By Daniel Bedoya Arroyo, Security Incident Shift Lead; Javier Pallero, Policy Analyst; and Peter Micek, Senior Policy Counsel
Global surveillance is a global industry, and as the headlines yesterday revealed, repressive governments are often eager customers. Hacking Team, an Italian surveillance firm that sells tools that enable governments to break into computers and cell phones, was itself hacked, with nearly 500GB of internal documents released to the world. Previously, the company claimed it did not sell these tools to governments with repressive regimes. Digital rights organizations were skeptical, and thanks to the Citizen Lab’s investigations, many of us in the global community have been keeping close tabs on the situation.
Now, thanks the Hacking Team hack, there is clear evidence that the company does in fact sell to countries including Azerbaijan, Kazakhstan, Uzbekistan, Russia, Ecuador, Bahrain, Saudi Arabia, the Sudan, and the United Arab Emirates.
The sale of surveillance tools to rights-abusing regimes directly impacts users at risk, including journalists, bloggers, sexual rights activists, members of the LGBTIQ community, and human rights defenders. Below, we take a look at how people in these countries can protect themselves, and explore how companies and governments should respond.
How to defend yourself
It should come as no surprise that governments of repressive regimes are supplied with software that can record Voice over Internet Protocol (VoIP) calls, copy passwords, copy email and instant message conversations, and turn on a target’s camera and microphone. When governments are armed with such tools, the rights of people opposing the regime — such as people exposing corruption cases, or defending human rights — will often be abused. Tools like Hacking Team’s Remote Control System (RCS) put these people at risk of targeted surveillance and worse.
First, if you believe you may be at risk, and could possibly have a malware infection on your computer or phone, we urge you to contact Access for direct technical support at [email protected]
Second, even though some of the attack vectors used by Hacking Team are complicated, and undisclosed vulnerabilities are being used — making self-defense challenging — there are some things you can do to reduce your risk:
1.) Do not open unexpected attachments on emails or chats, even if they seem to come from a trusted contact. Be mindful that PDFs and DOC files can trigger installation of malicious software on your computer or phone.
2.) Do not install software from untrustworthy sources. When possible, use an encrypted HTTPS connection and Virtual Private Network (VPN) to download new software.
3.) Keep your system and applications up to date. Vendors and developers frequently fix security issues in the software you use, and if you don’t install the updates, your system remains vulnerable.
4.) If you need to connect to a public/insecure network, use a VPN service to protect yourself from adversaries on the local network.
5.) Consider installing browser plugins that improve your online safety, such as HTTPS Everywhere and NoScript.
6.) Although antivirus software is not able to detect all threats, especially the more sophisticated ones, it’s always a good idea to have up-to-date antivirus software running on your system. If you need help selecting a program, contact us for help.
How companies and governments should respond
The lack of corporate responsibility and public accountability mechanisms represent one of the greatest challenges in the fight for a human rights-based approach to surveillance.
Companies are subject to human rights obligations that require them to avoid causing or contributing to adverse human rights impacts. These rules, among others, are included in the Guiding Principles on Business and Human Rights [PDF], endorsed by the UN Human Rights Council in 2011.
If Hacking Team has indeed been providing surveillance technologies to regimes that don’t apply minimum human rights standards for the use of the technologies, the companies would then be responsible for contributing to human rights violations. Any company that is contributing to such violations should cease providing services to those governments, review company policies, and provide access to remedy to the people affected. Access has put together a plan with concrete actions for companies to take to provide remedy in such cases.
As for governments, international standards [PDF] mandate that governments protect against human rights abuses by third parties in their jurisdictions, including abuses by companies. This protection implies taking the necessary steps to prevent, investigate, and properly punish or redress any violations to fundamental rights. In this case, governments that exert jurisdiction over the Hacking Team corporation, its investors, or its business partners, should investigate the activities of the company and activate the proper accountability and redress instruments. Governments should also offer people access to remedy, in line with our implementation guide [PDF].
Finally, the 41 governments committed to the Wassenaar Arrangement (WA) should redouble efforts to stop the export of powerful surveillance technologies to governments that would use them to abuse human rights. Our recent paper offers recommendations for governments regarding the proliferation of dual use technology, including intrusion software like FinFisher, Hacking Team’s RCS, QuickTrail, and SS8 Interceptor. We’ll continue to monitor implementation of the agreement, and work for more transparency and accountability from surveillance tech makers.
Access calls on all surveillance technology makers to publish their client lists as a first step toward bridging the transparency gap in the sector.