Turkey’s national police force paid the controversial online “security” firm Hacking Team $600,000 to spy on its own citizens—which scholars say is a likely illegal practice—for more than three years, purported hacked documents reveal.
Hacking Team, which made the nonprofit Reporters without Borders’ list of Enemies of the Internet for selling surveillance software to countries with records of human-rights abuses, was ravished Sunday night by hackers who exposed 400GB of alleged company files. Among them are documents that show that the General Directorate of Security (GDS), Turkey’s civilian police force, contracted to use with Hacking Team’s “Remote Control System” (RCS) product from June 2011 to November 2014.
The RCS, the company claims, allows users to bypass encryption, antivirus software, and firewalls. A “Client Overview List” from 2014 names an intelligence officer in the Turkish police force as a direct contact person and notes the RCS was used on 50 total targets.
But that’s a legally dubious program for the national police force to use. Traditionally, advanced signals infiltration is solely the authority of Ankara’s Telecommunications Directorate, or TIB. According to the Turkey’s Code of Police Conduct (Law 2559), GDS warrants only grant them limited power that certainly doesn’t include infiltrating a computer system or a network. And the country’s highest court recently struck down GDS use of “preventative searches warrants”—physical searches without probable cause—as illegal.
That the GDS used Hacking Team’s RCS software is clearly detailed in the documents believed to have been stolen from the company’s servers. One, “Agreement signed on June 21st, 2011,” includes an invoice from 2011, and it appears to mark the beginning of a deal between the Hacking Team and the Turkish police force. Another, “Customer_History.xlsx,” shows that Turkey paid Hacking Team €150,000 ($164,175) in 2011 and €140,000 ($153,230) in 2012 for “licence/upgrades.” Another €150,000 invoice on Nov. 4, 2013 was the last Turkish payment, according to the company’s alleged 2014 records, and the license was valid until Nov. 11, 2014.
“Client List_Renewal date.xlsx,” categorises Turkish police as an “Active” client, and it notes a “Renewal in progress (December 2014).” But that deal appears to have fallen through: A future prospects document prepared by company’s chief operating officer, Giancarlo Russo, and edited as recently as July 3, notes no expectation for earnings from Turkey in 2015. The same document lists Turkey’s total payments to the company as €440,000 ($594,718) at the date of last payment).
Traces of Hacking Team activity have been in Turkey for years, though. In 2012, Kaspersky Labs experts detected 12 cyberattacks to five separate targets in the country, attributed to the RCS tool, and a Wired article from 2013 detailed its use against an American scholar in Turkey who was critical of the moderate Islamist Gülen Movement. Later leaks of government corruption in Turkey showed that followers of Gülen have been staffed in police intelligence for a decade.
It’s not just Turkey, either. Citizen Lab’s 2014 report on the global use of Hacking Team’s tool draws a concerning map showing that the governments of Ethiopia, Morocco, and United Arab Emirates have used Hacking Team services to target human-rights activists and independent journalists. That report also lists 10 IP addresses of servers from Turkish ISPs that have the fingerprints of Hacking Team’s fake security certificates. One of the endpoints (95.9.71.180), noted by the Citizen Lab researchers as a “spyware’s government operator,” is a server owned by Turkey’s largest ISP, Türk Telekom, where the team has detected activity for a week in November 2013.
We still don’t know the exact targets of Turkish police force during the three years of its Hacking Team contract, but the cumulating evidence points to unlawful purchase of surveillance tools paid by Turkish taxpayers and targeted spying on its people by the administration of Turkey’s then-Prime Minister, and current President, Recep Tayyip Erdo?an.
Photo via 401(K) 2012 / Flickr (CC BY 2.0) | Remix by Max Fleishman