hacking team

Report Reveals Colombia’s “Shadow Mass Surveillance System”

Colombian law enforcement and intelligence agencies have been significantly expanding their ability to intercept electronic communications for more than a decade with help from private firms in the US, Europe, and Israel. According to a new twopart report by the human rights group Privacy International, these companies have helped Colombia construct a “shadow mass surveillance system in the absence of clear lawful authority, safeguards against abuse and opportunities for public scrutiny.”

“There is a big gap between the general public knowledge about the capabilities of the State and the real technical capabilities of surveillance the State has and employ[s],” Carolina Botero, an investigator from the Colombian technology advocacy group Fundación Karisma, wrote in an email. “We know a lot of what happens in the US, UK or Europe in general. [Former US national security contractor Edward] Snowden did a great job revealing this information. In the meantime there is little knowledge of the capabilities in the south.”

The report raises concerns given the increasing threats faced by various public figures in Colombia. At least 40 activists, journalists, politicians and community leaders were killed last year. Past experience suggests that expanded surveillance capabilities may have helped catch major criminals. But they don’t seem to have made Colombia a safer place for freedom of expression. Instead, these technologies have sometimes been used to target those in need of protection.

According to Privacy International, Colombia’s intelligence and law enforcement services began quietly building the country’s first mass surveillance platform in 2005. The Integrated Recording System, or IRS, was created for bulk monitoring of 3G mobile phone communications. Colombia’s security agencies later obtained a system known as the Single Monitoring and Analysis Platform, or PUMA, which intercepts data on a mass scale from “backbone” telecommunications cables and funnels it to monitoring centers located around the country.

The initial set-up of the IRS and PUMA systems was provided by Verint, an Israeli-American company that reportedly helped the US National Security Agency install similar technologies to monitor the communications of American citizens. Verint has also been accused of exporting its mass surveillance technology to Central Asian governments with well-known reputations for political repression.

In 2013, an Israeli company called NICE Systems won a $26 million contract with its Colombian partner Eagle Commercial to expand PUMA into “Super-PUMA,” including upgrading the system to handle newer 4G traffic. Leaked emails surfaced a few months ago showing NICE Systems also acted as an intermediary in a $335,000 sale of spyware from the Italian firm Hacking Team to the Colombian police. The emails further indicated the U.S Drug Enforcement Administration (DEA) uses Hacking Team products capable of monitoring “all the traffic” from Colombia’s internet service providers.

The Privacy International report also describes how the DEA helped the Colombian government develop a targeted telecommunications interception system called “Esperanza” in the early 2000s. The Colombian company STAR Inteligencia & Tecnología provided much of the technology, sometimes using products from the US-based security contractor Pen-Link and UK-based Komcept Solutions.

Esperanza enables targeted surveillance that relies on active “tasking” by human users and supposedly requires specific judicial authorization, such as a warrant. However, Privacy International notes that “even the most tightly regulated of lawful interception systems in Colombia, Esperanza, has been subject to abuse by government agencies.” In 2009, it was revealed that the now-disbanded Administrative Department of Security (DAS) had illegally spied on hundreds of public figures including politicians, judges, journalists, and activists, allegedly using the Esperanza system. The head of the agency at the time, Maria del Pilar Hurtado, was recently sentenced to 14 years in prison for her role in the scandal.

In addition to enabling bulk surveillance of Colombians’ communications, private corporations from the US, Europe, Israel and elsewhere have offered the country’s police an array of “tactical” surveillance gear, like audio and video recording devices that look like child car seats, credit cards and other everyday objects. Many foreign companies also sell IMSI catchers, also known as “stingrays” or “cell site simulators,” which can intercept cell phone communications and track the location and movements of a large number of users.

Privacy International says that rather than helping Colombia obtain accountable and legally-authorized communications interception capabilities, some tech firms have contributed to “overlapping, unchecked systems of surveillance that are vulnerable to abuse.” The report recommends the Colombian government conduct better oversight of how these technologies are being used. It also recommends exporter countries and the international community exert greater controls on the companies supplying these products. “No more than a handful of individuals within the industry appear to have adequately considered the human rights impact of their businesses,” it reads.

The decades-long armed conflict in Colombia has left more than 200,000 dead and millions more displaced from their homes, with widespread atrocities committed by both state and non-state actors. Botero wrote that having lived through such violence had led many Colombian citizens to “truly believe that national security is more valuable than other rights,” including privacy. However, Botero says that a final ceasefire between the government and the main rebel group, which may come soon, would leave “no more excuses for Colombians to resign privacy any longer.”

“There’s no doubt that even if one is not doing anything illegal, there are decisions one takes privately and shouldn’t be forced to disclose to random government analysts,” Botero wrote. “There is a false dilemma when we are forced to choose between security and privacy particularly when security is not an end in and [of] itself.”