My challenge was simple enough: establish whether major surveillance manufacturers were willing to bypass global sanctions and export restrictions to obtain a sale.
My findings were astonishing. Not only did major European and Chinese spyware companies appear prepared to brush aside laws restricting sales to countries notorious for human rights abuse, but some even volunteered ways to cover up the proposed transactions.
“We wipe everything,” the Chinese firm Semptian told our undercover reporter.
“We don’t know who is the end user. And we don’t care,” the company’s cofounder Frank Feng said.
Another company, the Italian-based IPS, offered other methods to hide the true nature of the deal proposed by our undercover reporter.
“I mean, talking about interception, I can also use dummy words. ‘Flowers’ instead of ‘IP’,” sales director Ugo Santillo said. “We can even use a fake or a dummy email account – email@example.com means Ugo from IPS.”
So why all the secrecy?
It boils down to money – and what I quickly learned was an eagerness on the part of spyware companies to close multi-million dollar deals, regardless of the potential for their equipment to fall into the wrong hands.
This is how we conducted the investigation: over four months, our undercover reporter approached suppliers of spyware while claiming to act on behalf of two clients.
The proposition? To supply the governments of Iran and South Sudan with military-grade surveillance gear with the potential to spy on private phone calls and emails and to scour the internet browsing history of civilian populations.
It’s a proposal that should have given any surveillance company pause for thought; Iran is currently under international sanctions and South Sudan has long been engulfed in political violence, with the government accused of multiple human rights violations.
The spyware might have ended up in the hands of criminals, corporate spies or even armed groups.
But the companies we targeted seemed oblivious to the consequences of the sales. Not once did they raise the possibility that their equipment might have been used by repressive governments to crush political dissent or even to result in political protesters being arrested, imprisoned, tortured or killed.
But I was even more shocked by the reaction of a company we approached in Hong Kong.
We asked to buy their high-powered surveillance equipment on the condition that they did not ask us to disclose the identity of the purchaser – or the equipment’s “end user”. Under this scenario, the spyware might have ended up in the hands of criminals, corporate spies or even armed groups.
Instead of insisting on details of where their spyware would end up, the manufacturers were only too eager to push the sale through. One company representative even told our undercover reporter that his main concern was fulfilling his sales target.
Not once during the discussions with the surveillance companies did any of them express concerns about how the equipment would be used by the clients – despite the obvious potential for human rights abuses – or for criminal abuse.
The findings of our investigation prompted me to look at the ever-growing list of clients, and potential clients, that have records of human rights abuse which are serviced by the surveillance industry.
Such lists are very difficult to obtain, as very few public records exist of who is buying spyware. So what we know about the industry comes almost exclusively from leaks and journalistic investigations.
Below are just a few of the deals that have come to light:
The Italian malware company, Hacking Team, became infamous within the surveillance industry when in 2015 they themselves got hacked.
WikiLeaks released 400 GB of leaked internal documents, which, if true, gave an insight into some of the clients and potential clients of the company.
Although they denied any wrongdoing, the company had its export licence to sell the software changed by the Italian government and are now under tighter export restrictions.
To date, this has been the most extensive insight into how a surveillance company operates.
But as the saying goes, there is no such thing as bad publicity, and many activists and industry experts believe that the scandal surrounding Hacking Team has, in fact, been good for the company. Potential clients who had previously been unaware of their products, rushed in to snap them up.
Hacking Team’s reported clients or potential clients:
In 2012, the collapse of Gaddafi’s Libyan government revealed the role that the French surveillance firm Amesys played in supporting the regime’s intelligence services.
In the rubble of intelligence services building, journalists and activists discovered an “Eagle” monitoring centre purchased from Amesys, a unit of the French technology firm, Bull, capable of intercepting countrywide communications, including email.
Although supplied legally by the company to the regime, there was a public outcry in France when the story broke, leading to the break – up of the company.
There is now an ongoing judicial review of the case in France, exploring whether the company and its executives can be prosecuted for human rights abuses.
Amesys’ reported clients or potential clients:
Gamma are the manufacturers of the most invasive malware system on the market, FinFisher.
The Gamma group found itself in the media when in 2015 Privacy International released a report detailing the supply of its software to Uganda, during a time of political unrest.
Privacy International’s report alleged that the FinFisher system was the “backbone of a secret Ugandan Government operation to spy on members of the opposition activists and journalists”.
In response to the report the Gamma Group, said that “it did not assist or encourage any government agency in the misuse of its products”.
Gamma’s reported clients or potential clients:
For a more extensive list, visit: sii.transparencytoolkit.org
Despite the concerns surrounding the deals or potential deals on this list, it’s possible that they were all conducted within the rule of law, due in part to the complex web of competing agendas involved.
Economics, geopolitics and a fragmented global legal system mean that the spread of this type of equipment is almost inevitable.
This has led to the International Federation for Human Rights (FIDH) in France to call for changes to legislation that would make surveillance companies legally responsible for the human rights abuses committed by their clients, using the systems that they’ve supplied.
But in a growing and more crowded market, there are an estimated 528 surveillance companies worldwide, competing for a finite and limited legal market, there are those who believe that some of these companies will inevitably have to operate at the grey edges of the legal market to survive.
And for us, that means an ever-growing possibility that criminals and authoritarian regimes will have the power to monitor and infiltrate our lives, like never before.
And it made me wonder: will it ever be possible for this booming industry to be properly regulated? And can any of us ever know for sure who might be watching and listening to our private texts, phone calls, emails and our internet browsing history?
Monday, April 10 – 20:00 GMT
Tuesday, April 11 – 12:00 GMT
Wednesday, April 12 – 01:00 GMT
Thursday, April 12 – 06:00 GMT
Friday, April 14 – 12:00 GMT
Saturday, April 15 – 20:00 GMT
Sunday, April 16 – 01:00 GMT
Monday, April 17 – 06:00 GMT