideological opponents.
Verint Israel leadership has extensive ties to the Israeli national security apparatus and state-funded R&D programs. Over the years, it and its former parent, Comverse, have reportedly been the target of FBI investigations for financial misconduct as well as corporate espionage in the U.S. Despite this, Verint has worked with Verizon, the FBI, and the Department of Justice. Clients of Verint CCTV surveillance products include the Mall of America, the U.S. Capitol Building, and the Pentagon.
The Companies: NICE Systems
NICE Systems openly calls itself one of the world’s leading providers of all forms of surveillance, including lawful interception based on IP and PSTN (public switched telephone network). Until recently based in Ra’anana, Israel, it lists the Statue of Liberty, Los Angeles International Airport, New Jersey Transit, the London and Beijing Undergrounds, and the Eiffel Tower amongst its top clients. Police forces in Europe and the U.S. are on its client list too.
Since the early 2000s, NICE has worked directly with the national security agencies of Uzbekistan and Kazakhstan. Although the work on monitoring centers is conducted between NICE management in Israel and the authorities directly, NICE also has a substantial commercial presence throughout the regions where it has monitoring centers, especially in Kazakhstan, Moldova, Poland, and Russia. Likewise but to a lesser degree, the company offers mass interception and surveillance services in the Middle East and many conflict-affected African countries. NICE is attempting expansion in Bahrain and Saudi Arabia.
In 2008, NICE announced that the Russian telecommunications provider VimpelCom would undertake further expansion of NICE solutions to its service centers in the Russian language, which would help improve VimpelCom customer service in Russia, Kazakhstan, Uzbekistan, Ukraine, and Armenia.
In Kazakhstan, as well as Moldova, Poland, and Russia, NICE is represented by Aman Computers, led by Sagi Eliyahu. Aman Computers also represents the Israeli ICT firms Informatica and Citirix, providing video surveillance and other services to the Ministry of Defense, the Israeli police, Rafael Advanced Defense Systems, Israeli Aircraft Industries (IAI), and the IDF. In one form or another, NICE technology is used to monitor some 1.5 billion people.
Both Verint and NICE, although Verint is technically a U.S. company, are cleared for exports through Israel. Surveillance exporters based in Israel are pre-authorized to export these commodities and services by Israeli government agencies, and enjoy the speedy export procedures granted to companies recognized with “security industry” status. Authorization is presented to the firms in the form of a list of pre-approved export destinations.
In 2013, the list of pre-approved export destinations for “unclassified” technologies was expanded to include 100 countries, an increase from the previous list of only 30 registered countries. In exchange for these export permissions, the Israeli intelligence community occasionally requests that benefitting companies take on contracts in countries of interest. So in Central Asia, similarly to the rest of the world, companies enjoy minimum scrutiny and are dealing with limited paperwork produced and pre-approved by the national security agencies themselves.
The initial panopticon was based on an eighteenth century workhouse blueprint. It let the managers observe the workers while the workers could not see the managers. Designing an Internet-generation panopticon that gives the government the means to observe any citizen at any time online is at the very core of the product provided to state authorities by the cyber-surveillance industry.
Companies like NICE, Gamma Group, Verint, and HT, who sell this power to governments for which “watched a YouTube protests video” constitutes criminal behaviour, become co-arbiters of what is and isn’t a “wrong act”. Yet for the companies, much like for their clients, their own secrecy remains absolute and proprietary: not something for press consumption, researchers, or advocates.
In Central Asia and the Caucasus, the deployment of mass surveillance and the information vacuum around it (knowing the watchtower is there, but not what’s in it) has created a widespread culture of electronic self-censorship and self-imposed exile. A culture in which people who disagree with the government and wish to be active about it voluntarily choose to cut off electronic communication with friends and family as a way of preemptive protection. For them, knowing what surveillance is in place, how it operates, and who puts it there is an imperative. Until that knowledge is made public, or until unrestricted surveillance is restricted, someone will take offence. And profiteers will continue to face opposition, enquiry, and yes, hacking.