Spyware: Government denial despite the evidence

• Appalling for Ministry to issue a simple denial without further clarification
• Five questions the Malaysian people need to ask their government

THE Prime Minister’s Department of Malaysia has denied (twice!) that it has ever procured surveillance software from Milan-based spyware maker Hacking Team, even though hundreds of e-mails in the leaked Hacking Team archive point to it.
 
The news that Malaysian government entities had been using Hacking Team’s spyware broke after the Italian company was hacked in mid-2013, and details posted on its Twitter feed.
 
The leaked information showed that it has sold its software to countries such as Azerbaijan, Bahrain, Colombia, Egypt, Ethiopia, Honduras, Kazakhstan, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Russia, Saudi Arabia, Sudan, Thailand, Tunisia, Turkey, the United Arab Emirates, and Uzbekistan.
 
Three Malaysian government entities were named in these records: The Malaysia (sic) AntiCorruption Commission, the Prime Minister (sic) Office and an unknown entity known only as Malaysia Intelligene (sic).
 
These purchases were routed through a Shah Alam-based company called Miliserv Technologies, which describes itself as being in the business of supplying and installing telecommunications equipment, according to records with the Companies Commission of Malaysia (CCM).
 
The company was registered in 2005, with a total authorised capital of RM1 million, of which RM750,000 has been issued. [RM1 = US$0.23 at current rates]. To download its CCM records, click here.
 

In her latest rebuttal, the minister in charge of parliamentary affairs Azalina Othman Said distanced her ministry from other government agencies, encouraging reporters to seek official statements directly from other agencies accused of procuring the spyware.
 
In the meantime though, the Malaysian Anti-Corruption Commission (MACC) has made a ‘semi’ admission that it had procured the spyware, and to clear any doubts there’s more proof at the end of this post.
 
In spite of this, Azalina has remained silent.
 
To be clear, I’m not accusing anyone of anything. I’m merely reproducing what is already in the public domain, in the hopes of us taking this conversation further to address more pertinent points.
 
We are frustratingly stuck on this issue of purchase (or lack thereof) because the Prime Minister’s Department denies it bought spyware.
 
I find it quite appalling that the Ministry would issue a simple denial without further clarification when I had furnished many documents that show otherwise – in other words, they’ve provided an unsubstantiated denial to my substantiated claim.
 
So here’s an e-mail (linked here) showing Miliserv requesting Hacking Team to register the Prime Minister’s Department as the end-user of the system in the licensing agreement, and here’s another (below) showing Hacking Team preparing to welcome six PMO (Prime Minister’s Office) staff to its headquarters in Milan for ‘advanced training.’

 

 
I have removed the names of the PMO staff (red blocks) as I believe that employees shouldn’t be punished for mistakes their employers commit (but you can search for it online, and the leaked information comes with their passport numbers as well).
 
Why send six staffers to Milan for training if you didn’t buy the spyware?
 
Now, why is it important that we clear this up, even after the MACC has implicitly admitted purchasing such spyware?
 
Well, it’s because of a little known agreement known as the Wassenaar Arrangement.
 
Implications of Wassenaar
 

 
In 2013, ‘intrusion software’ – such as the spyware sold by Hacking Team – was added to the list of technologies considered dual-use under the Wassenaar Arrangement, which controls the export of such technologies (and conventional arms).
 
In the same way you can’t sell bazookas to ISIS, a company selling intrusion and surveillance software has to be very careful that it doesn’t sell software to terrorist organisations or despotic governments.
 
All sales of such software must be accompanied by a degree of ‘customer due diligence’ to ensure the ultimate consignee was a legitimate customer (no anonymous Arabs allowed!)

Now, the Wassenaar Arrangement is quite controversial, and Malaysia isn’t a signatory, and some purchases we’re going to discuss were made prior to the decision to control intrusion software.
 
But Italy is a signatory, and the principle still stands, which is that:
 
Spyware sold by Hacking Team can be considered a weapon (Wassenaar or not) and the export of such software should be done only after careful due diligence to determine the end-user of the system and its purpose of use.
 
According to all the leaked e-mails, Hacking Team was always under the impression that the MACC and the Prime Minister’s Department was the end-customer of spyware it sold to Miliserv.
 
If we believe the e-mails, something isn’t quite right.
 
Two possibilities
 
Because the Prime Minister’s Department has denied procuring such software, there now exist only two possibilities.
 
Possibility 1: If Azalina is being truthful and the Prime Minister’s Department indeed did not purchase spyware from Hacking Team, then Miliserv misled Hacking Team, and used the Prime Minister’s Department as a front to purchase dual-use technology for an unknown entity. Malaysians (and the world) need to know who that unknown entity was.
 
Possibility 2: If Miliserv was honest, then the Prime Minister’s Office (or Department) did indeed purchase spyware. The Government’s refusal to admit the purchase fuels even more speculation. It also means that Azalina lied in Parliament and to the Malaysian people – although a politician lying isn’t exactly a surprise.
 
Other pertinent questions
 
If the ministry admitted the purchase, we could move the conversation forward and discover why the purchases were made and how the spyware was used.
 
We could also evaluate if we have a Government gone mad with so many government agencies intent on purchasing spyware, and whether the purchase of such spyware was necessary even for legitimate uses.
 
Finally, we could have an open discussion if we should be buying anything from a company that proudly lists Sudan as a customer, and if should we be allowing a third-party company to operate this software on behalf of government agencies.
 
Unfortunately, these interesting discussions are stalled due to the Government’s denial. (Read this post for the interesting questions to ask, also reprinted below.)
 
I’ve always maintained that there are ‘legitimate’ uses of such software. This e-mail details a presentation Hacking Team made to the counter-terrorism unit of the Malaysian police – the senior officer present was impressed and even asked if Hacking Team could testify in court regarding the technical aspects of its software.
 
Everything was above board, and I applaud the questioning of testimonies in court, as it means the officer was prepared go through due legal process (something SOSMA allows him to circumvent).
 
Oh and a final bonus. At one point, the PMO purportedly asked Hacking Team to lie on its Customs declaration forms for shipments into Malaysia … tsk, tsk, tsk.
 

Conclusion
 
This will be my final post on the subject. If Malaysia’s ministers deny all this once again, that would be the end of the story, unfortunately. It was a fun ride, but I need to move on to other things.
 
Consider the pertinent questions we need to ask the Government about the purchase below.
 
Bonus points
 

1. An authorisation letter from Hacking Team to Miliserv, authorising it to sell its software to the PMO.
2. Here is a signed document from the MACC signalling that it bought the software. Curiously, it does not appear in the MyProcurement website.
3. Hacking Team didn’t quite like Miliserv, and in this e-mail you can see ties were strained.

 
Addendum I
 
There seems to be some confusion in the e-mails and even the local media as to the difference between the Prime Minister’s Department and the Prime Minister’s Office.
 
For the purpose of this post, I’ve treated them as the same. At this point, I’m convinced it was the PMD (not PMO) that purchased the software, but I’ve been wrong before, so be warned!
 
Addendum II: 5 questions we need to ask
 
If you believe (as I do), that the Malaysian Government bought spyware, then here are some pertinent questions:
 
Question 1: Do these government agencies actually have investigative powers?
 
While the police might have the legal authority to investigate someone, does the PMO, MACC or anyone else share that authority? If a government agency has no right to investigate someone, then why is it buying spyware?
 
The conversation should end here, as I don’t believe the PMO has any authority to use spyware, but the next question actually goes even further and ask if anyone has the legal authority to use it.
 
Question 2: Is spyware legal?
 
Installing spyware on a laptop or smartphone is far more intrusive than a regular home search – it’s like having an invisible officer stationed in your house listening in on everything you say and do.
 
It doesn’t just invade the privacy of the victim, but even those that victim communicates or shares their laptop with, or even those that just happen to be nearby.
 
The MACC Act that governs the powers of the commission specifically state that the Public Prosecutor or Commissioner of the MACC can authorise the interception of communications if they ‘consider’ that the specific communication might help in an ongoing investigation.
 
However, spyware from Hacking Team isn’t really ‘intercepting’ communications, because what is being communicated through the Internet is usually encrypted, Hacking Team circumvents this by capturing the data before it is encrypted and then sends that captured data in a separate communication back to its control servers.
 
Strictly speaking, this isn’t interception, its shoulder surfing on steroids.
 

 
More worrying is that the spyware might take screenshots of diary entries and notes that the victims never intended to communicate with anyone – draft e-mail entries that they later delete are also captured by this spyware.
 
Obviously this falls into a different category than simple ‘interception,’ but I’m not done yet.
 

Hacking Team proudly proclaims that its software can remotely trigger webcams and microphones on laptops to begin recording, essentially placing a spy at the homes of its victims, allowing the company to listen in on private conversations that were never intended for anyone outside the home.
 
It may also violate the privacy of the household that the infected smartphone or laptop happens to be in, and could be used to determine far more intimate details of innocent bystanders including “the hour each night the lady of the house takes her daily sauna and bath,” far exceeding what is reasonably needed for a criminal investigation.
 
Malaysian legislation permits the use of searches of private property as well as interception of communications, but clearly makes a distinction between the two as they represent different levels of privacy intrusion.
 
In the United States, you need a warrant to go into someone’s home, but you need a super-warrant for wiretap.
 
I would suggest that nothing in our law allows for the installation of such nefarious spyware, and the use of the spyware is illegal regardless of whether the government agency has investigative powers.
 
Question 3: What was the purpose?
 
Now, if we establish that indeed it is legally possible for the PMO to run a surveillance programme, we then have to ask what the purpose of the programme was.
 
The public might be sympathetic to a government agency investigating ISIS or other terrorist organisations, but the PMO doesn’t go after terrorists, and from all the evidence, it seems it used it for political purposes.
 
Even the MACC needs to show us which criminal investigations were helped by the use of spyware (if any).
 
Question 4: Is it right to have a third party operate the spyware?
 
In all the cases, the spyware was operated by a third party – the company called Miliserv.
 
Now, the police have investigative powers, but they can’t outsource that surveillance to a third party. The IGP (Inspector-General of Police) can’t wake up one morning and outsource all police investigations to his brother’s company, but that’s exactly what the MACC did by outsourcing its investigations to Miliserv.
 
Remember the invisible officer I mentioned? Imagine if that officer were a third-party contractor to an incompetent software vendor, rather than an officer of the law … creepy!
 
Question 5: Why did the Government try to cover up its purchase?
 
The real smoking gun is why the Government tried to hide its tracks.
 
Not only did the PMO ask for the spyware it imported to be wrongly declared in Customs declarations, but even on a technical level, Hacking Team employed ‘anonymisers.’
 
All spyware have to report back to a central server, and by right that server has to be located in-country – for local government access. But in this case, Hacking Team provided a ‘feature’ that routed the information across the globe first to obfuscate the source of the spying.
 
So if the Government installed spyware on your machine, it would first send detailed information about you to a server in the United States, and then the United Kingdom, before finally ending up in Malaysia – all this to obfuscate the fact that the Government was spying on you.
 
Even if you found out, you’d only know that you were being spied upon by a US server.
 
What this means though is that your personal information is zipping around the world, and more importantly, even the Government knows it needs to hide its tracks.
 
Why the need for such obfuscation if the Government was acting legally?
 
The final conclusion
 
It’s really important we get to the bottom of these questions, especially Question 2, as these are not just gross invasions of privacy and over-stepping of legal boundaries, they set the tone for future government transparency.
 
If the Government can get away with this, it will continue to doing it. If we want a better government, we need to hold ministers who lie in Parliament accountable, and hold office-bearers accountable when they exceed the law.
 
It’s important because if Malaysians don’t hold our Government up to high standards, we will inevitably end up having no standards.
 
Keith Rozario blogs at keithRozario.com covering technology and security issues from a Malaysian perspective. He also tweets from @keithrozario. This article first appeared on his blog and is reprinted here with his kind permission.
 
Related Stories:
 
The Malaysian Government doesn’t buy spyware? Yeah, right
 
Malaysian Govt spyware use unconstitutional, call for action
 
SEA journalists being targeted by hackers, state agencies
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.