Spyware Firms In Breach Of Export Sanctions

Spy equipment producers are breaking laws and circumventing international sanctions by agreeing to sell stock to countries known for human rights abuses, and to clients who do not declare the end user.

This means surveillance tools could easily fall into the hands of armed groups, corporations, governments cracking down on dissent, or opposition leaders, an exclusive investigation by Al Jazeera reveals.

During Spy Merchants, a four-month undercover operation, Al Jazeera secretly filmed representatives of two Italian companies and one Chinese business agreeing to sell spyware that is capable of tracking millions of people online and able to intercept phone calls and text messages without anyone finding out.

The vendors boasted of being able to side-step the law by using sister and shell companies and explained how to possibly circumvent export regulations by lying about the details of shipments and using third countries exempted from certain rules as stopping places.

Posing undercover as a middle man buying equipment for the South Sudanese and Iranian governments, our reporter James (not his real name) was able to negotiate deals to acquire surveillance tools that Iran is prohibited from buying and that would cause serious human rights concerns in South Sudan.

The two Italian companies, IPS and AREA, indicated that they were open to the possibility of violating European laws to sell equipment that would end up in the hands of Iranian and South Sudanese clients, where they could potentially be used to spy on citizens.

China-based business Semptian, meanwhile, was ready to sell spying gear worth nearly $3 million without knowing who the recipient would be.

When our reporter asked Semptian cofounder Frank Feng if previous buyers had used shell companies, Feng responded: "We have done it. We don't know who is the private company and who is the end user. And we don't care about it. This way is good, because we have done it before."

Nuclear weapons of 21st century

Former British intelligence officer Julian Richards described powerful surveillance tools as "the nuclear weapons of the 21st century".

"These are the things that states that want to get ahead in, in their security capabilities. These are the things they'll pay big money for," he told Al Jazeera.

The equipment these surveillance companies make is used to monitor phone and internet traffic on a large scale.

The so-called IMSI catchers and IP Intercept systems are respectively used to listen in on phone calls and text messages, and can be used to spy on the internet usage of millions of people.

"When these technologies end up in the wrong hands. They end up with agencies which have a very proven and bloody history of repression and human rights abuse," Claire Lauterbach, a researcher at Privacy International, told Al Jazeera.

"It's truly remarkable, when you consider what the implications of this might be."

The surveillance systems do have legitimate uses for intelligence and law enforcement agencies, but they are often used by repressive governments to track political dissidents.

"I found that activists, students, journalists, opposition figures in North Africa and the Middle East would be [targeted] and sometimes be imprisoned as a result of these systems coming from Europe," said Marietje Schaake, a member of the European parliament focused on foreign affairs trade and technology.
After viewing Al Jazeera's investigation, she said: "I found that unacceptable then, and I find it unacceptable today."

The companies our undercover reporter approached seemingly had no problem in forging documents to make sure the deal would go ahead.

"First, we are ok with Iran. Of course, it's subject to export restriction. But this is something that we can manage," said IPS sales manager Ugo Santillo.

By using a sister company and describing the hardware sold by IPS as a "traffic management system", IPS said it could sell IP intercept systems to Iran.

In response to these allegations, IPS told Al Jazeera that they operate with full respect of the regulations.

They added: "We had no intention of completing this or any deal with the individual our staff met with. Any deal that we may have discussed with him would have to be dependent on obtaining the full legal authorisation from the authorities."

Freedom of speech curtailed

AREA, meanwhile, was prepared to discuss selling IMSI catchers, tools that can spy on mobile phones without users' knowledge, to South Sudan, despite serious human rights concerns and EU sanctions.

In South Sudan, according to Human Rights Watch , government forces and opposition fighters "committed serious abuses against civilians" in the civil war, and authorities there "harass, intimidate, and arbitrarily arrest and detain journalists".

Pagan Amum, a South Sudanese politician, was forced to flee the country in 2013 when the war began after becoming the target of government surveillance. He was arrested and accused of plotting a coup.

"The government with that surveillance has reduced the political space for our citizens to speak, the right of freedom of speech has been curtailed, even to speak in private," he told Al Jazeera.

"To conduct this surveillance, in violation of the law, this is absolutely very dangerous, it becomes actually, just like weapons of mass destruction," he said.

AREA explained what it described as a typical industry tactic: theoretically one could sell surveillance equipment by getting a licence to export to Tanzania , it said, from where the IMSI catcher would be "donated" as a "gift" to South Sudan.

Ultimately, AREA did nothing more than set up a meeting with a Turkish partner, BTT.

To obtain this export license the Turkish partner, offered to lie by stating that the hardware is telecom equipment and not used to spy on people.

"I say this is dual use telecom equipment, okay," BTT's Alper Tosun told our reporter. "And most of the time, it is telecom testing equipment. This is the main purpose that I am declaring."

Absolutely unacceptable

In the past, AREA has been caught selling spy equipment to a country with a history of abusing its citizens.

In 2011, the company made a deal with the Syrian government worth almost $14 million.

Although AREA claimed it had a valid export license to supply Syria, company executives were recently accused of falsifying export documents relating to the 2011 deal.

"I find it absolutely unacceptable that there are people willing to sell to places where human rights violations are obvious," said MEP Schaake.

In the case of South Sudan, she said, the country "is on the brink of massive violence. I do believe that every individual, no matter who their employer is, should really look at themselves in the mirror and wonder, 'What am I doing?'"

BTT did not respond when asked for comment about these allegations.

AREA said it "works with the relevant governments to ensure the proper export and legal use of our equipment."

The company declined further comment until seeing the evidence.

Huge effects for democracy

Semptian, the Chinese company, was also ready to sell IMSI catchers.

At one point, impatient company cofounder Feng encouraged our reporter to buy sooner rather than later because he had to reach a sales "performance" target.

Using a shell company, Semptian was ready to sell our reporter 10 IMSI catchers without knowing who would end up using the spying tools.

To remain anonymous, Feng told our undercover reporter that the company would remove all logos and branding from the surveillance equipment.

Semptian did not respond to a request for comment for this programme.

"Anyone with enough money is able to buy these highly sophisticated systems which could proliferate all over the world. I would like to see more accountability and transparency in this very, very dark and dangerous market," said MEP Schaake.

For Privacy International's Lauterbach, continued illegal trading of surveillance could threaten the foundations of many societies.

"If we can't find a way to bring surveillance and the practice of surveillance within the rule of law, it's going to have huge effects for democracy," she said.

After Spy Merchants was completed, Al Jazeera received a letter from lawyers acting for IPS denying all wrongdoing. They specifically denied that Chief Executive Officer Fabio Romani or any other person in a position of authority at IPS ever attempted to sell its products and services in Iran.

Al Jazeera

You Might Also Read:

We Are In A New Era Of Espionage:

The Future of Government Surveillance - Looks Like This:

Phineas Fisher Fingered: Hacking the Turkish Government:

Hacking Team Inside Job:

African States Quick To Adopt Network Surveillance:

 

 

« Around Half Of Human Jobs Can Be Automated Now
Turkey Blocks Wikipedia »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

Cyber8Lab

Cyber8Lab

Cyber8Lab provides cybersecurity training programmes simulating real world cybersecurity incidents such as web defacement, malware, phishing, digital forensics analysis and wireless intrusion.

DCIT

DCIT

DCIT is a specialist in providing comprehensive consulting and auditing services in the field of information technology, PROVYS development software and security system AuditSquare.

Baffle

Baffle

Baffle is pioneering a solution that makes data breaches irrelevant by keeping data encrypted from production through processing.

BetterCloud

BetterCloud

BetterCloud puts IT in control of the modern workplace through user lifecycle management, data discovery, and IT and security automation purpose-built for SaaS.

mPrest

mPrest

mPrest is a global provider of mission-critical monitoring and control solutions for the defense, security, utility and Industrial Internet of Things (IoT) sectors.

ProWriters

ProWriters

As a leading cyber insurance company, ProWriters offers flexible Cyber Liability Insurance coverage designed to cover privacy, data, and network exposures.

Clone Systems

Clone Systems

Clone Systems is an award winning global cloud based managed security as a service provider.

Dynatrace

Dynatrace

Dynatrace provides software intelligence to simplify cloud complexity and accelerate digital transformation.

Willyama Services

Willyama Services

Willyama Services is a certified Information Technology and Cybersecurity professional services business providing services to government and private sector clients.

Secjur

Secjur

Secjur is a provider of AI-based compliance tools that aim to put compliance, data protection, information security and whistleblowing on autopilot.

AArete

AArete

AArete is a global management and technology consulting firm specializing in strategic profitability improvement, digital transformation, and advisory services.

NetRise

NetRise

NetRise was founded as a direct result of the many shortcomings currently in the device security market, specifically targeting the firmware of devices.

WeVerify

WeVerify

WeVerify is a platform for collaborative, decentralised content verification, tracking, and debunking.

Arculus Cyber Security

Arculus Cyber Security

Arculus Cyber Security enables customers to securely realise the benefits of digital transformation through pragmatic solutions, guidance and services.

Seers

Seers

Seers is the world’s leading privacy & consent management platform for companies worldwide. Trusted by over 50,000+ businesses.