In the past five years, Ahmed Mansoor, a human rights activist in the United Arab Emirates (UAE), has been jailed and fired from his job, along with having his passport confiscated, his car stolen, his e-mail hacked, his location tracked and his bank account robbed of US$140,000. He has also been beaten twice in the same week.
Mansoor’s experience has become a cautionary tale for dissidents, journalists and human-rights activists. It used to be that only a handful of countries had access to sophisticated hacking and spying tools. However, these days, nearly all kinds of countries, be they small, oil-rich nations like the UAE, or poor but populous countries like Ethiopia, are buying commercial spyware or hiring and training programmers to develop their own hacking and surveillance tools.
The barriers to join the global surveillance apparatus have never been lower. Dozens of companies, ranging from NSO Group and Cellebrite in Israel to Finfisher in Germany and Hacking Team in Italy, sell digital spy tools to governments.
A number of companies in the US are training foreign law enforcement and intelligence officials to code their own surveillance tools. In many cases these tools are able to circumvent security measures such as encryption. Some countries are using them to watch dissidents. Others are using them to aggressively silence and punish their critics, inside and outside their borders.
“There’s no substantial regulation,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, who has been tracking the spread of spyware around the globe.
“Any government who wants spyware can buy it outright or hire someone to develop it for you,” he said. “When we see the poorest countries deploying spyware, it’s clear money is no longer a barrier.”
Marczak examined Mansoor’s e-mails and found that, before his arrest, he had been targeted by spyware sold by Finfisher and Hacking Team, which sell surveillance tools to governments for comparably cheap six and seven-figure sums. Both companies sell tools that turn computers and telephones into listening devices that can monitor a target’s messages, calls and whereabouts.
In 2011, in the midst of the Arab Spring, Mansoor was arrested with four others on charges of insulting UAE rulers. He and the others had called for universal suffrage. They were quickly released and pardoned after international pressure.
However, Mansoor’s real troubles began shortly after his release. He was beaten and robbed of his car, and US$140,000 was stolen from his bank account. He did not learn that he was being monitored until a year later, when Marczak found the spyware on his devices.
“It was as bad as someone encroaching in your living room, a total invasion of privacy, and you begin to learn that maybe you shouldn’t trust anyone anymore,” Mansoor said.
Marczak was able to trace the spyware back to the Royal Group, a conglomerate run by a member of the al-Nahyan family, one of the six ruling families of the UAE. Representatives from the UAE embassy in Washington said they were still investigating the matter and did not return requests for further comment.
Invoices from Hacking Team showed that throughout last year, the UAE were Hacking Team’s second-biggest customers, behind only Morocco, and they paid Hacking Team more than US$634,500 to deploy spyware on 1,100 people. The invoices came to light last year after Hacking Team itself was hacked and thousands of internal e-mails and contracts were leaked online.