Correction: An earlier version of this story incorrectly said that the firm Linode is based in Atlanta. It is based in New Jersey.
An Italian computer spyware firm, whose tools foreign governments allegedly have used to snoop on dissidents and journalists, relies heavily on the servers of U.S. Internet companies, according to a new report.
At least 20 percent of the servers used by clients of Hacking Team, based in Milan, are located in the United States, effectively making the companies that own those servers key nodes in a hidden global network of spyware servers, according to a report to be released Tuesday by Citizen Lab, at the University of Toronto’s Munk School of Global Affairs.
The discovery raises ethical questions for the cloud companies whose servers Hacking Team clients use to surreptitiously take control of targets’ computers and phones, turn on Web cameras and intercept encrypted communications. And it comes amid a growing cry for export controls on such software.
The United States was home to the single largest concentration of Hacking Team servers detected since May 2012, according to the researchers. Of the 555 machines identified worldwide, the researchers found that 80 belonged to Linode, a New Jersey firm, and that 40 of those were in the United States.
With Citizen Lab’s help, a human rights activist in Dubai recently discovered that his computer had been hacked using the Italian firm’s software. His e-mail was still being read even after he changed the password. In Morocco, computers belonging to a group of journalists critical of the government were hacked using the same spyware. And in December, an Ethiopian journalist in the United States was targeted, again apparently using Hacking Team software, according to Citizen Lab.
A Linode server in Atlanta and one in London were linked to the Dubai and Morocco cases, respectively, according to the report’s lead author, Bill Marczak, a Citizen Lab research fellow.
“What we’ve tried to do here is unravel Hacking Team’s labyrinthine hidden collection structure that they use to hide government spying globally,” said Morgan Marquis-Boire, a senior researcher at Citizen Lab.
The researchers found that the U.S. servers linked to Hacking Team in some cases attempted to camouflage themselves as U.S. companies and Web sites such as Apple and ABC News.
A spokesman for Hacking Team, which has a sales office in Annapolis, Md., did not dispute the findings on its U.S. servers. “Much of the world’s Internet traffic transits the United States, so it is no surprise that Citizen Lab would find servers in this country carrying all manner of Internet traffic including that of various criminals and terrorists,” Eric Rabe, the firm’s chief communications executive, said in an e-mail.
He added: “Our clients do not use our tools to attack U.S. systems, but rather to perform surveillance on subjects of criminal investigations. The tools are used to intercept communications from [a] particular subject’s devices, not to perform some sort of general scanning of an entire population or the traffic of a particular server.”
Rabe said the 11-year-old firm, which does not identify its clients, sells “exclusively to government agencies such as police departments or intelligence services.” He said it does not sell to governments if there are “credible concerns that Hacking Team technology will be used to facilitate human rights violations.”
Several countries with checkered human rights records have used Hacking Team spy tools that rely on U.S. Web hosting providers, according to Citizen Lab.
Although none of these countries are under U.S. sanctions for rights abuses, activists have nonetheless raised concerns that some authoritarian governments are exploiting the largely unregulated spyware trade.
Hacking Team touts its Remote Control System as stealthy and “untraceable.” In the wrong hands, RCS can become a highly invasive tool that puts dissidents’ or activists’ lives at risk, the researchers say.
Technology experts say that holding cloud computing companies accountable for their users’ activity can be a difficult issue because selective policing of server use may be legally problematic. But when notified that an account appears to be linked to abusive or illegal activity, firms should investigate and take action, said Andrea Matwyshyn, assistant professor of legal studies and business ethics at the University of Pennsylvania’s Wharton School.
Linode, along with Texas firm Rackspace, were the cloud-hosting companies most frequently linked to Hacking Team.
A Linode spokesman said the company takes abuse complaints seriously and investigates suspicious activity immediately.
Rackspace spokesman Brandon Brunson said the alleged misconduct involving Hacking Team’s spyware “would definitely violate our policies.”
But he said that when the company investigated the systems identified as belonging to Hacking Team by Citizen Lab, it found only two active customers from the date range associated with those machines. Rackspace was unable to trace the account owners, an individual and a small business, back to Hacking Team, he said.
As of Monday, the two Rackspace servers linked to Hacking Team were still active, according to Citizen Lab and verified by The Washington Post.
“These are spyware servers running the same type of spyware which has been widely documented as targeting activists in repressive countries,” Marczak said. “I would hope that Rackspace would treat this issue with the seriousness it deserves.”
Industry officials familiar with Hacking Team have told The Post that the firm advocates using five proxy servers to make it difficult for a sleuth to track a spy campaign back to its origins.
Rabe declined to address how the server contracts are set up, saying only, “Hacking Team works with the clients to establish their service. Each system is designed and configured for the particular requirements of an individual client.”
Hacking Team installs its spyware tools on clients’ equipment, but clients manage the operations.
Soltani is an independent security researcher and consultant.