The irony of Hacking Team—an Italian company that sells surveillance software—being hacked (or as Wired put it, “disemboweled”) is delicious, especially given Hacking Team’s denials it sold to governments with notorious human rights records. Hacking Team still insists it broke no laws and has behaved ethically. Whether Hacking Team survives remains to be seen, but this episode’s importance extends beyond one company. What the hack revealed touches on important policy issues.
Cyber Surveillance Tools and Sanction Regimes
The disclosed materials indicate Hacking Team sold its wares to the Sudanese government and a state-owned Russian company that produces military radar. Marietje Schaake, member of the European Parliament, argues that the sale to Sudan violates sanctions imposed by the UN Security Council—sanctions implemented through EU law. Schaake also states that the sale to the Russian company appears to violate EU sanctions imposed in response to Russian activities in Ukraine.
Whether Hacking Team violated these sanctions I leave for others to decide, but the accusations suggest that future sanction regimes should explicitly cover the type of surveillance tools Hacking Team sold. In March 2015 correspondence, the UN Panel of Experts involved in monitoring the Sudan sanctions stated that Hacking Team’s software “may potentially” fall within the prohibited categories of “military equipment” or “assistance” related to prohibited items. This less-than-definitive phrasing invites questions about the interpretation of the UN sanctions. Such questions can be avoided in the future by including surveillance software within the scope of prohibitions imposed by UN sanctions.
Wassenaar Arrangement Rules on Intrusion Software
The Hacking Team disclosures focus new attention on rules adopted in December 2013 that subjected intrusion software to the Wassenaar Arrangement, an export-control regime for dual-use technologies involving forty-one countries. As Kim Zetter noted, this change sought “to restrict the sale and distribution of computer surveillance tools to oppressive regimes,” though some argue it could chill cybersecurity research. Experts identified Hacking Team products as falling within these new rules.
However, revelations that Hacking Team’s customers included countries with poor human rights records reinforce why the Wassenaar regime included intrusion software. The episode gives momentum to the Wassenaar approach of regulating cyber surveillance companies. While the momentum does not resolve the security research community’s concerns, the incident strengthens the position of governments and human rights groups interested in more regulation in this area.
The Future of Lawful Hacking
Hacking Team’s clients include not only repressive governments but also government agencies in democracies, including EU members and the United States, which connects the disclosures with controversies about “lawful hacking.” In June 2015, Senator Charles Grassley, Chair of the Senate Judiciary Committee, wrote to FBI Director James Comey seeking information about the FBI’s use of spyware, the legal justification that authorizes deployment of such software, and whether the FBI has purchased spyware from, among others, Hacking Team. The disclosure that the FBI has been a Hacking Team customer will intensify scrutiny of its use of hacking in criminal investigations. The same might occur in other countries where government agencies are listed as Hacking Team clients, such as Australia, Chile and Mexico. This trajectory will increase tensions building between government interest in exploiting digital technologies for law enforcement and advocates for privacy and other civil liberties.
International Human Rights in the Digital Age
The nature of Hacking Team’s products and the global scale of its sales make the leaked information important for international human rights. Concerns about the threat government surveillance poses to the use of digital technologies existed prior to the Hacking Team disclosures. But, like the Snowden leaks, these disclosures will heighten worries that governments are engaging in surveillance that violates human rights. In response to the disclosures, the UN Special Rapporteur on the Right to Freedom of Opinion and Expression tweeted that the documents revealed the depth and extent of digital attacks on civil society and underscored the importance of encryption and anonymity. The disclosures will also be important to the work of the newly appointed UN Special Rapporteur on the Right to Privacy.
Making It Too Easy for Authoritarian Regimes
Hacking Team might go out of business, but its demise would not affect how authoritarian governments behave. Much like Snowden’s leaks, the Hacking Team contretemps reinforces their perceptions of the hypocrisy of democracies. They can easily point out double standards: multiple U.S. government agencies are clients of a company that sells to a Sudanese regime accused of genocide, even after Hacking Team has been credibly accused of doing business with Sudan and other repressive governments? And it takes another spectacular criminal act to expose gaps between rhetoric about Internet freedom and the reality of governmental and private-sector behavior? Authoritarian governments do not need the travails of democracies to harness digital technologies for repression, but the democratic world’s struggles with these disruptive technologies are giving cyber repression too much space to metastasize.