News

Police confirm agreement with spyware seller

Hacking spyware used by some of the world’s worst dictatorships may be in use in New Zealand.

The spyware, produced by Italian-based company, Hacking Team, is used by state agencies to monitor the communications of people of interest.

The Italian government was so concerned by the sale of spyware to countries with poor human rights it temporarily banned the company’s right to export.

New Zealand Police have confirmed to Newsroom in response to an Official Information Act request that they have signed a non-disclosure agreement with Hacking Team.

Non-disclosure agreements are typically signed to ensure sensitive information isn't shared with other parties.

Hacking Team’s spyware has the ability to turn computers and phones into eavesdropping and tracking devices. It can turn on cameras and microphones to record conversations, track GPS locations, take screenshots and monitor all communications made through devices - including encrypted audio and typed messages.

A phone or computer can be infected with Hacking Team’s spyware in a number of ways, from browsing unencrypted content, to being installed over Wi-Fi networks. It can also be included in emailed attachments. The spyware is not detected by anti-virus software and works on most devices - from PCs, to iPhones and tablets.

The non-disclosure agreement was signed in 2016. Police withheld information requested under the Official Information Act which would show if and how Hacking Team’s spyware was being used, saying releasing the information - or acknowledging its existence or non-existence - could prejudice the maintenance of the law, including the prevention, investigation, and detection of offences, and the right to a fair trial.

An appeal has been made to the Ombudsman for the information's release.

Not a new connection

While it's not clear if police are using the spyware, New Zealand’s connection to Hacking Team predates the 2016 non-disclosure agreement, suggesting another agency may have a relationship with them.

In 2014 the cyber-security company Kaspersky shared locations of servers associated with Hacking Team’s spyware. New Zealand was identified as having seven servers. Kaspersky’s report says while it cannot be certain servers based in a country are used by that country, for cross-border legal reasons it would make sense.

In 2015 the Hacking Team was itself hacked by an activist, resulting in 400 gigabytes of the company’s emails and files being leaked online. Leaked emails showed senior staff members from New Zealand Police and the Ministry of Foreign Affairs and Trade were on a Hacking Team mailing list.

The leaked emails also show a 2014 exchange with a private New Zealand citizen who enquired about the cost of the spyware. Hacking Team responded to him saying they can only supply government agencies, saying: “We currently have some existing negotiations in place within the country”.

The hack exposed the sale of Hacking Team’s spyware to countries with poor human rights records such as Morocco, Sudan, Egypt, Ethiopia, Bahrain, Uganda, Russia and Vietnam. It is believed the spyware has been used to target journalists in Morocco and an activist in the United Arab Emirates.

In New Zealand, the rights surrounding surveillance are covered by the Search and Surveillance Act. The act is not without critics. Former Green Party co-leader Metiria Turei said the legislation was “notorious for eroding civil liberties and giving sweeping powers to more government agencies than ever before.”.

The 2012 act is currently under review. Former Justice Minister Amy Adams said apps, social media and cloud-based services have posed “challenges” for police and other agencies investigating crime.

A completed report from the Law Commission and Ministry of Justice on the issues raised for review is waiting to be tabled in Parliament before being made public.

Search and Surveillance Act scrutinised

Currently police must obtain a warrant to monitor New Zealanders, however, the act does allow police to search or spy on people without a warrant in some extreme cases such as suspected murder, slave dealing, infanticide and other crimes with a penalty greater than seven years' prison.

Recently, the application of the act has come under question.

Three human rights activists had their phone calls and messages monitored starting the day they staged a peaceful sit-in protest at a Department of Corrections office in Hamilton. They were arrested for trespass, which carries a maximum sentence of three months.

All three were discharged without conviction and became aware of the surveillance from court documents. Police won't say on what grounds the surveillance was approved.

Barrister Felix Geiringer has worked on surveillance cases and said he does not feel the current system has sufficient safeguards to counter unlawful surveillance.

“It’s too easy to get a warrant in circumstances that don’t justify it.

“My view is, unless there is an argument for urgency, they should have to submit the application to somebody whose job it is to pick it apart and show why it might not be valid.”

He believes that after surveillance is completed, there should be a review. If nothing comes of the surveillance, police never tell anyone about it.

Finally, Geiringer said there need to be consequences for unlawful surveillance.

He said taking a case to the High Court is prohibitively expensive and even if you win, damages awarded can be less than the cost of the case, while police officers found to have conducted unlawful searches were not reprimanded.

“You’re out of pocket for establishing the police were wrong."