Hacking Team is back in business!

  • Writer: vanessahenri
  • Feb 29, 2016
  • 4 min read

Hacking Team is an Italy-based company that has the very noble mission of selling spyware to peaceful customers who use it for the greater good, such as Saudi Arabia, Nigeria, Sudan, Kazakhstan and Singapore (feel the sarcasm!).


Hacking Team's new spyware is encrypted with Apple's native OS X encryption scheme, using symmetric encryption and a static key. For the computer-literate, the new spyware also uses a custom packer (more technical information here). It's also a fashionable spyware that is, in fact, a backdoor (a reference to the FBI v. Apple debate).

The original discovery of Hacking Team's new spyware is attributed to Palo Alto Networks.


The company is not the only one to sell cybersecurity products to governments. The private sector has boomed with companies with similar objectives, given the rise of cyberwarfare and the inability of governmental agencies to adjust to new technologies at a sufficient pace. This was already well documented in 2012, as this article from the Washington Post demonstrates.


In the same line of thought, Lee Fang, for The Intercept, reported that Cyberpoint, a private cybersecurity firm, obtained a "special export license from [US] state department" to allow them to "develop defense cybersecurity capabilities" and export to the UAE. The claim is that the firm helps the US Federal Government and its international customers to "defend their critical systems and infrastructures from advanced exploitation techniques and the kinds of sophisticated threats where commodity solutions are inadequate" (from a letter written to the Justice Department). So, in other words, the company only produces defensive software. Yet the organization is also a partner of Hacking Team.


We know that because, quite ironically, Hacking Team was hacked in July 2015 and lost most of its data into public hands through WikiLeaks. Hacking Team was first exposed by WikiLeaks in 2011 through the Spy Files, which exposed a global mass surveillance industry. The leak revealed 160 intelligence contractors - an industry worth billions of dollars per year. It confirmed the obvious - companies from sophisticated countries sell to third world countries. But it goes beyond that:


"the WikiLeaks Spy Files are more than just about ’good Western countries’ exporting to ’bad developing world countries’. Western companies are also selling a vast range of mass surveillance equipment to Western intelligence agencies. In traditional spy stories, intelligence agencies like MI5 bug the phone of one or two people of interest. In the last ten years systems for indiscriminate, mass surveillance have become the norm. Intelligence companies such as VASTech secretly sell equipment to permanently record the phone calls of entire nations. Others record the location of every mobile phone in a city, down to 50 meters. Systems to infect every Facebook user, or smart-phone owner of an entire population group are on the intelligence market." ( - WikiLeaks)


So companies like Hacking Team sell spyware to (totalitarian) governments for profit. But they also spy on people and sell the data to governments. And it even goes beyond espionage - these companies can literally contribute to physical damage:


There are commercial firms that now sell special software that analyze this data and turn it into powerful tools that can be used by military and intelligence agencies.


For example, in military bases across the U.S., Air Force pilots use a video link and joystick to fly Predator drones to conduct surveillance over the Middle East and Central Asia. This data is available to Central Intelligence Agency officials who use it to fire Hellfire missiles on targets. (-WikiLeaks)


Wait, they can do this legally?

Well, it's a little more complicated than this. There are laws that apply at the domestic level. Canada, for instance, has very comprehensive legislation that makes it illegal to install software without consent (Canada's anti-spam law). There are stiff penalties for businesses that don't follow these rules (up to ten million dollars). In addition, a right of action would allow consumers and businesses to sue for damages of up to one million per day. There are also a number of other provisions, like the Federal Privacy Act and its provincial counterparts, that require government departments to obtain the consent of citizens for data collection. In addition, Canadian organizations are required to ensure the privacy of information transferred to foreign providers. These laws are overseen by the Privacy Commissioner of Canada and provincial counterparts. They have access to co-operation programs and share information regarding breaches of information with foreign entities such as the US Federal Trade Commission.


Notwithstanding this, when data are used for the purpose of intelligence collection and with the argument that it is necessary for national security, then the applicable legislation is the one pertaining to the activities of the CSIS. In this scenario, authorities are allowed to collect information both nationally and internationally under the right circumstances (i.e. reasonable for national security).


And even if we had domestic laws regulating spyware use within intelligence agencies, what is needed is a law that applies internationally and forces cooperation - i.e. an international treaty. At the moment, international law is notoriously silent on espionage during peacetime. There are some academics who argue about the illegality of the practice with regard to some principles of international law such as sovereignty (Russell Buchan, for instance) - but there is no consensus within States. In the absence of legal precedents, academic debates are unlikely to lead to changes in States' practices or even in the private sector.


Nonetheless, as unconventional as selling spyware may sound, spy agencies have always equipped themselves from the private sector, just as the military does. The private sector can make bombs, so software development is seen as an extension of this practice. It is the first time, however, that the private sector is permitted to create products that so easily and indiscriminately infringe on civilian privacy (and sell them to anyone without restriction).







