TERRY GROSS, HOST:
This is FRESH AIR. I'm Terry Gross. Many of the activists in Arab Spring protests used text messages and social media to communicate and organize events. Our guest, investigative reporter Ben Elgin, has found that some regimes cracking down on protests have acquired new, sophisticated surveillance systems that enable them to hack into protestors' computers, monitor their cell phone calls and text messages, and track their movements.
Most of that surveillance technology was provided by Western companies that are part of a booming new industry that is secretive and largely unregulated. Elgin writes for Bloomberg News, where he and his colleague Vernon Silver have spent months looking into the growing surveillance industry and its connections to repressive regimes. He spoke with FRESH AIR contributor Dave Davies.
DAVE DAVIES, HOST:
Well, Ben Elgin, welcome to FRESH AIR. You have a story in October, which begins with an opposition journalist in Iran who is under arrest. Describe what he experienced and why you began that story there.
BEN ELGIN: Sure, yeah, his name is Saeid Pourheydar, a 30-year-old opposition journalist. And he was very involved with the protest movements that occurred after the 2009 contested presidential elections there. And he would often speak with outside media, such as the BBC and Voice of America.
He was arrested about a year ago and was brought in for questioning, and he was beaten severely. He ended up having four of his front teeth punched and kicked out. And in between beatings, he was interrogated with transcripts from text messages that he had sent, from phone calls he had made.
And these were unbroadcast phone calls that he had had with, you know, media from outside of the country. And he was baffled, you know. How did they get this information? And here it was being used against him in a very severe way. And, you know, things only got worse for him.
At one point, you know, they led him out of his cell and told him that a judge had decided that he was to be executed. So he was brought into another room and blindfolded and handcuffed and, you know, made to stand onto a stool with a tightened noose around his neck.
Saeid, you know, stood there. His legs were trembling and, you know, sweating thoroughly. And he thinks he stood there for about 25 minutes when finally the guard said oh, there's been an administrative mistake, we'll have to do this at a later time.
And it's just the mental torture he went through, along with the physical torture, was extreme. And why we led with this example is just to show the way that this monitoring and surveillance technology is being used against activists inside of these repressive regimes and just what sort of impact that it can have.
DAVIES: Now, what are some of the capabilities of this surveillance technology that you write about?
ELGIN: It's basically to tap into the digital communication, so all Internet use, conversations that are happening over mobile phones or even tracking people's locations, where they go, through their mobile devices, so basically all communications and movements being made.
DAVIES: So email, cell phone calls, text messages?
ELGIN: Absolutely. Yeah. And some of these regimes are utilizing very sophisticated text message-analysis systems. So, basically, all text messages sent - and I should say first that text messages is far more ubiquitous in places like Iran and Syria than Internet access. And so all text messages being sent are copied and stored away in an enormous archive system.
And authorities can then come in later and search. They can search by recipient. They can search by sender. They can search by content. So they can basically say look, I want to know anybody who texted anything about a protest on, you know, December 9th, and all these text messages will come back.
DAVIES: And it's, of course, been written widely that a lot of the protests in the Arab spring, you know, were driven by the use of social media and digital communication. This is obviously a very serious matter for them.
ELGIN: Absolutely. Technology definitely contributed in a significant way, no doubt about that. And it enables these people to connect and communicate, and I think it's in no small part driven by this explosion in communications tools there.
For instance Iran, five years ago, it was something like two out of 10 citizens had mobile phone subscriptions, and now it's something closer to nine out of 10, on par with the United States. So this significant ramp-up in the last five years certainly contributed to this, but what we're seeing is there's definitely a dark side to this technology, as well, and we're just seeing that play out.
DAVIES: You and your partner, Vernon Silver, wrote about the use of some of this surveillance technology in Iran, in Syria, in Bahrain, in Tunisia. To what extent are American or Western firms involved in the technology used here?
ELGIN: Western firms, I would say, are the primary suppliers of this stuff. And these are very secretive deals. Companies do not want to be known as the supplier of message filtering and monitoring software to, you know, the Assad regime in Syria or the Iran government authorities.
So this is pretty secretive stuff, but what we've really focused on over the last nine months was trying to follow this technology and figure out who exactly supplied this stuff to these regimes, how did it get there, and how has it been used against these activists. And what we really found is a number of European, as well as U.S., companies have supplied very important pieces of this technology.
DAVIES: Do you want to take one of the American firms that you have reason to believe has been, you know, supplying this kind of technology to a repressive regime and tell us what they're doing and, you know, how you found out - what they say about it?
ELGIN: Yeah, well, there's the case of Syria. They've been building an Internet surveillance system, and actually engineers have been on the ground since February, and that's coincided with the bloody crackdown there that began in March and has now claimed over 5,000 lives according to the U.N.
And this Internet surveillance system is being primarily built by an Italian company, a company called Aria, you know, they're a wiretapping firm. But they've used key components from other European firms, and a very key component is coming from a U.S. company called NetApp.
And NetApp is a $15 billion market cap company here in Silicon Valley, based in Sunnyvale. And what they do is they provide the storage and the archival system which is usually important, particularly for an Internet surveillance system.
Basically, this system is copying the emails scanning across the network, and they copy these down and put them in a searchable database and so authorities can then come and do searches of this at a later date.
And the size of this system is huge. I mean, early schematics of this proposal, which we were able to obtain through the course of our reporting, had this NetApp system at four petabytes, and I didn't even know what that meant. I mean, I had to look it up. And four petabytes is essentially the amount of data that would be in one trillion pages of printed text. I mean, it's a humongous data system.
And the cost of this was significant, as well. You know, according to the documents we saw, the NetApp component was priced at around 2.75 million euros, which is close to around $4 million. So this is a significant deal.
Now NetApp, for their part, said look, we have no idea how that got into Syria. We just don't understand how this happened, and we're willing to cooperate with government authorities. It was a very kind of terse and short statement that they made, and they since haven't followed up and were unwilling to tell us, for instance, who in fact was the supposed customer was here and who, in fact, is the customer on the software license or the warranty.
I mean, there's a lot more information out there that hasn't been disclosed. But it's a pretty common explanation that we've heard by U.S. companies. They basically say look, we just don't know, it's a rogue distributor, we don't know how our stuff got into Syria or Iran.
DAVIES: So I'm an American company. I made this stuff, and I know I can't sell it legally to Syria or Iran, but I could sell it to somebody else, who sells it to somebody else, and after that it's not my responsibility. That's what you hear?
ELGIN: Absolutely, yes. So in the case of NetApp, we understand that it was sold through an Italian distributor to Aria, who is serving as the general contractor on this big Internet surveillance system within Syria. Now, we do know that there were some direct communications between NetApp and Aria. You know, we've seen emails, you know, of correspondence.
But yeah, basically, it's perfectly legal for NetApp to sell this to this Italian distributor. What would be illegal is if this was sold into Syria. So they're basically saying look, we sold it to Point B; we have no idea how it got to Point C.
DAVIES: In Syria, you said that there was this Italian-based firm, which was setting up this big monitoring network while the protests and the repression was going on. Was it ever operational that you know of?
ELGIN: From what we understand, it got up to a test - a kind of a testing mode, right. They had most of it built, and they were testing to see how it worked, and there were some technical hiccups going on. And what occurred is we wrote about it, and there was just a bit of a firestorm of protest and indignation about it, and Aria has said a couple weeks ago that they will not proceed with this technology, and they're going to pull out of the deal.
Now, so it looks like it's being stopped. However, you know, as journalists we need to follow this up and to make sure that in fact that has occurred because from we gather all of the technologies there, you know, the NetApp storage and archiving system that we discussed earlier, I mean, that's there. And so is it at a point now where somebody inside of Syria can just finish up the wiring and have this thing, you know, become activated? We don't know.
But yes, indeed, that was built to near completion and was in a bit of a testing mode.
DAVIES: We're speaking with Bloomberg News investigative reporter Ben Elgin. We'll talk more after a short break. This is FRESH AIR.
(SOUNDBITE OF MUSIC)
DAVIES: If you're just joining us, we're speaking with Ben Elgin. He's an investigative reporter for Bloomberg News who has spent months looking into sophisticated surveillance technology, which has been exported to Middle Eastern countries and in some cases used in repressing protests there.
Let's just talk a little bit about the scale of this surveillance technology industry. How big is it? How fast is it growing?
ELGIN: Yeah, it's booming. You know, so it really got its legs after 9/11, and we've heard estimates of between $3 and $5 billion in terms of the market size for this. And one kind of way to illustrate this is there's a trade show that's sort of like - it's known as the Wiretapper's Ball, and it's sort of the place where all the intelligence agencies across the world gather with the technology companies.
And there they make deals and discuss the latest and greatest, and the Washington Post actually had a really good story on the ball, you know, a couple weeks ago, and they basically described how there was 35 people at the original show in 2002, and now it's - you know, the latest show had something like 1,300 attendees. I mean, it's become a very big business.
And U.S. agencies are frequently there. At the most recent one in Washington, there were apparently 35 U.S. federal agencies, everything from the FBI to the Fish and Wildlife Service are there checking out the technologies.
DAVIES: So they're not there as regulators there, they're there shopping?
ELGIN: Absolutely, and the U.S. government has been much more of a customer on this subject than they have been a regulator. You know, there's been some talk of investigating how U.S. technology ended up in Syria, but I still haven't seen any formal investigation begin.
DAVIES: Now at this big expo, where all the buyers and sellers gather, I assume they don't let journalists in?
ELGIN: Yeah, I should have mentioned that, and my colleague Vernon Silver in Rome has attended a couple of these shows but has not been allowed entrance. And they have security guards at the door, and they're very strict. You have to have an invitation. You have to work for a security agency or one of these companies selling the technology in order to enter.
So it's top secret. And some of the sessions at these shows are just remarkable. They do publish the agenda online, and so you can see the types of things that they talk about. And, you know, in this upcoming show in Dubai in February, there's a session on government IT hacking and how government agencies can essentially penetrate the computers or cell phones of would-be targets, you know, their citizens.
So that's the sort of stuff that gets discussed.
DAVIES: Yeah, any other examples that really, you know, bring your eyebrows up?
ELGIN: Well, yeah. There was a couple - actually, it looks like there's a panel of discussions on social network analysis, right. So I think governments are really wary of the rise of Facebook and other types of social networking sites. And they want to be able to tape in and analyze and mine this data and figure out, you know, who the key players are and how to determine - you know, make sense of this mishmash of connections.
So there's a whole number of sessions on mining and sifting through this and understanding it in an intelligent way.
DAVIES: So it isn't just hacking in, getting access, it's also how you accumulate and sort the data?
ELGIN: Absolutely, because that's one of the key things here with this eavesdropping and surveillance. They get so much information, right. I mean, for instance, in these text-message systems, where they're essentially taking copies of all text messages flowing over the network, I mean, it's just an avalanche of data. So how do you then roll up your sleeves and dig into it and actually have some usable intelligence out of that? So it really is a data analysis problem.
DAVIES: You know, surveillance, you know, by governments has been around a long time. I mean, you know, there's been phone-tapping, I don't know how many decades by the FBI and other law enforcement. And the way I pictured that happening is that they go to some official infrastructure or utility, like the phone company, where all this - there are trunks where all this data, whether they're phone or Internet, gets routed through.
And you come in the front door with an order, show you have the authority to do this, and then with the people who run the systems, you go through and find what you need. It seems like some of this new technology is completely different, right. It's designed so that you can set up something somewhere, surveil a wireless network. I mean, it's very different, isn't it, really?
ELGIN: Hugely more complicated, and yeah, I mean, communications have just changed dramatically over the last 20 years, and I think that's - that has been a big reason why this industry has just exploded. The number of surveillance companies providing this technology has leapt forward.
Yeah, and so we're basically seeing a multitude of different ways. You know, oftentimes, you know, there still are say network probes that are sort of similar to they say the tapped phone lines from 20 years ago, where just stuff is sitting on the network and pulling off, say, emails of interest or text messages of interest.
But then there's what we're seeing now, more intrusion-like technologies. For instance, the issue of Skype is very troubling for some authorities, because it's an encrypted way to communicate over a computer. And if you're sitting out on the network, it's very difficult to determine what is being said during a Skype conversation.
And so one way around that is to put some intrusion technology on the target's computer. So basically you're seeing all the keystrokes and hearing the conversation before it becomes encrypted. And so there are some technologies that boast about their abilities to do this. One is a UK company called Gamma Group, and they make a product called FinFisher, and basically what it does is they get onto people's machines through, say, fake iTunes updates, right.
So somebody thinks they're downloading a piece of software off the Internet, but in fact they're downloading this piece of spyware, and now the government has full access to the person's - everything they type, everything they say, et cetera.
DAVIES: Are there some applications that will allow a government to activate the little camera on top of your laptop and then use that to do photographic surveillance of a user?
ELGIN: Yeah, actually, it's pretty interesting. That same product I was just talking about, FinFisher, bills its ability to do that, as well. So not only are - you know, is this piece of hidden code on a target's computer logging every keystroke and everything being said, but they also boast about their ability to activate the webcam or activate the computer's microphone without the target knowing about it.
It's actually somewhat humorous. WikiLeaks just released about 300 marketing brochures about the surveillance industry, and one of them was a video - a marketing video for FinFisher, and it's pretty humorous. They've got this ominous techno music in the background, and it's an animated video, and they basically show somebody, you know, downloading, by accident, this fake iTunes update, and then all of a sudden it pans over to the security authorities, who now have full access and are looking at the person typing away because the webcam has been activated, the microphone is activated, et cetera.
GROSS: Ben Elgin will continue his interview with FRESH AIR contributor Dave Davies in the second half of the show. Elgin is an investigative reporter for Bloomberg News. I'm Terry Gross, and this is FRESH AIR.
(SOUNDBITE OF MUSIC)
GROSS: This is FRESH AIR. I'm Terry Gross. Let's get back to the interview FRESH AIR contributor Dave Davies recorded with Ben Elgin, an investigative reporter for Bloomberg News who's been looking into Western companies that sell surveillance technology to repressive regimes like Iran and Syria. Those regimes use the technology to hack into the emails, text messages and cell phone calls of protesters and dissidents. These Western companies are part of a growing surveillance technology industry that is secretive and largely unregulated.
DAVIES: So I want to talk about the rules that govern the manufacture and trade of some of the sophisticated technology. First of all, is it legal to - for somebody to manufacture something that allows me to send out a dummy iTunes update program, and then when I fool somebody into downloading it, allows me to take over their computer, read their email, you know, monitor their movements through the camera on the laptop? Is it legal to manufacture this stuff?
ELGIN: Well, that'll depend on where it's being manufactured and where it's being sold. But I believe it is. I mean, in this technology - for instance, this FinFisher technology that is - that we're discussing here with the fake iTunes update and how it's implanted on computers, I mean, it's built by a UK company. It's distributed by a German partner, and it showed up - for instance, a test pilot project of FinFisher showed up in Egypt. So this type of technology is showing up in a lot of different places.
I don't know whether that would be illegal in the United States, actually. It's a good question.
DAVIES: Of course, surveillance technology is used a lot by law enforcement. So, presumably, a lot of this stuff has a legitimate use, right?
ELGIN: Yeah. Absolutely. And, for instance, location targeting, you know, it can be very invasive, right? If you're an activist in Iran, you know, you definitely don't want government miners to know where you're going at all times and who you're meeting with. So there's this negative side. But at the same time, you know, this is usually important if you're trying to track terrorists or drug dealers.
And, you know, in the United States, we have this technology, like if you call 911 on your cell phone, well, it can identify roughly where you are. So there's some beneficial uses to this, and there's some beneficial law enforcement uses to this technology. And it's the key question is: How can it be used? And is a warrant needed to use this information, or can a, you know, a security agent just come in and grab it whenever they want?
DAVIES: Right. And I guess that presents the dilemma when we're talking about exporting the technology, because if you sell it to a sovereign state that has its own procedures, you know, its own courts, its own, you know, criminal justice system, are you essentially trusting that state to make proper use of the technology?
ELGIN: Absolutely. And that's what it comes down to. And, you know, what we heard from a couple of these companies who were selling this stuff - so, selling location-targeting stuff to, say, Iran - they made the argument that, you know, look. We're not selling it to the government. We're selling it to this mobile operator inside of Iran. So that's the customer. But there really isn't a distinction there.
We talked to a number of engineers who work for these mobile operators inside of Iran, and they basically told us that, you know, when the government wants something, when they want us to set up certain technologies or when they want to get at certain information, we have to provide it. It's a part of our license to operate here, and the technology would be used as the government sees fit.
DAVIES: Now they're are countries - Iran and Syria among them - where there are, in effect, trade embargoes that would cover this kind of material, at least from the United States, right?
ELGIN: These laws are there, but there isn't much oversight. There isn't much investigation going on. So, for instance, these 2010 Iran laws, there have been no companies identified for selling this stuff. And the U.S. Government Accountability Office actually just had a report this summer, and they were charged with trying to research who, in fact, is supplying this stuff to Iran. And the report they published came back and basically said: We can't identify anybody. This is a very secretive industry, and there's no way for us to determine this.
DAVIES: So we've got a problem here. I mean, if this sophisticated, you know, surveillance technology is going out to all kinds of places that are making horrific uses of it, who's responding? Is, I mean, the United Nations, the European community, human rights activists?
ELGIN: Yeah, all of the above. And, for instance, the EU just adopted some new legislation earlier this month which basically prohibits the sale of - or the export of surveillance and monitoring technologies into Syria. So we're seeing the rules sort of evolve and get a little bit stronger inch by inch, if you will.
One other group we've seen sort of weigh in on this has been sort of the online activist community. There's a group called Telecomix, a group of online hackers, if you will, and they were actually the ones who first discovered another U.S. company being used inside of Syria, a company called Blue Coat Systems. And their technology was being used to filter and block websites.
And Telecomix was able to get its hands on some server logs and were able to see, okay. Well, this is, these are Blue Coat Systems being used to block these websites. And they ended up publishing the data, and Blue Coat has gotten into some hot water over it. And Blue Coat is one of these companies that also says, look. We have no idea how it got here. And, you know, and with these online activist groups also digging in and trying to learn who is being sold where, I think the pressure is becoming a little more intensified on these companies.
DAVIES: Yeah. I just was going to ask, from your observation of the industry, does it seem like companies that are making this stuff feel pressure to change what they're doing?
ELGIN: I, you know, I think so. I think when a spotlight is upon them, the behavior changes. I mean, we saw that with this Syria Internet surveillance system. It was moving ahead, and then suddenly, people knew about it. And then all the companies, you know, swore they didn't want anything to do with it. So I think as long as this industry is very secretive, I think companies - I mean, it's a lucrative business. You know, these are - these contracts are worth millions and millions of dollars.
You know, the Syria Internet surveillance system was worth around 17 million bucks. So these companies are going to pursue these deals if, you know, if it can be done without any reputational damage. But, you know, with journalists looking at it, with online activist groups looking at it, human rights groups, you know, politicians beginning to flex their muscles a little bit, I think the pressure is starting to be felt.
DAVIES: And it raises the question: How do you report on this stuff? I mean, you know, these are - these aren't companies that generally, I suspect, provide a lot of information about what they're up to.
ELGIN: Yeah. It's been really - it's been a sort of a - as an investigative reporter, it's a fun project. But it's - shoe leather reporting is what - is how I describe it. It's trying to find people who have worked on these projects, people who have worked at these mobile operators within these repressive regimes, people who have worked for these surveillance companies, building, selling and installing these pieces of equipment.
DAVIES: Can you tell us about one of those people?
ELGIN: You know, I actually mentioned one person in the Iran story, you know, a former Ericsson engineer, a wonderful guy, a man named Siavash Fahimi, and he had worked on some of these technologies there in Iran. And he ended up being - not only had he built some of these technologies at Ericsson while in Iran, he became caught up in the protest movement after the elections of 2009, and he was arrested. And he was beaten and put into prison and interrogated 14 times over 50 days.
And, you know, during these interrogations, not only was he presented with these text-message transcripts, he was presented with a very sophisticated diagram of who he had called, and then who those people had called. And there was this big kind of spreadsheet of connections there, and he was interrogated on every, you know, person within his network of contacts.
And so here he was saying, you know, gosh, not only did I build this technology, but here I am seeing sort of the dark side of it in action. The damage that can be done was suddenly very clear to him, and I think that led him to talk. Siavash has since fled the country, which made it easier for him, right. He's now in Turkey awaiting asylum to get to the United States.
DAVIES: And in the countries where this stuff is operating, are people figuring out ways to get around this surveillance technology?
ELGIN: Yeah. They're working on it. So there are a number of companies that provide people sort of an anonymous way to use the Internet. So one of these companies in the U.S. is a firm called Tor, and, you know, they get funding from the State Department. And basically what they do is they provide a tool which allows people to use the Internet anonymously, and this could be effective in places like Iran.
The problem is Iran's technology, the regime's use of technology is getting so sophisticated that they are sometimes able to knock Tor users off, right. So they're basically able to determine, you know, packets traveling across the Internet are cloaked by Tor, and therefore they can block them from proceeding. It's sort of a cat-and-mouse game, and Tor will change how it does business and, once again, be able to help people. But then the - Iran's regime will figure out, you know, the changes made and address them. So it's really a kind of a high-stakes cat-and-mouse game right now, but there are ways that these activists are trying to get around the restrictions put into place.
DAVIES: You know, since you've done this reporting, has it changed the way you think about your use of email or text messages?
ELGIN: Yeah, particularly when emailing and texting with people overseas and with would-be sources, absolutely. Yeah. I mean, I began very carefully choosing the words I would use in communications to people, particularly if they're inside of these countries. I mean, I don't know what triggers the filters there. Sometimes I would seek out people's help, human rights activists and such who have worked in these countries, and just trying to get a sense for: How can I effectively communicate with somebody inside of these countries?
Phone calls, you know, very difficult to do, and I would sort of leave it up to would-be sources to tell me when they thought it was potentially safe to do that. I would opt more often to try to get people onto Skype, which provided at least another layer of security to have a conversation.
DAVIES: Well, Ben Elgin, thanks so much for speaking with us.
ELGIN: Thanks, Dave.
GROSS: Ben Elgin is an investigative reporter for Bloomberg News. You'll find links to his reports on surveillance technology on our website, freshair.npr.org. Elgin spoke with FRESH AIR contributor Dave Davies, who is senior reporter at WHYY. You can read his blog, Dave Davies off Mic, at NewsWorks.org.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.