Police across the world are getting special training from a little-known European Union agency on how best to snoop on Facebook and Apple iPhones, according to documents obtained by nonprofit Privacy International.
The files reveal that CEPOL, the EU’s law enforcement training agency, instructed officers across the globe, from within Europe and in Africa, on how to use malware and other tools to gain access to citizens’ phones and monitor social networks. In some cases, the training was funded by EU aid coffers and went to countries with histories of human rights abuses, Privacy International warned.
Furious about the previously-secret initiatives that are aiding surveillance rather than protecting people from it, Privacy International and fellow human rights organizations are calling for reform, demanding that aid money going on intelligence training be diverted to more altruistic programs. The revelations land just days after the EU Parliament announced plans to curb spy tool exports where human rights abuses were possible.
“Today’s revelations confirm our worst fears about the diversion and securitisation of EU aid,” said Edin Omanovic, advocacy director of Privacy International. “Instead of helping people who face daily threats from unaccountable surveillance agencies, including activists, journalists, and people just looking for better lives, this ‘aid’ risks doing the very opposite.
“The EU as the world’s largest provider of aid and a powerful force for change must enact urgent reforms to these secretive and unacceptable programmes. Failure to do so is a betrayal not just of the purpose of aid and the people it’s supposed to benefit, but of the EU’s own values.”
The files largely consist of slides and documents from trainings delivered by CEPOL, the European Union Agency for Law Enforcement Training based in Budapest, and its partners. CEPOL had not responded to a request for comment at the time of publication.
CEPOL provides training for various reasons and is funded by different EU programs. Of the initiatives discovered by Privacy International, some were funded from anti-terror programs, whilst others, such as a €11.5 million ($13.6 million) drone, surveillance camera and wiretapping project in Niger, were funded from aid pots, like the EU Trust Fund for Africa. Privacy International is arguing that even where the EU’s backing of surveillance training isn’t coming from aid funds, it’s still taking money away from more obviously-benign projects.
Amongst the hundreds of training slides obtained by Privacy International are those promoting iPhone hacking tools like GrayKey. The files show that the tool, produced by Atlanta-based Grayshift and promising to bypass lockscreens of many modern iPhones, has now gone global and is being pushed in Africa and beyond by CEPOL.
In a training slide for a session in Morocco, CEPOL tells participants that the key benefit of using GrayKey with a tool called Axiom, made by Canadian police partner Magnet Forensics, is that it can grab the Apple keychain from within the iPhone, granting it access to apps and the data within. Morocco has repeatedly been criticized for using spy tools to target the iPhones of activists and journalists.
As for another way to break the security of iPhones or other smartphones, Spain’s Policia Nacional, a CEPOL partner, trained authorities in Bosnia and Herzegovina on using malware, malicious software that can remotely control an infected device. One slide simply reads: “The future is to use malware.” Such tools have proven controversial in the past, with Facebook even suing one Israeli provider, NSO Group, for trying to break WhatsApp security. (NSO Group has rejected Facebook’s claims that it broke the law in targeting WhatsApp.)
Facebook fakes and Twitter scrapes
The files also show how CEPOL and European police are encouraging foreign governments to spy on social networks. One training module, again for Morocco’s national security agency, promises methods to “go further” on Facebook. It was presented with a cheeky slide saying Facebook has been “helping stalkers since 2004.” The session covered the use of fake accounts (which would amount to a breach of Facebook’s policies) and buying into social network analysis tools used to visualize relationships between targets of interest.
For Twitter, agents are encouraged to pose as developers so they can be granted deeper access than the average user. They can then use scraping tools to gather up masses of tweets at once. Fearing abuse by surveillance companies, Twitter has tried to clamp down on this practice, limiting so-called “firehose” access to a few companies.
The documents were revealed just as the European Union announced plans to curb surveillance exports. The EU Parliament and Council announced Monday they’d agreed on new criteria when it came to granting or rejecting export licenses for certain surveillance tools. The aim was to ensure that human rights were a consideration when granting such a license.
“Today is a win for global human rights. We have set an important example for other democracies to follow. We will now have EU-wide transparency on the export of cyber surveillance and will control the export of biometric surveillance. Authoritarian regimes will no longer be able to secretly get their hands on European cyber-surveillance,” said Markéta Gregorová, the rapporteur who has been leading the negotiations since the summer.
But Omanovic said those announcements were “critically undermined by the fact that EU agencies are themselves secretly promoting the use of techniques which pose serious threats.
“It is astonishing that these same techniques are being marketed to authorities in countries where we know activists and others are being targeted.”
The EU parliament had not responded to a request for comment on the Privacy International report at the time of publication.
In light of Privacy International’s findings, it appears that with the EU and surveillance, it’s a case of what the right hand giveth, the left hand taketh away.