Image: serkan senturk/Shutterstock

European Surveillance Companies Were Eager to Sell Syria Tools of Oppression

Leaked documents and emails show how several companies bid to give Syria powerful telephone and internet surveillance technology.

|
Dec 12 2016, 10:00am

Image: serkan senturk/Shutterstock

In 2007, Syrians could only access the internet through state-run servers, and services like Microsoft Hotmail and Facebook were sometimes blocked. But Bashar al-Assad, who had been head of the Syrian Computer Society before becoming president, knew the internet would inevitably spread more, and he knew he had to tighten his grip over it.

On October 2, 2007, the head of the government-owned Syria Telecommunications Establishment, or STE, put out a call for companies to develop a surveillance system that would monitor all data flowing on the Syrian internet.

The tender listed a series of "services that must be monitored," including web browsing, email, chat rooms, instant messaging, internet VOIP calls, encrypted HTTPS web connections, and the use of VPNs.

An excerpt of the tender that the Syrian Telecommunications Establishment put out calling for help building an internet surveillance system.

"The system must be centralized and has the ability to monitor all the networks which use data communication services inside Syrian territories," STE wrote in the tender, which was part of a trove of confidential documents London-based digital rights organization Privacy International obtained and shared with Motherboard. "All monitoring activities should be done undetected, neither by the monitored targets, nor by ISPs, and not even by the management of the [public data networks]."

Read more: The Hacking Team Defectors

This system, which was officially called the "Central Monitoring System for Public Data Network services and Internet," was the first time the Syrian government called for help to monitor its citizens on the internet, and to censor websites and services.

A little-known Dubai-based surveillance intermediary founded in Berlin, called Advanced German Technology or AGT, was at the center of all these efforts, according to the leaked documents.

AGT's activities are yet another example of how a slew of little-known companies, mostly based in Europe, peddle their spy products to questionable governments. In the last few years, thanks mostly to leaks, data breaches, and the work of researchers and privacy activists, some of these companies, such as Hacking Team, FinFisher, or NSO Group, has been exposed publicly.

While the bloody civil war was still years away, Assad had been in power since 2000, and his regime had already been denounced by international organizations for torturing, jailing dissidents, and imprisoning human rights lawyers. Thanks to newly leaked documents, we now get a little window into how several companies tried to equip Assad's regime with surveillance and censorship technologies.

After the Arab Spring-inspired uprising turned into a civil war, Assad's regime used these tools to spy on dissidents, hacking political opponents, and censor the web.

"The lead up to the Arab Spring was open season for surveillance companies—they provided technologies to eager government clients widely known to be publicly engaged in repression," Privacy International wrote in a report published on Monday.

In 2007, AGT started developing a proof of concept for the Central Monitoring System, which was supposed to include "real-time monitoring of Syrian targets," in partnership with RCS Lab, an Italian surveillance tech vendor, according to the leaked documents.

"The lead up to the Arab Spring was open season for surveillance companies."

In April of 2008, the two companies travelled to Damascus to show off a demo for the monitoring system Syria was looking for.

The Syrian embassy in London did not respond to a request for comment sent via email. RCS Lab also did not respond to an email. AGT's founder and managing director Anas Chbib, did not deny trying to do business in Syria, only saying a lot of the report was "not accurate."

"We has [sic] been working with many vendors, which their responsibility to get the export license approved from their governments," Chbib said in an email, arguing that his company only serves as a middlemen. "We do not own any surveillance technology, as we are not manufacture [sic] or vendor of any of surveillance technologies."

Despite initial enthusiasm, STE wasn't sold, according to the report. RCS Lab and AGT tried to sweeten the deal by offering spyware called G-Spy—AGT's answer to the more well known spy software made by FinFisher and Hacking Team.

RCS Lab did not respond to a request for comment. But a current employee of the company, Luca Crovato, told Motherboard in an online message that "based on what I read on Privacy International and from what I know, the article contains numerous falsehoods lacking any confirmation."

"Journalism should be based on evidence," said Crovato, who also worked for a year at AGT, according to his Linkedin account. Crovato did not respond to a follow-up asking what falsehoods he was referring to.

The first page of a document prepared by RCS Lab and AGT for the Syrian Telecommunications Establishment.

In fact, there's plenty of evidence AGT and RCS Lab worked together in Syria. In a letter addressed to the director general of STE's, and obtained by Motherboard, AGT announced its "partnership" with RCS in an undated letter.

Another document laying out the technical proposal from AGT and RCS Lab explains that the proposed "comprehensive telecom monitoring solution" would be capable of "network sniffing," "wire-speed packet filtering and collection."

The system would be able to filter by keyword, according to the document, and identify and monitor "thousands of different IP protocols," such as HTTP, the email protocols SMTP and POP3, chat and video protocols for MSN, IRC, Yahoo, ICQ and other apps.

An excerpt of a confidential document prepared by RCS Lab to pitch its surveillance system for Syria.

Also, leaked documents obtained by Motherboard show that AGT asked the Syrian embassy in Rome to provide Crovato himself, and three of his colleagues, a visa to visit Damascus for "a project demonstration with Syrian Telecom Establishment."

"This is an important public data network project for the STE," AGT's letter to the embassy read.

A screenshot of a letter from AGT to the Syrian embassy in Rome, Italy.

The two companies also worked on a project to monitor satellite-based internet communications in Syria. RCS Lab's system was built to use a "passive" probe to intercept data and then deliver it to Syrian law enforcement or intelligence agency for analysis. RCS Lab and AGT suggested using hardware from American companies Dell and Netoptics to implement the project, which could have been against the US export regime at the time.

A leaked document, titled "RCS - AGT Answers to Technical Questions Reported in STE," included a sketch of the proposed interception system, specifically to capture satellite communications. The illustration cites "RCS Probing SubSystem" and "Sfera," the codename of one of the company's products.

A schematic showing RCS Lab's proposed surveillance system.

Eventually, however, another Italian company, Area Spa, partnering with German company Ultimaco, and a French company called Qosmos, would get the contract, according to Privacy International. Area Spa is being currently investigated in Italy for its dealings in Syria, and Qosmos is under investigation in France for allegedly aiding the Syrian government's torture of dissidents.

STE wasn't just interested in expanding its surveillance powers, it also wanted to be able to block content on the internet. Slightly a year after its call for new spy tech, STE called for the "supply, installation and operation of the equipment and software for content filtering required for Public Data Network Services (PDN) and the Internet," according to a leaked document.

AGT stepped up again, this time working with the French surveillance company Amesys, which is known to have sold surveillance tools to the Muammar Gaddafi regime in Libya. The company is currently being sued for those deals.

Read more: Watch How Government Spyware Infects a Computer in This Leaked Demo Video

"We are not concerned with 'Classic' spam (such as junk mail for pharmacies online or whatever)," the STE director general wrote in a leaked letter dated April 13, 2009, to companies interested in the bid. "But rather with propaganda mail which has the shape of spam".

From the leaked documents, it's unclear who won the contract to build this system, as the contract hadn't been awarded by early 2010, according to Privacy International.

Bull, the French security firm that now owns Amesys, did not respond to a request for comment via email.

Stephane Salies, a former employee and partial owner of Amesys at the time, confirmed in a letter to Privacy International that AGT was a distributor of Amesys technologies in the Middle East.

"AGT tried to answer a tender issued by a Syrian entity and asked Amesys to provide some products, but a few weeks later, we decided not to pursue this and blocked any potential activity in this country due to the political situation," Salies wrote in the letter.

One year later, in 2009, the Syrian government launched its next surveillance project: tapping the two international cables that bring the internet into the country in Aleppo and Damascus, in an attempt to get the ability to intercept and monitor all internet traffic coming in and out of Syria.

An excerpt of a tender for a system to intercept traffic at internet exchange cables in Damascus and Aleppo.

According to leaked documents, AGT stepped forward once again, this time working with VASTech, a South African company, which would later develop a similar system in Libya.

"VASTech does not reveal any information about our customers, agreements with them, or payments made by them," the spokesperson wrote, without directly denying any VASTech business in Syria.

"There was absolutely no due diligence on who they [AGT] were supplying to."

All these projects predated the start of the Syrian uprising in 2011, which has since turned into a bloody, years-long civil war.

At the time, the European Union didn't prohibit the sale of telecommunications and surveillance equipment to Syria. The EU only restricted the export of those goods in late 2011. The US government, on the other hand, already had some sanctions and restrictions in place which prohibited the export of US technology to Syria without a license.

In its response to Privacy International's questions, however, AGT said that until a "few years back," there was no need for a license for a "majority of surveillance technologies solutions." Depending on what Chbib means for a few years back, that is likely true.

Moreover, Chbib told Motherboard that "we have been always following the UN and EU restriction on export if there is any, and we stated it very clearly in all our offers, that the export license need to be approved before we sell any technology in case it's needed."

It's possible AGT never broke any law nor sanction in its activities in Syria and elsewhere, but an anonymous former employee told Privacy International that the company didn't seem to be too worried about that.

"There was absolutely no due diligence on who they [AGT] were supplying to," a former AGT employee told Privacy International. "And that's the way it was done, there was never any checks carried out."

Get six of our favorite Motherboard stories every day by signing up for our newsletter.