PMO purchases of Hacking Team software

E-mail from Miliserv to Hacking Team stipulating the end-customer as the Prime Minister’s Department

The Prime Minister’s Department has denied (twice!) that it has ever procured surveillance software from Hacking Team, even though hundreds of e-mails in the leaked Hacking Team archive point to it. In the latest rebuttal, Datuk Azalina distanced her Ministry from other government agencies, encouraging reporters to seek official statements directly from the other agencies accused of procuring the spyware.

In the meantime though, we’ve now learnt that the MACC has made a ‘semi’ admission that they procured the spyware, and to clear any doubts there’s more proof at the end of this post. But in spite of this, Datuk Seri Azalina has remained silent.

To be clear, I’m not accusing anyone of anything. I’m merely reproducing what is already in the public domain, in the hopes of us taking this conversation further to address more pertinent points. We are frustratingly stuck on this issue of purchase (or lack thereof) because the Prime Minister’s Department denies it bought spyware. I find it quite appalling that the Ministry would issue a simple denial without further clarification when I had furnished many documents; in other words, they’ve provided an unsubstantiated denial to my substantiated claim.

So…here’s an e-mail (linked here), showing Miliserv requesting Hacking Team to register the Prime Minister’s Department as the End User of the system in the Licensing agreement, and here’s another (below), showing Miliserv preparing to welcome 6 PMO staff to their headquarters in Milan for ‘advanced training’. I have removed the names of the PMO staff (red blocks) as I believe that employees shouldn’t be punished for mistakes their employers commit (but you can search for it online, it comes with passport numbers as well). Why send 6 staff to Milan for training if you didn’t buy the spyware?


Now why is it important that we clear this up, even after the MACC has implicitly admitted purchasing such spyware? Well, it’s because of a little-known agreement known as Wassenaar.

Implications of Wassenaar

In 2013, ‘intrusion software’, such as the spyware sold by Hacking Team, was added to the list of technologies considered dual-use under the Wassenaar Arrangement, which controls the export of such technologies. In the same way you can’t sell bazookas to ISIS, a company selling intrusion and surveillance software had to be very careful that they didn’t sell their software to terrorist organizations, or despotic governments. All sales of such software must be accompanied by a degree of ‘customer due diligence’, to ensure the ultimate consignee was a legitimate customer (no anonymous Arabs allowed).

Now Wassenaar is controversial, and Malaysia isn’t a signatory, and some purchases we’re going to discuss fall prior to the decision to control intrusion software. But Italy IS a signatory of Wassenaar, and the principle still stands, which is that…

Spyware sold by Hacking Team can be considered a weapon (Wassenaar or not) and the export of such software should be done only after careful due diligence, confirming the end-user of the system and their purpose of use.

According to all the leaked e-mails, Hacking Team was always under the impression that the MACC and the Prime Minister’s Department (PMD) were end customers of the spyware it sold to Miliserv, and if we believe the e-mails, something isn’t quite right.

Two Possibilities

Because the Prime Minister’s Department has always denied procuring such software, there now exist only two possibilities.

Possibility 1: If Datuk Azalina is truthful and indeed the Prime Minister’s Department did not purchase spyware from Hacking Team, then Miliserv misled Hacking Team, and used the PMD as a front to purchase dual-use technology for an unknown entity. Malaysians (and the world) need to know who that unknown entity was.

Possibility 2: Or Miliserv were honest, and indeed the Prime Minister’s Office (or Department) purchased spyware. Their refusal to admit the purchase fuels even more speculation. It also means that Datuk Azalina lied in Parliament and to the Malaysian people, although a politician lying isn’t exactly the surprise of the century.

Other pertinent questions

If the Ministry admitted the purchase, we could move the conversation forward and discover why the purchases were made and how the spyware was used. We also could evaluate if we have a Government gone mad with so many government agencies intent on purchasing spyware, and whether the purchase of such spyware was necessary even for legitimate uses. Finally, we could have an open discussion if we should be buying anything from a company that lists Sudan as a proud customer, and if we should be allowing a 3rd-party company to operate this software on behalf of government agencies.

Unfortunately, these interesting discussions are stalled due to the Government’s denial. (read this post for the interesting questions to ask)

I’ve always maintained that there are ‘legitimate’ uses of this software. This e-mail details a presentation Hacking Team made to the counter-terrorism unit of the Malaysian Police; the senior officer present was impressed and even asked if Hacking Team could testify in court regarding the technical aspects of their software. Everything was above board, and I applaud the questioning of testimonies in courts, as it means the officer was prepared to go through due legal process (something SOSMA allows him to circumvent).

Oh and a final bonus. At one point, the PMO purportedly asked Hacking Team to lie on their customs declaration forms for shipments into Malaysia… tsk tsk tsk.

Zuraimi asked if Hacking Team could change the description of their items during shipment because they didn’t want Malaysian customs to find out.

Conclusion

This will be my last and final post on the subject. If the Minister denies once again, that’ll be the end of the story, unfortunately. It was a fun ride, but I need to move on to other things. Consider also a separate post about the pertinent questions we need to ask the government about the purchase.

Bonus points

  1. An authorization letter from Hacking Team to Miliserv, authorizing them to sell their software to the PMO.
  2. I know Paul Low somewhat admitted they bought from Hacking Team; to dispel any doubts, here is a signed document from the MACC signalling that they bought the software. Curiously it does not appear in the MyProcurement website.
  3. Hacking Team didn’t quite like Miliserv, and in this e-mail you can see their ties are strained.

Addendum

There seems to be some confusion in the e-mails and even the local media as to the difference between the Prime Minister’s Department and the Prime Minister’s Office; for the purpose of this post I’ve treated them as the same. At this point, I’m convinced it was the PMD (not PMO) that purchased the software, but I’ve been wrong before…so…. be warned!!
