Spyware Firms In Breach Of Export Sanctions

Spy equipment producers are breaking laws and circumventing international sanctions by agreeing to sell stock to countries known for human rights abuses, and to clients who do not declare the end user.

This means surveillance tools could easily fall into the hands of armed groups, corporations, governments cracking down on dissent, or opposition leaders, an exclusive investigation by Al Jazeera reveals.

During Spy Merchants, a four-month undercover operation, Al Jazeera secretly filmed representatives of two Italian companies and one Chinese business agreeing to sell spyware that is capable of tracking millions of people online and able to intercept phone calls and text messages without anyone finding out.

The vendors boasted of being able to side-step the law by using sister and shell companies and explained how to possibly circumvent export regulations by lying about the details of shipments and using third countries exempted from certain rules as stopping places.

Posing undercover as a middle man buying equipment for the South Sudanese and Iranian governments, our reporter James (not his real name) was able to negotiate deals to acquire surveillance tools that Iran is prohibited from buying and that would cause serious human rights concerns in South Sudan.

The two Italian companies, IPS and AREA, indicated that they were open to the possibility of violating European laws to sell equipment that would end up in the hands of Iranian and South Sudanese clients, where they could potentially be used to spy on citizens.

China-based business Semptian, meanwhile, was ready to sell spying gear worth nearly $3 million without knowing who the recipient would be.

When our reporter asked Semptian cofounder Frank Feng if previous buyers had used shell companies, Feng responded: "We have done it. We don't know who is the private company and who is the end user. And we don't care about it. This way is good, because we have done it before."

Nuclear weapons of 21st century

Former British intelligence officer Julian Richards described powerful surveillance tools as "the nuclear weapons of the 21st century".

"These are the things that states that want to get ahead in, in their security capabilities. These are the things they'll pay big money for," he told Al Jazeera.

The equipment these surveillance companies make is used to monitor phone and internet traffic on a large scale.

The so-called IMSI catchers and IP Intercept systems are respectively used to listen in on phone calls and text messages, and can be used to spy on the internet usage of millions of people.

"When these technologies end up in the wrong hands. They end up with agencies which have a very proven and bloody history of repression and human rights abuse," Claire Lauterbach, a researcher at Privacy International, told Al Jazeera.

"It's truly remarkable, when you consider what the implications of this might be."

The surveillance systems do have legitimate uses for intelligence and law enforcement agencies, but they are often used by repressive governments to track political dissidents.

"I found that activists, students, journalists, opposition figures in North Africa and the Middle East would be [targeted] and sometimes be imprisoned as a result of these systems coming from Europe," said Marietje Schaake, a member of the European parliament focused on foreign affairs trade and technology.
After viewing Al Jazeera's investigation, she said: "I found that unacceptable then, and I find it unacceptable today."

The companies our undercover reporter approached seemingly had no problem in forging documents to make sure the deal would go ahead.

"First, we are ok with Iran. Of course, it's subject to export restriction. But this is something that we can manage," said IPS sales manager Ugo Santillo.

By using a sister company and describing the hardware sold by IPS as a "traffic management system", IPS said it could sell IP intercept systems to Iran.

In response to these allegations, IPS told Al Jazeera that they operate with full respect of the regulations.

They added: "We had no intention of completing this or any deal with the individual our staff met with. Any deal that we may have discussed with him would have to be dependent on obtaining the full legal authorisation from the authorities."

Freedom of speech curtailed

AREA, meanwhile, was prepared to discuss selling IMSI catchers, tools that can spy on mobile phones without users' knowledge, to South Sudan, despite serious human rights concerns and EU sanctions.

In South Sudan, according to Human Rights Watch , government forces and opposition fighters "committed serious abuses against civilians" in the civil war, and authorities there "harass, intimidate, and arbitrarily arrest and detain journalists".

Pagan Amum, a South Sudanese politician, was forced to flee the country in 2013 when the war began after becoming the target of government surveillance. He was arrested and accused of plotting a coup.

"The government with that surveillance has reduced the political space for our citizens to speak, the right of freedom of speech has been curtailed, even to speak in private," he told Al Jazeera.

"To conduct this surveillance, in violation of the law, this is absolutely very dangerous, it becomes actually, just like weapons of mass destruction," he said.

AREA explained what it described as a typical industry tactic: theoretically one could sell surveillance equipment by getting a licence to export to Tanzania , it said, from where the IMSI catcher would be "donated" as a "gift" to South Sudan.

Ultimately, AREA did nothing more than set up a meeting with a Turkish partner, BTT.

To obtain this export license the Turkish partner, offered to lie by stating that the hardware is telecom equipment and not used to spy on people.

"I say this is dual use telecom equipment, okay," BTT's Alper Tosun told our reporter. "And most of the time, it is telecom testing equipment. This is the main purpose that I am declaring."

Absolutely unacceptable

In the past, AREA has been caught selling spy equipment to a country with a history of abusing its citizens.

In 2011, the company made a deal with the Syrian government worth almost $14 million.

Although AREA claimed it had a valid export license to supply Syria, company executives were recently accused of falsifying export documents relating to the 2011 deal.

"I find it absolutely unacceptable that there are people willing to sell to places where human rights violations are obvious," said MEP Schaake.

In the case of South Sudan, she said, the country "is on the brink of massive violence. I do believe that every individual, no matter who their employer is, should really look at themselves in the mirror and wonder, 'What am I doing?'"

BTT did not respond when asked for comment about these allegations.

AREA said it "works with the relevant governments to ensure the proper export and legal use of our equipment."

The company declined further comment until seeing the evidence.

Huge effects for democracy

Semptian, the Chinese company, was also ready to sell IMSI catchers.

At one point, impatient company cofounder Feng encouraged our reporter to buy sooner rather than later because he had to reach a sales "performance" target.

Using a shell company, Semptian was ready to sell our reporter 10 IMSI catchers without knowing who would end up using the spying tools.

To remain anonymous, Feng told our undercover reporter that the company would remove all logos and branding from the surveillance equipment.

Semptian did not respond to a request for comment for this programme.

"Anyone with enough money is able to buy these highly sophisticated systems which could proliferate all over the world. I would like to see more accountability and transparency in this very, very dark and dangerous market," said MEP Schaake.

For Privacy International's Lauterbach, continued illegal trading of surveillance could threaten the foundations of many societies.

"If we can't find a way to bring surveillance and the practice of surveillance within the rule of law, it's going to have huge effects for democracy," she said.

After Spy Merchants was completed, Al Jazeera received a letter from lawyers acting for IPS denying all wrongdoing. They specifically denied that Chief Executive Officer Fabio Romani or any other person in a position of authority at IPS ever attempted to sell its products and services in Iran.

Al Jazeera

You Might Also Read:

We Are In A New Era Of Espionage:

The Future of Government Surveillance - Looks Like This:

Phineas Fisher Fingered: Hacking the Turkish Government:

Hacking Team Inside Job:

African States Quick To Adopt Network Surveillance:

 

 

« Around Half Of Human Jobs Can Be Automated Now
Turkey Blocks Wikipedia »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

mnemonic

mnemonic

mnemonic helps businesses manage their security risks, protect their data and defend against cyber threats.

cPacket Networks

cPacket Networks

cPacket’s distributed intelligence enables network operators to proactively identify imminent issues before they negatively impact end-users.

Bangladesh Association of Software & Information Services (BASIS)

Bangladesh Association of Software & Information Services (BASIS)

BASIS is the national trade body for Software & IT Enabled Service industry of Bangladesh.

Cyber Forensic & Investigation (CFI)

Cyber Forensic & Investigation (CFI)

Cyber Forensic & Investigation (CFI) is recognized as Thailand’s leader in cyber investigations and digital forensics.

Alyne

Alyne

Alyne is a Munich based 2B RegTech offering organisations risk insight capabilities through a Software as a Service.

CybernetIQ

CybernetIQ

CLAW by CybernetIQ is the industry's most advanced SOAR platform helping unify all cybersecurity tools under one umbrella and providing organizations faster, better and more accurate cybersecurity.

Osirium

Osirium

The Osirium PxM Privileged Access Management platform addresses both security and compliance requirements by defining who gets access to what and when.

Ensconce Data Technology (EDT)

Ensconce Data Technology (EDT)

EDT’s focus is on providing solutions to properly sanitize Solid State Drives (SSD) and Magnetic Drives (HDD) before they are disposed or redeployed.

Cryptoloc

Cryptoloc

Cryptoloc's core business is developing solutions designed to protect businesses from all kinds of security threats using a unique patented cryptography.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

Centre for Cyber Security Research and Innovation (CSRI) - Deakin University

CSRI solves the cyber security threats of tomorrow, today. We work with industry and government leaders on innovative research that has real-world impact.

Concourse Labs

Concourse Labs

Concourse Labs Security Guardrails continuously verify cloud infrastructure and workloads. Continuously assess clouds for security, resiliency, and regulatory compliance.

GM Sectec

GM Sectec

GM Sectec is the world's largest independent Cyber Defense and Fraud Prevention firm laser focused on payment security.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

Fernao Group

Fernao Group

Fernao offer you all solutions from a single source - from cyber security, business resilience and digital infrastructure to cloud technologies and pentesting.

Neptune Shield

Neptune Shield

Neptune Shield's mission is to deliver cutting edge Maritime focused Cyber Security & Threat Protection through our Hampton Roads based Tech & Cyber Security Hub.