Leaked documents posted to Italian cybersecurity company Hacking Team’s Twitter account on Sunday (5 July) revealed what appear to be the firms’ government clients.
The Milan-based company, which sells software that monitors computer activity remotely, was revealed to have suffered a hacking attack that resulted in its internal emails and other details of its sales being published.
A pool of those leaked documents indicate that Hacking Team’s surveillance software has been snapped up by the governments of Hungary, Italy, Germany, Luxembourg, Poland, Spain, Cyprus, the Czech Republic and Switzerland.
Privacy advocates have pointed out that EU countries on Hacking Team’s client list are in bad company.
Hacking Team has attracted criticism for its sales to governments outside Europe that are known for human rights abuses.
According to a 2014 report from the security research centre Citizen Lab in Toronto, some of the worst human rights abusers who bought Hacking Team software include Saudi Arabia, Kazakhstan, and Turkey. Sunday’s leaks added Sudan and other countries to that list.
“I think European agencies seriously need to consider whether they want to be doing business with any company that’s also involved in the sale of sophisticated surveillance equipment to repressive regimes with a track record of targeting activists, journalists, and human rights defenders,” said Edin Omanovic, a research officer at London-based NGO Privacy International.
Last year, Citizen Lab exposed the use of Hacking Team’s spyware against Ethiopian journalists.
A request for comment sent by email to Hacking Team returned with a delivery failure notice. Other journalists reported the same problem with the company’s email address.
The Hacking Team case will stay in focus for a while as the EU considers new rules on the export of surveillance technologies.
The European Parliament will vote tomorrow (9 July) on liberal Dutch MEP Marietje Schaake’s report on the export of those products from Europe.
In a blog post on Monday, Schaake wrote, “While on the one hand many European politicians want to ensure and achieve ‘cybersecurity’, and condemn human rights violations in third countries, the products at the source of these violations could have been sold without any problem.”
The European Commission has been reviewing the 2008 dual use regulation, which set out rules for the export of products with military as well as civilian purposes.
At the end of June, eight NGOs, including Privacy International, published a report on the dual use review and called for member states to use the EU common position on arms exports when selling surveillance technologies outside Europe.
One point in the common position says EU member states should only sell arms to countries where human rights are respected.
“The Regulation should adopt a human rights, rather than ‘human security’ approach to export controls,” the NGOs’ report says.
EU countries are already signatories on the international Wassenaar Arrangement, which restricts exports of weapons and technologies that can be used for military purposes.
In February, Hacking Team announced in a statement that the company was cooperating with the Wassenaar Arrangement.
“We are now the first in our industry to comply with these latest international laws, and we are doing so because we are committed to assuring that our products are not misused,” Hacking Team CEO David Vincenzetti said at the time.
The European Parliament will vote during the 9 July plenary session on reforming export rules for surveillance technologies.