Revealed: Domestic Surveillance Company in talks with Burma Govt

By Hanna Hindstrom, 24 July 2015

RANGOON — An Italian spyware company at the centre of a global hacking scandal has been in discussions with the Burmese government about helping them establish domestic surveillance mechanisms since 2012, a trove of emails released by WikiLeaks has shown.

Communications reviewed by The Irrawaddy show that The Hacking Team offered “lawful interception” and “active IT intrusion” services to Burma’s military intelligence agency as recently as the end of last year.

“The offers were submitted to a Myanmar company which is a preferred supplier of security solutions to Myanmar Military Intelligence,” notes an email dated Nov. 3 last year.

Although the bid appears to have been unsuccessful, it raises questions about the role of international firms in facilitating human rights violations in Burma, a former military dictatorship known for monitoring journalists and activists.

Last October, a spokesperson for a Burmese company claiming to represent the Ministry of Defence contacted The Hacking Team asking them to help set up “offensive” solutions for mobile devices.

“We got your contact from ISS World Training [an international conference on electronic surveillance] in Czech where we visited with two colonels from Ministry of Defence, Myanmar,” writes Aung Lynn Thway, from Naung Yoe Technologies, a Naypyidaw-based technology firm, listing the President’s Office and the Burmese Parliament among its clients.

“MoD is interested in you offensive solution on mobile devices and request us to contact HT on behalf of them.” [sic]

When contacted by The Irrawaddy, Aung Lynn Thway denied being interested in intrusive technology, adding that no deal was ultimately reached.

However, his leaked email notes that “a few suppliers” have approached the Ministry of Defence, suggesting that other companies may already be offering similar services to the Burmese authorities.

“There has been reporting for many years that Singapore-based companies were assisting the Burmese security forces on surveillance,” said David Mathieson, Senior Burma Researcher at Human Rights Watch. “And in light of the massive surge in mobile services in Burma and internet use in just the past couple of years, the Office of Military Affairs Security must be trying to keep pace with these technologies and monitor the opposition.”

The earliest email communications date back to November 2012—mere months after European Union sanctions were suspended—when the Hacking Team spoke of “potential deals with customers from Qatar, Myanmar, Cambodia, Laos, Brunei and many other countries.” According to its website, The Hacking Team only works with governments and government agencies but will not strike deals if there are “credible concerns” that its technology could be used to abuse human rights. They did not respond to a request for comment on their dealings in Burma.

The firm has been the subject of controversy since the transparency website WikiLeaks published thousands of hacked emails on July 8 exposing its financial ties to several authoritarian regimes including Egypt, Russia and Saudi Arabia. It specialises in a Remote Control System (RCS), a type of malware that enables governments and law enforcement agencies to bypass encryption technology to monitor all devices, including mobile phones and computers.

The revelations will likely fuel concerns about ongoing surveillance and privacy breaches in Burma, which began a slow process of democratic reform in 2011. The military continues to wield significant influence and remains largely free from public oversight. According to the Assistance Association for Political Prisoners, over 600 people are either in prison or currently on trial for their political activities.

Human rights activists and journalists report regular monitoring by the government, despite a widening space for free speech since President Thein Sein took office. Earlier this year, student activists who staged peaceful protests claim to have had their phones tapped and Facebook pages hacked by the police. In 2013, US tech giant Google warned several Burmese journalists that they had been the targets of “state-sponsored attacks” on their Gmail accounts—a charge the government has denied.

“It is deeply worrying that Western tech companies are offering spyware to the Burmese military, in an election year where the authorities continue to arrest, monitor and harass democracy activists,” added Mathieson, describing the Hacking Team revelations as a “disturbing example” of international companies prioritizing profits over rights.

“It demonstrates starkly that international sanctions were there for a sound reason, and that was to limit the Burmese security service’s access to technology that could further stifle peaceful political activities.”

In a March submission to the UN, the NGO Privacy International warned that Burma lacks basic data protection and privacy mechanisms, leaving residents increasingly vulnerable to government surveillance and control as the ICT industry develops. There are no laws governing state interception of personal information, although the government has reportedly requested help from the EU to draft such legislation.

“As the ICT industry opens up, the legal framework governing the use of surveillance technology is still in its infancy,” said Edin Omanovic, Research Officer at the London-based Privacy International. “The fact that the authorities are looking for some of the most advanced surveillance capabilities on the market should therefore be of concern to everyone. Without adequate legal safeguards and oversight in place, this technology can be used to target anyone.”

Burma’s Ministry of Information could not be reached for comment on the revelations, despite repeated attempts on Thursday.