Hacking Team's Eric Rabe speaks to IBTimes UK, defending his company's business of selling powerful cyber weapons which allows governments to spy on and monitor their citizens.

Cyber Spying
A cyber security analyst works in a watch and warning center at a Department of Homeland Security cyber security defense lab at the Idaho National Laboratory, September 30, 2011, in Idaho Falls, Idaho. (Credit: Reuters)

The sales pitch for Hacking Team is a pretty easy one.

"Imagine being able to prevent terrorist attacks before the happen. Being able to monitor the activity of criminals anywhere in the world, knowing what they are going to do next, when and where"

For governments, intelligence and law enforcement agencies, power like this would have been a day dream just a few years ago. Now companies like Hacking Team, Vupen and UK-based FinFisher are offering just this type of tool.

The problem arises when these powerful cybwer-weapons are put into the wrong hands, and used by repressive regimes to illegally monitor its citizens.

No one knows

No one really knows to what extent governments and law enforcement agencies around the world are monitoring our every move. Everyone knows it goes on, but no one can say for certain to what extent.

While the use of powerful cyber-weapons to monitor phone calls, emails and online activity of terrorists and criminals is hard to argue against, using the same weapons to monitor those 'believed' to be involved in illegal activity is a lot harder to justify.

In both cases powerful software is needed to be able to infiltrate activity on smartphones, tablets and PCs. There are a growing number of companies around the world offering these cyber-weapons and ultimately it is they who decide who get to use their surveillance tools.

A lack of regulation and the need to keep pace with cyber-criminals has put a huge amount of power in the hands of these companies, letting them make the decision about who should be trusted and who denied this power.

One of the most high-profile of these companies is Hacking Team, a Milan-based company which has been offering its surveillance system to governments and law enforcement agencies for almost a decade. It has come under fire in recent years after it was discovered that its software had been used by repressive regimes in Morocco and the United Arab Emirates to illegally monitor activists.

It has even been alleged that the use of Hacking Team's tools have directly led to the torture and murder of people - a charge strongly denied by Hacking Team.

Unenviable

Eric Rabe has a pretty unenviable job. As head of communications and public policy for Hacking Team, his job consists of defending a company which sells powerful cyber-weapons allowing its customers to monitor your every email, text message, phone call and web search.

Hacking Team, like its competitors, is very secretive about its work, revealing nothing about who it works with, how much it gets paid, and most importantly what exactly its software is used for.

Calls for more regulation and transparency in its dealings have been growing since the revelations last year and while there has been no change in regulations thus far, the negative media coverage does seem to have had an effect on the way Hacking Team deals with the public and the press.

Last month at the annual RSA security conference in San Francisco Rabe and other Hacking Team representatives made an appearance to the surprise of many industry watchers.

At a panel discussion on cyber surveillance, Hacking Team came in for criticism from Jacob Appelbaum, a security expert and core member of the Tor project, as well as from Kurt Opsahl, senior attorney at the Electronic Frontier Foundation (EFF).

According to Tom Brewster from TechWeekEurope who was at the panel discussion, Appelbaum said the use of Hacking Team tools and similar software can be the difference between life and death.

"These people are tortured, some of them are murdered ... the result of the things we are talking about here is a life and death matter."

Horrific

During the panel discussion some horrific images of torture were displayed on a large screen, which Rabe says were used "without one scintilla of evidence" that there was a relationship between the images and Hacking Team's software.

But whether or not Hacking Team feels the criticism it has received is unjust, a discussion about this whole industry is currently on-going and Rabe admits his company "needs to engage in this discussion [and the company] recognises the seriousness of the software, its power and potential for abuse."

Rabe believes that common ground between companies like Hacking Team, FinFisher and Vupen and groups like the EFF can be found and he is "willing to engage in the conversation."

Speaking to the IBTimes UK from the east coast of America, Rabe gives his description what his company does:

"Hacking Team provides legal surveillance software to the law enforcement, intelligence communities and governments around the world. We sell exclusively to governments so no private person or business can buy this. This is a very effective product that allows law enforcement agencies to monitor the communications of people who may be under surveillance."

The "this" Rabe speaks of is Remote Control System (RCS) or DaVinci, a hugely powerful tool which allows Hacking Team's customers to monitor people though there phones, laptops and PCs. It lets those in control track keystrokes to capture usernames and passwords; allows for remote uploading of files and can even use a device's microphone to record what is being said by the target.

RCS can be used to monitor anywhere from a few targets up to hundreds of thousands of targets according to the company's brochure.

Legitimate

While legitimate use of RCS on a few specific targets is quite understandable, finding reasons why it could be legitimately used on hundreds of thousands of targets simultaneously is much more difficult. When I put this to Rabe he said it was technically possible to monitor this many targets, but that he didn't know of "anybody that's doing anything of that magnitude."

It is at this point that critics of Hacking Teams and companies like it - such as Vupen and UK-based FinFisher - point out that once the cyber-weapon is handed over, it is very difficult for them to know how it is going to be used.

Last year security researcher Morgan Marquis-Boire highlighted that software created by Hacking Team was being used by oppressive regimes in the United Arab Emirates and Morocco to monitor anti-government protestors and which in at least one case lead to the torture of an activist.

While it is generally accepted that these incidents did take place, Hacking Team is still reticent to openly admit it was there software which was used. Rabe conceded that Hacking Team "has been accused of being involved in both [incidents], and we did investigate [both incidents] and that included conversations with various clients, not necessarily clients in the countries cited. " Rabe adds that his company does everything in its power to prevent anything like this happening.

When a client buys the software from Hacking Team, it is configured specifically for the client depending on their needs and the laws in the country in which they are operating. Rabe says the decision over which functions to enable and which to disable is a joint one, following consultation between Hacking Team and the client.

"The process under which Hacking Team sells its products is designed to make sure they are not abused and they are used in accordance with the applicable laws and international standards such as black lists that restrict where some products like this can be sold."

Blacklists

Rabe says his company does not sell to companies which are on NATO, US or EU black lists but it has also been pointed out by the EFF that not all countries suspected to have committed human rights abuses are on these blacklists.

Another element in the company's checks-and-balances procedure was the creation of an external board which reviews all potential sales, looking at how the countries and agencies looking to buy RCS will use it.

The board consists of external members including lawyers and engineers and according to Rabe the group has the power to "veto any sale."

But no matter how many checks you carry out prior to a sale, at the end of the day it comes down to a judgement call, as Rabe admits, adding that this "is the best we think we can do on this issue."

Many critics claim that despite the checks put in place by these companies, once the software is handed over to a particular agency or country they no longer have control over what it is used for. However Rabe says his company has several techniques in place to prevent unauthorised use of RCS.

One of these is what is called an "audit trail" which prevents a rogue employee or agent from using the software for his or her own ends. The feature allows those in charge to see any activity on the system. The problem with this sytems however means that if those at the top want to use the tool for illegal monitoring there is no one to stop them.

Hacking Team says it monitors the press and the underground hacktivist community, watching for any allegations that its software is being used for purposes beyond what it was sold to do.

Power

Rabe told IBTimes UK that Hacking Team does have the power to stop supporting the software and therefore rendering it ineffective, but even in the cases in Morocco and UAE, the company didn't go this far, preferring instead to have "conversations with its clients."

While privacy advocates are quick to point out the negatives surrounding this cyber weapon, Rabe says that because of the rapid increase in the use of technology to carry out crime, security agencies need weapons like RCS in order to combat the criminals.

Breaking a cyber-crime ring making millions from ransomware and potentially interupting terrorist plots before they happen, are just two of the examples Rabe gives of how Hacking Team's tool can be used for good.

The problem is that we will never know when Hacking Team's tool has been used in these cases as governments and the agencies involved won't reveal these details. The only time we will hear about Hacking Team is when it is revealed that its softweare has gotten into the wrong hands.

Rabe may be begining to change the perception of the company and speak more openly about what it does, but it is likely to get a lot busier for him in the coming months and years as out online activity comes under more and more scrutiny from those using Hacking Team's software.