By Human Rights Watch Press
Published August 14, 2015
An Italian spyware firm took no effective action to investigate or stop reported abuses of its technology by the Ethiopian government against critics.
A review of leaked internal emails of the company known as Hacking Team, Human Rights Watch says, reveals that the firm continued to train Ethiopian intelligence agents to hack into computers and negotiated additional contracts despite multiple reports that its services were being used to repress government critics and other independent voices.
The Italian government should investigate Hacking Team practices in Ethiopia and elsewhere with a view to restricting sales of surveillance technology likely to facilitate human rights abuses, Human Rights Watch said on August 14, 2015.
â€œThe Hacking Team emails show that the companyâ€™s training and technology in Ethiopia directly contributed to human rights violations,â€ said Cynthia Wong, senior Internet researcher at Human Rights Watch. â€œDespite multiple red flags, Hacking Team showed a striking lack of concern about how its business could damage dissenting and independent voices.â€
The Ethiopian government has invoked national security to clamp down on core freedoms and human rights. Human Rights Watch documented in a March 2014 report that the Ethiopian government uses its surveillance capacities to unlawfully monitor the activities of perceived political opponents inside the country and among the diaspora. Individuals with perceived or tenuous connections to even registered opposition groups are arbitrarily arrested and interrogated based on their phone calls. Recorded phone calls with family members and friends â€“ particularly those with foreign phone numbers â€“ are often played during abusive interrogations in which people who have been arbitrarily detained are accused of belonging to banned organizations.
Human Rights Watch and others have documented that the countryâ€™s counterterrorism law has been used to target journalists and others critical of government policies. Dozens of journalists, bloggers, and media publishers have been criminally charged and at least 60 journalists have fled the country since 2010. The clampdown on dissent culminated in the ruling Ethiopian People’s Revolutionary Democratic Front (EPRDF) coalition taking 100 percent of parliamentary seats in the May federal election.
Hacking Teamâ€™s surveillance tools are designed to be undetectable by commercial anti-virus programmes and other analysis. According to internal emails, Hacking Team believed that the Ethiopian governmentâ€™s flawed use of the tool put its covert nature in jeopardy, along with the confidentiality of the firmâ€™s other customers.
Social engineering often involves sending highly personalized emails from seemingly trusted sources to entice surveillance targets to open documents infected with spyware, which requires knowledge of the targetâ€™s contacts and interests. The released emails show no indication that the company conducted any human rights due diligence based on this kind of information, which may have raised red flags about possible abuses. The new 2015 contract that the company was negotiating with Ethiopia at the time of the data breach included â€œmany months of training combined to [sic] our continuous on-site presence — in order to assist them, teach them, and supervise their investigative activitiesâ€ according to leaked emails.
Previous reporting by Citizen Lab and others described how the Ethiopian government had used tools provided by FinFisher, a UK and Germany based competitor to Hacking Team, to target or monitor computers owned by other individuals in the Ethiopian diaspora in the US, UK, and Norway. In February 2014, the Electronic Frontier Foundation sued the Ethiopian government on behalf of one of the victims for violating US privacy laws.
Italy and other governments should ensure that all sales of Hacking Team systems and similarly controlled technologies are reviewed on a case-by-case basis, Human Rights Watch said. At a minimum, controls should require an inquiry into the human rights climate of the destination country, the end user and likely end use, technical specifications of the technology, and marketing materials employed by the companies to sell to government agencies.