On Wednesday, before interviewing the staff of the controversial surveillance tech company Hacking Team, I spent some time observing their daily routine through the windows of the coffee shop located right opposite their office on Via della Moscova 13, in Milan, waiting to see the traces of the mayhem the hack must have caused. The employees paced through the office constantly, and often went outside to smoke. At lunch, four of them ate at the coffee shop. They didn't say much. Later, they signed off for a truck full of medium sized boxes, which a source identified as new servers.
It was only two days after an unknown hacker breached Hacking Team's network and leaked more than 400GB of its internal documents, including a list of customers and embarrassing revelations. According to the documents in the cache, HT was selling malware to the intelligence agencies of sketchy countries such as Sudan, Ethiopia, Uzbekistan, and Bangladesh's dead squads, among many others.
Hacking Team CEO David Vincenzetti was the first person I saw at the office. He quickly agreed to give me an interview, but was just as quickly advised against it by a less forthcoming colleague.
"I work for 18-20 hours every day right now and I'm very tired," Vincenzetti told me. "Maybe we'll do this another time?"
I asked how I could best reach him to schedule that.
"Everything is offline right now," he said. "No e-mail." Then he asked me to wait at the entrance, where he returned shortly with Eric Rabe, the company's spokesperson.
"Everything is offline right now."
This interview offers little new insight into the company's operations, because of Rabe's sometimes vague and evasive responses, but it does show a bizarre detachment between what Hacking Team does, as revealed in the hack, and the way the company perceives and insists on presenting itself—as if there were two different realities where the leak did and did not happen.
Rabe admitted the issue is not one the company welcomed and that the company is currently offline. Yet he downplayed the event as if it were a nuisance, something that can simply be patched up and fixed, and while Rabe acknowledged the hack and that clients were compromised, he tried to maintain the fiction that none of the revealed clients are in fact confirmed clients.
To make it worse, he chose Saudi Arabia as a hypothetical example to speak about questionable clients.
But Saudi Arabia is precisely one of the countries that appear as Hacking Team's customer. In fact, the company sold 1,250 licenses to the country's General Intelligence Directorate, its affiliated "Technical Control Company," and the Ministry of Defense. These contracts combined have earned Hacking Team nearly US$3 million to date, according to the leaked documents.
In his response to my question whether Hacking Team travels to the countries where it sells its products, Rabe told me that "yes, we meet with them. People come here for training."
But even just meeting with Sudanese NISS (National Intelligence and Security Service) personnel—not to mention Hacking Team's business relationship with the country, which the company denied existed, according to an exchangeof letters between the company and the UN Panel of Experts—might violate international law.
When pressed for answers about contributing to human rights abuses, Rabe continued to argue, much like in the past, that Hacking Team investigates their clients when accused, adding that it does so by first calling them up with the news.
"Well, the first thing you do is you call the accused client!" he said.
He still did not exactly explain how these alleged investigations turned out, contradicting himself by claiming that it is not Hacking Team's responsibility to look for answers. He also declined to go into into details to explain how the so-called "fulfillment vehicles," the intermediaries that sometimes resold Hacking Team software in countries such as Panama or Ecuador, play in these investigations.
Although we found no evidence of ended relationships ever occurring, Rabe also maintained that "at the end of the day it's a business decision for us to establish whether we want to continue a relationship with someone who is said to be a bad actor. […] so they're no longer clients of ours. That's a natural evolution of this."
Rabe repeated that Hacking Team is not the one to make decisions on human rights violations.
"I don't think that Hacking Team is the best international forum to decide who is and isn't a bad actor," he said.
Yet we can now see that this is a judgment call the Hacking Team made constantly. It chose not only which clients to sign on when they come to Hacking Team, but actively seeked new clients in Bahrain, Bangladesh, Ecuador, and Rwanda.
"I don't think that Hacking Team is the best international forum to decide who is and isn't a bad actor."
Speaking about potential legal issues around the sale of Hacking Team's spy tools to countries with trade restrictions, Rabe implicated the Italian government, saying the authorities were aware of all the sales and negligent in vetting them. Given his words, the Italian authorities would be hard-pressed to deny that they did not exercise at least some oversight in these sales, which may make legal repercussions over the findings unlikely, at least in Italy.
When confronted about criticizing privacy advocates, something we saw in the company internal correspondence, he not only denied the fact but went as far as to counter it by saying that Hacking Team was collaborating with Human Rights Watch, Privacy International, and Citizen Lab. Privacy International responded to that claim, saying, "Instead of engaging they have continuously evaded and denied evidence, while continuing to sell their gear to some of the most authoritarian countries in the world.
The leaks showed that Hacking Team knew what their technology was being used for in Ethiopia, yet they recommenced their contract because '700k is a relevant sum.' It's now more apparent than ever that Hacking Team and the wider surveillance industry cannot be left to police themselves, and that we need to be able to hold them to account to ensure that they cannot continue to act with impunity."
He claimed that no clients have left Hacking Team yet.
Rabe's statements are not playing out well from the technology perspective either. Rabe explained that all their products are now "hot" freeware and as such are not marketable, something he repeated in the company's press release issued shortly after our interview, yet he states that company is going to be on track and back in operation shortly. And while he wasn't able to speculate about Hacking Team's future, he claimed that no clients have left Hacking Team yet.
It was predictable that Hacking Team would not admit in public that it regrets continuing its work with Ethiopia, or that it deflected questions about Sudan, all the while making an example of North Korea as a client they wouldn't do business with, because it's the one country he can name without fear of proof to the contrary, but it's unlikely that North Korea alone can save the image of the company or overpower the impression we get about it from the internal documents.
Click here to read the full transcript of the interview.
Mari Bastashevski is an artist whose practice combines investigative journalism and photography, she is focused on researching international conflict profiteering and mass interception industry, its participants, and layers of state secrecy under which these operate. She is based based between switzerland and france, but is never home.