Hacking Team: 'We Don’t Do Business With North Korea'
Full transcript of our interview with Hacking Team in Milan.
Image: Hacking Team
For transparency's sake, here's the full transcript of Mari Bastashevski's interview with Hacking Team in Milan, Italy.
MOTHERBOARD: Do you have something you would like to open with?
Eric Rabe, Hacking Team's spokesperson: Well, I mean, we're in the process of trying to figure out exactly what happened, but it's quite clear that this was a very sophisticated attack done by not a casual hacker but somebody … or some organisation perhaps, that knows their business. The problems that they have caused are of course a problem for us as a business and that is a serious issue, but the really grave problem that they've created is that they've released our software to the internet.
Why is that a grave problem?
Formerly, we had control over who could use this tool and we sold it only to police agencies and people who were government agencies. Now, anybody can use it and turn it against anybody they want to use it against. So if people were concerned about the idea…pick a country…Saudi Arabia had access to this, well now North Korea has access to this. It could be anybody.
What's the difference between North Korea and Saudi Arabia having access to it? How would it be used differently?
That's a fair point, but there certainly has been concern that the software was sold to people who would use it in an inappropriate way and we've been concerned about that a lot. We tried to manage that. Now, we have no way to mitigate that. If somebody wants to use this software in any imaginable way it's out there for them to use. So it's a concern.
But you wouldn't be held responsible for that?
Suppose you can take that attitude but we don't. We would never have just made this accessible to anybody. You know businesses, criminals?
But was that because of security or profit concerns? It's quite an expensive software. You're selling it. What are the priorities between profit and security?
Well we're talking about a bunch of different things here. First of all yes, of course there is a business reason why we wouldn't want to have our product basically free for anybody to use. We'll fix that. I mean, right now, this tool is not useful for its intended purpose which is law enforcement investigations because it either can be or will soon be discoverable. Problem is that not everybody uses anti-virus software, so if somebody decided to use this as part of some kind of human rights repressing, for example, now they could.
There are many allegations that the software has been sold to countries where human rights are not highly valued.
Wasn't this already happening? There are multiple reports from respected NGO that attest to as much. And in fact, if you follow the updates, this is precisely the reason hackers gave to explain why they were after you.
Actually, I'm not sure that there are reports of that. There have been half a dozen allegations or so that perhaps our software's been used in some kind of surveillance to surveil journalists or human rights activists. Not many. There are many allegations that the software has been sold to countries where human rights are not highly valued. And then the leap is, "Oh, so therefore they must be using that to spy on civilians."
I've personally interviewed a number of journalists and activists who have been repressed and punished by the authorities as a result of intercepted communications in the countries where your product is being sold. How do you know it hasn't been used in that way? Do the governments provide you with a report on their targets and evidence?
Well, and do you know if it was our software that was being used? Can you prove it?
You know yourself how difficult it is to confirm that while everything about the software is a secret. How do we proceed here?
Do you meet all the clients and travel to the places where your software is installed? Have you visited Uzbekistan for example?
Yes we meet with them. People come here for training. Uzbekistan, I'm not confirming that Uzbekistan is a client, if that's what you're asking. Others may try to identify clients of ours but we do not confirm that people are or not.
OK. Clearly many talented and educated researchers, such as Citizenlab, as well as activists and journalists, are concerned about this enough to invest time and resources into researching you and you're very critical of them because of that. Wouldn't taking them seriously and engaging with them on these issues be a more effective way of sustaining your business long term?
No, no, no. That's not true. We're not critical. We've actually worked with Human Rights Watch, Privacy International, Citizenlab, all these organisations. They've got a very particular point of view though—it's not ours! When somebody comes to us with an allegation that our software has been used against Ethiopian people that was a very big concern for us, because it's way outside of bounds of what we would expect our software to be used for. So we've investigated that and we tried to find out what happened and whether there has been some sort of justification for what appears to be a bad act. We tried to find out. If we discover in a case like that that our software has been used in a way that we do not believe is correct.
How do you conduct such an investigation?
Well, the first thing you do is you call the accused client! And you say somebody we know, or we don't know, says this….
And then you take their word for it?
Well, in some cases it's been reported that the software has been used by somebody who is not a customer of ours. In cases like that, we have a record that we didn't sell anything to that entity and whatever they're doing they're not doing it with our stuff. Then we move on. And in the case where it turns out to be our client the first step to take is of course to call the client and say, "Somebody says you're using that to do rotten stuff. Is that true?" They may say, "Yes, we have used it in that case because we believe this person is a terrorist, or we think this person is a drug dealer." Or whatever. And we ask, "OK, what are your evidence for that? Somebody else is saying that they are a journalist, or a human rights activist." And then we have that counter-conversation.
Do you get to review the evidence of their statements? And does it stick?
Well, we don't have to prove a legal case. At the end of the day it's a business decision for us to establish whether we want to continue a relationship with someone who is said to be a bad actor. We have contracts with them saying what they would use the software for, if they're using it for something else we have the justification to stop it right there, to stop working with them. And we have done that.
Oh? Who did you cut off?
As I said, we don't have a policy to discuss our existing or prospective clients.
Would it make things easier if there was a legislation that made it a legal case, specially in regard to human rights? Or would you not be looking forward to that?
There is already the Wassenaar protocol that goes into effect immediately and with which we fully comply. And that is an export control regulation for dual use technologies such as Hacking Team is. We didn't fight that. We think that is perfectly reasonable. We didn't leave the EU to avoid being regulated by that. Instead, we work with the Italian government on a regular basis processing potential sales to ensure that they pass the requirements of the government's way to do business.
The only concern we did have and we were able to resolve was how long this process would take. If it holds up a sell for, you know, a year, it's the same as turning down the sale. So we have to find out quickly. But if there is an orderly and efficient way to do that, we're happy to do it. And we've developed such a system with Italy that you know [has] been in effect this year, and for very much the reason you're suggesting. I'm sure it takes it off of us and puts in on another institution to prove or disprove. Formally we had something that was actually composed of people inside and outside the company, a little board that reviewed sales and says, "We don't think that this is a good place to do business"
Have you blocked anyone on the basis of the comments from the board?
Who would that be? Sudan?
[laughs] I'm not identifying our clients.
We don't do business with North Korea. We're not going to do business with them.
Well, if you've blocked them from importing they're not in fact your clients. Or is it still the short list?
Well, the problem is if I say we looked at Cuba or North Korea, or some of those kinds of countries. Actually, Cuba is no longer on the US blacklist so we can review that, but North Korea certainly is so let's take North Korea. We don't do business with North Korea. We're not going to do business with them. And the reason is not just because they're on [an] international blacklist but also because it's evident that they're very likely to use this software with intent to repress.
But is that even a relevant example? Is the internet use widespread in North Korea amongst the civilians?
So it seems unlikely they would try to be a client at this time.
Ok maybe they wouldn't care to use it.
Well, OK. So what is the guideline behind what you consider "evident"? I mean, Azerbaijan is not under mandatory embargo, at the same time the abuse there is "evident." Dozens of journalists and activists who are now in jail were previously under surveillance. Their electronic correspondence repeatedly compromised.
We've said many times that this is a developing area about the law around this software. It's new so it takes time for it to develop. It is developing. Wassenaar agreement is in place. US is developing those controls as well but Italy and the EU are ahead of that and those are already in effect. So that's one thing. And I'm certainly not here to support repressive regimes or the kinds of abuses that you describe, but I don't think the question is quite that simple, and I don't think that Hacking Team is the best international forum to decide who is and isn't a bad actor.
Who would you respect as an authority over that?
Well, I think the EU for example. Perhaps United States, or other Western nations...providing lists of people that they don't think you should do business with.
So, Western government's authority exclusively?
Yes. I think it's the logical place for that to happen. But these kinds of cases that you've just ticked off don't rely on our software. I am not sure that any of those would have actually been facilitated with the software we sell. And certainly the repressive governments had existed long before there was an internet, so this isn't something where you can say, "Oh gosh, if only there wasn't this software we wouldn't have repressive government."
That's fragmenting the responsibility, saying it's someone else's fault, until everyone is responsible and therefore no one is.
That's certainly not the point. And it changes. From time to time a government that may have been OK at one point, ends up on a blacklist because their behaviour changed, or because someone discovered something that they were doing that was not known before. And there are cases where governments are labelled repressive by governments and people and activists who are working on this and yet those governments are allies of Western Countries. I think there are people who would argue that the United States is a repressive government. So, the solution to that would be for us to simply close our doors and go out of business? I don't think that's an acceptable alternative because what you have, and you got to listen to me on this, the internet, encrypted communications, TOR, and similar kinds of technologies have provided a safe haven for terrorists and bad actors. And I'm not suggesting for a moment that the internet, computers, and mobile phones are not also enormously helpful, in any millions of ways, but at the same time you can't ignore the fact that it's also very helpful for people who are doing bad things.
What are your statistics on the number of them being caught with your tools?
In the past, it would have been possible to investigate these kinds of crimes by following people around, tapping their telephones and you know what used to be a traditional surveillance now that's not possible because we have technologies to protect communications. A lot of it would go on one side, but on the other side it provides safe haven for people to do bad things.
We're back to the discussion on security over privacy but it seems like a wrong way to deal with it at the get go. It has to be both?
Well it does have to be both, absolutely! We have had a system in place for a long time for maybe court orders or you know different kind of oversight of how this surveillance is done and that's perfectly appropriate in this situation too. In many countries that's required and we're not arguing for a moment that it shouldn't be the case. But you can't say that technology that allows governments, police agencies, investigations to follow the behaviour of criminals and prevent crime and to prosecute crime once that happens is of no value for society? It can't be something that we do not allow!
Sure, but doesn't the commercial and profit factor, when mixed into the necessity of security tend to tip the scales in favor of more profit?
Well, I won't suggest for a moment that we're not happy to try to sell our software, but I think we also recognize that we have a responsibility to sell it to people who are going to use it in the appropriate way. That's the area that developed in the company over the past couple of years. If you came in ten years ago, or five years ago, I don't think that would have been a grave point of issue. We're worried about it but it wasn't being abused or it wasn't being abused in a particular way. Now we've found cases where we have more cause for concern, so, you know. We are examining those things and some former clients and are saying we're not comfortable working with these particular countries. So they're no longer clients of ours. That's a natural evolution of this. The technology is evolving and the need for our technology is evolving as well. The concerns around privacy issues also are evolving and I don't think we had nearly the kind of activism on this issue five years ago, ten years ago, that we have today.
Why not welcome it?
I think we've been more open than any other company in our industry. Certainly any of our competitors. The fact that I'm talking to you, I mean, and other journalists this week, maybe.
But you're talking to me after the fact of the attack. This wasn't previously possible.
I've been on panels before. I've defended my position. And still tried to bring some reason to discussion. But there is a lot of emotion around this. I get that. That makes it hard to have a sensible discussion on the issue.
That, and the fact that you cannot discuss your existing and prospective clients. But let's switch focus. What happened on the technical front? How is this possible? You claim to contribute to security, you work with state secrets, and yet you're completely exposed, and your clients, and possibly their targets. A lot of people, even those not familiar with your product and the issues surrounding this, are wondering about the quality of this security, and quality overall.
It is certainly not a situation we've welcomed. Obviously we felt like we've had better security and systems in place than we turned out to have. I mean, we knew we would be a target for, you know, this kind of accident so I would say you've taken precautions, but I think that given enough time and effort most systems can be broken and we've seen that not only with our company but with others and government agencies that have far more resources than we have to protect themselves. JP Morgan, Office of Personnel Management, heaven knows who else. All attacked and penetrated. In our case, yes, frankly it's a very serious situation for us as a company and our clients. We're right now: a. trying to understand exactly what happened, b. trying to put into effect an upgrade of our system so the damage would be mitigated from that point of view. But still, this is a very serious situation.
So you're planning on re-opening?
What will you be taking out of this experience to change how you work, beside the system upgrade? Is there something that you'll do different?
Certainly. I think reviewing our internal security, maybe managers.
Will you acknowledge and respond to the widespread criticism the company is under right now?
Oh sure, I follow it, and we've taken seriously media comments and researchers that have looked at our stuff and tried to determine whether they had a valid point. Sometimes they do and sometimes they're more hysterical and motivated by emotion than by logic. But we don't feel that we have a responsibility to report out when we make changes. That's an internal matter for us. Look, we're operating a business. We think we're operating it responsibly. There are people who think that the right solution is to get to come in and oversee our business for us, but we don't agree with that.
What do you think we should do? Do you think we should just get a meeting room for people to come in and let them let them sort of run a company?
I think that's not a bad idea, if they're qualified.
I do not think so. I recognize that it's not satisfying to somebody who wants to manage our business for us but we think we, as I said before, done more than anybody else to address the issues that people are raising and to try to be a responsible provider of this kind of software.
So what is the biggest concern for you right now?
The biggest concern right now is that we don't compromise the investigations of the law enforcements. They're on the way.
How are your clients taking this? The intelligence agencies especially?
They understand that a criminal act has occurred here and that we're a victim. They are patiently waiting for us to figure this out.
Are they staying with you?
We've not lost a single client yet. Nobody has left at this point. Maybe some will decide, but I would be surprised.
Anything else you want to add?No.