http://online.wsj.com/article/SB10001424052970203611404577044192607407780.html
NOVEMBER 19, 2011
Document Trove Exposes Surveillance Methods
By JENNIFER VALENTINO-DEVRIES, JULIA ANGWIN and STEVE STECKLOW
Documents obtained by The Wall Street Journal [1] open a rare window into a new global market for the off-the-shelf surveillance technology that has arisen in the decade since the terrorist attacks of Sept. 11, 2001.
The techniques described in the trove of 200-plus marketing documents, spanning 36 companies, include hacking tools [2] that enable governments to break into people's computers and cellphones, and "massive intercept" [3] gear that can gather all Internet communications in a country. The papers were obtained from attendees of a secretive surveillance conference held near Washington, D.C., last month.
Intelligence agencies in the U.S. and abroad have long conducted their own surveillance. But in recent years, a retail market for surveillance tools has sprung up from "nearly zero" in 2001 to about $5 billion a year, said Jerry Lucas, president of TeleStrategies Inc., the show's operator.
Critics say the market represents a new sort of arms trade supplying Western governments and repressive nations alike. "The Arab Spring countries all had more sophisticated surveillance capabilities than I would have guessed," said Andrew McLaughlin, who recently left his post as deputy chief technology officer in the White House, referring to the Middle Eastern and African nations racked by violent crackdowns on dissent.
The Journal this year uncovered [4] an Internet surveillance center installed by a French firm in Libya and reported that software made by Britain's Gamma International UK Ltd., had been used in Egypt to intercept dissidents' Skype conversations. In October, a U.S. company that makes Internet-filtering gear acknowledged [5] to the Journal that its devices were being used in Syria.
Companies making and selling this gear say it is intended to catch criminals and is available only to governments and law enforcement. They say they obey export laws and aren't responsible for how the tools are used.
Trade-show organizer Mr. Lucas added that his event isn't political. "We don't really get into asking, 'Is this in the public interest?'" he said.
TeleStrategies holds ISS World conferences world-wide. The one near Washington, D.C., caters mainly to U.S., Canadian, Caribbean and Latin American authorities. The annual conference in Dubai has long served as a chance for Middle Eastern nations to meet companies hawking surveillance gear.
Many technologies at the Washington-area show related to "massive intercept" monitoring, which can capture vast amounts of data. Telesoft Technologies Ltd. of the U.K. touted its device in its documents as offering "targeted or mass capture of 10s of thousands of simultaneous conversations from fixed or cellular networks." [6] Telesoft declined to comment.
California-based Net Optics Inc., whose tools make monitoring gear more efficient, presented at the show and offers a case study on its website that describes helping a "major mobile operator in China" [7] conduct "real-time monitoring" of cellphone Internet content. The goal was to help "analyze criminal activity" as well as "detect and filter undesirable content," the case study says.
Net Optics' CEO, Bob Shaw, said his company follows "to the letter of the law" U.S. export regulations. "We make sure we're not shipping to any countries that are forbidden or on the embargo list," he said in an interview.
Among the most controversial technologies on display at the conference were essentially computer-hacking tools to enable government agents to break into people's computers and cellphones, log their keystrokes and access their data. Although hacking techniques are generally illegal in the U.S., law enforcement can use them with an appropriate warrant, said Orin Kerr, a professor at George Washington University Law School and former computer-crime attorney at the Justice Department.
The documents show that at least three companies--Vupen Security SA of France, HackingTeam SRL of Italy and Gamma's FinFisher--marketed their skill at the kinds of techniques often used in "malware," the software used by criminals trying to steal people's financial or personal details. The goal is to overcome the fact that most surveillance techniques are "useless against encryption and can't reach information that never leaves the device," Marco Valleri, offensive-security manager at HackingTeam, said in an interview. "We can defeat that."
Representatives of HackingTeam said they tailor their products to the laws of the country where they are being sold. The firm's products include an auditing system that aims to prevent misuse by officials. "An officer cannot use our product to spy on his wife, for example," Mr. Valleri said.
Mr. Valleri said HackingTeam asks government customers to sign a license in which they agree not to provide the technology to unauthorized countries.
Vupen, which gave a presentation at the conference on "exploiting computer and mobile vulnerabilities for electronic surveillance," said its tools take advantage of security holes in computers or cellphones that manufacturers aren't yet aware of. Vupen's marketing documents describe its researchers as "dedicated" [8] to finding "unpatched vulnerabilities" [9] in software created by Microsoft Corp., Apple Inc. and others. On its website, the company offered attendees a "free Vupen exploit sample" that relied on an already-patched security hole.
Vupen says it restricts its sales to Australia, New Zealand, members and partners of the North Atlantic Treaty Organization and the Association of Southeast Asian Nations. The company says it won't sell to countries subject to international embargoes, and that its research must be used for national-security purposes only and in accordance with ethical practices and applicable laws.
The documents for FinFisher, a Gamma product, say it works by "sending fake software updates for popular software." [10] In one example, FinFisher says intelligence agents deployed its products "within the main Internet service provider of their country" [11] and infected people's computers by "covertly injecting" FinFisher code on websites that people then visited.
The company also claims to have allowed an intelligence agency to trick users into downloading its software onto BlackBerry mobile phones "to monitor all communications, including [texts], email and BlackBerry Messenger." [12] Its marketing documents say its programs enable spying using devices and software from Apple, Microsoft, and Google Inc., among others. FinFisher documents at the conference were offered in English, Arabic [13] and other languages.
A Google spokesman declined to comment on FinFisher specifically, adding that Google doesn't "tolerate abuse of our services."
An Apple spokeswoman said the company works "to find and fix any issues that could compromise [users'] systems." Apple on Monday introduced a security update to iTunes that could stop an attack similar to the type FinFisher claims to use, namely offering bogus software updates that install spyware.
Microsoft and Research In Motion Ltd., which makes BlackBerry devices, declined to comment.
The documents discovered in Egypt earlier this year indicated that Gamma's Egyptian reseller was offering FinFisher systems there for about $560,000. Gamma's lawyer told the Journal in April that it never sold the products to Egypt's government.
Gamma didn't respond to requests for comment for this article. Like most companies interviewed, Gamma declined to disclose its buyers, citing confidentiality agreements.
Privacy advocates say manufacturers should be more transparent about their activities. Eric King of the U.K. nonprofit Privacy International said "the complex network of supply chains and subsidiaries involved in this trade allows one after the other to continually pass the buck and abdicate responsibility." Mr. King routinely attends surveillance-industry events to gather information on the trade.
At the Washington and Dubai trade conferences this year, which are generally closed to the public, Journal reporters were prevented by organizers from attending sessions or entering the exhibition halls. February's Dubai conference took place at a time of widespread unrest elsewhere in the region. Nearly 900 people showed up, down slightly because of the regional turmoil, according to an organizer.
Presentations in Dubai included how to intercept wireless Internet traffic, monitor social networks and track cellphone users. "All of the companies involved in lawful intercept are trying to sell to the Middle East," said Simone Benvenuti, of RCS SpA, an Italian company that sells monitoring centers and other "interception solutions," mostly to governments. He declined to identify any clients in the region.
In interviews in Dubai, executives at several companies said they were aware their products could be abused by authoritarian regimes but they can't control their use after a sale. "This is the dilemma," said Klaus Mochalski, co-founder of ipoque, a German company specializing in deep-packet inspection, a powerful technology that analyzes Internet traffic. "It's like a knife. You can always cut vegetables but you can also kill your neighbor." He referred to it as "a constant moral, ethical dilemma we have."
--Paul Sonne contributed to this article.
Write to Jennifer Valentino DeVries at jennifer.valentino-devries@wsj.com, Julia Angwin at julia.angwin@wsj.com and Steve Stecklow at steve.stecklow@wsj.com
[1] http://projects.wsj.com/surveillance-catalog/
[2] http://projects.wsj.com/surveillance-catalog/#/search/category:hacking
[3] http://projects.wsj.com/surveillance-catalog/#/search/category:intercept
[4] http://online.wsj.com/article/SB10001424052702304520804576345970862420038.html
[5] http://online.wsj.com/article/SB10001424052970203687504577001911398596328.html
[6] http://projects.wsj.com/surveillance-catalog/documents/267027-telesoft-technologies-hinton-5000-interceptor/#document/p1/a38601
[7] http://projects.wsj.com/surveillance-catalog/documents/266953-netoptics-china/#document/p1/a38148
[8] http://projects.wsj.com/surveillance-catalog/documents/267761-documents-265202-vupen-exploits/#document/p1/a38929
[9] http://projects.wsj.com/surveillance-catalog/documents/267761-documents-265202-vupen-exploits/#document/p1/a38929
[10] http://projects.wsj.com/surveillance-catalog/documents/267850-merged-finfly-isp/#document/p1/a39171
[11] http://projects.wsj.com/surveillance-catalog/documents/267849-merged-finfly-web/
[12] http://projects.wsj.com/surveillance-catalog/documents/267844-merged-finspy-mobile/#document/p1/a39214
[13] http://projects.wsj.com/surveillance-catalog/documents/267875-finfisher-arabic-brochure/