A high-ranking official in Hong Kong’s corruption watchdog reached out to a cybersecurity firm notorious for its ties to authoritarian governments, leaked emails have revealed.

In June 2014, Independent Commissioner Against Corruption (ICAC) Principal Investigator Simon Tse Yiu-keung reached out to the Singapore office of Hacking Team, an Italian company that is known to supply invasive surveillance technology to security services in Libya, Morocco, Sudan, Saudi Arabia, Egypt and Ethiopia.

In an email to the Milan-based outfit, which was among nearly a million Hacking Team emails published by Wikileaks last week, Tse expresses his interest in the company’s Remote Control System (RCS) Galileo. The Galileo software enables users to hijack a target’s computer or mobile device, recording the device’s every use, movement, and even visual and audio data related to its surroundings.

YouTube video

“We are interested in your Galileo remote control system in particular for mobile phone,” Tse wrote to Daniel Maglietta on 11 June 2014, reminding the chief of Hacking Team’s Singapore Representative Office that the two had previously met in Kuala Lumpur at the ISS World Asia Conference.

Tse and Maglietta thereafter exchanged a series of emails to arrange for a private demonstration of the Galileo system in Singapore the following month.

The emails do not indicate whether ICAC representatives actually met Hacking Team or purchased the software. However, Maglietta’s last email to Tse, dated July 22, queries Tse’s schedule in mid-August – the same week Maglietta was travelling to Shenzhen via Hong Kong to meet “Beijing clients”.

“I have just received confirmation on a few meetings in August,” Maglietta wrote to Tse, “and want to make sure it does not overlap with yours.”

Tse’s first email to Maglietta.

According to a 2013 report by Reporters Without Borders, “digital mercenaries” like Hacking Team “sell products that are liable to be used by governments to violate human rights and freedom of information.”

The company was first thrust into the spotlight in 2012, when its RCS malware was found on the computers of award-winning Moroccan media outlet Mamfakinch, as well as UAE human rights activist Ahmed Mansoor. Hacking Team’s products were later used to target Ethiopian journalists based in Washington, DC.

The ICAC’s presence in the leaked emails has been flagged by Legislative Councillor Charles Mok, representative for the IT Sector functional constituency.

Mok told HKFP that whilst the ICAC’s use of such technology is not necessarily a concern, “there must be oversight”.

In a statement this afternoon, ICAC Deputy Commissioner Ryan Wong Sai-chiu told local media that the ICAC has a responsibility to keep up with the latest technological advances and enhance their surveillance capabilities. Wong added that the interception of communications is subject to legal supervision, meaning that there is “no need for a ‘grey area’” in which to operate.

Charles Mok
Photo: charlesmok.hk

Mok, however, voiced concern over whether existing legislation adequately protects Hong Kongers’ privacy.

“While the Interception of Communications and Surveillance Ordinance (ICSO) provides oversight over [the] interception of messages… it is unclear whether malware or spyware such as Galileo – being intrusive and even encryption-cracking – would be covered by existing laws such as the ICSO,” Mok said.

Although Mok said that he recognises that “there may be certain circumstances that require such tools,” he believes that the circumstances where the use of invasive spyware is acceptable are unclear: “It is especially worrying if the use of this malware and spyware is not covered under the ICSO – and that is what I want to find out. ICAC has not answered my questions yet.”

“Hong Kongers should be concerned,” according to Mok. “Whether using this type of malware breaches the ICSO is exactly the question I am asking the government, but I am worried that it may not be covered… Investigating difficult and serious crime may indeed require clandestine activities but that does not mean there shouldn’t be oversight.”

Jennifer Zhang of Hong Kong Transparency Report told HKFP that “there is nothing wrong” with the ICAC proactively making enquiries about new technology since it is their duty to investigate corruption – a task that gets increasingly difficult as technology advances.

The problem, she believes, is that “the ICSO commissioner’s annual reports in past years have not been fully transparent about each law enforcement agency’s individual number of interceptions and covert surveillance operations, the criminals they arrested following those operations, and the number of operation applications rejected.”

This, she said, “leaves the public with reasonable doubt over whether law enforcement, including the ICAC, are abusing their interception and surveillance power with no oversight.”

Update (July 20): ICAC Commissioner Simon Peh Yun-lu confirmed on Sunday that the corruption watchdog had made inquiries about Hacking Team’s Remote Control System and invited representatives of the company for a demonstration. Peh said that the ICAC is currently considering purchasing the Galileo spyware suite. 

Ryan Ho Kilpatrick is an award-winning journalist and scholar from Hong Kong who has reported on the city’s politics, protests, and policing for The Washington Post, Los Angeles Times, TIME, The Guardian, The Independent, and others