Hacking Team: The Italian Spyware Company’s Data Laundry Operations in the U.S.

The Issue

The Milan-based spyware firm HT S.r.l., also known as Hacking Team, provided several repressive regimes with an Internet surveillance tool, which routes the data tapped at a targeted device through a series of servers in different countries. The purpose is to obscure the data’s final destination and thus the eavesdropper. In the course of their investigation, the researchers of the Citizen Lab at the University of Toronto identified at least 12 cases, in which U.S. based data centers are part of this espionage infrastructure, (passively) assisting the governments of several repressive and authoritarian states, including Azerbaijan, Uzbekistan, and Ethiopia, in laundering their surveillance data. 

The Background

In mid-February, the Citizen Lab started to release their research results on the Hacking Team. The first report introduced the company’s Remote Control System (RCS), a surveillance tool that “can record Skype calls, copy passwords, e-mails, files and instant messages, and turn on a computer or phone’s webcam and microphone to spy on nearby activity,” and how it was used against employees of an Ethiopian news outlet based in Alexandria, Virginia. The second report mapped out the infrastructure used by RCS, tracing the so-called proxy chains back  21 governments that could be identified as clients of the spyware provider (despite Hacking Team’s assurance of intractability).

The Implications

On Tuesday, the Citizen Lab released the third report, covering the “Hacking Team’s US Nexus”. While the first two parts of the series echoed widely on- and offline, I chose to blog about this third release for its specific value for the Crossroads Community, as it directly addresses questions of cyber security law and policy.

Establishing a covert network infrastructure using servers on U.S. soil and routing wiretapped data from targeted computers and devices through the U.S., so the report, Hacking Team’s operations raise several cyber legal issues, including whether moving exfiltrated data through U.S. based communications facilities violates

• U.S. law, including the Computer Fraud and Abuse Act and the Wiretap Act,
• U.S. sovereignty and the international legal principle of nonintervention,
• the client states’ own laws on electronic surveillance,
• the corporate social responsibility of service providers owning the U.S. based infrastructure,
• the terms of service of service providers owning the U.S. based infrastructure,
• Hacking Team’s own corporate social responsibility.

A Final Thought

To me, Hacking Team’s RCS is a paragon of the messy policy problems that arise from cyberspace, exemplifying the fundamental relevance of the Internet’s technical architecture for policy deliberation in and governance of the virtual.