Governments turn to hacking techniques for surveillance of citizens

Friday 11 November 2011


In a luxury Washington, DC, hotel last month, governments from around the world gathered to discuss surveillance technology they would rather you did not know about. The annual Intelligence Support Systems (ISS) World Americas conference is a kind of mecca for representatives from intelligence agencies and law enforcement. But to the media or members of the public, it is strictly off limits.

Gone are the days when mere telephone wiretaps satisfied authorities’ intelligence needs. Behind the cloak of secrecy at the ISS World conference, tips are shared about the latest advanced “lawful interception” methods used to spy on citizens – computer hacking, covert bugging and GPS tracking. Smartphones, email, instant message services and free chat services such as Skype have revolutionised communication. This has been matched by the development of increasingly sophisticated surveillance technology.

Among the pioneers is Hampshire-based Gamma International, a core ISS World sponsor. In April, Gamma made headlines when Egyptian activists raided state security offices in Cairo and found documents revealing Gamma had in 2010 offered Hosni Mubarak's regime spy technology named FinFisher. The "IT intrusion" solutions offered by Gamma would have enabled authorities to infect targeted computers with a spyware virus so they could covertly monitor Skype conversations and other communications.

The use of such methods is more commonly associated with criminal hacking groups, who have used spyware and trojan horse viruses to infect computers and steal bank details or passwords. But as the internet has grown, intelligence agencies and law enforcement have adopted similar techniques.

“Traditionally communications flowed through phone companies, but consumers are increasingly using communications that operate outwith their jurisdiction. This changes the way interception is carried out … the current method of choice would seem to be spyware, or trojan horses,” says Chris Soghoian, a Washington-based surveillance and privacy expert. “There’s now a thriving outsourced surveillance industry and they are there to meet the needs and wants of countries from around the world, including those who are more – and less – respectful to human rights.”

In 2009, while a government employee, Soghoian attended ISS World. He made recordings of seminars and later published them online – which led him to be the subject of an investigation and, ultimately, cost him his Federal Trade Commission job. The level of secrecy around the sale of such technology by western companies, he believes, is cause for alarm.

“When there are five or six conferences held in closed locations every year, where telecommunications companies, surveillance companies and government ministers meet in secret to cut deals, buy equipment, and discuss the latest methods to intercept their citizens’ communications – that I think meets the level of concern,” he says. “They say that they are doing it with the best of intentions. And they say that they are doing it in a way that they have checks and balances and controls to make sure that these technologies are not being abused. But decades of history show that surveillance powers are abused – usually for political purposes.”

Another company that annually attends ISS World is Italian surveillance developer Hacking Team. A small, 35-employee software house based in Milan, Hacking Team's technology – which costs over £500,000 for a “medium-sized installation” – gives authorities the ability to break into computers or smartphones, allowing targeted systems to be remotely controlled. It can secretly enable the microphone on a targeted computer and even take clandestine snapshots using its webcam, sending the pictures and audio along with any other information – such as emails, passwords and word documents – back to the authorities for inspection. The smartphone version of the software has the ability to track a person’s movements via GPS as well as perform a function described as “remote audio spy”, effectively turning the phone into a bug without its user’s knowledge. The venture capital-backed company boasts that its technology can be used "country-wide" to monitor over 100,000 targets simultaneously, and cannot be detected by anti-virus software.

“Information such as address books or SMS messages or images or documents might never leave the device. Such data might never be sent to the network. The only way to get it is to hack the terminal device, take control of it and finally access to the relevant data,” says David Vincenzetti, founding partner of Hacking Team, who adds that the company has sold its software in 30 countries across five continents. "Our investors have set up a legal committee whose goal is to promptly and continuously advise us on the status of each country we are talking to. The committee takes into account UN resolutions, international treaties, Human Rights Watch and Amnesty International recommendations."

Three weeks ago Berlin-based hacker collective the Chaos Computer Club (CCC) exposed covert spy software used by German police forces similar to that offered by Hacking Team. The “Bundestrojaner [federal trojan]” software, which state officials confirmed had been used, gave law enforcement the power to gain complete control over an infected computer. The revelation prompted an outcry in Germany, as the use of such methods is strictly regulated under the country’s constitutional law. (A court ruling in 2008 established a “basic right to the confidentiality and integrity of information-technological systems”.)

“Lots of what intelligence agencies have been doing in the last few years is basically computer infiltration, getting data from computers and installing trojans on other people’s computers,” says Frank Rieger, a CCC spokesman. “It has become part of the game, and what we see now is a diffusion of intelligence methods into normal police work. We’re seeing the same mindset creeping in. They’re using the same surreptitious methods to gain knowledge without remembering that they are the police and they need to follow due process.”

In the UK there is legislation in place governing the use of all intrusive surveillance. Covert intelligence gathering by law enforcement or government agencies is currently regulated under the Regulation of Investigatory Powers Act (Ripa), which states that to intercept communications a warrant must be authorised by the Home Secretary and be deemed necessary and proportionate in the interests of national security, public safety or the economic well-being of the country. There were 1682 interception warrants approved by the Home Secretary in 2010, latest official figures show.

According to Jonathan Krause, an IT security expert who previously worked for Scotland Yard's hi-tech crime unit, bugging computers is becoming an increasingly important methodology for UK law enforcement. “There are trojans that will be customer written to get past usual security, firewalls, malware scanning and anti-virus devices, but these sorts of things will only be aimed at serious criminals,” he says.

Concerns remain, however, that despite export control regulations, western companies have been supplying high-tech surveillance software to countries where there is little – or no – legislation governing its use. In 2009, for instance, it was discovered that American developer SS8 had supplied the United Arab Emirates with smartphone spyware, after around 100,000 users were sent a bogus software update by telecommunications company Etisalat. The technology – if left undetected – would have enabled authorities to bypass Blackberry email encryption by mining communications from devices before they were sent.

Computer security researcher Jacob Appelbaum is well aware what it is like to be a target of covert surveillance. He is a core member of the Tor Project, which develops free internet anonymising software used by activists and government dissidents across the Middle East and north Africa to evade government monitoring. A former spokesman for WikiLeaks, Appelbaum has had his own personal emails scrutinised by the US government as part of an ongoing grand jury investigation into the whistleblower organisation. On 13 October he was in attendance at ISS World where he was hoping to arrange a presentation about Tor – only to be ejected after one of the surveillance companies complained about his presence.

“There’s something to be said about how these guys are not interested in regulating themselves and they’re interested in keeping people in the dark about what they’re doing,” he says. “These people are not unlike mercenaries. The companies don’t care about anything, except what the law says. In this case, if the law’s ambiguous, they’ll do whatever the law doesn’t explicitly deny. It’s all about money for them, and they don’t care.

“This tactical exploitation stuff, where they’re breaking into people’s computers, bugging them… they make these arguments that it’s good, that it saves lives. But we have examples that show this is not true. I was just in Tunisia a couple of days ago and I met people who told me that posting on Facebook resulted in death squads showing up in your house."

The growth in the use of these methods across the world, Appelbaum believes, means governments now have a vested interest in keeping computer users' security open to vulnerabilities. "Intelligence [agencies] want to keep computers weak as it makes it easier to surveil you," he says, adding that an increase in demand for such technology among law enforcement agencies is of equal concern.

“I don’t actually think breaking into the computer of a terrorist is the world’s worst idea – it might in fact be the only option – but these guys [surveillance technology companies] are trying to sell to any police officer," he says. "I mean, what business does the Baltimore local police have doing tactical exploitation into people’s computers? They have no business doing that. They could just go to the house, serve a warrant, and take the computer. This is a kind of state terror that is simply unacceptable in my opinion.”

Jerry Lucas, the president of the company behind ISS World, TeleStrategies, does not deny surveillance developers that attend his conference supply to repressive regimes. In fact, he is adamant that the manufacturers of surveillance technology, like Gamma International, SS8 and Hacking Team, should be allowed to sell to whoever they want.

“The surveillance that we display in our conferences, and discuss how to use, is available to any country in the world,” he says. “Do some countries use this technology to suppress political statements? Yes, I would say that’s probably fair to say. But who are the vendors to say that the technology is not being used for good as well as for what you would consider not so good.”

Would he be comfortable in the knowledge that regimes in Zimbabwe and North Korea were purchasing this technology from western companies? “That’s just not my job to determine who’s a bad country and who’s a good country. That’s not our business, we’re not politicians … we’re a for profit company. Our business is bringing governments together who want to buy this technology.”

TeleStrategies organises a number of conferences around the world, including in Europe, the Middle East and Asia Pacific. Every country has a need for the latest covert IT intrusion technology, according to Lucas, because modern criminal investigations cannot be conducted without it. He claims “99.9 per cent good comes from the industry” and accuses the media of not covering surveillance-related issues objectively.

“I mean, you can sell cars to Libyan rebels, and those cars and trucks are used as weapons. So should General Motors and Nissan wonder, ‘how is this truck going to be used?’ Why don’t you go after the auto makers?” he says. “It’s an open market. You cannot stop the flow of surveillance equipment.”

This article first appeared at: http://www.guardian.co.uk/technology/2011/nov/01/governments-hacking-techniques-surveillance

Bank Transfer Day

Thursday 3 November 2011


Bonfires and fireworks are what most people associate with 5 November. But this year the date has taken on a new meaning for thousands planning a mass boycott against some of the largest banks in the world.

Angry at corporate greed and unethical financial practices, over 60,000 have vowed to close their bank accounts on Guy Fawkes Day, pledging to transfer their money to local credit unions and co-operatives as an alternative.

The campaign was launched on 3 October by 27-year-old Los Angeles-based art gallery owner Kristen Christian, and has since gained backing from protesters involved in the anti-corporate “Occupy” movement in cities across America and Britain.

Christian was prompted into taking action after being repeatedly charged fees by the Bank of America that she felt were excessive. She started an event page on social networking website Facebook called “Bank Transfer Day”, which gained near-immediate popularity, spreading virally over the internet in a matter of days.

“I was tired of paying outrageous fees to banks for a severe lack of services,” she says. “The final straw came with the announcement of new monthly fees for any customers with less than $20,000 (£12,500) in combined accounts. It’s apparent this new policy directly targets the impoverished and working class.

“The structure of for-profit corporate banks is fundamentally flawed and a hindrance to a thriving economy. The goal of Bank Transfer Day is to shift funds to the local level before 5 November. These funds will allow credit unions to expand low-interest rate loans to private citizens and small to medium-sized businesses, encouraging economic growth on the local level.”

Credit unions, cooperative financial institutions owned and controlled by their members, are expected to enjoy a huge boom in the lead up to the boycott. Some have announced that they will be opening extended hours on 5 November, a Saturday.

“The anti-consumer practices of the large banks aren’t a new thing,” says Greg Smith, the president of PSECU, one of America’s largest credit unions. “Consumers are fed up, and we want to let them know that there are financial institutions out there like credit unions that can provide the same products and services their bank does, but instead of gouging them, we will do it fairly.”

Though Bank Transfer Day began as a protest against US banking institutions, it has tapped into a strong anti-banking sentiment also widespread across Europe.

London-based organisation Positive Money, which campaigns for banking reform, was quick to lend its backing. The group is encouraging British citizens to transfer their money from big banks such as Barclays and HSBC to smaller, mutually owned “ethical” institutions or building societies such as the Cooperative and Nationwide.

“Customers today don’t have any rights to say what their money can be used for. So the banks can use this money to invest in the arms industry and for projects that are damaging for the environment and for society as a whole,” says Mira Tekelova, a spokeswoman for Positive Money.

“Bank Transfer Day is about encouraging our supporters to chip away at the power and influence from the big banks by simply withdrawing financial support. It’s just a small step of what needs to be done.”

The campaign has come in for criticism from some, who have claimed it could lead to greater instability of an economy that is already failing and on the brink of possible collapse. However, according to Albrecht Ritschl, a professor of economic history at the London School of Economics, the boycott is not likely to bring about a major crisis.

“I could not imagine that this would be a big enough movement to really have far reaching consequences,” he says. “If they find enough people to join the boycott, then of course the boycotted banks will get into trouble because they will lose lots of deposits.

“If they concentrate on one particular institution, and the institution is small, then they could probably sink it. I would tend to think, though, unless I’m entirely mistaken, that this particular boycott movement will probably only have punctual or limited impact.”

Ritschl added that the ongoing protests were not likely to spark any self-regulated change from within the banking sector, but could force politicians to introduce stricter rules and regulations to appease public anger.

“I don’t think these protests will be entirely ineffective,” he says. “They do keep the discussion about bankers, the role of banks and the financial meltdown alive. They will add momentum to the quest for radical banking reform and bankers’ compensation schemes, so in that broader political sense I would tend to think that yes they will have an impact.”

Many of those participating in Bank Transfer Day have already taken it upon themselves to close their accounts – though some have been obstructed by their banks.

In October two women entered a Bank of America (BoA) branch in Santa Cruz, California, carrying a sign that read, “I am closing my BoA account today.” The police were called and the women were made to leave the branch after they were reportedly told by a member of staff, “you can’t be a protester and a customer at the same time.”

The bank said in a statement: “We do not allow protestors inside of our banking centres. If a customer who is participating in a protest wishes to conduct bank business, including close an account, we ask them to come back when they are not protesting or they may also conduct their bank business at a nearby branch away from protest activities."

One man the banks will have difficulty stopping from closing his account is Alex Schaefer, who is fully committed to the 5 November boycott. The 41-year-old American artist has become notorious in recent months for painting pictures of banks on fire – a symbolic reflection of US society’s incendiary anger over the financial crisis.

“It’s been slowly dawning on me since about 2003 or 2004 that the financial sector is totally out of control,” says Schaefer. “The ratings agencies [which assess the financial strength of companies] aren’t doing anything and the politicians are completely bought off. In my opinion they’re just sailing the ship into destruction.”

Schaefer, who previously worked as a video games artist for Disney, was questioned by police in July after he was spotted painting a picture of a burning bank in Burbank, Southern California. The authorities suspected he could be plotting a terrorist attack.

He explains: “They asked me ‘do you hate the banks?’. I told them: I don’t hate the banks but I think everybody is sick of this criminal business model that they’ve been operating for the last twenty years.

“Here are banks that are stealing and gambling billions and trillions of dollars, totally bailed out on the pocketbooks of the people. So why aren’t those guys getting their doors knocked on by the police. It’s an imbalance of justice.”

A similar bank boycott, Move Your Money, was launched in 2009 by the editor-in-chief of the US blog Huffington Post, Arianna Huffington. It encouraged Americans to put their money into credit unions to protest against risky investments made by bankers that led to the US government’s $700 billion (£440 billion) bailout in 2008. In a televised interview last year, Huffington said: “We've had lots of good speeches and lots of good rhetoric, but this is an opportunity for people to take action.”


This article first appeared in issue no.900 of The Big Issue in the North.