American pursues lawsuit over Ethiopian spyware, while proposal to regulate dual-use technologies needs comments by security researchers
On July 14, the Electronic Frontier Foundation urged a federal court to allow an Ethiopian-born naturalized U.S. citizen who works with journalists to proceed with his lawsuit against the Ethiopian government for allegedly infecting his computer with spyware.
The spyware relayed copies of his electronic activity – including Skype calls, Internet searches and emails – to the Ethiopian government through an intrusion and surveillance program, developed by the company Gamma Group, known as FinSpy, according to the suit.
Ethiopian journalists have alleged they have been targeted with malware in the past. Journalists working for the Ethiopian Satellite Television Service (ESAT) in the United States were targeted with spyware created by the information technology company known as Hacking Team, which was reportedly deployed multiple times by entities believed to have government ties.
Last week, Hacking Team was hacked and 400 GB of documents, source code, and internal emails were published. Although Hacking Team announced yesterday that the leaked documents are now obsolete because it has created a new version of its remote access software, researchers and journalists are still combing through the documents and finding new information.
Some of the new information includes the names of approximately 38 governments who are current or former clients of Hacking Team. The company also appears to have stonewalled a UN investigation into whether the government of Sudan had been a client.
Hacking Team has a notorious reputation in human rights circles because of its history selling surveillance systems to authoritarian regimes, which have used the software to spy on activists and journalists critical of the regime in power.
The Hacking Team revelations come at a time of renewed discussion about the so-called Crypto Wars of the 1990’s. Law enforcement and intelligence agencies are publicly insisting on the need for backdoors in companies’ encrypted products to ensure they are not “in the dark” should a criminal seek to use encryption to carry out an attack or other type of malicious behavior.
Meanwhile, the latest revelations about Hacking Team’s engagement with repressive regimes has reignited debate among activists and security researchers about the Wassenaar Arrangement, a voluntary, multi-national agreement which intends to control the export of certain “dual-use” technologies. In December 2013, the list of controlled technologies was updated to include surveillance systems, in response to reports linking the export of surveillance systems to human rights abuses in countries.
The changes include adding two new classes of export-regulated software to the dual use provision regulations, including intrusion software and IP network surveillance systems.
Many security researchers and academics are concerned by the vagueness of the definitions involved and worry that legitimate security research would be affected if the amendments are included in the Arrangement.
One of the terms in question is “intrusion software” which is intended to enforce controls of delivery surveillance software such as FinSpy and tools by Hacking Team, but which also appears to encompass commercial penetration-testing tools that include encryption. Security researchers say the definition is too broad and will hinder the sharing and publication of important security research and restrict free speech.
To address these concerns, security researchers and security journalists can submit their feedback to the U.S. Department of Commerce via the formal comment page before the call closes on July 20.