Spyware Industry Needs Regulation
Ethiopian authorities
have carried out a renewed campaign of malware attacks, abusing commercial
spyware to monitor government critics abroad, Human Rights Watch said today.
The government should immediately cease digital attacks on activists and
independent voices, while spyware companies should be far more closely
regulated.
On December 6, 2017, independent researchers at the
Toronto-based research center Citizen Lab published a technical analysis
showing the renewed government malware campaign aimed at Ethiopian activists
and political opponents. These attacks follow a long, documented history of
similar government efforts to monitor critics, inside and outside of Ethiopia.
“The Ethiopian government has doubled down on its efforts to
spy on its critics, no matter where they are in the world,” said Cynthia Wong,
senior internet researcher at Human Rights Watch. “These attacks threaten
freedom of expression and the privacy and the digital security of the people
targeted.”
Based on analysis of attacks starting in 2016, the Citizen
Lab report identified several targets who received phishing emails, including
several ethnic Oromo activists and scholars, one of Citizen Lab’s own research
fellows, and Jawar Mohammed, an Oromo activist and executive director of the
US-based Oromia Media Network (OMN). During the period of the infections
described in the report, there were widespread protests in Ethiopia, beginning
with Oromo protests over development plans around the capital, Addis Ababa,
which culminated in a 10-month state of emergency that was lifted in August
2017. Security forces responded to those largely peaceful protests with lethal
force, killing over one thousand protesters and detaining tens of thousands
more since November 2015.
The government has gone to various lengths to restrict OMN –
an independent media network that covers current events in Oromia, Ethiopia –
and other diaspora media outlets. Given Ethiopia’s stranglehold on independent
media and access to information, diaspora media outlets provide an important
source of information that is independent from government, albeit often heavily
politicized.
OMN played a key role in disseminating information during
protests in 2015 and 2016. The government has routinely jammed satellite
television programs, arrested informants, pressured satellite companies to drop
OMN, arrested people who show OMN in their places of business, and charged
OMN under the antiterrorism law in October 2016.
Identified targets in the most recent round of malware
attacks were commentators on Ethiopian affairs, who received emails that were
tailored to their interests. The emails invited the targets to download and
install a software update, which contained malware, to view the content. The
phishing attacks, if successful, would have infected their personal computers
with spyware. The Citizen Lab report also uncovered dozens of successfully
infected devices belonging to other targets in 20 countries, including in the
US, UK, Eritrea, Canada, and Germany.
Citizen Lab’s analysis of the attacks and logfiles places
the operator inside Ethiopia and links the software to Cyberbit, an
Israel-based cybersecurity company. The company is a wholly owned subsidiary of
Elbit Systems, an Israel-based defense company. The analysis suggests that the
spyware in use is Cyberbit’s PC Surveillance System (PSS), which the company
may have recently rebranded as PC 360.
Cyberbit’s marketing materials describe PSS as a
“comprehensive solution for monitoring and extracting information from remote
[personal computers].” Once a computer is infected, the spyware’s operator
would gain access to virtually any information available on the device,
including files, browsing history, passwords, emails, and what the target types
into the computer. The spyware can also take screenshots and activate a
computer’s microphone and camera for live surveillance. The marketing materials
indicate that PSS was created for law enforcement and intelligence agencies to
“reduce crime” and “prevent terrorism.”
Citizen Lab’s report also identifies potential Cyberbit
product demonstrations to possible clients in several other countries,
including Kazakhstan, Nigeria, the Philippines, Rwanda, Serbia, Thailand,
Uzbekistan, Vietnam, and Zambia.
This is the third known spyware vendor that the Ethiopian
government has engaged since 2013. Human Rights Watch and Citizen Lab
previously wrote about the government’s use of malware sold by UK/Germany-based
Gamma International (reorganized as FinFisher) and Italy-based Hacking Team to
target journalists and activists in the Ethiopian diaspora. Authorities
continued to misuse Hacking Team’s product through at least 2015, when a widely
covered breach of the company’s corporate data confirmed its business in the
country.
The government also has a history of abusing other
surveillance technologies, which has facilitated a range of human rights
violations. Inside the country, Ethiopian authorities have frequently used
mobile surveillance to target independent voices. Human Rights Watch has
documented how security agencies would play intercepted phone calls during
abusive interrogations in an effort to intimidate critics and political
opponents into silence.
Spyware companies often market their products to government
agencies tasked with fighting crime or preventing terrorism. However, the
Ethiopian government has a documented history of abusing its counterterrorism
laws to target journalists, bloggers, protesters, and government critics. At
least 85 journalists have fled into exile since 2010 as a result of the
government’s ongoing crackdown on independent media. Ethiopia’s laws lack
meaningful protections for the right to privacy, and the country’s broad
security and law enforcement powers are not adequately regulated to prevent
arbitrary, unlawful, or disproportionate surveillance.
Human Rights Watch wrote to Cyberbit to request comment on
Citizen Lab’s findings, the company’s approach to assessing the human rights
impact of spyware sales to government customers, and what steps the company
would take if it uncovered government abuses linked to their product. In a
December 5 response, the company stated that it is “a vendor and it does not
operate any of its products. Cyberbit Solutions customers are the sole
operators of the products at their sole responsibility and they are obliged to
do so according to all applicable laws and regulations” in their jurisdictions.
The company also stated that it offers its products only to
government authorities, and any sales of “lawful interception and intelligence
products are subject to export control due to their nature and they were sold
only after obtaining all relevant authorizations,” including specific approval
of a designated government end user.
Finally, the company stated that while it cannot confirm or
deny any specific transaction or client, the company appreciates the concerns
raised and is “addressing it subject to the legal and contractual
confidentiality obligations Cyberbit Solutions is bound by.”
Cyberbit should immediately investigate misuse of its
products by Ethiopian authorities, publicly disclose its findings, and end any
plans for future sales and any ongoing support it may be providing, Human
Rights Watch said.
Despite some progress in recent years, the sale of commercial
spyware remains poorly regulated at the national and international level, as
Ethiopia’s repeated purchase of such tools demonstrates. Since 2014, the
European Union and 41 member countries to the Wassenaar Arrangement on Export
Controls for Conventional Arms and Dual-Use Goods and Technologies have begun
to introduce regulations to control the sale of systems like those sold by
Cyberbit. However, even where they exist, national implementation of such
export controls has been uneven. Some governments do not adequately consider
the risk to human rights when evaluating a company’s application to export
spyware to repressive regimes.
While Israel does not formally participate in the Wassenaar
Arrangement, it nonetheless incorporates the Wassenaar control lists into its
national regulations. Exports of spyware systems from Israel’s thriving
cybersecurity industry to foreign governments for security purposes require
approval from Israel’s Defense Export Control Agency. Though the agency
consults with the Israeli Ministry of Foreign Affairs, it is unclear whether
the government requires an examination of the end-user’s or destination
country’s human rights record and whether the sale might facilitate violations
of rights.
According to 2016 media reports, the agency had previously
approved the sale of similar spyware by the Israeli technology company NSO
Group to the United Arab Emirates (UAE), despite its record of surveillance
abuses. The UAE later used this technology to target a prominent human rights
activist, Ahmed Mansoor. In October, the export agency announced that it will
loosen some export restrictions, though how the changes will apply to spyware
systems remains unclear.
The latest Ethiopian malware campaign raises significant
questions about whether Israel’s export controls are adequate to prevent human
rights abuses linked to spyware sales, Human Rights Watch said. Israel and
other governments should ensure that such sales are reviewed on a case-by-case
basis, and evaluate the end-use and human rights record of the end user.
“It is troubling if Israeli authorities allowed the sale of
Cyberbit’s spyware to Ethiopian security agencies, given their established
record of using malware to violate rights,” Wong said. “Spyware should be kept
far from known human rights abusers.”