Sunday, August 23, 2015

Is it ethical for government to use spyware on their people

PETALING JAYA - On July 5, in the hardest form of irony, a notorious firm of hackers-for-hire called Hacking Team became the target of a hack themselves.

Computers in the Milan-based firm were digitally disembowelled by unidentified hackers, who promptly uploaded 400 gigabytes worth of executive emails, customer invoices and software source code.

Even Hacking Team’s Twitter feed was hacked and used to distribute samples of the leaked files.

You shouldn’t feel bad for Hacking Team, however, because in most aspects the firm thoroughly deserves it. It is best known for selling spying software to any government willing to pay, regardless of the regime’s human rights record.

Normally, such sensational hacking news would be of little interest to the Malaysian public, but Hacking Team’s incriminating documents contain surprising information. As it turns out, the Malaysian government is listed among its top 10 customers, and three departments within the government had purchased the company’s spyware.

The departments involved are the Malaysian Anti-Corruption Commission, the Prime Minister’s Department and a Malaysian intelligence body known as MYMI.

According to Fong Choong Fook, executive director and senior IT security consultant of LE Global Services Sdn Bhd (LGMS), an IT security company, the spyware is basically a remote control software (RCS).

Once installed on a PC, the RCS allows the perpetrator to monitor almost all of the victim’s computer usage.

“The whole idea here is to do surveillance. And, if necessary, to take control of that PC to open it up for more exploits,” says Fong. He explains that Hacking Team’s RCS is nothing new.

In fact, some companies openly sell variations of this software as a means of employee production monitoring.

Enterprises can install this software on employees’ computers to monitor how long they’ve been working, and what programmes they used.

The difference with Hacking Team’s software here is its “stealthiness”: the user is not meant to know if an RCS is installed in his computer.

For starters, the spyware in question wouldn’t have been detectable using antivirus software.

In some ways, the spyware can even be customised to penetrate specific organisation systems without arousing detection.

Adding to the terror is the fact that, due to its stealthy nature, the only way to detect the spyware is to be tech-savvy enough to do so.

Interestingly, the spyware itself isn’t illegal. That is, the Malaysian government isn’t in the wrong for purchasing such software.

“The software itself is not illegal. It’s just how you use it that makes it illegal or otherwise,” says Fong.

According to Fong, the spyware can be distributed using emails and websites, though in most cases the file has to be downloaded onto the computer.

A rather sinister way, Fong explains, is to sneak the spyware in along with legitimate software that users would normally download without much concern.

Theoretically, if a government department releases a GST calculator software downloadable for free, the spyware could be snuck along and then embed itself into the user’s system when the programme is installed. Such methods cannot be detected during installation, either.

Though not confirmed by the leaked documents, the spyware may be able to target smartphones as well.

According to him, phone spyware can listen in on phone conversations, record text messages and emails and – using the phone’s GPS system – even pinpoint your exact location. This is compounded by the fact that smartphones have less, and simpler, protection than a computer would.

For the general populace, Fong believes that they shouldn’t have to concern themselves too much.

Terrifying as it sounds, for a government to widely spread spyware and monitor everyone in the country simply takes up too many resources.

It’s certain groups that have to start becoming vigilant, notably journalists, activists and opposition groups.

In light of that, it’s down to the groups at risk to be vigilant about their computer usage and activities.

Users can also head over to resistsurveillance.org, which contains the Detekt software that Amnesty International has launched as a countermeasure against Hacking Team’s spyware.

The list of Hacking Team’s customers, for one, tells us just how many countries are playing the digital spy game. Besides Malaysia, the list of Hacking Team’s customers includes Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan and even several United States agencies, including the FBI and Department of Defence.

Ethiopia, for example, has a spy agency that surveils and censors its journalists and political dissidents. Sudan is a country that is the subject of a UN embargo, and documents pulled from Hacking Team’s servers show a US$480,000 (RM1.8 mil) invoice to its National Intelligence and Security Services for the same software.

Hacking Team’s revelations show that there is a need for improved regulations that can prevent private firms from selling hacking software to any government in the world.

The UN had certainly tried curtailing Hacking Team’s selling efforts to Sudan – written exchanges between Hacking Team’s executives and UN officials saw the Milan surveillance company arguing that spying tools didn’t count as weapons, and thus didn’t fall under the UN’s arms embargo.

That argument might change, though. An arms control pact called the Wassenaar Arrangement is being hotly debated over its measures that would control international export of intrusion software.

by Tan Jee Yee
