Spyware Firms In Breach Of Export Sanctions

Spy equipment producers are breaking laws and circumventing international sanctions by agreeing to sell stock to countries known for human rights abuses, and to clients who do not declare the end user.

This means surveillance tools could easily fall into the hands of armed groups, corporations, governments cracking down on dissent, or opposition leaders, an exclusive investigation by Al Jazeera reveals.

During Spy Merchants, a four-month undercover operation, Al Jazeera secretly filmed representatives of two Italian companies and one Chinese business agreeing to sell spyware that is capable of tracking millions of people online and able to intercept phone calls and text messages without anyone finding out.

The vendors boasted of being able to side-step the law by using sister and shell companies and explained how to possibly circumvent export regulations by lying about the details of shipments and using third countries exempted from certain rules as stopping places.

Posing undercover as a middle man buying equipment for the South Sudanese and Iranian governments, our reporter James (not his real name) was able to negotiate deals to acquire surveillance tools that Iran is prohibited from buying and that would cause serious human rights concerns in South Sudan.

The two Italian companies, IPS and AREA, indicated that they were open to the possibility of violating European laws to sell equipment that would end up in the hands of Iranian and South Sudanese clients, where they could potentially be used to spy on citizens.

China-based business Semptian, meanwhile, was ready to sell spying gear worth nearly $3 million without knowing who the recipient would be.

When our reporter asked Semptian cofounder Frank Feng if previous buyers had used shell companies, Feng responded: "We have done it. We don't know who is the private company and who is the end user. And we don't care about it. This way is good, because we have done it before."

Nuclear weapons of 21st century

Former British intelligence officer Julian Richards described powerful surveillance tools as "the nuclear weapons of the 21st century".

"These are the things that states that want to get ahead in, in their security capabilities. These are the things they'll pay big money for," he told Al Jazeera.

The equipment these surveillance companies make is used to monitor phone and internet traffic on a large scale.

The so-called IMSI catchers and IP Intercept systems are respectively used to listen in on phone calls and text messages, and can be used to spy on the internet usage of millions of people.

"When these technologies end up in the wrong hands. They end up with agencies which have a very proven and bloody history of repression and human rights abuse," Claire Lauterbach, a researcher at Privacy International, told Al Jazeera.

"It's truly remarkable, when you consider what the implications of this might be."

The surveillance systems do have legitimate uses for intelligence and law enforcement agencies, but they are often used by repressive governments to track political dissidents.

"I found that activists, students, journalists, opposition figures in North Africa and the Middle East would be [targeted] and sometimes be imprisoned as a result of these systems coming from Europe," said Marietje Schaake, a member of the European parliament focused on foreign affairs trade and technology.
After viewing Al Jazeera's investigation, she said: "I found that unacceptable then, and I find it unacceptable today."

The companies our undercover reporter approached seemingly had no problem in forging documents to make sure the deal would go ahead.

"First, we are ok with Iran. Of course, it's subject to export restriction. But this is something that we can manage," said IPS sales manager Ugo Santillo.

By using a sister company and describing the hardware sold by IPS as a "traffic management system", IPS said it could sell IP intercept systems to Iran.

In response to these allegations, IPS told Al Jazeera that they operate with full respect of the regulations.

They added: "We had no intention of completing this or any deal with the individual our staff met with. Any deal that we may have discussed with him would have to be dependent on obtaining the full legal authorisation from the authorities."

Freedom of speech curtailed

AREA, meanwhile, was prepared to discuss selling IMSI catchers, tools that can spy on mobile phones without users' knowledge, to South Sudan, despite serious human rights concerns and EU sanctions.

In South Sudan, according to Human Rights Watch , government forces and opposition fighters "committed serious abuses against civilians" in the civil war, and authorities there "harass, intimidate, and arbitrarily arrest and detain journalists".

Pagan Amum, a South Sudanese politician, was forced to flee the country in 2013 when the war began after becoming the target of government surveillance. He was arrested and accused of plotting a coup.

"The government with that surveillance has reduced the political space for our citizens to speak, the right of freedom of speech has been curtailed, even to speak in private," he told Al Jazeera.

"To conduct this surveillance, in violation of the law, this is absolutely very dangerous, it becomes actually, just like weapons of mass destruction," he said.

AREA explained what it described as a typical industry tactic: theoretically one could sell surveillance equipment by getting a licence to export to Tanzania , it said, from where the IMSI catcher would be "donated" as a "gift" to South Sudan.

Ultimately, AREA did nothing more than set up a meeting with a Turkish partner, BTT.

To obtain this export license the Turkish partner, offered to lie by stating that the hardware is telecom equipment and not used to spy on people.

"I say this is dual use telecom equipment, okay," BTT's Alper Tosun told our reporter. "And most of the time, it is telecom testing equipment. This is the main purpose that I am declaring."

Absolutely unacceptable

In the past, AREA has been caught selling spy equipment to a country with a history of abusing its citizens.

In 2011, the company made a deal with the Syrian government worth almost $14 million.

Although AREA claimed it had a valid export license to supply Syria, company executives were recently accused of falsifying export documents relating to the 2011 deal.

"I find it absolutely unacceptable that there are people willing to sell to places where human rights violations are obvious," said MEP Schaake.

In the case of South Sudan, she said, the country "is on the brink of massive violence. I do believe that every individual, no matter who their employer is, should really look at themselves in the mirror and wonder, 'What am I doing?'"

BTT did not respond when asked for comment about these allegations.

AREA said it "works with the relevant governments to ensure the proper export and legal use of our equipment."

The company declined further comment until seeing the evidence.

Huge effects for democracy

Semptian, the Chinese company, was also ready to sell IMSI catchers.

At one point, impatient company cofounder Feng encouraged our reporter to buy sooner rather than later because he had to reach a sales "performance" target.

Using a shell company, Semptian was ready to sell our reporter 10 IMSI catchers without knowing who would end up using the spying tools.

To remain anonymous, Feng told our undercover reporter that the company would remove all logos and branding from the surveillance equipment.

Semptian did not respond to a request for comment for this programme.

"Anyone with enough money is able to buy these highly sophisticated systems which could proliferate all over the world. I would like to see more accountability and transparency in this very, very dark and dangerous market," said MEP Schaake.

For Privacy International's Lauterbach, continued illegal trading of surveillance could threaten the foundations of many societies.

"If we can't find a way to bring surveillance and the practice of surveillance within the rule of law, it's going to have huge effects for democracy," she said.

After Spy Merchants was completed, Al Jazeera received a letter from lawyers acting for IPS denying all wrongdoing. They specifically denied that Chief Executive Officer Fabio Romani or any other person in a position of authority at IPS ever attempted to sell its products and services in Iran.

Al Jazeera

You Might Also Read:

We Are In A New Era Of Espionage:

The Future of Government Surveillance - Looks Like This:

Phineas Fisher Fingered: Hacking the Turkish Government:

Hacking Team Inside Job:

African States Quick To Adopt Network Surveillance:

 

 

« Around Half Of Human Jobs Can Be Automated Now
Turkey Blocks Wikipedia »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Masergy Communications

Masergy Communications

Masergy delivers hybrid networking, managed security and cloud communication solutions to enterprises around the globe.

Privitar

Privitar

Privitar is leading the development and adoption of privacy engineering technology enabling our customers to innovate and leverage data with an uncompromising approach to data privacy.

CloudAlly

CloudAlly

CloudAlly provides online cloud to cloud backup and recovery solutions, which backs up daily changes in your SaaS to unlimited Amazon S3 storage and makes it available for restore or export.

Communications Authority of Kenya

Communications Authority of Kenya

The Authority is responsible for facilitating the development of the information and communications sectors including; broadcasting, telecommunications, electronic commerce and cybersecurity.

Randori

Randori

Randori is an attack platform that provides "red-teaming" as a service - basically, staging simulated hack attacks to test for vulnerabilities and gaps in the security response.

Level Effect

Level Effect

Level Effect is developing new capabilities to bring a unique perspective on proactive network defense and advanced security analytics.

Software Diversified Services (SDS)

Software Diversified Services (SDS)

SDS provides the highest quality mainframe software and award-winning, expert service with an emphasis on security, encryption, monitoring, and data compression.

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Virtue Security

Virtue Security

Virtue Security are specialists in web application penetration testing.

Financial Services Information Sharing and Analysis Center (FS-ISAC)

Financial Services Information Sharing and Analysis Center (FS-ISAC)

The Financial Services Information Sharing and Analysis Center is the only global cyber intelligence sharing community solely focused on financial services.

BlackFog

BlackFog

BlackFog is a leader in device data privacy, data security and ransomware prevention. Our behavioral analysis and anti data exfiltration technology stops hackers before they even get started.

Blackpanda

Blackpanda

Blackpanda is Asia’s premier cyber security incident response group, hyper-focused on digital forensics and cyber crisis response.

Agile Defense

Agile Defense

Agile Defense is an Information Technology services provider, delivering leading-edge Digital Transformation solutions to the Federal Government.

Kong

Kong

Kong - powering the API world. Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

Waterleaf International

Waterleaf International

Waterleaf provide advanced network and cybersecurity solutions - informed by data sciences. Transforming Connectivity, Security and Information for Municipalities, Government & Enterprise.

CyberAntix

CyberAntix

CyberAntix offers Premium CyberSecurity for your business using an advanced Security Operations Centre technology and process platform reinforced by a steadfast and expert SOC team.