{"id":2686,"date":"2017-07-21T13:47:48","date_gmt":"2017-07-21T03:47:48","guid":{"rendered":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/?p=2686"},"modified":"2017-07-21T13:47:48","modified_gmt":"2017-07-21T03:47:48","slug":"spyware-merchants-the-risks-of-outsourcing-government-hacking","status":"publish","type":"post","link":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/2017\/07\/21\/spyware-merchants-the-risks-of-outsourcing-government-hacking\/","title":{"rendered":"Spyware merchants: the risks of outsourcing government hacking"},"content":{"rendered":"

This post authored by\u00a0Dr. Monique Mann\u00a0<\/a>(CJRC),\u00a0Dr Adam Molnar and Dr Ian Warren (Deakin Criminology)\u00a0originally appeared on The Conversation on Friday the 21st of July 2017. Link to original article here:\u00a0<\/em>https:\/\/theconversation.com\/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891<\/a><\/p>\n

\"\"<\/a><\/p>\n

An Australian Tax Office (ATO) staffer recently leaked<\/a> on LinkedIn a step-by-step guide to hacking a smartphone.<\/p>\n

The documents, which have since been removed, indicate that the ATO has access to Universal Forensic Extraction software made by the Israeli company Cellebrite. This technology is part of a commercial industry that profits from bypassing the security features of devices to gain access to private data.<\/p>\n

<\/p>\n

The ATO later stated<\/a> that while it does use these methods to aid criminal investigations, it \u201cdoes not monitor taxpayers\u2019 mobile phones or remotely access their mobile devices\u201d.<\/p>\n

Nevertheless, the distribution of commercial spyware to government agencies appears to be common practice in Australia.<\/p>\n

This is generally considered to be lawful surveillance. But without proper oversight, there are serious risks to the proliferation of these tools, here and around the world.<\/p>\n

The dangers of the spyware market<\/h2>\n

The spyware market is estimated to be worth millions of dollars globally<\/a>. And as Canadian privacy research group Citizen Lab has noted<\/a>, spyware vendors have been willing to sell their wares to autocratic governments.<\/p>\n

There are numerous examples of spyware being used by states with dubious human-rights records. These include the surveillance of journalists, political opponents and human rights advocates, including more recently by the Mexican government<\/a> and in the United Arab Emirates<\/a>. In Bahrain, the tools have reportedly been used to silence political dissent<\/a>.<\/p>\n

A rally in support of Apple\u2019s refusal to help the FBI access the cell phone of a gunman involved in the killings of 14 people in San Bernardino, in Santa Monica, California, United States. REUTERS\/Lucy Nicholson<\/a><\/p>\n

Commercial spyware often steps in when mainstream technology companies resist cooperating with law enforcement because of security concerns.<\/p>\n

In 2016, for example, Apple refused<\/a> to assist the FBI in circumventing the security features of an iPhone. Apple claimed that being forced to redesign their products could undermine the security and privacy of all iPhone users.<\/p>\n

The FBI eventually dropped its case against Apple, and it was later reported<\/a> the FBI paid almost US$1.3 million to a spyware company, reportedly Cellebrite<\/a>, for technology to hack the device instead. This has never been officially confirmed.<\/p>\n

For its part, Cellebrite<\/a> claims on its website to provide technologies allowing \u201cinvestigators to quickly extract, decode, analyse and share evidence from mobile devices\u201d.<\/p>\n

Its services are \u201cwidely used by federal government customers\u201d, it adds.<\/p>\n

Spyware merchants and the Australian Government<\/h2>\n

The Australian government has shown considerable appetite for spyware.<\/p>\n

Tender records<\/a> show Cellebrite currently holds Australian government contracts worth hundreds of thousands of dollars. But the specific details of these contracts remain unclear.<\/p>\n

Fairfax Media has reported<\/a> that the ATO, Australian Securities and Investment Commission, Department of Employment , Australian Federal Police (AFP) and Department of Defence all have contracts with Cellebrite.<\/p>\n

The Department of Human Services has had<\/a> a contract with Cellebrite, and Centrelink<\/a> apparently uses spyware to hack the phones of suspected welfare frauds.<\/p>\n

In 2015 WikiLeaks released emails<\/a> from Hacking Team, an Italian spyware company. These documents revealed negotiations with<\/a> the Australian Security and Intelligence Organisation (ASIO), the AFP and other law enforcement agencies.<\/p>\n

Laws and licensing<\/h2>\n

In Australia, the legality of spyware use varies according to government agency.<\/p>\n

Digital forensics tools are used with a warrant by the ATO<\/a> to conduct federal criminal investigations. A warrant<\/a> is typically required before Australian police agencies can use spyware.<\/p>\n

ASIO, on the other hand, has its own powers<\/a>, and those under the Telecommunications (Interception and Access) Act 1979<\/a>, that enable spyware use when authorised by the attorney-general.<\/p>\n

ASIO also has expanded powers<\/a> to hack phones and computer networks<\/a>. These powers raise concerns about the adequacy of independent oversight.<\/p>\n

Centrelink is using the services of spyware company, Cellebrite. AAP Image\/Dan Peled<\/a><\/p>\n

International control of these tools is also being considered.<\/p>\n

The Wassenaar Arrangement<\/a>, of which Australia is participant, is an international export control regime that aims to limit the movement of goods and technologies that can be used for both military and civilian purposes.<\/p>\n

But there are questions about whether this agreement can be enforced. Security experts also question whether it could criminalise some forms of cybersecurity research<\/a> and limit the exchange of important encryption technology<\/a>.<\/p>\n

Australia has export control laws<\/a> that apply to intrusion software<\/a>, but the process lacks transparency about the domestic export of spyware technologies to overseas governments. Currently, there are few import controls.<\/p>\n

There are also moves to regulate spyware through licensing schemes. For example, Singapore is considering<\/a> a license for ethical hackers. This could potentially improve transparency and control of the sale of intrusion software.<\/p>\n

It\u2019s also concerning that \u201coff-the-shelf\u201d spyware is readily accessible<\/a> to the public.<\/p>\n

\u2018War on math\u2019 and government hacking<\/h2>\n

The use of spyware in Australia should be viewed alongside the recent announcement of Prime Minister Malcolm Turnbull\u2019s so-called war on maths<\/a>.<\/p>\n

The prime minister has announced laws<\/a> will be introduced obliging technology companies to intercept encrypted communications to fight terrorism and other crimes.<\/p>\n

This is part of a general appetite to undermine security features that are designed to provide the public at large with privacy and safety when using smartphones and other devices.<\/p>\n

Despite the prime minister\u2019s statements to the contrary<\/a>, these policies can\u2019t help but force technology companies to build backdoors<\/a> into, or otherwise weaken or undermine, encrypted messaging services and the security of the hardware itself.<\/p>\n

While the government tries to bypass encryption, spyware technologies already rely on the inherent weaknesses of our digital ecosystem. This is a secretive, lucrative and unregulated industry with serious potential for abuse.<\/p>\n

There needs to be more transparency, oversight and strong steps toward developing a robust framework of accountability<\/a> for both the government and private spyware companies.<\/p>\n","protected":false},"excerpt":{"rendered":"

This post authored by\u00a0Dr. Monique Mann\u00a0(CJRC),\u00a0Dr Adam Molnar and Dr Ian Warren (Deakin Criminology)\u00a0originally appeared on The Conversation on Friday the 21st of July 2017. Link to original article here:\u00a0https:\/\/theconversation.com\/spyware-merchants-the-risks-of-outsourcing-government-hacking-80891 An Australian Tax Office (ATO) staffer recently leaked on LinkedIn a step-by-step guide to hacking a smartphone. The documents, which have since been removed, indicate<\/p>\n","protected":false},"author":4341,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-2686","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-uncategorized"},"acf":[],"_links":{"self":[{"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/posts\/2686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/users\/4341"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/comments?post=2686"}],"version-history":[{"count":1,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/posts\/2686\/revisions"}],"predecessor-version":[{"id":2687,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/posts\/2686\/revisions\/2687"}],"wp:attachment":[{"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/media?parent=2686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/categories?post=2686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.qut.edu.au\/crime-and-justice-research-centre\/wp-json\/wp\/v2\/tags?post=2686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}