When we think of innovation in the global digital economy, most of us think of exciting new social media or apps that empower us to network and create. However, there is another dynamic sector of innovation, one with a more sinister end use: computer network attack, censorship and surveillance — what some are referring to as the market for “digital arms.” It’s a market Canadians need to understand better, as we have some explaining to do.
Citizen Lab research has been tracking this dark market, shedding light on its scope, scale and character. In 2011, we found that U.S.-based Blue Coat Systems’ network monitoring devices were deployed in Syria and Burma. We followed this up in 2013 with our Planet Blue Coat report, which used wide-scale Internet scans to reveal the presence of Blue Coat ProxySG devices, capable of censorship, and Blue Coat PacketShaper devices, capable of mass surveillance, in countries that rank among the world’s most notorious abusers of human rights, including China, Russia, the United Arab Emirates and Vietnam.
In 2012, Citizen Lab researchers determined that the computers of Bahraini and Emirati activists were secretly monitored by their governments using spyware products sold by a British (Gamma International) and an Italian (Hacking Team) company, respectively. Notably, Blue Coat Systems, Gamma International, and Hacking Team have all just made Reporters Without Borders’ 2013 Corporate Enemies of the Internet list, ranking alongside State Enemies of the Internet Syria, China, Iran, Bahrain and Vietnam.
Although a new and still largely obscure market, this trade in digital arms is clearly spreading furiously. Innovation in this case comes from a variety of drivers: the nearly insatiable desire among autocratic regimes to infiltrate, subvert and disable networked opposition; the growing desire among law enforcement, defence and intelligence agencies to exploit tools that allow them to undertake domestic surveillance and/or espionage abroad; and increasingly from large companies taking matters into their own hands, striking back at attackers they deem to be violating their private property.
Wednesday, we added to the body of evidence around this dark market. In “You Only Click Twice: FinFisher’s Global Proliferation,” Citizen Lab’s researchers document the results of a comprehensive global Internet scan for the command and control servers of Gamma International’s FinFisher surveillance software. The report details the discovery of a campaign in Ethiopia using FinSpy spyware against a political opposition group, and examination of a FinSpy Mobile sample that appears to have been used in Vietnam. The researchers also found command and control servers for FinSpy back doors, part of the FinFisher “remote monitoring solution,” in 25 countries, namely Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.
The presence of FinSpy command and control servers in Canada is certainly striking, but there’s a lot that we cannot say for sure about it. The servers are running on a commercial hosting provider, Softcom Inc., and so could belong to anyone. They could be employed by an agency of Canada’s security services, or someone else operating from afar. Only the web-hosting company, Softcom, could say for certain.
But that shouldn’t make Canadians relax. Canadian involvement in this marketplace is significant and growing. For example, ALOE Systems, a company based in Markham, Ont., that offers a surveillance system known as NetBeholder, serves as the “partner” company of MFI-Soft, a Russian manufacturer that supplies the Russian government with equipment to operate SORM — Russia’s nationwide system of communications interception.
Canadian company Netsweeper was found to supply Internet censorship equipment to national ISPs in Qatar, the UAE, and Yemen, where it has been used to block access to political and religious information.
Companies such as BlackBerry have been pressured to spy on their users for governments such as India, the UAE, Saudi Arabia and others, with huge question marks around the extent to which they have capitulated to these “regulatory requirements.” And Canada’s largest pension plan, the Ontario Teachers’, is a majority investor in Blue Coat Systems.
Canada just keeps showing up on the radar of the digital arms trade, but unfortunately not because of any considered public debate.
Can the digital arms trade be controlled? Some argue the need for more intelligent export controls. The European Parliament has been debating end-use-based restrictions on this trade. Others think that’s futile.
The U.S. Department of State has issued guidance on the export of “sensitive technologies” to Iran and Syria pursuant to the applicable sanctions regimes. Human rights organizations have filed complaints against Gamma International, and Citizen Lab urged investor activism when we found out that Blue Coat Systems was owned in part by the Ontario Teachers’ Pension Plan (we’ve yet to receive any response from either Blue Coat or OTPP).
There are no easy solutions, but assuming surveillance, censorship, and other forms of digital compromise only happen in far-off places is no longer a viable approach. The digital-arms trade is alive and well in Canada. And the longer we put off dialogue and creative engagement on these issues, the closer we come to the day that the dangerous practices in which we’ve been complicit abroad come home to roost.