Private Companies Are Helping African Governments Spy on Their Own People
Surveillance for hire
by PETER DOERRIE
In July 2012, one year after the Arab Spring shook Arab regimes around the world, an email appeared in the inbox of Mamfakinch, a Moroccan online publication critical of the government.
Under the subject line “dénonciation” — French for “denunciation” — was a single sentence. “Please don’t use my name or anything else, I don’t want any trouble.” And under that, a link to what appeared to be a Word document with the name “scandale(2).doc.”
But instead of insider information about corrupt government officials, the file turned out to be malware, as the Canadian NGO Citizen Lab later determined after Mamfakinch’s staff got suspicious and and contacted experts.
Reverse-engineering the malware, Citizen Lab concluded that Mamfakinch had fallen victim to a sophisticated cyber attack, likely at the hands of Morocco’s intelligence service.
A year later in December 2013, a similar attack targeted the Ethiopian Satellite Television Service, an opposition media network based in the United States. Two journalists were contacted via Skype from the account of a former collaborator. The sender tried to get the reporters to download malware disguised as a Word file.
The software would have allowed the attacker to completely take over any compromised computer.
Even more aggressive was the strategy of the Ugandan police and secret service during the run-up to and aftermath of the presidential elections 2011. Privacy International, a human rights organization, detailed in a report how the agencies created fake wireless networks in parliament and hotels frequented by the opposition and used blackmail and bribery to install malware on smartphone and computers.
These are just a few of the cases of systematic surveillance and hacking that have been documented in Africa. Undoubtedly, many more occur without notice. The underlying technologies, which many observers believed were only available to wealthy states, are now also in the hands of smaller countries. Activists and opposition movements are the targets.
“An individual analysis of hacking cases is difficult,” said one member of Privacy International who asked to remain anonymous. “You need to conduct a forensic analysis of individual devices and software.”
The reason that countries such as Uganda and Ethiopia — not exactly global centers of information technology — have access to sophisticated malware and the necessary command and control infrastructure is simple. High-profile intrusion technology has been commoditized, with some of the most prominent private enterprises in the sector operating from Western countries.
The business is highly secretive, but ironically the best information available on the extent and capacity of government-sponsored hacking and surveillance comes from internal documents belonging to two of these service providers.
Gamma Group, a British company with a German subsidiary, and the Italian outfit Hacking Team were both themselves hacked by an anonymous activist, who proceeded to dump internal records, email archives and even source code on the public internet.
It is because of these leaks that we know that both Mamfakinch and ESAT were victims of Hacking Team’s software RCS, which it had rented out to Moroccan and Ethiopian state security agencies. Uganda turned out to be a client of Gamma Group, and deployed that company’s security suite FinnFisher.
Both technologies give their users powerful capabilities. Compromise a device with RCS or FinFisher and you gain access to all its data and functions. Webcams and microphones can be switched on remotely, even while the device itself seems to be switched off. Smartphones can reveal the exact position of their users and provide a digital reflection of the users’ lives.
Gamma Group and Hacking Team only work with governments, according to their own statements.They both boast about helping to combat terrorism. “We believe that fighting crime should be easy,” Hacking Team’s website reads. Gamma Group’s website claims to provide “government agencies with customized solutions based on their national security requirements.”
David Vincenzetti, founder and CEO of Hacking Team, is convinced he occupies the moral high ground. “Privacy is very important,” he told Foreign Policy recently. “But national security is much more important.”
Democracies purport to balance privacy and security by way of laws, regulations and independent courts, although U.S. National Security Agency whistleblower Edward Snowden’s revelations seem to undermine this assumption.
With the African clients of Gamma Group and Hacking Team the situation is even worse. While many African constitutions guarantee the right to privacy and ban surveillance without a court order, institutional safeguards such as these don’t work very well in many countries on the continent.
Authoritarian governments routinely ignore their own laws, and few nations possess an independent judiciary or a sufficiently powerful opposition to frustrate any abuse of executive powers.
Companies such as Hacking Team and Gamma Group should be aware of this, argued Felix Horne of Human Rights Watch. The NGO has documented grave human-rights abuses by security agencies in all of the countries mentioned here.
“For a common user, it is practically impossible to secure himself against attacks,” Horne told War Is Boring. “This Skype call could be bugged without us noticing.”
“Some African governments use anti-terrorism legislation to undermine legitimate political opposition,” Horne added.
Privacy International’s expert cautioned that “the capability to surveil a webcam or to document all keystrokes of a person to collect material for a criminal prosecution or blackmail” could have a similarly chilling effect on free speech as the presence of armed security forces.
Both Horne and the anonymous expert agreed that the majority of Uganda’s and Ethiopia’s political activists assume that they are under constant electronic surveillance.
International companies share responsibilities for this breach of fundamental human rights. African governments don’t possess the domestic capabilities and human resources to develop modern surveillance technology — or even to run ready-made solutions on their own.
In addition to licensing their software, companies such as Hacking Team offer a wide range of training and consulting to help clients to deploy the malware. This can include training in social-engineering techniques aimed at manipulating targets into installing the software on their own devices.
Ethiopian intelligence professionals who have sought refuge abroad have reported that Chinese nationals run the national telecom’s surveillance and wiretapping infrastructure. This underscores another problem. “Thanks to the leaks, we have relatively good information on the activities of Gamma Group and Hacking Team,” Horne said. “But we have no idea what other products might be out there that Ethiopia could be using.”
Privacy International’s expert agreed. “We know of companies in the E.U., Israel and China that sell these kind of services.” But we know very little about their client lists and capabilities. The same can be said about possible capabilities provided by Western intelligence services, which have partnered with security agencies of repressive governments across Africa in the past — when it suited their agendas.
High-end surveillance technology doesn’t come cheap. Based on the Hacking Team leak, we know that Ethiopia and the Sudan — whose president is wanted by the international Criminal Court on genocide charges — both paid around a million dollars per year for the use of RCS.
For the victims of government surveillance, the enhanced capabilities of police and secret services can have stark consequences. “There are a number of cases in which individuals in Ethiopia have been arrested because of the content of bugged calls,” Horne recalled. “Some were played recordings during their interrogation. And sources within the security services have said that they also control emails and Facebook.”
This has contributed to a complete lack of public space for dissent in Ethiopia.
Mamfakinch also suffered. The news site lost large numbers of its contributors in the wake of the hack and had to close shop in 2014. Editor and co-founder Hisham Almiraat told Foreign Policy that the often anonymous authors feared identification by the security services. “This type of surveillance has a chilling effect on political participation,” Privacy International’s expert said. “We have good reasons to be concerned about the use of these technologies.”
Horne agreed, in principle. At the same time, he cautioned that modern communications tools also contribute to democratization in important ways. When massive protests shook the Ethiopian province of Oromia in late 2015 and again in 2016, for example, the Ethiopian government didn’t block Facebook — despite the social network’s role as a venue for organizing protests and communicating with the international media.
“We asked ourselves why they didn’t just block Facebook [in Oromia] during the protests,” Horne recounted. Soldiers used live ammunition to shoot protestors, so the government definitely took the situation seriously. “A source within the security services later told us that one reason was Facebook was too valuable as a source of information to shut it down.”
It’s possible that even the most sophisticated surveillance technology can’t contain the freedom of expression and political debate that smartphones and the internet have unleashed.