Saudi Arabia: Malicious Spyware App Identified

Saudi Arabia’s government should clarify whether it is infecting and monitoring mobile phones with surveillance malware, Human Rights Watch said today. Saudi officials should also say whether and how they intend to protect the rights of those targeted to privacy and free expression.

Independent security researchers, in a June 24, 2014 report, identified surveillance software made by the Italian firm Hacking Team that appears intended to target individuals in Qatif, in eastern Saudi Arabia. Qatif has been a site of ongoing protests of various government policies since 2011, as well as government repression of peaceful dissent.

“We have documented how Saudi authorities routinely crack down on online activists who have embraced social media to call out human rights abuses,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “It seems that authorities may now be hacking into mobile phones, turning digital tools into just another way for the government to intimidate and silence independent voices.”

Security researchers at the Toronto-based research group Citizen Lab have identified a malicious, altered version of the Qatif Today (al-Qatif al-Youm) Android app, an application that provides mobile access to Arabic-language news and information related to the Eastern Province town of Qatif. This altered application, if installed on a mobile phone, infects the phone with spyware made by Hacking Team, a company that says it sells surveillance and digital intrusion tools only to governments.

The spyware enables a government to access the phone’s emails, text messages, files from applications like Facebook, Viber, Skype, or WhatsApp, contacts, and call history. It also allows authorities controlling the spyware to turn on a phone’s camera or microphone to take pictures or record conversations without the owner’s knowledge.

If Saudi authorities are using spyware to target activists’ mobile phones, it could indicate a ratcheting up of efforts to scrutinize online activism in an environment that is already hostile to the freedoms of expression and association, Human Rights Watch said. Where “standard” criminal investigations involve arrests of peaceful protesters or liberal website operators, companies that supply surveillance technologies without adequate safeguards risk complicity in rights violations.

Citizen Lab researchers were not able to confirm whether Saudi Arabia or any other government has successfully deployed Hacking Team tools in Saudi Arabia, nor who may have been specifically targeted. However, given that the spyware is embedded in a doctored version of an existing application, potential targets are likely to have an interest in current affairs related to the Qatif governorate. Citizen Lab researchers previously published additional evidence that Hacking Team may be in use in Saudi Arabia, based on presence of Hacking Team-linked servers in the country.

Qatif has been the site of ongoing protests, especially since Saudi Arabia’s intervention in Bahrain in March 2011, despite a categorical ban on protests issued by authorities that month. On April 17, Saudi Arabia’s Specialized Criminal Court sentenced a Qatif-based human rights activist, Fadhil al-Manasif, to 15 years in prison and a 15-year ban on foreign travel after he serves his prison term, largely for his role in helping international journalists cover the protests in Qatif. Saudi Shia citizens, who make up a majority of the town’s residents, face systematic discrimination in public education, government employment, and in building houses of worship in majority-Sunni Saudi Arabia.

In December 2013, Human Rights Watch released a report documenting how activists in Saudi Arabia have embraced the Internet and social media to build relationships, discuss ideas, and promote social and political reforms. Saudi authorities have arrested, prosecuted, and otherwise attempted to silence activists and suppress calls for change, including in Qatif.

New counterterrorism regulations promulgated in early 2014 criminalize virtually all dissident expression as “terrorism,” including acts such as “contact or correspondence with any groups [that are] hostile to the kingdom,” “making countries, committees, or international organizations antagonistic to the kingdom,” and “calling, participating, promoting, or inciting sit-ins [or] protests.”

It is unclear how intrusion tools are regulated under Saudi law and what protections for digital privacy, if any, are enforced in practice to prevent illegitimate government surveillance. Under article 17 of Saudi Arabia’s counterterrorism law, promulgated in January, the interior minister has the power to seize or monitor any means of communication at his discretion, and without a warrant, as long as it “is beneficial for revealing the truth.” Under article 21 of the Arab Charter on Human Rights, which Saudi Arabia ratified in 2009, “[n]o one shall be subjected to arbitrary or unlawful interference with regard to his privacy, family, home, or correspondence….”

The United Nations special rapporteur on freedom of opinion and expression, Frank La Rue, stated in his 2013 report to the UN Human Rights Council: “Use of an amorphous concept of national security to justify invasive limitations on the enjoyment of human rights is of serious concern. Surveillance of communications must only occur under the most exceptional circumstances and exclusively under the supervision of an independent judicial authority.”

La Rue expressed specific concerns about use of intrusion spyware: “From a human rights perspective, the use of such technologies is extremely disturbing.… [The spying capability they enable] threatens not only the right to privacy [but also] procedural fairness rights with respect to the use of such evidence in legal proceedings.”

Citizen Lab and Human Rights Watch previously documented use of Hacking Team tools to target an independent, diaspora-run Ethiopian media organization. Hacking Team states that it sells exclusively to governments, and markets its products for “standard” criminal investigations, “lawful intercept,” and intelligence-gathering activities related to counterterrorism and crime.

In response to a request for comment to Citizen Lab’s June 24 report, Hacking Team responded with a statement to Human Rights Watch that points to the firm’s customer policy. According to the written policy and the firm’s statement, the company reviews potential sales for risk that its products may facilitate human rights violations and may decline a sale under certain circumstances.

Hacking Team told Human Rights Watch that it will suspend support for its products if the company believes a customer has misused the technology, and has done so in the past. However, the company has not released information about prior investigations, nor about any actions to address specific incidents. The company has also stated that it does not confirm or deny the identity of any specific customer as a matter of company policy.

Powerful spyware remains virtually unregulated at the global level. There are insufficient national controls or limits on their export to prevent sales to governments that are likely to use them to target and persecute dissidents. There is also an urgent need for oversight and mechanisms to ensure that firms selling such tools are held accountable for abuses linked to their business, Human Rights Watch said.

“Selling so-called ‘lawful intercept’ tools to governments that equate dissent with terrorism is a recipe for disaster,” Wong said. “Hacking Team should investigate possible misuse of its products in Saudi Arabia. Hacking Team and other makers of similar tools should immediately cease any support and sales to abusive governments.”

source: 
Human Rights Watch