This post was originally posted on Medium here.
The full trove of documents from Italy’s commercial spyware provider Hacking Team is now online. From the invoices sent by the Hacking Team to Miliserv Technologies, the Shah Alam based entity that seem to be the Putrajaya’s channel, there was large investment in surveillance technology in 2013. There were concerns from civil society groups and overseas observers about the Malaysian government’s repressive stance during that period, an election year.
Perhaps this was no surprise, as The Verge wrote about Wikileak’s efforts to track spyware contractors and Malaysia was on the itinerary for Gemma International and Hacking Team. According to Wikileaks, Hacking Team visited Malaysia in December 2011 and then for a longer period in March 2013.
Hacking Team had a good reason to visit Malaysia, given that Malaysia has spent around 1.86 million Euros on their catalogue and sits as one of their top 10 customers.
The December 2011 visit tied into the purchase of Remote Control System (RCS) software for the Malaysia Anti-Corruption Commission (MACC), via Miliserv. This was not the only link however, there was a bill for 10 thousand Euros in 2010. Before 2010, the MACC had already spent 390,000 Euros on Hacking Team’s products probably through the Miliserv channel. The invoices of which was not released and may have been archived.
The 10,000 Euros spent in 2010 by the MACC pales in comparison with the license upgrade the commission purchased in 2011.
After a period in 2012, where Miliserv does not appear in the invoices, February 2013 sees the company spending more for new software licenses and hardware systems. March 2013 was also when a Hacking Team employee visited Malaysia for 8 days, 4 days longer than the last visit of 2011, according to Wikileaks. It seems like some major deals were signed in this period.
The next invoice issued to Miliserv sees them settling their purchase of the Da Vinci Remote Control System under the same order no: MTPO-002–2013.
Then later in the month, they were invoiced for what seems like a renewal of a maintenance agreement. They finished paying that over 2 invoices with the same order no: 20130422.021–1.DM, with another one issued in September of the same year.
Miliserv again was involved in the maintenance renewal contract for MACC’s Remote Control System (RCS) in 2014.
The invoice had stated that the RCS maintenance was to last from 1 January 2014 to the last day of the year in 2016. However, Hacking Team’s records showed that MACC was an inactive client by 2015.
Where does the PMO and military intelligence, the two other government bodies listed by Hacking Team to be customers, sit in terms of spending?
The Prime Minister’s Office looks to have been about to make a new purchase that would have cost 100,000 Euros recently. The following order was not dated or invoiced yet in the Hacking Team’s systems.
Unfortunately for Malaysian military intelligence, their fulfilment partner based in Hong Kong, Charmco Enterprises, had their cover blown by the hacking of Hacking Team’s records. However, according to the Hong Kong Government Logistics department’s eGazette (PDF), (if it was the same Charmco Enterprises) the company had been dissolved in 24 September 2004.
Update: After searching the Hong Kong company register, there seems to be three Charmco Enterprises Ltd which were registered there.
Invoices to Charmco, which match up with military intelligence spending, were issued beyond their dates of dissolution in 2004.
A preliminary analysis of the invoices and bills between the Malaysian government and the Hacking Team suggest a lengthy working relationship. Without more information, this is but a limited perspective into Malaysia’s connections with one spyware company, from the side of the spyware company. The revenue data that Hacking Team collected seems to confirm that Malaysia has so far been a good customer.
Looking at the invoices issued, the contact between the Hacking Team and agencies in the Malaysian government in 2013 seemed to have expanded from prior years. In particular, under the customer histories record of the Hacking Team, the PMO, which hitherto had not been a user of their products, appeared on the books. Also unlike the other agencies, there were no signs that the PMO paid maintenance fees in 2014 and 2015.
It was during the same year that Citizen Lab released a report (PDF) with their findings of a piece of surveillance technology, Finfisher from Gamma International, embedded in a Malay language election material. As they concluded,
Our findings so far do not make it possible to say who has put FinFisher in this document, or who is circulating it. But because FinFisher is explicitly only sold to governments we think that it is reasonable to assume that some government actor is responsible.
It is likely that the Malaysian public will want to know if domestic electronic surveillance has reached a point of no return. In the absence of trustworthy data, Malaysians and civil society may have to look at the wealth of information released by Wikileaks et al if only purely to know how far electronic surveillance has gone in Malaysia. Has Malaysia crossed the Rubicon in terms of electronic privacy? Who is under the microscope, who is being spied on, and who is doing the spying?