KUALA LUMPUR, Dec 30 ― A tech blogger today released documents showing two payments from a local company to Hacking Team, which he said were evidence that Putrajaya had purchased spyware from the Italian security firm.

Keith Rozario uploaded on his blog copies of two telegraphic transfer slips ― one for €38,500 (RM170,270) dated September 25, 2013, and another for €210,000 (RM899,157) dated December 29, 2014 ― from Miliserv Technologies Sdn Bhd, based in Shah Alam, to the Milan-based Hacking Team.

“Hacking Team sold its specially crafted spyware to at least three agencies within the Malaysian Government,” Rozario wrote.

He claimed he was already in possession of the documents months ago when the issue was first highlighted but decided against releasing them for reasons that he did not state.

But after Minister in the Prime Minister’s Department Datuk Seri Azalina Othman Said told Parliament last month that Putrajaya had no information on the alleged purchase, Rozario said he decided to go ahead and publish the payment slips.

“Next time ask your PR guys to call me before you go setting your pants on fire,” he wrote.

He added that if it were true that Putrajaya had not procured spyware from Hacking Team, the government should then investigate Miliserv Technologies for making such large payments to the firm.

According to Rozario, the spyware allegedly purchased by Putrajaya was meant for specific individuals and not for mass surveillance.

He admitted that it was not uncommon for agencies like the police or the military to require the use of such technology for their work.

“But it’s not the equipment that’s being questioned,” he pointed out. “It’s the manner in which that equipment is used that is so controversial. Is it used with a warrant? Is it used for catching criminals, or criminalising politicians (and their lawyers)?

“So there is no need to deny buying it (this is where BN’s [Barisan Nasional] PR people should have called me), Datuk Seri should have just stated categorically that we did procure the spyware, but we used it specifically for on-going criminal investigations in accordance with all relevant Malaysian laws,” he added, referring to Azalina.

In a parliamentary reply on November 23, Azalina denied that the Prime Minister’s Department had purchased any spyware from Hacking Team.

Prime Minister Datuk Seri Najib Razak told Parliament on December 1 that Putrajaya did not have any information on its alleged purchase of Hacking Team’s Remote Control System (RCS) software to spy on Malaysians.

Rozario wrote last July that the Malaysian Anti-Corruption Commission (MACC) and the Prime Minister’s Department had bought Hacking Team’s spyware through Miliserv Technologies, which describes itself on its website as a 100 per cent Bumiputera company registered with the Finance Ministry, founded to provide “advanced digital technology products” in IT and intelligence gathering.

The tech blogger said today the Hacking Team leaks showed carrier files, which are used to embed spyware, titled “Pengundi Asing” [Foreign Voters] that purportedly showed how foreigners supposedly voted in the general election, as well as “Dakwat Kekal” [Indelible Ink] that mentioned rumours on how indelible ink was used in the Malaysian polls. Phantom voters and the use of indelible ink were controversial topics in the last general election in 2013.

“Besides the fact that the government was essentially spreading rumours about itself, these carrier documents don’t point to ISIS terrorist(s) or hard core gangsters. These point to the average citizens, and specifically opposition supporters,” he said.

In July, an unidentified hacker, or a group of hackers, leaked Hacking Team’s internal documents, source codes and email communications, revealing invoices that showed the Prime Minister’s Office (PMO) and the MACC buying the RCS software from the Italian company.

An excerpt of the invoice published in a report by CSO Online listed the PMO as an “Active” client as at March 31 this year, while MACC’s maintenance contract was listed as “Expired” as at January 31 last year.

Invoices contained in the released data, torrented by the hacker who goes by the name Phineas Fisher, showed other countries purchasing the RCS spyware from Hacking Team, including Russia, Saudi Arabia and the US.

According to Ryan Gallagher, a journalist from US news website The Intercept who specialises in government surveillance, the RCS software allows Hacking Team’s clients to steal photographs and documents from one’s devices, as well as to record audio from Skype or phone calls, copy text and WhatsApp chat messages, and even to turn on the location function on one’s phone.