Hacking Team hack raises important questions for development & ICT4D

by Tobias Denskus on July 15, 2015

in Student work

In his guest post, Italian ComDev student Adriano Pedrana shares his reflections on the Milano-based Hacking Team’s recent hack and why it matters for the development and ICT4D community.

Hacking Team being hacked. The news that the company that had specialized in providing spyware to governments and police forces was targeted by anonymous hackers broke last week. New details emerge as people go through 400 GB of their private data (mail, source code etc.) which have been hacked and made public, and some already predict that all that will remain of this company will be their video ad, which makes clear visual reference to the Anonymous hacker movement.

Hacking Team Commercial 3One of the things I regret about this piece of news is that it arrived with bad timing, when the Greek economic crisis captures everybody’s attention. Nevertheless there has been good news coverage. And there have already been some official reactions, such as an inspection by Italy’s data protection authorities (link in Italian) and a case being opened by a public prosecutor (whether against the hack or Hacking Team itself remains open at this stage).

The Hacking Team spokesperson stated that their software has now become a weapon in the hands of terrorist groups, an argument that Pedro Vilaça, an IT researcher, has called “PR bullshit”.

Hacking Team also asked their customers to stop using their software – though, some say, they could have done it themselves through a speculated backdoor under their control, which, if proved right, would give a huge monitoring power to a private company. Hacking team has denied the existence of such a backdoor in a press release on 8th July 2015.

What has this story to do with international development and ICT4D? After all, Hacking Team products were (said to be) used by police forces and governments solely against organized crime (with remarkable results, if we have to believe the software house’s official information). But the story behind the scenes seems to be a bit different.

The starting point is that software is not an innocent, long string of 1s and 0s. Some computer programs can definitely be used as a weapon as well. And this is not something new. In the 1990s, the US Export Regulations prohibited free trade of strong cryptographic software. Among other things, these rules blocked the legal spreading of the de-facto cryptographic standard PGP. To circumvent them, PGP inventor Philip Zimmermann had to print the whole software code in 12 books. In this form he could then send them abroad legally under the US First Amendment (the one protecting the freedom of speech). The books were then scanned abroad and reconverted to code lines. So the software could be reconstructed and distributed in a legal way all over the world (for more information about this story, click here). Nowadays US rules are more relaxed about cryptography, but they still prohibit some goods to be exported or sold to specific countries or people (further information here).

The UN also bans the export of certain products through ad hoc resolutions, and the EU has done the same. Most of these bans, though, are linked to weapon and weapon related products. But what about the type of software produced by Hacking Team? According to Privacy International, the UN consider this software as a weapon and have been investigating specifically on Hacking Team about a supply to intelligence in Sudan, which is subject to international embargo. Privacy International says that Hacking Team declared having stopped cooperating with Sudan at the end of 2014, though they have never replied on a specific UN request about their previous cooperation with government in Khartoum. Now, thanks to the hack it seems that there is proof of this cooperation with this and with other more or less oppressive regimes. Hacking Team staff internally labeled cooperation with Sudan and Russia as “not officially supported“, a sign that they were probably aware of various grey areas.

According to some news articles (here is one, in Italian), Hacking Team also lobbied the Italian Government in order to lift a ban on their products being exported because of EU regulations. They were successful, showing to have more than one ‘friend’ in the world of politics. This may also be one of the reasons why Hacking Team has been financed by the regional government of Lombardy, through Finlombardia Gestioni a venture capital fund aimed at companies based in the region. You can see the name of Hacking Team appearing in Finlombardia’s investment porfolio.

Moreover, Citizen Lab has published extensive material that suggests that Hacking Team products were used to spy on journalists, the media and dissidents.

These are some of the links between Hacking Team scandal and international development, human rights and foreign policy. What could happen now? Hacking Team is trying to save their business and fight back. Its CEO has accused Wikileaks’ founder Julian Asssange (where his company’s email are freely searchable): “he should be arrested, he is the bad guy”.
On a more general basis, as Tobias Denskus has pointed out on his blog, the Hacking Team story has all the ingredients to trigger an interesting debate, as well as, hopefully, some change in the way legislation is applied to this type of digital weapons. The end result could be a better consistency between EU, development and human rights discourses and the practice of exporting technology and software which have a real potential to undermine said policies.

My personal opinion (for what it’s worth) is that all this fuss will instead distract the attention from other, lesser known companies working in the same field. After the scapegoat is sacrificed to the altar of the media outrage, the survivors will be able to go on “business-as-usual”, with the extra advantage of sharing a probably considerable pool of former Hacking Team clients, who will also be eager to continue doing what they have done ’till now, no questions asked.
Nor answered.

This post is an edited version of a post Adriano shared on LinkedIn. We are always interested in guest blog posts and comments from students, alumni & friends-so please feel free to comment below or get in touch with us directly!

Previous post:

Next post: