Petrovich12 - Fotolia
The European Union (EU) is training countries in the Balkans, the Middle East and Africa in surveillance techniques that campaigners fear could be used against political opponents, activists and journalists.
The EU is providing training for law enforcement agencies in multiple countries in surveillance techniques, which include hacking mobile phones, harvesting personal data from social media, and using spyware.
Law enforcement agencies in Morocco, Turkey, Algeria, Jordan, Lebanon, Tunisia and Turkey are among those to benefit from training in surveillance techniques provided by an EU-funded agency with a €9m annual budget.
The disclosures, contained in hundreds of EU documents obtained by the campaigning group Privacy International, have led to calls for urgent reforms by the EU to ensure governments that receive EU support do not misuse technology to violate the rights of their citizens.
Edin Omanovic, advocacy director of Privacy International, said the documents showed that EU aid programmes are putting people in other countries at risk.
“Instead of helping people who face daily threats from unaccountable surveillance agencies, including activists, journalists, and people just looking for better lives, this ‘aid’ risks doing the very opposite,” he said.
Twelve NGOs in Europe and Africa have written to the European Commission calling for the EU to rethink its strategy.
“European governments and firms must ensure that they are not providing the tools of repression to governments around the world,” they said. “The EU should be a promoter of rights, not an enabler of the governments to undermine them.”
The EU has offered training to law enforcement agencies of non-EU countries through the European Union Agency for Law Enforcement Training (CEPOL) since 2006, in topics that include cyber security, modern investigative techniques, and counter extremism and violent terrorism.
However, training documents obtained by Privacy International suggest that CEPOL’s training includes surveillance techniques that are open to abuse by states that lack legal safeguards for their citizens and operate unaccountable security agencies.
EU course taught Algerian police how to spread disinformation
In April 2019, for example, CEPOL trained 20 members of Algeria’s National Gendarmerie how to create fake identities on social media platforms, using a different mobile phone SIM cards to protect their identities.
The technique, which can be used to spread disinformation, breaches the terms of service of Facebook and other service providers and the EU’s own code of practice which commits social media to clamp down on fake accounts.
The Algerian gendarmes were also taught how to exploit poor security practices to access supposedly private web pages, to use open source search tools to map Wi-Fi networks, and to identify accounts with similar user names across the internet.
One of the tools described in the presentation, WiFi Pineapple, which is sold on Amazon, can be used to perform “man in the middle” attacks to access people’s passwords, while another tool, SSL Strip, allows investigators to monitor a target’s web browsing.
The training course took place as the Algerian capital, Algiers, faced protests that led to the resignation of its president and sparked a disinformation campaign by fake social media accounts posting state propaganda and denouncing democracy activists.
Moroccan agents taught how to harvest data from Facebook and Twitter
The EU also provided a training course for 20 agents of Morocco’s Director General for National Security (DGNS) in how to use fake profiles to harvest personal data from Facebook with the aid of open source websites – including Stalkscan, WhoPostedWhat, PeoplefindThor and Facebook Matrix – and to use software to visually map the connections between people.
The course advised the agents to register as developers on Twitter to monitor Twitter users, in breach of the platform’s terms of service, which prohibit the use of its application programming interfaces (APIs) for surveillance purposes, and to download an open source analysis and visualisation tool, known as DMI-TCAT, to analyse data.
Another tool, Twint, referred to in the training slides, uses “Twitter’s search operators to let you scrape Tweets from specific users, scrape Tweets relating to certain topics, hashtags & trends, or sort out sensitive information from Tweets like email and phone numbers”.
Monitoring mobile phones in Montenegro
An EU-backed course in Morocco, billed as “collecting counter-terrorism information from the internet”, gave advice to officials on electronic surveillance techniques, according to documents obtained by Privacy International using the Freedom of Information Act.
There were presentations on investigating mobile phones, the technical architecture of telecommunications networks, and the unique numbers used to identify mobile phones and SIM cards.
The slides gave examples of the data that government authorities in France are able to obtain from telecommunications operators, including the name of a subscriber visiting a particular website, and the identities of mobile internet users.
Another training course given to participants in the Baltic state of Montenegro introduced mobile phone surveillance devices, known as IMSI catchers, which can be used by police to harvest details of all mobile phone users attending a protest.
Training on malware and trojans in Bosnia and Herzegovina
The documents obtained by Privacy International show that the national police force of Spain discussed tracking IP addresses, emails and conducting wiretaps during a training course on financial investigations presented to intelligence agencies in Bosnia and Herzegovina.
One of the slides promoted the use of malware or trojans, commercially available tools developed by companies such as the NSO Group, that can be used to hack into mobile phones to extract data, and take over the camera or microphone to listen in to conversations.
Mobile phone extraction
A course supported by the EU in Morocco showed participants how to extract private data from mobile phones using tools sold by Swedish company Micro Systemation and Israeli company Cellbrite.
These tools can recover photographs, text messages, web histories, delete files, GPS data and data contained in photographs and images.
Cellbrite claims its Cloud Analyser can track online behaviour, analyse social media posts, likes, events and connects to “better understand a suspect or a victim’s interests, relationships or daily activities”.
The course also showed investigators how forensic software can be used to extract data from cloud services used by mobile phone users, providing access to backed-up WhatsApp messages, posts on Twitter, Facebook, emails and documents stories on services such as DropBox. It also described ways to bypass two-factor authentication and other security features.
The course material recommended using software from US company Grayshift which claims to be able to crack the secure password protection used on iPhones, and has the capability to decrypt the keychain used in iPhones to securely store passwords for apps and websites.
In a letter to the European Commission yesterday, a coalition of civil society organisations in Europe and Africa urged the European commissioners to reform EU budget and aid programmes to support the rights of citizens in countries with poor human rights legislation.
The EU is the largest provider of aid and a powerful force for change, said Privacy International’s Omanovic, and must enact urgent reforms to these “secretive and unacceptable programmes”.
“Failure to do so is a betrayal not just of the purpose of aid and the people it is supposed to benefit, but of the EU’s own values,” he said.
EU funds finance border surveillance programmes
Phone tapping in Bosnia and Turkey
EU funds have been allocated to fund a wiretapping system in Bosnia and Herzegovina, as well as wiretapping, computer and mobile phone forensic inspection, and “special operational equipment” in Turkey
Mobile phone surveillance in Niger
The government of Niger received surveillance equipment including a cellphone tower simulator capable of intercepting mobile communications under an EU Trust Fund programme to address migration in Africa (EUTF for Africa). Niger has no laws to regulate the equipment or to limit its use to border control.
Biometric identity systems in Côte d’Ivoire and Senegal
The EUTF for Africa has also financed biometric identity systems in Côte d’Ivoire for €30m and in Senegal for €28m. In Côte d’Ivoire, the biometric identity system is used to assist in the identification of Ivorians irregularly residing in Europe and to organise their return more easily.
West African police database
The EU allocated €5m to Interpol to develop a shared police database in West Africa, including Côte d’Ivoire and Niger.
Source: Privacy International