Latin American Governments Paid This Company to Spy on Their Citizens
The Italian spyware company Hacking Team provided services to governments across Latin America, some of which were used to spy on political dissenters, journalists, and other non-criminal targets, according to a new report.
The report, published this week by the Latin American digital rights organization Derechos Digitales, is based on an in-depth investigation into documents leaked when Hacking Team, itself, was hacked last year.
Along with client lists, communications, and other information gleaned from a massive data dump leaked by hacker Phineas Fisher in 2015, the report illustrates several specific examples where Hacking Team's services were explicitly directed by Latin American governments against political opponents.
Derechos Digitales argues that even outside of specific cases of abuse, the use of Hacking Team's spyware in the region, in general, should be considered illegal -- and at times even contributed to human rights violations.
Outsourced Government Surveillance
Hacking Team did a lot of business in Latin America, according to the leaked information assembled and published in the Derechos Digitales report.
The report shows governments across Latin America contracted with Hacking Team -- including state and federal government organizations in Mexico and Panama and intelligence agencies and police forces in Colombia, Ecuador, Honduras, Chile, and Brazil -- along with how much each country paid for the company's main service, a hacking and spyware tool offered by Hacking Team called the Remote Control System (RCS).
Hacking Team's RCS systems offer, in some respects, many of the same digital spying capabilities that powerful U.S. government agencies like the National Security Agency and the FBI have been shown to have. For example, RCS systems allow for remote monitoring of digital devices and communications by the company's clients, including covert collection of emails, text messages, location data, phone call histories, audio from phone calls, and keystroke logs.
Politically Motivated Spying
The most egregious cases of Hacking Team working with Latin American governments include evidence of the company explicitly working with clients to spy on specific, political, targets.
For example, emails from April, 2014 between an Ecuadorian intelligence agent and support staff at Hacking Team show the company and client discussing how to hack the communications of Carlos Figueroa, a well-known opponent of Ecuador's President Rafael Correa, without getting caught.
Figueroa later told the Associated Press that he had noticed problems with a lot of his digital communications, including and going beyond email.
"I had four email accounts and problems with all of them," he told the AP in 2015. "I also had problems with Facebook. At one point, it seems like they attacked all my communications on social media."
While no Ecuadorian state agencies had publicly obtained a court order to eavesdrop on the activist and dissident, Figueroa noticed irregularities at the time that now correlate with the conversation leaked from the company. "We all just assume our telephones are permanently tapped," he said. Indeed, one of the screenshots sent from Ecuador's intelligence agency to the company included an illustration named "MobilFigueroa," or Figueroa's cellphone.
Mexico, however, was the top Latin American customer for Hacking Team's spying systems. Over 11 different clients, including the country's federal intelligence agency, the Federal Police, the State Attorney and five state governments, were among Hacking Team's Mexican malware market, which grossed the company about 5.8 million euros, the equivalent of over 6.5 million U.S. dollars through the years.
In Mexico too, Derechos Digitales found evidence of political abuse of Hacking Team's RCS systems, especially among local governments. The governor of Puebla, Mexico, for example, used RCS to conduct surveillance on a slew of political opponents including academics and journalists.
It's also worth noting that in Mexico, it is not legal for any local governments or officials to use Hacking Team's services. Only federal authorities can intercept communications, according to Mexico's constitution, and only after being granted permission from a judge.
Legality and 'Legitimate' Uses
Many Latin American governments using the RCS were simple cases of surveillance against drug traffickers, terrorists, and other criminal elements or security threats.
That doesn't necessarily mean those use of RCS were legal, as Derechos Digitales interprets it. In an interview with Vice's Motherboard, Gisela Perez de Acha -- a lawyer and public policy analyst with Derechos Digitales who wrote the report -- called into question any use of Hacking Team's spyware in Latin America.
"It's illegal in the whole region," she said to Motherboard. "And it's illegal because [the use of the spyware] is not explicitly authorized."
Even when conducted with the court order by only federal agents, Derechos Digitales argues the use of RCS was illegitimate, likely illegal, and dangerous for democracy.
"The main goal of criminal investigation and intelligence systems is to safeguard security, peace, and the principles of each country," wrote Perez de Acha in the report. "However, when you use methods like malware, these goals are reached via secret and potential illegal mechanisms -- with little public discussion -- when, given its democratic goal, they ought to be the object of citizen control and accountability."