Bogota, December 9, 2015
On December 7, in an interview aired on “W radio”, General Palomino, the head of the Colombian National Police, was asked about the fact that a journalist working for Vicky Davila’s team investigating police corruption saw some information disappear from his computer. This journalist described how the mouse arrow moved before his very eyes, as if possessed, and deleted information. To this question, the general answered that he didn’t think that the police had the capacity to do this. He said: “I don’t think the police has devices capable of interfering and manipulating at a distance.” For Karisma Foundation, General Palomino’s response is naive at best, since it has been demonstrated that Colombian authorities have purchased remote control tools as part of their surveillance technology. General Palomino’s response disregards the risks and problems that were monitored and reported by Karisma regarding Colombia’s legal framework and law enforcement practices.
Privacy International, a British NGO, and Karisma Foundation described in a recent report that the Colombian police has a significant communications interception structure, shown in the infographic “Colombia’s wiretapping systems uncovered”. What is most concerning in the light of recent news is that even this analysis appears out of date.
Karisma Foundation rejects the abusive and illegal surveillance to which journalists were apparently subjected. In order to contribute to the public debate we will analyze below General Palomino’s words in the light of known State capacities for using remote control tools, commonly known as “hacking” tools. We shall also explain how the reach provided by this capacity means that its use by law enforcement would require a reform in the law. Until this is done, its use remains illegal.
First we must establish whether existing public information is sufficient to assert that the police has hacking tools. The answer is a resounding yes.
Following the Hacking Team scandal in 2015, the police admitted that it had purchased remote control tools. The information leaked about the company Hacking Team, regarding the hacking or remote control tools it sells to governments, established that the National Police Directorate (DIPON), using the PUMA budget, carried out two procurement operations through intermediaries in order to obtain tools offered by this company in the international market. The first contract is valid until 2016, whereas the second contract was still in process when the scandal broke out. Hacking Team’s offer is an example of the remote control tools that can do precisely what the journalist in Vicky Davila’s team described, in which the computer behaves as if it were “possessed” and an external party can control it at a distance to, for example, delete files.
If the police has remote control tools, the next step is to determine whether they have used them. Again, the answer is yes. In fact, although the media hasn’t been very prolific in providing information about how the authorities employ these tools, Karisma Foundation has followed the news about this topic and we can say not only that the police has these tools, but that there is public information that allows us to say that they do use them:
Hacking Team. The Hacking Team leaks in 2015 also revealed details about the use of these tools by the police that haven’t yet been contested. Among the documents leaked there are emails originating from Colombian Police accounts asking Hacking Team for “exploits” to be used in 2015. These emails show the Colombian Police asking Hacking Team to prepare files used to infect target devices in order to control them and gather information from them. It isn’t possible at this time to know whether this took place as part of legitimate surveillance operations or not. What is documented is simply the fact that police emails repeatedly request files that would initiate this type of action.
The 13 people accused of committing terrorist attacks in Bogotá in 2015. Also in this year, the news coverage of the way in which the suspects in the bombings at calle 72 with carrera 10, and at carrera 13 with calle 46, were identified includes a description of police use of information obtained from the suspects’ cell phones. In this case, the most probable way this information was obtained is through the use of UFED, a universal forensic extraction device for mobile phones. By using software associated with this tool, they could analyze the information to establish a network of contacts. This news item recounts the various tools, other than “hacking” tools, used by the police to similar ends. In this case, however, these tools were used as part of a criminal investigation.
Andromeda. In 2014, news about Andromeda suggested that the military intelligence front was used to “wiretap” the negotiating teams participating in the peace process (both the guerrilla’s and the government’s) in Havana. From there, military and civilian “hackers” had gained access to emails and other information relevant to the negotiation, and it was even claimed that they had wiretapped journalists and others who opposed the peace process. Little is yet known about these activities and the tools that were used. However, an article published today, December 9th, with our input for ENTER.CO confirms not only that members of Andromeda were accessing information about the peace process and doing business with it, but also that around the time when Andromeda operated, a Remote Control tool was used pointing at the same server that hosted the Buggly webpage -the hackerspace that served as a front for Andromeda-. This information suggests that, even though they also don’t have the power to legally do so, military intelligence officials also have the technological capacity for communications interception, and that even less is known about how they
It is clear that, contrary to what General Palomino believes, even before the details of this new scandal emerge, we know that the police not only has these capacities but also a variety of related tools. Moreover, there are a number of documented cases in which they have made use of these tools. The central problem is precisely that these tools provide such enormous capacity to intrude in people’s private lives, that their power surpasses even that of many Colombian public figures, as was shown by the Colombian security agency DAS in its well-known wiretapping case.
Communications surveillance tools are much more intrusive today than the oft-used image of a person listening in on a telephone conversation. When a telephone is tapped, one has access to someone’s communications only from the moment such interception begins until it is terminated. Current surveillance capacities allow the intruder to virtually take possession of another’s device and to know people’s online activities, read their email traffic, and have access to everything contained in the device (contacts, browsing history, files, etc.) and even control peripheral devices (turn on cameras and microphones to see and listen to its surroundings). Surveillance is maintained for an indefinite period and regardless of who is using the device (for instance, a home computer may be used by all household members). These features and their potential for abuse -which materializes with each new scandal of illegitimate surveillance of journalists, human rights advocates and political opponents- force us to assert that not only have abusive intelligence practices not stopped, but that there are major issues with the current legal framework, which is outdated and lacking in the necessary controls to prevent the type of abuse reported here.
The analysis piece titled “When the State Hacks”, published today by Karisma Foundation, delves into the nature of these tools and their risks, and exposes how their current use by Colombian authorities is illegal. Karisma Foundation believes that the authorities must have all the necessary tools to fight crime, but they must have them under legal mandate, affording greater protections to citizens, providing legal certainty to the authorities, and aiming for some degree of trust in citizen-authority relations in order to prevent abuses and illegitimate access. General Palomino’s response is therefore rather unfortunate. It minimizes and ignores the Government’s surveillance capacity, and in particular that of the institution in his charge. More troublesome still is that by doing so he is avoiding a deeper discussion about the risks to people’s privacy associated with the use of these tools.
Karisma Foundation has published an infographic (Spanish) as well as its analysis of Remote Control tools as a contribution to this public discussion. If this topic is of concern to you, please share these documents with General Palomino (@GeneralPalomino), and with the members of the Intelligence Law Commission -the only body enabled to exert some control over this activity- (@jaimeduranbar @jimmychamorro @PaolaHolguin @carlosfgalan @MIgueBarretoC @OPedroorjuela @Tatacabello) by using hashtag #ElTalHackeoSíExiste so that in 2016 this debate takes place and our rights to privacy, freedom of speech and freedom of the press are protected.
*“Hacking” is an expression that identifies an ethic of providing access to technology to empower people, and was later understood as the activity of finding vulnerabilities in information systems, essentially with the goal of reporting them and repairing them. Finally, it began to be used in the sense of seeking vulnerabilities in information systems in order to exploit them illegally. For Karisma, the correct expression when one “hacks” to cause harm is to “crack”, so using the expression “hacking” in this sense is incorrect. However, this is the popularized use. For ease of understanding, we have decided to use the term “hacking” to mean “cracking” in this document, although we are aware that this is only one of the meanings of this word.