Governments Turn to Commercial Spyware to Intimidate Dissidents
Governments Turn to Commercial Spyware to Intimidate
Dissidents
By NICOLE PERLROTH MAY 29, 2016
SAN FRANCISCO — In the last five years, Ahmed Mansoor, a
human rights activist in the United Arab Emirates, has been jailed and fired
from his job, along with having his passport confiscated, his car stolen, his
email hacked, his location tracked and his bank account robbed of $140,000. He has
also been beaten, twice, in the same week.
Mr. Mansoor’s experience has become a cautionary tale for
dissidents, journalists and human rights activists. It used to be that only a
handful of countries had access to sophisticated hacking and spying tools. But
these days, nearly all kinds of countries, be they small, oil-rich nations like
the Emirates, or poor but populous countries like Ethiopia, are buying
commercial spyware or hiring and training programmers to develop their own
hacking and surveillance tools.
The barriers to join the global surveillance apparatus
have never been lower. Dozens of companies, ranging from NSO Group and
Cellebrite in Israel to Finfisher in Germany and Hacking Team in Italy, sell
digital spy tools to governments.
A number of companies in the United States are training
foreign law enforcement and intelligence officials to code their own
surveillance tools. In many cases these tools are able to circumvent security
measures like encryption. Some countries are using them to watch dissidents.
Others are using them to aggressively silence and punish their critics, inside
and outside their borders.
“There’s no substantial regulation,” said Bill Marczak, a
senior fellow at the Citizen Lab at the University of Toronto’s Munk School of
Global Affairs, who has been tracking the spread of spyware around the globe.
“Any government who wants spyware can buy it outright or hire someone to
develop it for you. And when we see the poorest countries deploying spyware,
it’s clear money is no longer a barrier.”
Mr. Marczak examined Mr. Mansoor’s emails and found that,
before his arrest, he had been targeted by spyware sold by Finfisher and
Hacking Team, which sell surveillance tools to governments for comparably cheap
six- and seven-figure sums. Both companies sell tools that turn computers and
phones into listening devices that can monitor a target’s messages, calls and
whereabouts.
In 2011, in the midst of the Arab Spring, Mr. Mansoor was
arrested with four others on charges of insulting Emirate rulers. He and the
others had called for universal suffrage. They were quickly released and
pardoned following international pressure.
But Mr. Mansoor’s real troubles began shortly after his
release. He was beaten and robbed of his car, and $140,000 was stolen from his
bank account. He did not learn that he was being monitored until a year later,
when Mr. Marczak found the spyware on his devices.
“It was as bad as someone encroaching in your living
room, a total invasion of privacy, and you begin to learn that maybe you
shouldn’t trust anyone anymore,” Mr. Mansoor recalled.
Mr. Marczak was able to trace the spyware back to the
Royal Group, a conglomerate run by a member of the Al Nahyan family, one of the
six ruling families of the Emirates. Representatives from the Emirates Embassy
in Washington said they were still investigating the matter and did not return
requests for further comment.
Invoices from Hacking Team showed that through 2015, the
Emirates were Hacking Team’s second-biggest customers, behind only Morocco, and
they paid Hacking Team more than $634,500 to deploy spyware on 1,100 people.
The invoices came to light last year after Hacking Team itself was hacked and
thousands of internal emails and contracts were leaked online.
Eric Rabe, a spokesman for Hacking Team, said his company
no longer had contracts with the Emirates. But that is in large part because
Hacking Team’s global license was revoked this year by the Italian Ministry of
Economic Development.
For now, Hacking Team can no longer sell its tools
outside Europe and its chief executive, David Vincenzetti, is under
investigation for some of those deals.
New evidence suggests to Mr. Marczak that the Emirates
may now be developing their own custom spyware to monitor their critics at home
and abroad.
“The U.A.E. has gotten much more sophisticated since we
first caught them using Hacking Team software in 2012,” Mr. Marczak said.
“They’ve clearly upped their game. They’re not on the level of the United
States or the Russians, but they’re clearly moving up the chain.”
Late last year, Mr. Marczak was contacted by Rori
Donaghy, a London-based journalist who writes for the Middle East Eye, an
online news site, and a founder of the Emirates Center for Human Rights, an
independent organization that tracks human rights abuses in the Emirates. Mr.
Donaghy asked Mr. Marczak to examine suspicious emails he had received from a
fictitious organization called the Right to Fight. The emails asked him to
click on links about a panel on human rights.
Mr. Marczak found that the emails were laden with highly
customized spyware, unlike the off-the-shelf varieties he has become accustomed
to finding on the computers of journalists and dissidents. As Mr. Marczak
examined the spyware further, he found that it was being deployed from 67
different servers and that the emails had baited more than 400 people into
clicking its links and unknowingly loading its malware onto their machines.
He also found that 24 Emiratis were being targeted with
the same spyware on Twitter. At least three of those targeted were arrested
shortly after the surveillance began; another was later convicted of insulting
Emirate rulers in absentia.
Mr. Marczak and the Citizen Lab plan to release details
of the custom Emirates spyware online on Monday. He has developed a tool he
called Himaya — an Arabic word that roughly means “protection” — that will
allow others to see if they are being targeted as well.
Mr. Donaghy said he was frightened by Mr. Marczak’s
findings, but not surprised.
“Once you dig beneath the surface, you find an autocratic
state, with power centralized among a handful of people who have increasingly
used their wealth for surveillance in sophisticated ways,” Mr. Donaghy said.
The Emirates have cultivated an image as progressive
allies of the United States in the Middle East. Their rulers often highlight
their sizable foreign aid budget and their women’s rights efforts. But human
rights monitors say the Emirates have been aggressive in trying to neutralize
their critics.
“The U.A.E. has taken some of the most dramatic steps to
shut down individual human rights activists and dissenting voices,” said James
Lynch, the deputy director for Amnesty International’s program in the Middle
East and North Africa. “It is highly sensitive to its image and fully aware of
who is criticizing the country from abroad.”
Last summer, Mr. Lynch was invited to speak about labor
rights at a construction conference in Dubai and was turned away at the
airport. Officials did not give a reason, but he later saw that his deportation
certificate listed reasons of security.
Mr. Mansoor, who still resides in the Emirates, has been
outspoken about the use of spyware but is increasingly limited in what he can
do. He worries that anyone he speaks to will also become a target.
And more recently, the state has started punishing the
families of those who speak out, as well. In March, the Emirates revoked the
passports of three siblings whose father was charged with attempting to
overthrow the state.
“You’ll wake up one day and find yourself labeled a
terrorist,” Mr. Mansoor said. “Despite the fact you don’t even know how to put
a bullet inside a gun.”
A version of this article appears in print on May 30,
2016, on page B1 of the New York edition with the headline: Intimidating
Dissidents With Spyware.
Comments
Post a Comment