All Posts in

July 24, 2015 - Comments Off on Unlawful Interception: Pakistan’s intelligence agencies, Hacking Team, & the abuse of communication surveillance powers

Unlawful Interception: Pakistan’s intelligence agencies, Hacking Team, & the abuse of communication surveillance powers

Earlier this week, Privacy International released their in-depth report on the state of surveillance in Pakistan, Tipping the scales: Security & surveillance in Pakistan. Available to the public, the report examines the exponential rate at which communication surveillance measures have been undertaken by the government of Pakistan defended as being necessary to combat internal and external threats to the nation. However, while it is the role of the state to protect its citizens from internal and external threats to their life and liberty, this echoes an all too common rationale used by foreign governments and intelligence agencies worldwide to justify ever increasing surveillance of their own citizens, and to limit or remove the legal rights of those same citizens to push back against the invasion of their privacy.

The “Global War on Terror” has seen law enforcement agencies worldwide request and in most instance receive millions in “anti-terrorism” funding, as well as broader powers with oft-generous leeways, to tackle terrorism as they see fit. Armed forces, intelligence agencies and law enforcement departments worldwide will direct such largesse towards the acquisition of and greater access to technologies that allow them to spy on their own citizens. Since September 11 2001, this had led to the rights of citizens abroad violated by their own governments, who will carry out surveillance without proper public oversight – if at all. Activists, journalists, politicians and other ordinary citizens with no link to terrorist groups whatsoever have found themselves under observation, and often without any legal recourse.

As a partner in this “War on Terror”, Pakistan is no different, with its military forces receiving generous levels of funding from the government as well as from its international allies, to tackle its own conflicts against armed militants. It has also given broad powers and authority to state agencies, to tackle what they argue is language and behaviour that is detrimental to the reputation and safety of Pakistan. Coupled with bans on encryption and forms of proxy software, what this has led to, according to Privacy International's report, has been an abuse of:

"...their (Pakistan's intelligence agencies) communication surveillance powers, including spying on opposition politicians and Supreme Court judges. Widespread internet monitoring and censorship has also been used to target journalists, lawyers and activists."

Privacy International's report also reveals that Pakistan's Inter-Service Intelligence Agency (ISI) wanted to expand their surveillance capabilities via the commission in 2013 of a:

"mass surveillance system to tap international under- sea cables at three cable landing sites in southern Pakistan. The “Targeted IP Monitoring System and COE [Common Operations Environments]” would allow Pakistan to collect and analyse a significant portion of communications travelling within and through the country at a centralized command centre. With a projected intake of an estimated 660 gigabytes per second, the system would amount to a significant expansion of Pakistan’s communications intelligence gathering capacities."

To create such a system to strengthen one's surveillance efforts, it has become de rigueur to reach out to the private sector for hardware and software surveillance solutions. A multi-billion dollar industry, commercial surveillance firms have found no shortage of potential clients in the wake of post-September 11th attacks attributed to terrorist organisations or lone wolves. The Privacy International report highlights how Pakistan's intelligence agencies and security forces, represented by partners in the Pakistani private sector, sought to purchase products and services to allow them to expand their surveillance abilities, to infiltrate the digital devices and computers of citizens, from international spyware firms.

Earlier this month one of these companies, the controversial Italian spyware manufacturer Hacking Team, was hacked. The firm's official twitter account was taken over on July 5, and links to over 400 GB worth of internal Hacking Team data were provided, which in turn were shared by WikiLeaks and others. This hack allows us to explore how Pakistani intelligence agencies purchase the technology and services they require for greater surveillance creep.

A controversial player in the commercial digital surveillance industry, Hacking Team has frequently asserted that it goes to great lengths to ensure that its software is not utilised to undermine human rights. The internal communications and invoices unearthed, however, strongly contradict the firm's claims. Communications with representatives indicate little concern made regarding misuse of HT's software packages to undermine human rights activities – they are, instead, reassured and informed that there will be no trouble in operating in particular regions. Hacking Team's core business centred around their Remote Control System (RCS) software suite, which allows customers to infiltrate the computer and mobile devices of targeted individuals and install backdoors, in turn allowing for undetectable monitoring at will. Hacking Team's RCS, also known as Galileo, allows customers to (according to their promotional material):

Keep an eye on all your targets and manage them remotely, all from a single screen. Be alerted in incoming relevant data and have meaningful events automatically highlighted.

Remote Control System: the hacking suite for governmental interception.

Right at your fingertips.”

If the modus operandi of Hacking Team and Galileo sounds familiar, it should: Finfisher, a surveillance software package released by Gamma International Ltd in 2007, was brought to the world's attention in August of last year, due to a 40 GB leak that exposed the company's internal communications and financial history, as well as the governments that purchased – or were interested in purchasing – Finfisher for domestic surveillance purposes. Finfisher, like Hacking Team's RCS/Galileo software suite, allowed customers to infiltrate the computer systems of targeted individuals, and install software undetected. Digital Rights Foundation has covered Finfisher and how it operates here.

Finfisher's "Remote Monitoring and Deployment Solutions" and Hacking Team's RCS have something else in common: both were of interest to Pakistani companies, working on behalf of domestic military intelligence and intelligence agency clients. An examination of Hacking Team's leaked internal data uncovered email communications between Hacking Team and Pakistani IT company representatives between 2011 and 2015. Also uncovered were internal communications, mostly in Italian, between members of Hacking Team regarding their thoughts on potential Pakistani partners, as well as sharing and discussing news articles pertaining to the security situation in Pakistan and South Asia. Unlike Finfisher, the data leaked does not appear to indicate that a successful purchase of RCS/Galileo was made by Pakistani buyers.

"You can compare them to MI5": Pakistan's Interest in Hacking Team's Tech

The extensive data leak reveals the manner in which Hacking Team communicates with representatives of potential clients in Pakistan. Sensitivity is requested by representatives in regards to the identities of their clients; preferential treatment; verification of identities by clients, visa invitation letters; VIP guest ticket requests; interest in specific software and service demonstrations, and internal discussions regarding client representatives are covered in the emails. Below are samples of the email communications between Hacking Team and potential customers:

January 18th 2011 marks the earliest recorded communication (as collected by Wikileaks and other sources) between Hacking Team and Pakistani client representatives. Marco Bettini, HT's International Sales Manager, is in communication with Zeeshan Zakaria, Chief Executive of Defence Solutions & Systems Ltd (DSS), a Lahore, Pakistan-based company. The email, part of a long response thread entitled “R: R: R: R: Demokit” in response to Mr. Zakaria's previous email that states that there will be “4 guests who will see the demo. We will require you to do the demo.” In the email Mr. Zakaria also says that he will “appreciate if you dont (sic) offer your prices or product to anyone else in Pakistan for the time being.” Mr. Bettini asks for the name of the guest “in order to require the badges for ISS admittance” and if he, Mr. Zakaria, will be attending as well. Hacking Team does not”give any exclusivity based on country”, says Bettini, but they can “block” other companies asking for “any activity or quotation for the same customer” if Mr. Zakaria can provide the name of the agencies he is working with.

(As ISS comes up quite often in Hacking Team emails, it should be explained at this point that ISS in the context of the emails is an abbreviation of “Intelligence Support Systems for Lawful Interception, Electronic Surveillance and Cyber Intelligence Gathering”. The website for the ISS describes it as thus:

ISS World Middle East is the world's largest gathering of Middle East Law Enforcement, Intelligence and Homeland Security Analysts as well as Telecom Operators responsible for Lawful Interception, Hi-Tech Electronic Investigations and Network Intelligence Gathering.”

In 2011, the ISS conference was held in Dubai from February 21-23, 2011. Among the conference's sponsors as of 2015? Hacking Team, Finfisher, and Gamma Group. Though a separate entity since October 1st 2013, Finfisher was established in 2007 as part of the Gamma Group.

The following day, an email from Ali Ahmed of Miran International – according to its website, a Karachi-based “company specialising in security, defence and telecommunications” - is forwarded by David Vincenzetti, Hacking Team's CEO, to, concerning an inquiry “from one the premier Intelligence Agencies in Pakistan” in regards to “infecting of GSM handsets.” (sic). Unaware of the earlier communication to HT by DSS, Miran International is interested in partnering with the Italian firm in Pakistan for the project if the latter has not already found a partner in the country.

"K Block" refers to the HQ of the Intelligence Bureau, at the Secretariat in Islamabad, Pakistan. Image Via Wikileaks.

"K Block" refers to the HQ of the Intelligence Bureau, at the Secretariat in Islamabad, Pakistan. Image Via Wikileaks.

The following day Hacking Team contacts Mr. Zakaria of DSS, asking him to provide the names of his guests. He is also informed by HT that they “are already involved in other opportunities in Pakistan.” “To protect your job,” the email from Mr. Bettini continues, “please inform me as soon as you can the agencies and contacts you are working with.” (sic). Following this email, Mr. Ahmed of MI is sent anemail by Mostapha Maana, Hacking Team's account manager for the Middle East region, similar to the one sent by Mr. Vincenzetti, asking for the agency letter, to check if they are already “in contact” with the client in question. It bounces back, and is sent again on the 21st by Mr. Maana. Mr. Maana gets in touch with Mr. Zakaria of DSS , and knows that “ we have been trying to work together since 2008”. As before, Mr. Zakaria is asked for the names of his clients “in order to protect your job”. Mr. Zakaria responds that “at this stage I think we should not discuss the names of the customers as it is a little sensitive.” Mr. Maana then responds, saying that he needs to know the names of the clients “otherwise I cannot refuse to meet the other Pakistan company at the ISS. By the way, I already know the name of this company's customer.”

It is at this point that Mr. Zakaria identifies the customer/client as being the National Police Bureau, with names of the officers attending the conference being named in the email. He requests that VIP invitations be arranged for the officers as “they are very interested your product.”

Hacking Team outlines to how RCS/Galileo works to the representative for a potential client.

Hacking Team outlines to how RCS/Galileo works to the representative for a potential client. Image via Wikileaks.

We come back to Miran International, who, whilst requesting a Non Disclosure Agreement (NDA) have listed their clients: Pakistan's Intelligence Bureau (IB) and Inter-Services Intelligence (ISI). “You can compare them to MI5 and MI6” Mr. Ali Ahmed offers helpfully. According to the Miran representative, “they're the only 2 agencies in Pakistan allowed to use voice interception and location products like A5-1 gsm interception systems.” (sic) *. “ISI and IB are the top agencies in Pakistan with no budget issues” he continues, “allowed to purchase without the tendering process.”

(*An example of what they could be referring to, for a point of reference, could be this:

Miran International and Hacking Team continue to discuss potential cooperation until early 2015, when internal emails between members of Hacking Team appear to look upon Miran International, and its sister company Vision Metric with some concern, and there is no update after February 26th of this year, when David Vincenzetti appears to remark that it is “una perdita di tempo” - a waste of time.

Hacking Team's CEO appears to have become fed up with this potential deal, calling it "a waste of time."

Hacking Team's CEO appears to have become fed up with this potential deal, calling it "a waste of time." Image via Wikileaks.

The communications between Hacking Team and Miran International may have been fruitless from the former's perspective, but a perusal of the communications between the two unearths other details. We learn, for instance, Gamma Group's representative in Pakistan was “very active in Islamabad with ISI” (sic) (though unsuccessful), and that Gamma Group's Sales Director, Edgar Bucheli, was in touch with senior ISI officials.

Here the representative passes on the information that the Intelligence Bureau (IB) is interested. Image via Wikileaks

Here the representative passes on the information that the Intelligence Bureau (IB) is interested. Image via Wikileaks.

As for DSS, communications between them and Hacking Team continue until early 2014, and then stop, apparently due to a lack of success on the part of this company as well.

This does not stop Hacking Team from being approached by Pakistani companies, such as United International Technologies (UIT), which “has been in the Pakistan market for 35 years and is the Pakistan company representative for global defense and aerospace companies such as BAE Systems, Rockwell Collins, QinetiQ, Chemring Group and Poongsan among others.” UIT contacts Hacking Team via email on February 27th 2015, and until the 5th of March discuss NDAs and the “end users” or clients of UIT, “Pakistan Army Military Intelligence and/or ISI.” UIT informs them that they will be at the 2015 ISS conference in Dubai, from the 16th to the 18th of March. As of the 5th of March, UIT is “at a very preliminary stage.” Nothing else follows.

Hacking Team and its international partners discussing a new ISI head, as any work with the "current one is a waste of time.

Hacking Team and its international partners discussing a new ISI head, as any work with the "current one is a waste of time.

What is noticeable about communications between Hacking Team and the representatives of potential client is the plainly laid out request for software that provides the customer with the ability to infiltrate and monitor communication traffic. What is conspicuous by their absence are any concerns raised about human rights or other ethical considerations.

Here the representative clearly states what the client wants.

Here the representative clearly states what the client wants. Image via Wikileaks

The private companies mentioned in this post are just a few of the many that vie for contracts from the armed forces, the police forces and intelligence agencies of Pakistan, to offer the latest in software packages that ostensibly help protect the citizens of Pakistan. The reality is that the tools that are purchased on behalf of the forces and agencies mentioned are being chosen specifically because they are advertised as being able to bypass security measures that allow users privacy and a sense of safety, with next to nothing in terms of official restraint or public oversight.

To purchase and utilise such measures without clear lawful authority violates the rights of Pakistani citizens, as laid out in the International Covenant on Civil and Political Rights, to which Pakistan became a signatory in 2010. The representative from Miran International wrote in his email that ISI and IB have “no budget issues”. On the contrary, the money which pays for the supposed free rein of these agencies comes from the taxes paid by Pakistani citizens. With no public oversight, the taxes collected from citizens are being used to finance the purchase – or research the purchase of – equipment that violates their rights.

Privacy International's report, Tipping the scales: Security & surveillance in Pakistan, can be downloaded here.

Written by Adnan Chaudhri

May 29, 2015 - Comments Off on & Facebook’s Illusion of Choice & Facebook’s Illusion of Choice

If you don't have Telenor, this is what you get.


On May 28th, Telenor Pakistan (a wholly-owned subsidiary of the Norwegian telecommunications Telenor Group) formally announced that it had partnered with Facebook on the latter's initiative. According to Facebook and its partners, the objective of is to provide selected internet services for free. At first blush, this comes across as a boon for citizens in the developing world, where data services can be expensive for many. Being able to access the internet without running up large bills, and without draining one's monthly data package allowance sounds ideal. By signing up to, Telenor's mobile subscriber base in Pakistan – which at last counts comes close 35.2 million – will have access to a list of websites and internet services, which Techjuice has listed here. With Telenor as a start, more people in Pakistan will have greater access than ever before, and for next to nothing.

Beyond the altruistic sentiment, however, all is not well. Rather than giving people greater choice, in reality what and its backers are offering is limited and leaves everyone worse off, down the road, creating and encouraging two-tier internet access that, in the long run, makes losers out of us all. Pakistani Tech activists and entrepreneurs have expressed their dismay Facebook and Telenor's launching of the initiative. Arzak Khan of Internet Policy Observatory Pakistan, for instance, expressed deep concern that an established operator like Telenor is joining Facebook's initiative and launching what is a limited and insecure internet. The impact of such a move will stifle investment in infrastructure development and threaten freedom of expression, equality of opportunity, security, privacy and innovation."

We don't support”, say activists such as Sana Saleem of Bolo Bhi. I believe that they are changing the way that people will access internet in the future for the next billion they are making internet insecure and  limiting their access by suggesting that only these few websites and apps are approved by Facebook, it is against the principle of Net Neutrality and it limits people’s access."

The belief that internet service providers should not discriminate between different forms of content, thus guaranteeing a level playing field for all websites, is one of the key guiding principles behind the preservation of a free and open internet. This belief, known as Net Neutrality, is what ensures that your access to is the same as your access to Express Tribune, or Project Gutenberg. By not favouring or blocking a particular website or service, people are able to access the internet with the freedom of choice, regardless of financial or social background. By offering a select number of websites and services for free solely to people that have subscribed to one of its partners, Facebook is acting in direct violation of the concept of Net Neutrality, by favouring some websites/services and denying access to others. Should Telenor Pakistan subscribers choose to visit websites or services that are not on the proscribed list, they will have to do so outside of What offers is the opposite of Net Neutrality, and is known as Zero Rating, defined by Access Now as “the practice by service providers of offering their customers a specific set of services or applications that are free to use without a data plan, or that do not count against existing data caps.” The nature of zero rating has meant that it has been banned or restricted in countries such as Canada and the Netherlands. Nonetheless, this discriminatory practice has been received with open arms in Pakistan. To quote Ghaus Iftikhar Nakodari, Founder of Jumpshare:

The walled garden approach of making a select few websites available for free will hurt businesses who work so hard to compete in their market. If this trend takes off, I am afraid internet providers will start charging for access to batches of websites in future.”

A internet gateway such as makes censorship by governments easier, with what Access Now call a “single centralised checkpoint” for information. Facebook itself has been targeted by and taken down by several governments for “allowing” politically sensitive content. Pakistanis that would use to access websites and services that are sensitive in nature could find themselves blocked individually or en masse.

Facebook itself has a notoriously bad reputation in regards to the privacy of its users. Privacy settings have been changed in the past without informing users in advance, with private messages becoming public. Terms and conditions have also been modified in the past without warning. The nature of Facebook's business model, furthermore, is reliant on user data, which is in turn provided to third parties. It is quite likely that will collect user data via services and IOS/Android apps. The lack of proper transparency in regards to how that data will be used by and partnering companies should disturb many, due to the potential for surveillance without consent.

Surely Facebook is aware of the privacy concerns of many, and will strengthen security for the benefit of its users? Well, as Access Now and the Electronic Freedom Foundation have pointed, not really. Each points out that the current version of does not permit HTTPS (HTTP Secure), SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption protocols. If one is sending sensitive personal data – emails, credit card purchases etc – over the internet, these encryption protocols ensure the security and integrity of your web traffic, without the risk of being eavesdropped upon by government agencies or malicious hackers looking to steal your details. By not allowing these protocols, users are at danger each time they access websites and services via Facebook's offering. is not without its supporters. There are those defend Facebook and its partners, saying that this opens up the internet to those that could not afford to access it in the past. As internet services become more crucial to our lives, access is indeed essential. Defenders of also argue that once people have tried out, they will be able to move onto the “proper” internet, having had a taste. The problem here is that should more telecoms providers move towards and similar initiatives, it becomes more lucrative for telecoms and internet service providers offer zero rate internet. Should a Telenor subscriber choose to access a website or service not offered by, they may be subject to the usual higher data package costs, thus discouraging them, depending on whether or not they can afford to be charged. And according to Asad Baig of Media Matters for Pakistan:

in such a scenario, when certain service providers in partnership with initiatives like, provide access to certain websites 'free of charge', its very difficult to make consumers understand the implications regarding access. Such services are generally perceived as 'consumer friendly' and that's exactly what makes net-neutrality advocacy in Pakistan so difficult."

Rather than offering greater choices to people, Facebook and not only put privacy, security and the freedom of expression of internet users at risk, and seeks to make access decisions for the users instead, penalising them should they choose otherwise. Saad Hamid of Invest2innovate provides an analogy:

Imagine going to any public park in Pakistan for 5 rupees and one day the fee is waived and you can go to certain parks for free. Seems awesome right? It does feel good today being a customer but what happens one day when the fee is introduced again - would you pay for it? This is exactly the concern with - it's helpful to the user in the short term and it's highly damaging to businesses and startups who want to develop a tendency among users to pay for services.”

May 14, 2015 - Comments Off on Spectrum Eyes: The NSA & Pakistani Metadata

Spectrum Eyes: The NSA & Pakistani Metadata


Last Friday, Digital Rights Foundation had learnt via The Intercept that Ahmad Muaffaq Zaidan, Al Jazeera's Islamabad Bureau chief made the list. The US government terrorist watch list, to be precise.

According to National Security Agency (NSA) documents leaked by whistleblower Edward Snowden, in 2012 the NSA indicated that it considered that Mr. Zaidan was a member of Al Qaeda and the Muslim Brotherhood. Mr. Zaidan has strongly denied that he has ever been a member of either organisation, and is backed by his employers and respected international journalists, such as CNN's security analyst Peter Bergen.

So how did a respected veteran journalist find himself placed on a terrorist watch list?

Metadata refers to location and data about communications, such as the callers, sender and recipient, location of communication devices and their unique identifiers, time and length of calls, and other data. Metadata is useful data: it can be analysed by intelligence officers and software in order to detect specific patterns and to establish detailed profiles on particular individuals and/or groups. In the wake of September 11th 2001, the United States government has actively pursued what it constitutes as threats to global security, on the basis of human intelligence and metadata.

Journalists are always told, whether in school or on the job, to go where the story is. To follow the trail. The nature of investigate journalism will often entail communications and physical interactions with people from criminal or terrorist organisations or backgrounds. Zaidan has travelled to and interviewed key figures in geopolitical hotspots, including Afghanistan and Pakistan, two countries that gained prominence post-9/11. Based upon the metadata that has been generated by his movements and communications, Mr. Zaidan found himself on a terrorist watch list and a US government database (TIDE - Terrorist Identities Datamart Environment, shared by US intelligence agencies). According to SKYNET, a problematically-named computer programme designed to analyse metadata, his movements were similar to that of couriers for high ranking Al Qaeda officials.

In Ahmad Zaidan's own words, “to assert that myself, or any journalist, has any affiliation with any group on account of their contact book, phone call logs, or sources is an absurd distortion of the truth and a complete violation of the profession of journalism.”

Though the NSA and the US government did not tell The Intercept as to how Mr. Zaidan came to be added to the TIDE government database, what is known from leaked documents highlights the grave dangers that the collection and interpretation of metadata hold in store for all of us.

One of the questions that SKYNET used as a basis, for instance, was “who has traveled from Peshawar to Faisalabad or Lahore (and back) in the past month? Who does the traveler call when he arrives?”. Behaviour patterns seen as 'suspect' were also looked at by SKYNET, including “incoming calls only,” “visits to airports,” and “overnight trips.”

What the NSA documents also reveal is that the information was collected from “major Pakistani telecoms providers” according to the Intercept report. According to the documents, 55 million Pakistani mobile phone records were fed into the SKYNET system, via its Pakistan dragnet, DEMONSPIT - “as an example” - one of which was “PROB” (sic) Zaidan, due to his frequent Peshawar-Lahore excursions. Others were also highlighted by the system, using similar criteria.

What arises: the collection of metadata has been actively pursued by government intelligence agencies as a way to capture potential terrorists. The belief is that by examining their movements before hand, persons of interest can be arrested or subdued before an attack takes place. The belief is also that metadata will tell us where the enemy can be found, and taken out. This collation of data has been the basis of drone attacks in Afghanistan, Pakistan, and Yemen, and is cited as being how Osama bin Laden's hideout in Abbotabad, Pakistan, had been located.

As with Mr. Zaidan, however, metadata does not automatically infer intent, and can ensnare innocent people, often with tragic consequences. Drone attacks in Pakistan, as of 24th November 2014, have resulted in the deaths of an estimated 1,147 people, according to a report released last year by the human rights organisation Reprieve (

As the former head of the NSA, General Michael Hayden once remarked, “we kill people based on metadata.” (

What does the Intercept report mean for Pakistani citizens? Simply this: a clear violation of the right of the individual to privacy has taken place. The documents in the report do not clarify the technical or legal means by which 55 million mobile phone records were obtained, and it is unlikely that those mobile phone records were the only examples forms surveillance sans oversight undertaken against Pakistani citizens. It is evident that in the name of global security, the rights of Pakistani citizens have been ignored. The context-free manner in which metadata is analysed ensures that the mobile phone calls, smartphone usage et al of Pakistanis will be kept on NSA servers and examined for “potential” persons of interest.

The current draft of the 2015 Prevention of Electronic Crimes Bill, as amended by the Standing IT Committee of the Pakistani National Assembly, would allow for Pakistani intelligence agencies to forward mobile phone and data records of Pakistani citizens, without consent necessary. A legal analysis undertaken by Privacy International and Digital Rights Foundation found that the the draft law does not call for regulation of “sharing of data among government entities” ( If the United States government highlights the digital activity of any Pakistani citizens on the basis of data already gathered, it will most likely follow that Pakistani intelligence agencies will be approached by their NSA counterparts to bring in the individuals, regardless of concrete evidence of wrongdoing.

The capture and storage of the telecommunications of Pakistani citizens – without consent – violates the right to privacy, and aims to criminalise behaviour out of context. To quote Geoffrey King, Internet Advocacy Coordinator for the Committee to Project Journalists, “Given a big enough pool of data, anyone can end up fitting a 'suspicious' pattern.”

Written by Adnan Chaudhri