Spyware Industry Needs Regulation
Ethiopian authorities have carried out a renewed campaign of malware attacks, abusing commercial spyware to monitor government critics abroad, Human Rights Watch said today. The government should immediately cease digital attacks on activists and independent voices, while spyware companies should be far more closely regulated.
On December 6, 2017, independent researchers at the Toronto-based research center Citizen Lab published a technical analysis showing the renewed government malware campaign aimed at Ethiopian activists and political opponents. These attacks follow a long, documented history of similar government efforts to monitor critics, inside and outside of Ethiopia.
“The Ethiopian government has doubled down on its efforts to spy on its critics, no matter where they are in the world,” said Cynthia Wong, senior internet researcher at Human Rights Watch. “These attacks threaten freedom of expression and the privacy and the digital security of the people targeted.”
Based on analysis of attacks starting in 2016, the Citizen Lab report identified several targets who received phishing emails, including several ethnic Oromo activists and scholars, one of Citizen Lab’s own research fellows, and Jawar Mohammed, an Oromo activist and executive director of the US-based Oromia Media Network (OMN). During the period of the infections described in the report, there were widespread protests in Ethiopia, beginning with Oromo protests over development plans around the capital, Addis Ababa, which culminated in a 10-month state of emergency that was lifted in August 2017. Security forces responded to those largely peaceful protests with lethal force, killing over one thousand protesters and detaining tens of thousands more since November 2015.
The government has gone to various lengths to restrict OMN – an independent media network that covers current events in Oromia, Ethiopia – and other diaspora media outlets. Given Ethiopia’s stranglehold on independent media and access to information, diaspora media outlets provide an important source of information that is independent from government, albeit often heavily politicized.
OMN played a key role in disseminating information during protests in 2015 and 2016. The government has routinely jammed satellite television programs, arrested informants, pressured satellite companies to drop OMN, arrested people who show OMN in their places of businesses, and charged OMN under the antiterrorism law in October 2016.
Identified targets in the most recent round of malware attacks were commentators on Ethiopian affairs, who received emails that were tailored to their interests. The emails invited the targets to download and install a software update, which contained malware, to view the content. The phishing attacks, if successful, would have infected their personal computers with spyware. The Citizen Lab report also uncovered dozens of successfully infected devices belonging to other targets in 20 countries, including in the US, UK, Eritrea, Canada, and Germany.
Citizen Lab’s analysis of the attacks and logfiles places the operator inside Ethiopia and links the software to Cyberbit, an Israel-based cybersecurity company. The company is a wholly owned subsidiary of Elbit Systems, an Israel-based defense company. The analysis suggests that the spyware in use is Cyberbit’s PC Surveillance System (PSS), which the company may have recently rebranded as PC 360.
Cyberbit’s marketing materials describes PSS as a “comprehensive solution for monitoring and extracting information from remote [personal computers].” Once a computer is infected, the spyware’s operator would gain access to virtually any information available on the device, including files, browsing history, passwords, emails, and what the target types into the computer. The spyware can also take screen shots and activate a computer’s microphone and camera for live surveillance. The marketing materials indicate that PSS was created for law enforcement and intelligence agencies to “reduce crime” and “prevent terrorism.”
Citizen Lab’s report also identifies potential Cyberbit product demonstrations to possible clients in several other countries, including Kazakhstan, Nigeria, the Philippines, Rwanda, Serbia, Thailand, Uzbekistan, Vietnam, and Zambia.
This is the third known spyware vendor that the Ethiopian government has engaged since 2013. Human Rights Watch and Citizen Lab previously wrote about the government’s use of malware sold by UK/Germany-based Gamma International (reorganized as FinFisher) and Italy-based Hacking Team to target journalists and activists in the Ethiopian diaspora. Authorities continued to misuse Hacking Team’s product through at least 2015, when a widely covered breach of the company’s corporate data confirmed its business in the country.
The government also has a history of abusing other surveillance technologies, which has facilitated a range of human rights violations. Inside the country, Ethiopian authorities have frequently used mobile surveillance to target independent voices. Human Rights Watch has documented how security agencies would play intercepted phone calls during abusive interrogations in an effort to intimidate critics and political opponents into silence.
Spyware companies often market their products to government agencies tasked with fighting crime or preventing terrorism. However, the Ethiopian government has a documented history of abusing its counterterrorism laws to target journalists, bloggers, protesters, and government critics. At least 85 journalists have fled into exile since 2010 as a result of the government’s ongoing crackdown on independent media. Ethiopia’s laws lack meaningful protections for the right to privacy, and the country’s broad security and law enforcement powers are not adequately regulated to prevent arbitrary, unlawful, or disproportionate surveillance.
Human Rights Watch wrote to Cyberbit to request comment on Citizen Lab’s findings, the company’s approach to assessing the human rights impact of spyware sales to government customers, and what steps the company would take if it uncovered government abuses linked to their product. In a December 5 response, the company stated that it is “a vendor and it does not operate any of its products. Cyberbit Solutions customers are the sole operators of the products at their sole responsibility and they are obliged to do so according to all applicable laws and regulations” in their jurisdictions.
The company also stated that it offers its products only to government authorities, and any sales of “lawful interception and intelligence products are subject to export control due to their nature and they were sold only after obtaining all relevant authorizations,” including specific approval of a designated government end user.
Finally, the company stated that while it cannot confirm or deny any specific transaction or client, the company appreciates the concerns raised and is “addressing it subject to the legal and contractual confidentiality obligations Cyberbit Solutions is bound by.”
Cyberbit should immediately investigate misuse of its products by Ethiopian authorities, publicly disclose its findings, and end any plans for future sales and any ongoing support it may be providing, Human Rights Watch said.
Despite some progress in recent years, the sale of commercial spyware remains poorly regulated at the national and international level, as Ethiopia’s repeated purchase of such tools demonstrates. Since 2014, the European Union and 41 member countries to the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies have begun to introduce regulations to control the sale of systems like those sold by Cyberbit. However, even where they exist, national implementation of such export controls has been uneven. Some governments do not adequately consider the risk to human rights when evaluating a company’s application to export spyware to repressive regimes.
While Israel does not formally participate in the Wassenaar Arrangement, it nonetheless incorporates the Wassenaar control lists into its national regulations. Exports of spyware systems from Israel’s thriving cybersecurity industry to foreign governments for security purposes require approval from Israel’s Defense Export Control Agency. Though the agency consults with the Israeli Ministry of Foreign Affairs, it is unclear whether the government requires an examination of the end-user’s or destination country’s human rights record and whether the sale might facilitate violations of rights.
According to 2016 media reports, the agency had previously approved the sale of similar spyware by the Israeli technology company NSO Group to the United Arab Emirates (UAE), despite its record of surveillance abuses. The UAE later used this technology to target a prominent human rights activist, Ahmed Mansoor. In October, the export agency announced that it will loosen some export restrictions, though how the changes will apply to spyware systems remains unclear.
The latest Ethiopian malware campaign raises significant questions about whether Israel’s export controls are adequate to prevent human rights abuses linked to spyware sales, Human Rights Watch said. Israel and other governments should ensure that such sales are reviewed on a case-by-case basis, and evaluate the end-use and human rights record of the end user.
“It is troubling if Israeli authorities allowed the sale of Cyberbit’s spyware to Ethiopian security agencies, given their established record of using malware to violate rights,” Wong said. “Spyware should be kept far from known human rights abusers.
For more about this report, check out Human Rights Watch