National governments are increasingly purchasing surveillance devices manufactured by a small number of corporate suppliers and using them to control dissidents, spy on journalists, and violate human rights, the advocacy group Reporters Without Borders warns in a new report released this afternoon.
The group's 2013 report for the first time names five private-sector companies "Corporate Enemies of the Internet" for their choice to become "digital mercenaries" and sell surveillance and censorship technology to authoritarian regimes.
"If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents, and netizens," Reporters Without Borders says. The companies: the U.K.'s Gamma Group, Germany's Trovicor, Italy's HackingTeam, France's Amesys, and Blue Coat Systems, based in Sunnyvale, Calif.
The focus on surveillance technology is a shift from the Paris-based advocacy group's list of the nations that are the most repressive in terms of Internet censorship. This year's list of the worst governments lists Syria, China, Iran, Bahrain, and Vietnam as the five nations that engage in the most extensive surveillance of their citizens.
Not on the list this year: Burma, Cuba, North Korea, and Uzbekistan, which made an appearance in 2012.
Reporters Without Borders' list of the worst corporate offenders comes after years of media reports and disclosures, including a December 2011 release by WikiLeaks, about the growth of the international surveillance-industrial complex.
It's become big business for the companies that show up at restricted-access conferences to try to sell new spy technologies. The most popular conference of the sort, with 1,300 attendees in 2011, is in the Middle East, where nearby governments are "the most avid buyers of surveillance software and equipment," according to The Washington Post.
Amesys, a unit of French technology firm Bull SA, has boasted that it can aid governments in moving from eavesdropping on one person to "full country traffic monitoring," including automatic translation and mapping of real-world social networks based on who's talking to who.
Amesys' presentation offers a one-stop shop for nationwide monitoring, including GSM cell phone communications, satellite signals, Internet communications, and phone calls. The company touts its "huge range of sensors and analyzing probes" and -- in an echo of what the former East German secret police attempted decades earlier -- a "centralized intelligence system gathering all information." Moammar Gadhafi's secret police used Amesys technology to monitor Internet traffic in Libya, The Wall Street Journal reported.
Reporters Without Borders says the companies sell hardware and software that can be used for both targeted and wholesale surveillance. Here's a list of the group's complaints about each of them:
HackingTeam: "Hacking Team's 'DaVinci' Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype, and other voice over IP or chat communication. It allows identification of the target's location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country."
Gamma: "Gamma International sells interception equipment to government and law enforcement agencies exclusively. Its FinFisher Suite (which includes Trojans to infect PCs, mobile phones, other consumer electronics and servers, as well as technical consulting) is regarded as one of the most advanced in today's market...During a search of an Egyptian intelligence agency office in 2011, human rights activists found a contract proposal with an offering from Gamma International to sell FinFisher to Egypt. The company said that no deal has been made."
Trovicor: "Trovicor monitoring centers are capable of intercepting all ETSI-standard communications. That means phone calls, text messages, voice over IP calls (like Skype) and Internet traffic...Media reports as well as research by human rights groups around the world suggests that monitoring centers have been delivered to Bahrain and led to imprisonment and torture of activists and journalists."
Amesys: "The system consists of a network probe, storage systems, and monitoring centers for the purpose of analysis. The software allows for the creation of files on individual users, examples of which were found when anti-Gaddafi rebels raided the offices of Libya's secret police. EAGLE is based on Deep Packet Inspection technology and can analyze all kinds of Web-related activities. The Amesys documentation lists the various kinds of online activity that can be inspected, including email (SMTP, POP, IMAP as well as Web mail), voice over IP, different chat protocols as well as http-Web traffic and search engine queries."
Blue Coat: "Blue Coat offers Deep Packet Inspection technology, which can be used to survey and censor the Internet... The presence of 13 Blue Coat devices in Burma was confirmed in 2011...In 2012, the Telecomix-Collective, a well-established hacker group that helped maintain connections to Egypt and other countries when governments tried to shut down access during the Arab Spring, released 54GB of logfiles which they say establish the presence of 15 Blue Coat proxy servers (Blue Coat Proxy SG9000) in Syria."
CNET has contacted the five companies named by the free expression advocacy group (which also goes by the name Reporters Sans Frontieres, or RSF) for comment but has received only two responses. We'll update this story if we receive more.
Danielle Ostrovsky, a spokeswoman for Blue Coat, sent us a statement saying her employer's products are used in schools and libraries as a way to categorize Internet content. "We recognize, however, that there are bad actors in the world and that our products, like any technology, can be misused for malign purposes. We support freedom of expression and do not design our products, or condone their use, to suppress human rights," the statement said. "We design our products using common industry standards. For example, our Packet Shaper product uses an industry standard format for traffic monitoring called 'netflow' that is used by numerous security products including routers, switches, and firewalls."
Eric Rabe, a U.S.-based public relations consultant who is working for HackingTeam, sent us a statement saying:
We regret that Reporters Without Borders has concluded that Hacking Team is somehow an enemy of anyone except criminals, terrorists, or others who abuse modern technologies. We work to help make the Internet a safer place by providing tools to police organizations and other government agencies that can prevent crimes or terrorism. Recently, in Spain, a Russian-led group bilked citizens of some 30 nations by hijacking their computers and demanding ransom. Investigation of a crime such as that one requires that police be able to monitor computer traffic of the criminals. Terrorists too rely on cell phones, computers, and the Internet to carry out their deeds.
On the issue of repressive regimes, Hacking Team goes to great lengths to assure that our software is not sold to governments that are blacklisted by the E.U., the U.S.A., NATO and similar international organizations or any "repressive" regime. Furthermore, we have created an external board to review potential HT sales, and this board has a veto over sales it deems illegal or unwise. We also go to some lengths to monitor reports of use of our software in ways that might be inappropriate or illegal. When we find reports of such issues, we conduct an investigation to determine if action is needed. Under the terms of our contracts with clients, we have the authority to suspend support for the software that is used illegally, making it ineffective.
Last updated on March 12 at 9:30 a.m.