A computer researcher is lashing out Tuesday at a controversial Italian spyware vendor after learning that his work is powering commercial surveillance software that’s been pitched to governments around the globe.
Several weeks ago, a massive breach was suffered by Hacking Team, an offensive security firm that sells spy programs and other aptly named hacking services to a number of contentious clients worldwide.
As details continue to come to light, acclaimed computer researcher Collin Mulliner said he’s learned that his own efforts have been adopted in the code that powers some of the corporation’s commercial surveillance products.
On Tuesday, Mr. Mulliner wrote that he received an email from an individual who had been analyzing documents leaked due to the recent Hacking Team breach and discovered that the German researcher had supplied the code used in a project that eavesdrops on voice calls going through certain Android phones.
Indeed, Mr. Mulliner began trawling the leaked files himself and soon realized that “a bunch” of his open-source Android tools had been directly borrowed by Hacking Team to make monitoring software.
On his blog, Mr. Mulliner wrote that he’s disappointed to learn that his own work has benefited the “scumbags” whose surveillance tools have been sold to government and law-enforcement agencies in countries with subpar human rights records, including Ethiopia, Russia and Sudan.
“I’m pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists. Even worse is the fact that, due to the lazy way they managed their source repository, less informed people might get the idea that I developed parts of their tools for them,” Mr. Mulliner wrote. “Just to make this very clear: I did not write any of those tools for Hacking Team.”
“The reason why someone might think I wrote those tools for Hacking Team is pretty obvious once you take a look at the leaked code,” Mr. Mulliner added. In some files, he said, Hacking Team left in place all of the original copyright information, including Mr. Mulliner’s name, website and email address.
Mr. Mulliner told The Washington Times on Wednesday that he felt compelled to write the blog post to set the record straight with respect to why he wrote his code and said, “I do not want to be associated with [Hacking Team].”
Earlier this month, hackers penetrated the Italian company’s computers and made off with a massive trove of sensitive files, including a cache of internal emails and the source code for its proprietary software.
Hacking Team had already drawn ire from privacy proponents prior to the breach due to long-standing allegations that it has sold spyware to repressive regimes, even landing on Reporters Without Borders’ “Enemies of the Internet” list for offering its eavesdropping services to countries where journalists and activists are often targeted by authorities.
While Hacking Team has previously said that its “offensive technology” tools are “never sold to countries that international organizations including the European Union, NATO and the U.S. have blacklisted,” the emails, in fact, did suggest that contracts had been inked between the Milan-based cyber merchant and embargoed nation-states.
In a statement Wednesday, Hacking Team spokesman Eric Rabe acknowledged that it has made deals with the Sudanese and others who have been subjected to sanctions, but said that “the company has always sold strictly within the law and regulation as it applied at the time any sale was made.”
Mr. Mulliner acknowledged on his blog that his original research was published online as open-source software that can freely be borrowed and implemented, but he might look toward doing things differently down the road.
“For the future, I will use a license for all my software that excludes use for this kind of purpose,” he wrote, but added, “I have no clue yet what this license would look like.”
“Obviously Hacking Team also used other open source software such as Cuckoo Sandbox. I hope everybody is going to think about future licenses to prevent this kind of usage. I’m not a lawyer, but I would be interested in what legal action one could take if their software license excluded the use case of Hacking Team,” he wrote.
The tools adopted by Hacking Team, he told The Times, include an Android “fuzzer injecter” he helped code in 2009 to test text messaging security and a toolkit he developed to conduct platform-wide research.
Since most of his work is security-related, he said, it isn’t terribly difficult to change the usage rights.
“Writing a license that covers basic software is really hard,” he added, meaning it might not be as easy to ensure general-use programs aren’t borrowed for certain purposes, like surveillance.
Mr. Rabe, the Hacking Team spokesman, did not immediately respond to requests for comment.