Software from Company That Sells Only to Governments
If Saudi authorities are using spyware to target activists’ mobile phones, it could indicate a ratcheting up of efforts to scrutinize online activism in an environment that is already hostile to the freedoms of expression and association, Human Rights Watch said. Where “standard” criminal investigations involve arrests of peaceful protesters or liberal website operators, companies that supply surveillance technologies without adequate safeguards risk complicity in rights violations.
Citizen Lab researchers were not able to confirm whether Saudi Arabia or any other government has successfully deployed Hacking Team tools in Saudi Arabia, nor who may have been specifically targeted. However, given that the spyware is embedded in a doctored version of an existing application, potential targets are likely to have an interest in current affairs related to the Qatif governorate. Citizen Lab researchers previously published additional evidence that Hacking Team may be in use in Saudi Arabia, based on presence of Hacking Team-linked servers in the country.
Qatif has been the site of ongoing protests, especially since Saudi Arabia’s intervention in Bahrain in March 2011, despite a categorical ban on protests issued by authorities that month. On April 17, Saudi Arabia’s Specialized Criminal Court sentenced a Qatif-based human rights activist, Fadhil al-Manasif, to 15 years in prison and a 15-year ban on foreign travel after he serves his prison term, largely for his role in helping international journalists cover the protests in Qatif. Saudi Shia citizens, who make up a majority of the town’s residents, face systematic discrimination in public education, government employment, and in building houses of worship in majority-Sunni Saudi Arabia.
In December 2013, Human Rights Watch released a report documenting how activists in Saudi Arabia have embraced the Internet and social media to build relationships, discuss ideas, and promote social and political reforms. Saudi authorities have arrested, prosecuted, and otherwise attempted to silenceactivists and suppress calls for change, including in Qatif.
New counterterrorism regulations promulgated in early 2014 criminalize virtually all dissident expression as “terrorism,” including acts such as “contact or correspondence with any groups [that are] hostile to the kingdom,” “making countries, committees, or international organizations antagonistic to the kingdom,” and “calling, participating, promoting, or inciting sit-ins [or] protests.”
It is unclear how intrusion tools are regulated under Saudi law and what protections for digital privacy, if any, are enforced in practice to prevent illegitimate government surveillance. Under article 17 of Saudi Arabia’s counterterrorism law, promulgated in January, the interior minister has the power to seize or monitor any means of communication at his discretion, and without a warrant, as long as it “is beneficial for revealing the truth.” Under article 21 of the Arab Charter on Human Rights, which Saudi Arabia ratified in 2009, “[n]o one shall be subjected to arbitrary or unlawful interference with regard to his privacy, family, home, or correspondence….”
The United Nations special rapporteur on freedom of opinion and expression, Frank La Rue, stated in his 2013 report to the UN Human Rights Council: “Use of an amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is of serious concern. Surveillance of communications must only occur under the most exceptional circumstances and exclusively under the supervision of an independent judicial authority.”
La Rue expressed specific concerns about use of intrusion spyware: “From a human rights perspective, the use of such technologies is extremely disturbing.… [The spying capability they enable] threatens not only the right to privacy [but also] procedural fairness rights with respect to the use of such evidence in legal proceedings.”
Citizen Lab and Human Rights Watch previously documented use of Hacking Team tools to target an independent, diaspora-run Ethiopian media organization. Hacking Team states that it sells exclusively to governments, and markets its products for “standard” criminal investigations, “lawful intercept,” and intelligence-gathering activities related to counterterrorism and crime.
In response to a request for comment to Citizen Lab’s June 24 report, Hacking Team responded with a statement to Human Rights Watch that points to the firm’s customer policy. According to the written policy and the firm’s statement, the company reviews potential sales for risk that its products may facilitate human rights violations and may decline a sale under certain circumstances.
Hacking Team told Human Rights Watch that it will suspend support for its products if the company believes a customer has misused the technology, and has done so in the past. However, the company has not released information about prior investigations, nor about any actions to address specific incidents. The company has also stated that it does not confirm or deny the identity of any specific customer as a matter of company policy.
Powerful spyware remains virtually unregulated at the global level. There are insufficient national controls or limits on their export to prevent sales to governments that are likely to use them to target and persecute dissidents. There is also an urgent need for oversight and mechanisms to ensure that firms selling such tools are held accountable for abuses linked to their business, Human Rights Watch said.
“Selling so-called ‘lawful intercept’ tools to governments that equate dissent with terrorism is a recipe for disaster,” Wong said. “Hacking Team should investigate possible misuse of its products in Saudi Arabia. Hacking Team and other makers of similar tools should immediately cease any support and sales to abusive governments.”