The move comes after intensive media scrutiny spurred by the hack of their internal systems last summer and revelations that they had sold surveillance technology to some of the world's most authoritarian states.
This statement was originally published on privacyinternational.org on 8 April 2016.
Hacking Team, an Italian surveillance company selling intrusive spyware to government authorities around the world, has had its global export license revoked by the Italian export authorities, according to a report in Il Fatto Quotidiano.
The move comes after intensive media scrutiny spurred by the hack of their internal systems last summer and revelations that they had sold surveillance technology to some of the world’s most authoritarian states.
One of the countries to which Hacking Team sold was Egypt, whose human rights record and relationship with Italy has come under pressure after the torture and killing of graduate student Giulio Regeni earlier this year.
Global License
In March 2014, Privacy International wrote to the Italian export authorities and government representatives, drawing attention to Hacking Team’s technology, which can be used to gain access to all data stored on a device, and take control of functions such as the webcam and camera. We cited evidence produced by Citizen Lab, which indicated that Hacking Team’s technology was in use by authoritarian regimes across the world, including Sudan, Saudi Arabia and Egypt.
In the letter, we asked that the ministry take unilateral steps, known as a “catch-all”, to impose a licensing requirement on all of Hacking Team’s sales, meaning that the company would have to apply for a license from the Government before exporting. With sufficient human rights considerations in place, the idea was that the equipment would not be exported if there was a clear risk to human rights.
As confirmed during a subsequent meeting between the Ministry and Privacy International, and as the Intercept reported last year, the Ministry did subsequently impose a “catch-all” because of human rights concerns, meaning that the company was seeking individual authorisations for every export.
Hacking Team fought back however. Taking advantage of their relationships with senior officials in the government and security agencies, they warned that the move could destroy the company. With the imposition of EU-wide rules on the export of such equipment in January 2015, the Ministry in April 2015 granted Hacking Team a global authorisation for export, a form of license countries use to give exporters more freedom to export items, although Hacking Team was still required to report to the Ministry the destinations of their exports, including Egypt.
Investigators from the United Nations were also knocking on their door. Privacy International had in early 2014 reported to UN experts monitoring the arms embargo in the Darfur region of Sudan that Citizen Lab had found evidence that their equipment was being used in the country. Subsequent enquiries by the investigators led to Hacking Team cancelling their contract with Sudan, and claiming to the investigators that they had no “current” business in the country.
Then, in what was one of the biggest surveillance stories in 2015, there was a hack of Hacking Team’s internal systems, exposing to the public a massive trove of internal company material, including details of all of the company’s customers, and the inner workings of the surveillance industry.
As a result, Privacy International together with our partner, the Italian Coalition for Civil Rights and Freedoms wrote to the Ministry again, asking whether they were subjecting each of Hacking Team’s exports to individual scrutiny.
This leak, however, seemed to have no effect on Hacking Team’s license, and we never received a response from the Ministry.
Why the Italian government has now decided to revoke the global authorisation is unknown.
Speculation has linked the decision to the torture and killing of Italian graduate student Giulio Regeni, who was studying in Cairo before his body was found earlier in 2015. The incident has increased scrutiny of Egypt’s human rights record, where torture and human rights abuses are widespread at the hands of government agencies, and activists subject to intense restrictions.
In February this year, Privacy International released the results of an investigation into Egypt’s Technical Research Department, a shadowy government agency charged with acquiring surveillance technologies, who had also acquired Hacking Team’s technology.
Subsequently, in March 2015, the European Parliament passed a resolution spurred by the case of Gulio Regeni, highlighting Egypt’s human rights record, and recalling that in 2013 “Member States also agreed to suspend export licenses to Egypt of any equipment which might be used for internal repression”.
While the decision is to be welcomed, its effects are still unknown. As there are no trade restrictions across Europe, the decision will not affect any EU trade or countries with which Italy has such a trade agreement. For other countries, it will now mean that Hacking Team will have to apply for an individual license for each country. It will then be up to the Italian authorities to approve or deny any requests.
Without adequate human rights considerations however, there is little stopping the Italian authorities from simply accepting the requests.
The EU is currently discussing if and how to update this procedure for surveillance technologies, and if to call for Member States to assess the human rights impact before accepting applications for licenses. Privacy International, together with a coalition of NGOs, has called for the EU to take the necessary steps required to ensure that the trade in all surveillance technologies, not just that sold by Hacking Team, are in line with Italy’s and the EU’s human rights obligations.