Early last week it emerged that government cybersecurity supplier Hacking Team had been hacked. An incredible cache of documents and emails – 400GB’s worth – was released on Sunday by the hackers, providing a fascinating – and terrifying – insight into the operations of a company dubbed one of ten “enemies of the internet” by Reporters Without Borders in 2013:
“Their products have been or are being used to commit violations of human rights and freedom of information. If these companies decided to sell to authoritarian regimes, they must have known that their products could be used to spy on journalists, dissidents and netizens.”
The Intercept has been one of the most active news websites in digging through the leaked documents. Their stories this week include confirmation that surveillance technology was sold to countries with poor human rights records; questions about the FBI, DEA and US Army buying spyware from the company; and a sales push in the UK:
“[A] deal with the London cops, worth £385,000 ($591,000) to Hacking Team, was abruptly halted in in May 2014 following “internal reviews on how we wished to move this area of technology forward,” according to an email from the police, although the force left the door open for a future deal, adding: “Of course in the months/years to come this could change and if that is the case then we would welcome your organization’s participation.”
“Since then, Hacking Team has continued to try to crack the U.K. market. It tried – and apparently failed – to set up a deal with Staffordshire Police after an officer contacted the company seeking technology to “access WiFi points to check users” and infect devices to covertly collect data.”
The next Snowden/Wikileaks?
So we have a story about a massive document leak which concerns the most powerful governments and law enforcement agencies in the world. Sound familiar?
We’ve been here before with Wikileaks, and with the Snowden revelations – two of the biggest stories of the last decade.
Hacking Team could be as big – but one week in and we’re not seeing the coverage we should. And I think that’s because of two things those stories had that Hacking Team doesn’t: a face, and a partner.
Edward Snowden was able to work with The Guardian on his leak; via Laura Poitras his story broke in the Washington Post too. He was canny enough to agree to go on camera, knowing that his anonymity would otherwise become the story. And so a complex story involving the NSA, GCHQ and the intelligence agencies of many other countries became ‘the Snowden revelations’.
Wikileaks had already learned this lesson. In the film We Steal Secrets Julian Assange tells documentary maker Mark Davis “The public demands that it [the leaks] has a face”. And the site had been publishing documents about governments for years before realising that channelling those leaks through news organisations might result in a bigger impact.
Leaks: supply and demand
For most of this week the Hacking Team story has been hackers talking to themselves. It has been all over the technology press, but barely registering in the nationals.
Engadget’s Violet Blue coins a neologism to describe the process: hackenfreude:
“It became a group effort. Hackers around the world dug into the illicit files and all but completely dismantled Hacking Team’s business, and reputation.
“Global security research communities tore into the docs in waves around the clock; hackers created a GitHub repository named “Hacked Team (Hacking Team) We Kill People™.” The docs showed Hacking Team’s operational security to be abysmal, its code to be inelegant and childlike and its email communications revealed a petty, arrogant and extremely sloppy organization that actively endeavored to avoid scrutiny about the human rights abuses of its clients.
“All of this happened while Hacking Team was asleep, prompting the Twitter hashtag #IsHackingTeamAwakeYet, to which infosec professionals appended the most egregious examples of Hacking Team’s foibles and lawlessness.”
Among those chipping in was Wikileaks itself, which created a search facility for users to search the emails.
This means an opportunity has been missed: working with a partner organisation could have meant that organisation committing an investment of resources to a produce persistent coverage with significant mass impact, and others investing resources to be on the story too.
I hope a news organisation has already had the sense to see that this is a leak which deserves significant investment of resources. And not just in the short term…
Three problems to solve
…Because leaks like this are no longer the rarity we seem to think they are. Just as people become concerned about the increasing ability of governments and corporations to gather information on their citizens and customers, more individuals than ever now have the ability to gather information on what government and corporations are actually doing.
But in order for that to be used effectively three things need to happen.
Firstly, hacktivists need to think beyond the data dump. The criticism of Assange was that he dumped leaks without regard for the impact: this will always be used against hackers. Snowden justified his decision to leak to a news organisation because he did not feel that he had the skills or the capacity to judge which documents should be published.
Many of the smears aimed against Snowden have involved implying that his leaking was indiscriminate; that the Russians or Chinese now had access to it (ignoring the fact that 4.9 million Americans have access to classified information and 480,000 private contractors had the “top-secret” security clearance issued to Snowden).
(Notably, Hacking Team have adopted a similar line of attack, blaming a ‘foreign’ government for the attack and claiming it “could prove a field day for criminals”.)
Secondly, we need to develop an ethical code for working with these leaks.
Snowden and Manning were treated as whistleblowers, meaning that publishers were able to build on a long tradition in that vein.
But the Sony and Hacking Team documents represent a new category of information – and I think that makes it more difficult for journalists to react to. I’ll explore this in a future post.
Finally, and perhaps most importantly, journalists need to be better at finding and interrogating large data dumps like these.
The Sony hacking scandal email was barely 3 months ago (Wikileaks made that into a searchable database too). Swissleaks was only 2 months before that. Lux Leaks was 3 months before that. And a year before that, we had Offshore Leaks.
Leaks are become less the exception and more the norm. As the Hacking Team free-for-all rumbles on, journalists are left looking like they don’t quite know how to join the party.