HackingTeam, a private company that manufactures “targeted surveillance solutions,” is using American servers to launder traffic used to take clandestine control of targets’ computers and smartphones, according to a new report from Citizen Lab.
The Milan, Italy-based company has been under investigation by Citizen Lab for months because its software is allegedly used by foreign governments to target journalists and dissidents in authoritarian regimes. Its Remote Control System (RCS) is able, according to the company, to break encryption and allow law enforcement and intelligence entities to monitor email and VoIP calls (such as Skype), as well as to remotely activate cameras and microphones.
Piping RCS data obtained from infected machines through a number of proxies makes it more difficult to trace HackingTeam’s software back to a specific government.
This new research is pretty important, as it raises numerous legal and ethical questions about the extent to which American Internet infrastructure can be used by foreign governments and law enforcement to conduct surveillance operations—questions that haven’t yet been answered but need to be, according to the report.
“Without that consent, foreign governments using the RCS [Remote Control System, HackingTeam’s flagship product] spyware in this manner willfully flout the international legal principles of sovereignty and nonintervention,” the researchers wrote. “These principles provide the basis for the formal rules and procedures states have developed for law enforcement cooperation and assistance concerning investigation of crimes with transnational dimensions.”
Legally, this is unprecedented, according to Nate Cardozo, one of the Electronic Frontier Foundation’s staff attorneys. “Wiretapping is illegal around the world,” he told me, and if any government does so outside of existing legal processes there may be criminal or civil penalties. “If there is litigation over it [illegal wiretapping], and if the relay is in the US, we could serve discovery, and get routing information which would be helpful to winning a case.”
But Cardozo said that this situation was so new that it’s unclear whether foreign governments spying on their own citizens violates US or international law.
It’s pretty clear, though, that laundering traffic through US servers violates the terms of service of those companies hosting HackingTeam’s platform. The researchers identified 114 RCS servers scattered across the US, the vast majority of them run by cloud hosting companies Linode and Rackspace. A Rackspace spokesman told the Washington Post that such activity “would definitely violate our policies.”
Overall, the researchers have identified 10 countries suspected of using the software and running traffic through the US, a list that includes several not-so-friendly governments. Citizen Lab has previously identified 21 governments deploying HackingTeam’s wares.
This most recent report is part of a much larger project to investigate HackingTeam and private surveillance manufacturers more generally. Citizen Lab has discovered numerous examples of foreign governments using such off-the-shelf surveillance solutions to target political dissidents and journalists.
Also, it’s worth noting that given the extent of the NSA’s mass surveillance programs, it’s possible, even likely, that the agency is spying on the traffic which is spying on foreign citizens. “I would be surprised if they weren’t,” Cardozo said.