KUALA LUMPUR, July 8 — The news that the Malaysian Government uses spyware developed by a Milan-based company called Hacking Team has got an Internet rights organisation calling for an independent probe, while a lawyer pointed out that such use on citizens would be unconstitutional.
Khairil Yusof, cofounder of the Sinar Project, an NGO (non-governmental organisation) that advocates transparency in governance, said that Members of Parliament (MPs) should call for the establishment of a bipartisan parliament oversight committee to ensure that the Government “is not doing anything illegal, in this case digital spying of citizens.”
“There must be a PAC inquiry on this, and the findings made public on possible unconstitutional government actions,” he told Digital News Asia (DNA) via email, referring to the Malaysian Parliament’s Public Accounts Committee (PAC).
“We also repeat the call that there is a strong need for a civil society digital rights watchdog, with technical and legal capacity to ensure continuous monitoring and to hold government accountable for issues such as this,” he added.
News that Malaysian government entities had been using Hacking Team’s spyware broke after the Italian company was hacked over the weekend and details were posted on its Twitter feed. Note that as at press time, the Hacking Team website was offline, although because it uses CloudFlare technology, snapshots of some sections like its Customer Policy page could be viewed.
Hacking Team said it goes to “great lengths” to ensure that its Remote Control System (RCS) software is not sold to repressive regimes or those with questionable human rights records, but The Guardian reported that in 2013, Reporters Without Borders named the company as one of the “corporate enemies of the Internet.”
The leaked information showed that it has sold its software to countries such as Azerbaijan, Bahrain, Colombia, Egypt, Ethiopia, Honduras, Kazakhstan, Malaysia, Mexico, Mongolia, Morocco, Nigeria, Oman, Panama, Russia, Saudi Arabia, Sudan, Thailand, Tunisia, Turkey, the United Arab Emirates, and Uzbekistan. Other RCS customers include the Australian Federal Police, the Defence Department and Drug Enforcement Agency in the United States, the South Korean Army, and even the Infocomm Development Authority of Singapore (IDA).
Three Malaysian government entities were named in these records: The Malaysia (sic) AntiCorruption Commission, the Prime Minister (sic) Office and an unknown entity known only as Malaysia Intelligene (sic).
The Malaysian Anti-Corruption Commission (MACC) is no longer an active customer, and it is not known why the Prime Minister’s Office (PMO) would see the need for spyware.
These purchases were routed through a Shah Alam-based company called Miliserv Technologies, which despite its name, describes itself as being in the business of supplying and installing telecommunications equipment, according to records with the Companies Commission of Malaysia (CCM).
The company was registered in 2005, with a total authorised capital of RM1 million, of which RM750,000 has been issued.
Currently, it is not known exactly what the implicated government entities were using Hacking Team’s RCS software for, but civil liberties lawyer Syahredzan Johan said that if it was indeed true that the Malaysian Government was spying on its people, “then major violations of our fundamental liberties would have taken place.”
“Article 5 of the Federal Constitution provides that all persons have the right to life and personal liberty. Personal liberty here includes the right to privacy, as recognised by the Federal Court,” he said.
“So the law recognises the right to privacy. Spying on citizens is a violation to this right to privacy. As such, it contravenes Article 5 of the Federal Constitution,” he told DNA via Facebook.
When asked what recourse was open to Malaysian citizens, Syahredzan said they would first have to obtain proof that the Government was indeed spying on the people. “Undoubtedly, this would not be an easy task. The Government would not readily admit such a thing.
“But if proof is somehow obtained, then the subject can bring the case to court by suing the Government.
“Outside of the courts, citizens can always pressure the Government to reveal whether it has indeed spied on its citizens. Non-violent actions such as protests and petitions may be useful to advocate for the Government to respect our privacy rights.
“Unfortunately, the right to privacy is not a big ticket issue in Malaysia, so there are not many ‘privacy activists’ out there,” he added, echoing the views of Sinar Project’s Khairil.
When asked if the use of spyware such as RCS could be legitimate if only used against foreign nationals, Syahredzan said that it would still constitute a violation of constitutional rights. “Certain rights are accorded to all persons, not just Malaysians, and the right to life and personal liberty is one such right,” he said.
The Malaysian Government has been tightening and strengthening some of its security laws over the last few years, citing the need to combat terrorism and violent crime. It introduced the Prevention of Terrorism Bill (POTA), amended the Sedition Act which it had previously promised to repeal, and amended the Security Offences (Special Measures) Act 2012 (Sosma).
The Sosma amendments legitimise wire-tapping against suspected ‘hardcore criminals’ and human traffickers, although the law itself was first passed as an anti-terrorism and national security measure.
When asked if the Government could legitimise spyware use if it came under Sosma, Syahredzan said the law does allow the Government to intercept communications, but for ‘security offences’ — terrorism, treason and so on. “More worryingly, the Criminal Procedure Code allows the State to intercept, listen or record any message or communication received through any communication if it is likely to contain any information relating to the commission of a crime,” he said.
“Worse still is the fact that the State can use this information against the person in court. These provisions have not been challenged in court, but I believe that they are in fact unconstitutional for being in breach of Article 5 [of the Federal Constitution],” he added.
Not the first time
According to a research report from The Citizen Lab, Hacking Team’s RCS can capture data that is stored on a target’s computer even if the target never sends the information over the Internet.
It can copy files from a computer’s hard disk, record Skype calls, e-mails, instant messages, and passwords typed into a web browser. Furthermore, RCS can turn on a device’s webcam and microphone to spy on the target.
This is not the first time Citizen Lab, from the University of Toronto’s Munk School of Global Affairs, has looked into spyware use. In 2013, it traced command and control (C+C) servers for the FinFisher (aka FinSpy) spyware from UK-based Gamma International to 25 countries, including Malaysia.
Citizen Lab however noted that the discovery of a FinSpy C+C server in a given country cannot conclusively indicate that the country is using FinSpy on its citizens.
Much like RCS, FinSpy captures information from an infected computer, such as passwords and Skype calls, and sends the information to a FinSpy C+C server.
In March 2013, industry regulator the Malaysian Communications and Multimedia Commission (MCMC) initiated an investigation against news portal The Malaysian Insider for running a report that said the Malaysian Government was using FinFisher to spy on its own citizens, based on a blog post in the New York Times.
Be that as it may, in May 2013, cybersecurity firm F-Secure noted that Gamma company executives were present at the ISS World 2011 surveillance software trade show in Kuala Lumpur.
The MCMC had not responded to DNA’s request for comments on the Hacking Team issue as at press time. — DNA