Hacking Team leak underscores complexity of regulating software

Publication Type: 
Other Writing
Publication Date: 
July 13, 2015

Among the 400 gigabytes of internal documents belonging to surveillance firm Hacking Team that were released online this week are details of the company's dealings with some of the most oppressive governments in the world. The revelations, which have generated alarm among privacy, security, and human rights advocates, have also fueled debate around the esoteric but important topic of government controls on the export of powerful software that can secretly infiltrate and seize control of targeted computers.

According to the hacked files, Hacking Team's clients include government agencies in RussiaEthiopiaAzerbaijanBahrainKazakhstanVietnamSaudi Arabia,Sudan and other states known to spy on, jail, and murder journalists. They also include agencies in more open states such as the U.S. Federal Bureau of Investigation, which has spent nearly $775,000 on Hacking Team tools since 2011, according to an analysis of the documents by Wired.

In addition to other capabilities, Hacking Team's exploits can be used to intercept information before it is encrypted for transmission, capture passwords typed into a Web browser, and activate a target's microphone and camera, according to a February 2014 report on the targeting of Ethiopian journalists by researchers at Citizen Lab, a project of the Munk School of International Affairs at the University of Toronto. And in addition to delivering attacks through traditional computers, Hacking Team has also explored surveillance apps for mobile devices that can be deployed through the Google Play and Apple stores, according to Forbes.

Given the power of the spy tools being developed by Hacking Team and rivals such as Gamma International -- and in light of both companies' lists of dubious clients -- the Hacking Team disclosures have invigorated public discussion about government controls on exporting technologies designed to exploit and record all manner of private data.

Read the full blog at the Committee to Protect Journalists website