This is the fourth piece in a series of articles we will be featuring on Strife in the coming week looking at the role of Proxy Warfare in the 21st century by Series Editor Cheng Lai Ki. Previous articles in the series can be found here.
By: Saher Naumaan
Intelligence agencies have long conducted their own surveillance domestically and abroad. However, is outsourcing surveillance an emerging trend for governments? Following the Snowden leaks in 2013, the role of telecommunication companies and Internet Service Providers as intermediaries allowing intelligence agencies access to user data was exposed. The United States tried to obligate companies—such as Google and Yahoo! who own and operate the infrastructure of cyberspace—to become agents of government controls in the private sector, monitoring threatening or suspicious activity in their own networks. This has resulted in the companies becoming an extension of government surveillance
Beyond this debate, private companies who design, sell, and employ surveillance hardware and software, have begun to act as proxies for intelligence agencies. While they don’t directly gather data, they develop the tools that enable spying on the public. In 2011, the Wall Street Journal reported that the global surveillance industry was valued at $5 billion and increasing dramatically from virtually zero prior to September 11. The lawful interception industry in particular is estimated to reach $1.3 billion by 2019, up from just $251 million in 2014. Private companies are profiting from the rapidly expanding market for off-the-shelf surveillance technologies that governments are so keen to acquire. The development of this industry and its popularity among government agencies is part of a larger trend in the privatisation of the creation and application of surveillance technologies.
When one communicates online or browses the internet, the data is transmitted over telecommunication companies’ fibre-optic cables to reach the recipient. Attaching splitters to these wires at telecommunication junction points allows the government to intercept communications. The data travelling through the cables is duplicated and one copy diverted to the government, as technician Mark Klein revealed to be the case at the AT&T facility in San Francisco. The equipment installed in this case was a Narus Semantic Traffic Analyzer, used for data packet inspection—tracking and filtering data as it travels through the network. Similar to Narus, another company called Verint taps the communications at Verizon. Under an NSA program, FAIRVIEW, these companies installed surveillance equipment capable of targeting Internet Protocol traffic in real time and sending the data (emails, chats, etc.) to the NSA.
But the NSA isn’t the only government agency engaging in surveillance using invasive technologies. International Mobile Subscriber Identity (IMSI) catchers are tactical interception technologies that capture the information identifying mobile phones in the target area. Behaving as a fake cell-tower, an IMSI catcher is able to intercept communication and manipulate a phone’s functions by emitting a signal that connects the phone to it. The most well-known IMSI catcher, the “StingRay” sold by Harris Corporation, has been used by state and federal authorities in the United States for years. The Federal Bureau of Investigation (FBI) and other law enforcement agencies use these intrusive surveillance tools to track and monitor suspects and dispense with the need for warrants. A notable example of this application is a case in Arizona where the legality of a StingRay’s use was challenged following the FBI’s warrantless deployment of the device to locate and arrest the suspect. Even more troubling are the signs that the acquisition of tactical spyware has expanded to private security and military companies, and the creation of IMSI catchers for example has become “democratized,” or a capability not exclusive to law enforcement. Its prevalence among other actors means increased vulnerability of cellular networks and individuals to foreign governments, hackers, criminals, or any party with the knowledge and resources to build an IMSI catcher.
Interception can also take the form of “Computer Network Exploitation” or government speak for “hacking.” Computer exploitation allows governments to hack people’s mobile phones and computers, record their activity, and read the contents of their communications. Unlike PRISM which provides the US government with court-approved front-door access to user accounts under the Foreign Intelligence Surveillance Act, the MUSCULAR project infiltrated Google and Yahoo!’s back-end infrastructure, bypassing the companies’ security without their knowledge. The NSA along with its British equivalent, the Government Communications Headquarters (GCHQ), was able to access communications in real time and search target activity through tapping the Google and Yahoo! clouds.
Other means of tampering with networks for surveillance purposes involve software such as “network injectors,” physical devices located inside internet service providers’ networks that can replace people’s internet browsing traffic with malicious code. Gamma International’s FinFisher products can corrupt files, send infected software updates, or inject code on websites that infects a user when it visits the sites. Any unencrypted traffic is vulnerable to interception and even clicking on a link can exploit a target and infect the user’s device. WikiLeaks exposed internal documents which showed that Hacking Team’s Remote Control System (RCS) can hijack mobile devices, access emails, record calls, and activate webcams. After the private Italian company was hacked last year, internal documents also proved the FBI’s use of RCS in targeted surveillance operations. The further discovery of the Drug Enforcement Administration as a Hacking Team client not only shows the trend of surveillance technologies making their way from intelligence agencies to law enforcement, but also calls into question the legality of using this spyware.
ISS World: Where does the technology come from?
Intelligence agencies in places like the US, Israel, and China have developed their own versions of tactical intrusion software. “Implants” can target and commandeer a mobile phone or computer; “trojan horses” disguised as legitimate software damage or control data; and “spear-phishing” to target specific parties by impersonating a known sender to access the network. These capabilities have recently been commercialized and are now on the market for those who covet the technology but are unable to produce it themselves.
TeleStrategies Inc. hosts a conference and arms trade fair annually in several different regions called Intelligence Support System (ISS) World, which claims to be the world’s “leading Lawful Interception, HiTech Criminal Investigations and Intelligence Gathering.” Major players in the private surveillance industry, such as Vupen Security SA in France and the previously mentioned Hacking Team and Gamma Group, market computer hacking tools and malware advertised as capable of circumventing or defeating encryption. Intelligence and law enforcement agency invitees from around the world attend to connect with vendors and train on industry practice and equipment.
Aside from the highly invasive and legally ambiguous nature of this spyware, the number of buyers is growing to include authoritarian regimes that use the tools to target their own citizens. The commercialization of digital spying is setting a precedent for the proliferation of surveillance technologies to actors with significant records of human rights abuses. Whether it is activists monitored during the Arab Spring, US-based Ethiopian journalists targeted by their own government, or political dissidents bugged in Panama and Columbia, the burgeoning surveillance industry provides tools for all scenarios. According to TeleStrategies these products fall within the legal parameters of the export controls regime, the Wassenaar Arrangement, which was expanded in 2013 to include surveillance technologies.
Concerted attention needs to be paid by legislators, jurists, and activists to resolve the increasing gap between the capabilities provided by surveillance technologies and the legal framework needed to regulate the use of those capabilities, otherwise the liberty, security, and privacy of global citizenry will continue to erode.
Saher Naumaan is a Master’s student in the War Studies Department at King’s College London and an editorial assistant for War on the Rocks. Her research interests focus on surveillance, technology, and security. She can be found on Twitter @sahernaumaan
 Jennifer Valentino-Devries, Julia Angwin, Steve Stecklow, “Document Trove Exposes Surveillance Methods,” The Wall Street Journal, November 19, 2011, http://www.wsj.com/articles/SB10001424052970203611404577044192607407780.
 “Lawful Interception Market worth $1,342.4 Million by 2019,” Marketsandmarkets.com, last modified August 2014, http://www.marketsandmarkets.com/PressReleases/lawful-interception.asp.
 Major telecommunications companies use fibre-optic cables, or other similar connection between the point of origin and the point of reception, for electronic voice or data communication. See more at: https://www.eff.org/files/filenode/att/mark_klein_unredacted_decl-including_exhibits.pdf.
 Kevin Poulsen, “Mark Klein Documents,” Wired, May 1, 2007, http://www.wired.com/2007/05/mark_klein_docu.
 Ryan Gallagher, “Meet the Machines that Steal Your Phone’s Data,” ArsTechnica, September 25, 2013, http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/.
 United States v. Rigmaiden, CR08-814-PHX-DGC, Dkt. #0674-1 [Declaration by FBI Supervisory Agent Bradley S. Morrison RE: Harris StingRay] (D.Ariz., Oct. 27, 2011). See https://www.documentcloud.org/documents/1282619-11-10-17-2011-u-s-v-rigmaiden-cr08-814-phx-dgc.html#document/p3/a220910.
 Ben Bryant, “The Black Market Dealers Selling Tactical Surveillance Equipment Online,” VICE Motherboard, January 15, 2016, http://motherboard.vice.com/read/the-black-market-dealers-selling-state-surveillance-equipment-online.
 Bruce Schneier, “The Further Democratization of Stingray,” Schneier on Security (blog), April 27, 2015 (6:27 a.m.), https://www.schneier.com/blog/archives/2015/04/the_further_dem_1.html.
 Barton Gellman and Ashkan Soltani, “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents say,” The Washington Post, October 30, 2013, https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html.
 “Finfisher: Governmental IT Intrusion and Remote Monitoring Solutions,” WikiLeaks: The Spy Files, October 2011, https://wikileaks.org/spyfiles/docs/gamma/298_finfisher-governmental-it-intrusion-and-remote-monitoring.html.
 Morgan Marquis-Boire, “You Can Get Hacked Just by Watching This Cat Video on YouTube,” The Intercept, August 15, 2014, https://theintercept.com/2014/08/15/cat-video-hack/.
 “Remote Control System V5.1,” WikiLeaks, accessed March 25, 2016, https://wikileaks.org/spyfiles/files/0/31_200810-ISS-PRG-HACKINGTEAM.pdf.
 Joseph Cox, “The FBI Spent $775K on HackingTeam’s Spytools Since 2011,” Wired, July 6, 2015, http://www.wired.com/2015/07/fbi-spent-775k-hacking-teams-spy-tools-since-2011/.
 Lorenzo Franceschi-Bicchierai, “The DEA Has Been Secretly Buying Hacking Tools from an Italian Company,” VICE Motherboard, April 15, 2015, http://motherboard.vice.com/read/the-dea-has-been-secretly-buying-hacking-tools-from-an-italian-company.
 An extreme example includes Stuxnet, a virus jointly designed by US and Israeli intelligence to attack the computer systems that controlled the centrifuges in Iran’s nuclear enrichment program.
 While attribution remains difficult, US State Department cables revealed by WikiLeaks identify China’s People’s Liberation Army as responsible for certain cyber espionage incidents. See more at: http://www.reuters.com/article/us-china-usa-cyberespionage-idUSTRE73D24220110414.
 “The Surveillance Catalog: Where Governments Get Their Tools,” The Wall Street Journal, Updated February 7, 2012, http://graphics.wsj.com/surveillance-catalog/.
 “ISS World Training,” TeleStrategies.com, 2015, http://www.issworldtraining.com/AboutUS.html.
 Steve Stecklow, Paul Sonne, and Matt Bradley, “Mideast Uses Western Tools to Battle the Skype Rebellion,” The Wall Street Journal, June 1, 2011, http://www.wsj.com/articles/SB10001424052702304520804576345970862420038.
 Lorenzo Franceschi-Bicchierai, “Ethiopia Might Have Bought a Ton of Surveillance Tech,” VICE Motherboard, March 23, 2015, http://motherboard.vice.com/read/ethiopia-might-have-bought-a-ton-of-surveillance-tech.
 James Bamford, “The Espionage Economy,” Foreign Policy, January 22, 2016, http://foreignpolicy.com/2016/01/22/the-espionage-economy/.
 Collin Anderson, “Considerations on Wassenaar Arrangement Control List Additions for Surveillance Technologies,” Access Now, March 9, 2015, https://www.accessnow.org/cms/assets/uploads/archive/Access%20Wassenaar%20Surveillance%20Export%20Controls%202015.pdf.