The dubious but lucrative surveillance business
Surveillance of the Internet and telecommunications is above all the prerogative of governments that are on RSF’s list of Enemies of the Internet, regimes that cite “the nation’s vital interests” as grounds for being the most repressive in the world with regards to online freedom of information. The front runners are authoritarian regimes such as China, Iran, Syria and Uzbekistan, which have acquired and continue to acquire technology that allows them to spy on anything said or done by critical journalists, bloggers and Internet activists.
In countries that are regarded as democratic, such as France, the United Kingdom, United States, Australia and Mexico (see below), surveillance technology is used on security grounds and the confidentiality of journalists’ sources is under attack.
Is an ethical role for telecom companies in Iran possible?
Iran is one of the most repressive countries with regards to monitoring and controlling Internet users. A cyber-police force keeps a permanent eye on the Iranian public’s online activities. In the past three years, more than 100 Internet users, including many journalists and citizen journalists, have been arbitrarily summoned and arrested in various cities and some have been given harsh sentences.
Most of these journalists, both professional and non-professional, are the victims of surveillance technology known as Lawful Interception Management Systems (LIMS). But even under the Revolutionary Guard, this technology is used in an unlawful manner in Iran. In the wake of the historic accord on nuclear issues reached in January 2015, a growing number of telecom sector companies (including Vodafone, Telecom Italia, AT&T and Nokia) envisage investing in Iran. The French company Orange has begun talks on acquiring a stake in the leading Iranian mobile phone company MCI, which is controlled by the Revolutionary Guard, although it is vague about its intentions. “Like other international operators, the group is studying the opportunities offered by the Iranian market,” Orange has said. Vivaction is another French company that is in “the phase of rediscovering the market” in Iran. Richard Marry, one of its representatives said: “We have been going every month to Iran for more than 12 months to meet with the telecom ecosystem.”
Reza Moini, the head of RSF’s Iran-Afghanistan desk, comments: “With a mobile phone penetration rate of well over 100% and given that almost one household in two has a fixed line Internet connection, it is not only legitimate to ask what kind of presence international companies plan to establish in Iran but it is also essential that these companies are transparent about the accords they sign or are about to sign with the regime. We don’t want a repetition of the Nokia-Siemens and Ericsson cases.”
RSF issued a statement in September 2011criticizing the kind of cooperation that exists between many western companies and the Iranian regime and calling for international sanctions to be applied against them whenever it was established that the technology or infrastructure that they were installing in Iran allowed the regime to spy on and persecute the population.
Hacking Team and NSO: abetting Enemies of the Internet
In a special report on surveillance in March 2013, RSF for the first time spotlighted five “digital era mercenaries” – companies based in the United Kingdom, Germany, Italy, France and the United States whose products are used by repressive regimes to violate human rights and freedom of information. They included the Milan-based company Hacking Team, which sells “offensive” surveillance technology to Morocco and the United Arab Emirates that is used by their governments to spy on news websites and human rights activists.
HackingTeam was back in the news again in July 2015, when hackers got into its networks and obtained several hundred gigabytes of data, including many emails about its clients and the products being sold to them. The emails confirmed that France, Morocco, Sudan and Thailand and other countries were interested in its products, including Remote Control System (RCS), which was designed to enable government agencies to circumvent data encryption. The hacked emails also revealed that the Rwandan government had tried unsuccessfully to buy RCS in 2012. More surprisingly, they also showed that Mexico was HackingTeam’s biggest client, with 6 million dollars of purchases. The list of Mexican clients included the interior ministry, the federal police, the army, the navy, the domestic intelligence agency, the attorney-general’s office, state governments and even the state oil company PEMEX.
In response to the widespread adoption of governmental online surveillance in Mexico, the digital rights group Red en Defensa de los Derechos Digitales (R3D) brought a legal challenge on behalf of a group of journalists, human rights activists and students against a provision in the Federal Telecommunications Act that allows the authorities to retain large amounts of metadata without recourse to a judge. After Mexico’s supreme court rejected the challenge on 11 May 2016, the coalition appealed to the Inter-American Court of Human Rights. Journalists, bloggers and cyber-activists meanwhile continue to be vulnerable to spying by their government, whose dealings with Hacking Team clearly show that it is bent on mass surveillance of the Internet and telecommunications.
When questioned, the companies concerned – including Hacking Team in Italy – defended their activities by pointing to the need to combat terrorism and stating that they complied with the laws in the countries where they are based.
“This is not an adequate response, inasmuch as their technology continues to be used by authoritarian regimes that are Enemies of the Internet to spy on and imprison journalists,” Christophe Deloire said.
“Given the commercial relations that exist between many Mexican governmental entities and one of the leading exporters of surveillance technology, you cannot help wondering about the ability of Mexico’s journalists to do independent investigative reporting and protect their sources,” said Emmanuel Colombié, the head of RSF’s Latin America desk. “The lack of transparency on the part of the authorities on the intended use of this technology reinforces our concern. There must be safeguards against its systematic use to target news providers, media professionals, bloggers and human rights activists.”
Pegasus could obtain contacts, emails, text messages, the details and content of calls, and conversations on WhatsApp, Skype and even Telegram, which is reputed to be secure
Recent revelations suggest that the Mexican authorities used Pegasus, spyware developed by the Israeli company NSO, to spy on Rafael Cabrera, a Mexican investigative journalist working for various outlets including the Aristeguinoticias.com website. The existence of Pegasus was revealed in August 2016 by Citizen Lab and Lookout. By exploiting several iPhone security flaws (subsequently corrected), it could take complete control of the iPhone of any user who clicked on a malicious hypertext link sent by SMS. Pegasus could obtain contacts, emails, text messages, the details and content of calls, and conversations on WhatsApp, Skype and even Telegram, which is reputed to be secure. It could even remotely activate the phone’s camera and microphone and trace the phone’s location at any time.
“NSO helps make the world a safer place by providing authorized government agencies with technology that helps them combat terror and crime. Customers can use the product exclusively for the investigation and prevention of crime and terror. The ethical and lawful use of its product by the customers is of utmost importance to the company. In case of an alleged breach of the contract, the company will take appropriate action with the respective customer”, affirmations that RSF was not able to verify.
Pegasus was used to spy on Cabrera after he contributed to the investigative reporting that exposed the so-called “Mexican White House” scandal implicating President Enrique Peña Nieto’s family. According to the New York Times, the Mexican government paid 15 million dollars to NSO for three unspecified projects. Cabrera received several suspect messages asking him go to UNO TV’s headquarters and “informing” him that the president was considering bringing a defamation prosecution against the journalists involved in the “White House” investigation in order to have them jailed.
NSO claimed that the software it sold was solely used for legal surveillance. But, at the time that these revelations were taking place, Citizen Lab exposed a similar surveillance attempt targeting Ahmed Mansoor, an Emirati blogger and administration of Al-Hera, a democracy discussion forum. Mansoor received the same SMS on his iPhone 6 twice, on 10 and 11 August 2016, with a link that would supposedly provide him with information about human rights abuses by the Emirati government. Citizen Lab’s analysis of the SMS message established a connection to Pegasus and NSO.
"NSO helps make the world a safer place by providing authorized government agencies with technology that helps them combat terror and crime. Customers can use the product exclusively for the investigation and prevention of crime and terror. The ethical and lawful use of its product by the customers is of utmost importance to the company. In case of an alleged breach of the contract, the company will take appropriate action with the respective customer.", affirmations that RSF was not able to verify.