Special Report: Cyber-intel firms pitch governments on spy tools to trace coronavirus

By Joel Schectman, Christopher Bing and Jack Stubbs

WASHINGTON (Reuters) – When law enforcement agencies want to gather evidence locked inside an iPhone, they often turn to hacking software from the Israeli firm Cellebrite. By manually plugging the software into a suspect’s phone, police can break in and determine where the person has gone and whom he or she has met.

Now, as governments fight the spread of COVID-19, Cellebrite is pitching the same capability to help authorities learn who a coronavirus sufferer may have infected. When someone tests positive, authorities can siphon up the patient’s location data and contacts, making it easy to “quarantine the right people,” according to a Cellebrite email pitch to the Delhi police force this month.

This would usually be done with consent, the email said. But in legally justified cases, such as when a patient violates a law against public gatherings, police could use the tools to break into a confiscated device, Cellebrite advised. “We do not need the phone passcode to collect the data,” the salesman wrote to a senior officer in an April 22 email reviewed by Reuters.

A Cellebrite spokeswoman said the salesman was offering the same tools the company has long sold to help police enforce the law. The company is also offering a version of its product line for use by healthcare workers to trace the spread of the virus that causes COVID-19, but the tools can only be used with patient consent and can’t hack phones, she said.

Cellebrite’s marketing overtures are part of a wave of efforts by at least eight surveillance and cyber-intelligence companies attempting to sell repurposed spy and law enforcement tools to track the virus and enforce quarantines, according to interviews with executives and non-public company promotional materials reviewed by Reuters.

The executives declined to specify which countries have purchased their surveillance products, citing confidentiality agreements with governments. But executives at four of the companies said they are piloting or in the process of installing products to counter coronavirus in more than a dozen countries in Latin America, Europe and Asia. A Delhi police spokesman said the force wasn’t using Cellebrite for coronavirus containment. Reuters is not aware of any purchases by the U.S. government.

FILE PHOTO: A man displays a screen at a stand of Cellebrite, an Israeli company that manufactures data extraction, transfer and analysis devices for cellular phones and mobile devices, at the annual European Police Congress in Berlin, Germany, February 4, 2020. REUTERS/Hannibal Hanschke

So far, Israel is the only country known to be testing a mass surveillance system pitched by the companies, asking NSO Group, one of the industry’s biggest players, to help build its platform. But the rollout of NSO’s surveillance project with the Israeli Ministry of Defense is on hold pending legal challenges related to privacy issues, an NSO executive said. A spokesman for Israeli Defense Minister Naftali Bennett said NSO was involved in the project but did not provide further details.

Surveillance-tech companies have flourished in recent years as law enforcement and spy agencies around the world have sought new methods for countering adversaries who now often communicate through encrypted mobile apps. The firms argue that their experience helping governments track shadowy networks of militants makes them uniquely qualified to uncover the silent spread of a novel disease.

“I really believe this industry is doing more good than bad,” said Tal Dilian, a former Israeli intelligence officer and now a co-chief executive officer of Cyprus-based Intellexa, a cyber-surveillance firm that works with intelligence agencies in Southeast Asia and Europe. “Now is a good time to show that to the world.”

Yet some technologists remain skeptical that spying tools reliant on phone location data can be used to effectively combat a virus.

“It’s not precise enough, that’s the point. It’s not nearly going to get you down to whether you’re next to a certain person or not,” said Michael Veale, a lecturer in digital rights and regulation at University College London.

While the methods for location tracking and accuracy vary, surveillance companies say they can narrow down a person’s coordinates to within three feet, depending on conditions.


Privacy issues loom. Civil liberties advocates fear that virus tracking efforts could open the door to the kind of ubiquitous government surveillance efforts they have fought for decades. Some are alarmed by the potential role of spyware firms, arguing their involvement could undermine the public trust governments need to restrain the spread of the virus.

“This public health crisis needs a public health solution – not the interjection of for-profit surveillance companies looking to exploit this crisis,” said Edin Omanovic, advocacy director for the UK-based civil liberties group Privacy International.

Claudio Guarnieri, a technologist with the human rights organization Amnesty International, said any new surveillance powers embraced by states to combat the virus should be met with “high scrutiny.”

“New systems of control, from location tracking to contact tracing, all raise different concerns on necessity and proportionality,” said Guarnieri.

Cellebrite, for one, said it requires “agencies that use our solutions to uphold the standards of international human rights law.”

Government officials have sought to address such concerns by pointing to the unprecedented nature of the crisis. COVID-19, the respiratory disease caused by the new coronavirus, has so far infected more than 3 million people worldwide, killing over 210,000.

In South Africa, for example, after the government last month announced it would use telecom data to track the movements of citizens infected with COVID-19, a communications minister acknowledged concerns about loss of privacy.

“We do respect that everyone has a right to privacy, but in a situation like this our individual rights do not supersede the country’s rights,” Stella Ndabeni-Abrahams, the communications minister, said at a press conference for South Africa’s COVID-19 command council this month.

The South African Health Ministry declined to comment on details of the program and whether it had contracted with any of the intelligence firms.

A number of countries are developing and deploying COVID-19 contact-tracing apps that do not rely on location data. Instead, these apps, already in use in Singapore, India and Colombia, tap the smartphone connectivity technology Bluetooth to sense and record when other devices are nearby. When someone tests positive for coronavirus, typically, everyone that person made contact with is notified.

Christophe Fraser, an epidemiologist at Oxford University’s Big Data Institute, said this approach, if implemented properly, could save lives and shorten lockdowns. “The idea is to try and maximize social distancing practices of those at risk of infection and minimize the impact on all the other people,” he said.

This app-based approach to contact tracing is considered by its advocates to be more privacy-friendly because people voluntarily download the app and sensitive personal data are visible only to health authorities. This method of containing the disease is the focus of a rare collaboration between Apple Inc and Alphabet Inc’s Google to quickly deploy the Bluetooth-based technology for use in the United States and elsewhere. But the approach relies on widespread adoption of the apps, and its accuracy remains unproven.

Apple says its plan is designed to “help amplify the efforts of the public health authorities” and that “many factors will help flatten [infection] curves — no one believes this is the only one.” A Google spokesman referred to a prior statement, which said “each user will have to make an explicit choice to turn on the technology.”

By contrast, deploying a mass surveillance platform like Intellexa’s means everyone would be under collection right away; no one needs to opt in, nor could anyone opt out. Such a setup can be done remotely in a matter of weeks, said an executive at NSO Group, which is also offering its wares to fight the coronavirus.


The surging spyware business is estimated by research firm MarketsandMarkets to be worth $3.6 billion this year.

But the industry has been dogged by legal and ethical concerns. Human rights groups have accused some companies of helping undemocratic governments target dissidents and activists. The companies say they help governments prevent terrorism and capture criminals.

Last year, for example, Facebook’s WhatsApp unit accused NSO Group of helping governments hack 1,400 targets that included activists, journalists, diplomats and state officials. NSO denies the allegations, saying it only provides the technology to government agencies under strict controls and is not involved in operations.

Intellexa’s Dilian fled Cyprus last year after an arrest warrant was issued for him, on accusations that he used a surveillance van to illegally intercept communications in the country. Dilian denies the allegations, returned to Cyprus last month and said he is cooperating with authorities. A Cypriot police spokesman told Reuters the investigation is active.

Now, industry executives, investors and analysts say the coronavirus crisis offers intelligence firms the possibility of billions of dollars in business, while burnishing their reputations.

India is among the courted countries. In April, New York-based Verint Systems asked Indian officials to pay $5 million for a year’s subscription to a host of services designed to track and surveil people with coronavirus. Those included a cellphone tower geolocation platform and a program to monitor social media activity, according to documents seen by Reuters and a person with knowledge of the negotiations. No sale has yet been agreed in India, the source said.

A Verint spokesman declined to answer questions, instead referring to an April 16 press release which said unspecified products were being used by an unnamed country to help respond to COVID-19. India’s Ministry of Interior said it had not purchased a system from Verint.

NSO Group and Intellexa are also both pitching COVID-19 tracking platforms to countries across Asia, Latin America and Europe. Their technology could allow a government to track the movement of nearly every person in the country who carries a cellphone, sucking up a continuous trove of location data. Installed within telecom providers, the technology functions through the analysis of call records, said NSO and Intellexa executives.

When a person tests positive, the systems would allow authorities to input the result, tracking those who made contact with the patient in the past few weeks. Those exposed would receive a text message encouraging them to get tested or self-isolate. NSO said the system’s administrators would not see the identity of individuals.

Revelations in 2013 that the U.S. National Security Agency had collected this kind of mobile phone data about Americans to track national security threats created a storm of controversy and fueled new restrictions on surveillance.

Suzanne Spaulding, a former U.S. intelligence community lawyer and senior Homeland Security official, described this potential COVID-19 tracking approach as “among the most privacy-invasive.” That’s because it “envisions all of the data about everyone’s movements, not just infected individuals and their known contacts, going to the government.”

South Korea, Pakistan, Ecuador and South Africa have all indicated in public statements they were rolling out contact tracing systems using telecom data to track infected citizens, though the details haven’t been released.

South Korean officials say any loss of privacy from surveillance must be weighed against the disastrous economic consequences caused by a long-term shutdown.

“It is also a restriction of freedom when you ban free movement of people in crisis,” Jung Seung-soo, a deputy director at the Ministry of Land, Infrastructure and Transport, told Reuters. The country is not using outside surveillance vendors, the official said.

Intellexa is in the process of installing its system in two Western European countries, Dilian said. He declined to name them.

In an interview with Reuters, NSO employees responsible for the product said the company is piloting the approach in 10 countries in Asia, the Middle East and Latin America, but declined to name them.

Three other Israeli companies, Rayzone Group, Cobwebs Technologies and Patternz, are offering countries coronavirus tracking capabilities. These largely rely on location data gathered from mobile advertising platforms, according to company promotional documents reviewed by Reuters and people familiar with the companies.

Rayzone Group declined to comment. Requests for comment to Patternz went unanswered. Omri Timianker, president and co-founder of Cobwebs Technologies, said his company is working with five governments to help track the spread of the virus, but declined to identify them.

While some experts say advertising data isn’t precise enough to combat the spread of COVID-19, the documents reviewed by Reuters suggest the three firms are marketing technology which they contend can ingest and process advertising data into a form that’s useful for narrowly tracking individuals.

Intellexa’s Dilian said his company’s platform will cost between $9 million and $16 million for countries with large populations. He believes COVID-19 tracking will be just the beginning. Once the pandemic ends, he hopes countries that invested in his mass surveillance tool will adapt it for espionage and security. “We want to enable them to upgrade,” he said.

(Additional reporting by Nqobile Dludla in Johannesburg, John Geddie in Singapore, Alexandra Valencia in Quito, Frank Jack Daniel in Mexico City, Sankalp Phartiyal in New Delhi, Douglas Busvine in Berlin, Tova Cohen in Tel Aviv, Asif Shahzad in Islamabad, Michele Kambas in Athens and Sangmi Cha in Seoul. Editing by Ronnie Greene and Jonathan Weber)

U.S. companies facing worker shortage race to automate

By David Randall

NEW YORK (Reuters) – U.S. companies are responding to the lowest unemployment rate in almost 50 years by increasing their focus on automation in order to maintain healthy margins as labor costs tick higher, a Reuters analysis of corporate earnings transcripts shows.

The attempt to save money through technology does not come down to just installing more robots in factories. Instead, companies appear to be confronting the lack of low-cost workers by investing in software and machines that can perform tasks ranging from human resources management to filling prescriptions.

Citigroup Inc, for instance, said that it is expanding its cloud infrastructure to replace routine tasks that used to require human labor. Health insurance company UnitedHealth Group told investors that its automation efforts should save the company over $1 billion next year. And Corona beer brewer Constellation Brands Inc said that its spending on automation should increase the efficiency with which it packs bottles in a variety pack, shaving costs.

Those investments are helping keep wage growth in line despite historically-low unemployment. Average hourly earnings were unchanged in October despite the unemployment rate falling to 3.5% from 3.7%, while the annual increase in wages fell slightly to 2.9%.

“I’m not at all worried about margin pressure from wages” because of increased productivity due to corporate spending on automation, said Jonathan Golub, chief U.S. equities strategist at Credit Suisse Securities.

Overall, companies have discussed automation on quarterly earnings calls more than 1,110 times since the beginning of the year, a 15% increase from this time last year and nearly double the mentions by this time in October, 2016, according to Refinitiv data. Corporate orders of robotics alone rose 7.2% over the first half of this year compared with 2018, totaling $869 million in spending, according to the Association for Advancing Automation.

Fund managers and analysts say that corporate spending on automation is contributing to positive earnings surprises. Nearly 83% of companies in the S&P 500 that have released third-quarter earnings so far have reported earnings above expectations, compared with an average 65% beat rate since 1994, according to I/B/E/S data from Refinitiv.

“You’re seeing companies benefit in ways that aren’t easy to see when you look at the balance sheet, and all those investments start to add up and help protect margins,” said Matt Watson, a portfolio manager at James Investment Research.

Watson said that he is now buying companies that are benefiting from the use of automation because they trade at much more attractive valuations than the companies that provide it, which he is steering clear of.

FedEx Corp, for example, is both investing in systems to automate its shipping facilities and testing robots that can handle some deliveries, he said. He is also buying shares of broker-dealer LPL Financial Holdings Inc, which is automating more of its client-relations platform to increase efficiency, he said.

“You don’t need to get into the nitty gritty when it’s back-of-the-napkin obvious that these companies are saving money” through increased productivity, Watson said.

The fastest-growing sectors of automation are in logistics and healthcare, said Jeremie Capron, head of research at ROBO Global, the company behind the $1.2-billion Robo Global Robotics & Automation ETF <ROBO.P>. The firm’s ETF is up nearly 20% for the year to date, in line with the performance of the benchmark S&P 500 index.

Capron sees the greatest opportunity in companies like Zebra Technologies Corp <ZBRA.O>, which makes radio-frequency identification device readers and real-time location systems that are used in hospitals and e-commerce fulfillment centers, he said. Shares of the company are up nearly 30% for the year to date.

Declining costs and a new generation of smaller systems should continue to push revenue growth in the sector, he said.

“We’ve hit the level where you don’t need great engineering skills to deploy automation because the software has made it so much easier to use,” he said. “You’re seeing not only large multi-national groups automate, but those technologies are increasingly available to smaller and mid-sized businesses.”

(Reporting by David Randall; Editing by Alden Bentley and Nick Zieminski)

New genre of artificial intelligence programs take computer hacking to another level

FILE PHOTO: Servers for data storage are seen at Advania's Thor Data Center in Hafnarfjordur, Iceland August 7, 2015. REUTERS/Sigtryggur Ari

By Joseph Menn

SAN FRANCISCO (Reuters) – The nightmare scenario for computer security – artificial intelligence programs that can learn how to evade even the best defenses – may already have arrived.

That warning from security researchers is driven home by a team from IBM Corp. who have used the artificial intelligence technique known as machine learning to build hacking programs that could slip past top-tier defensive measures. The group will unveil details of its experiment at the Black Hat security conference in Las Vegas on Wednesday.

State-of-the-art defenses generally rely on examining what the attack software is doing, rather than the more commonplace technique of analyzing software code for danger signs. But the new genre of AI-driven programs can be trained to stay dormant until they reach a very specific target, making them exceptionally hard to stop.

No one has yet boasted of catching any malicious software that clearly relied on machine learning or other variants of artificial intelligence, but that may just be because the attack programs are too good to be caught.

Researchers say that, at best, it’s only a matter of time. Free artificial intelligence building blocks for training programs are readily available from Alphabet Inc’s Google and others, and the ideas work all too well in practice.

“I absolutely do believe we’re going there,” said Jon DiMaggio, a senior threat analyst at cybersecurity firm Symantec Corp. “It’s going to make it a lot harder to detect.”

The most advanced nation-state hackers have already shown that they can build attack programs that activate only when they have reached a target. The best-known example is Stuxnet, which was deployed by U.S. and Israeli intelligence agencies against a uranium enrichment facility in Iran.

The IBM effort, named DeepLocker, showed that a similar level of precision can be available to those with far fewer resources than a national government.

In a demonstration using publicly available photos of a sample target, the team used a hacked version of video conferencing software that swung into action only when it detected the face of a target.

“We have a lot of reason to believe this is the next big thing,” said lead IBM researcher Marc Ph. Stoecklin. “This may have happened already, and we will see it two or three years from now.”

At a recent New York conference, Hackers on Planet Earth, defense researcher Kevin Hodges showed off an “entry-level” automated program he made with open-source training tools that tried multiple attack approaches in succession.

“We need to start looking at this stuff now,” said Hodges. “Whoever you personally consider evil is already working on this.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Susan Fenton)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or network operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large-scale attack, but none of our services were affected.”

British-based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.


A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

SAP pushes to patch risky HANA security flaws before hackers strike

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. REUTERS/Ralph Orlowski

By Eric Auchard

FRANKFURT (Reuters) – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms.

While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions which are the lifeblood of businesses.

The latest security weaknesses, known in industry parlance as “zero day” vulnerabilities, rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said vulnerabilities lay in a HANA component known as “User Self Service” (USS) which would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was rated by it as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or years, in rare cases. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward. (http://reut.rs/2mkTVgI)

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component first offered by SAP in October 2014 is not activated by default, but must be specially enabled, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (https://goo.gl/11Dz5w) and Onapsis (https://goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added.

(Reporting by Eric Auchard; Editing by Stephen Coates)

WikiLeaks offers CIA hacking tools to tech companies: Assange

WikiLeaks founder Julian Assange makes a speech from the balcony of the Ecuadorian Embassy, in central London, Britain February 5, 2016. REUTERS/Peter Nicholls/Files

By Dustin Volz and Eric Auchard

WASHINGTON/FRANKFURT (Reuters) – WikiLeaks will provide technology companies with exclusive access to CIA hacking tools that it possesses, to allow them to patch software flaws, founder Julian Assange said on Thursday.

The offer, if legitimate, could put Silicon Valley in the unusual position of deciding whether to cooperate with Assange, a man believed by some U.S. officials and lawmakers to be an untrustworthy pawn of Russian President Vladimir Putin, or a secretive U.S. spy agency.

It was not clear how WikiLeaks intended to cooperate with technology companies, or if they would accept his offer. The anti-secrecy group published documents on Tuesday describing secret Central Intelligence Agency hacking tools and snippets of computer code. It did not publish the full programs that would be needed to actually conduct cyber exploits against phones, computers and Internet-connected televisions.

Representatives of Alphabet Inc’s Google, Apple Inc, Microsoft Corp <MSFT.O> and Cisco Systems Inc <CSCO.O>, all of whose wares are subject to attacks described in the documents, did not immediately respond to requests for comment before regular business hours on the U.S. West Coast.

“Considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that the fixes can be developed and pushed out, so people can be secure,” Assange said during a press conference broadcast via Facebook Live.

Responding to Assange’s comments, CIA spokesman Jonathan Liu said in a statement, “As we’ve said previously, Julian Assange is not exactly a bastion of truth and integrity.”

“Despite the efforts of Assange and his ilk, CIA continues to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries.”

The disclosures alarmed the technology world and consumers concerned about the potential privacy implications of the cyber espionage tactics that were described.

One file described a program known as Weeping Angel that purportedly could take over a Samsung smart television, making it appear it was off when in fact it was recording conversations in the room.

Other documents described ways to hack into Apple Inc <AAPL.O> iPhones, devices running Google’s <GOOGL.O> Android software and other gadgets in a way that could observe communications before they are protected by end-to-end encryption offered by messaging apps like Signal or WhatsApp.

Several companies have said they are confident that their recent security updates have already accounted for the purported flaws described in the CIA documents. Apple said in a statement on Tuesday that “many of the issues” leaked had already been patched in the latest version of its operating system.

WikiLeaks’ publication of the documents reignited a debate about whether U.S. intelligence agencies should hoard serious cyber security vulnerabilities rather than share them with the public. An interagency process created under former President Barack Obama called for erring on the side of disclosure.

President Donald Trump believed changes were needed to safeguard secrets at the CIA, White House spokesman Sean Spicer told a news briefing on Thursday. “He believes that the systems at the CIA are outdated and need to be updated.”

Two U.S. intelligence and law enforcement officials told Reuters on Wednesday that intelligence agencies have been aware since the end of last year of a breach at the CIA, which led to WikiLeaks releasing thousands of pages of information on its website.

The officials, speaking on condition of anonymity, said contractors likely breached security and handed over the documents to WikiLeaks. The CIA has declined to comment on the authenticity of the documents leaked, but the officials said they believed the pages about hacking techniques used between 2013 and 2016 were authentic.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

Assange said he possessed “a lot more information” about the CIA’s cyber arsenal that would be released soon. He criticized the CIA for “devastating incompetence” for not being able to control access to such sensitive material.

Nigel Farage, the former leader of the populist UK Independence Party, visited Assange at the Ecuadorean embassy in London earlier on Thursday. A representative for Farage said he was unaware what was discussed.

Assange has been holed up since 2012 at the embassy, where he fled to avoid extradition to Sweden over allegations of rape, which he denies.

(Reporting by Dustin Volz; Additional reporting by Eric Auchard in Frankfurt, Joseph Menn in San Francisco and Guy Faulconbridge in London; Editing by Frances Kerry and Grant McCool)

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence – sources

By Joseph Menn

SAN FRANCISCO (Reuters) – Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

The company complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said three former employees and a fourth person apprised of the events.

Some surveillance experts said this represents the first case to surface of a U.S. Internet company agreeing to an intelligence agency’s request by searching all arriving messages, as opposed to examining stored messages or scanning a small number of accounts in real time.

It is not known what information intelligence officials were looking for, only that they wanted Yahoo to search for a set of characters. That could mean a phrase in an email or an attachment, said the sources, who did not want to be identified.

Reuters was unable to determine what data Yahoo may have handed over, if any, and if intelligence officials had approached other email providers besides Yahoo with this kind of request.

According to two of the former employees, Yahoo Chief Executive Marissa Mayer’s decision to obey the directive roiled some senior executives and led to the June 2015 departure of Chief Information Security Officer Alex Stamos, who now holds the top security job at Facebook Inc.

“Yahoo is a law abiding company, and complies with the laws of the United States,” the company said in a brief statement in response to Reuters questions about the demand. Yahoo declined any further comment.

Through a Facebook spokesman, Stamos declined a request for an interview.

The NSA referred questions to the Office of the Director of National Intelligence, which declined to comment.

The request to search Yahoo Mail accounts came in the form of a classified edict sent to the company’s legal team, according to the three people familiar with the matter.

U.S. phone and Internet companies are known to have handed over bulk customer data to intelligence agencies. But some former government officials and private surveillance experts said they had not previously seen either such a broad demand for real-time Web collection or one that required the creation of a new computer program.

“I’ve never seen that, a wiretap in real time on a ‘selector,’” said Albert Gidari, a lawyer who represented phone and Internet companies on surveillance issues for 20 years before moving to Stanford University this year. A selector refers to a type of search term used to zero in on specific information.

“It would be really difficult for a provider to do that,” he added.

Experts said it was likely that the NSA or FBI had approached other Internet companies with the same demand, since they evidently did not know what email accounts were being used by the target. The NSA usually makes requests for domestic surveillance through the FBI, so it is hard to know which agency is seeking the information.

Alphabet Inc’s Google and Microsoft Corp, two major U.S. email service providers, separately said on Tuesday that they had not conducted such email searches.

“We’ve never received such a request, but if we did, our response would be simple: ‘No way’,” a spokesman for Google said in a statement.

A Microsoft spokesperson said in a statement, “We have never engaged in the secret scanning of email traffic like what has been reported today about Yahoo.” The company declined to comment on whether it had received such a request.


Under laws including the 2008 amendments to the Foreign Intelligence Surveillance Act, intelligence agencies can ask U.S. phone and Internet companies to provide customer data to aid foreign intelligence-gathering efforts for a variety of reasons, including prevention of terrorist attacks.

Disclosures by former NSA contractor Edward Snowden and others have exposed the extent of electronic surveillance and led U.S. authorities to modestly scale back some of the programs, in part to protect privacy rights.

Companies including Yahoo have challenged some classified surveillance before the Foreign Intelligence Surveillance Court, a secret tribunal.

Some FISA experts said Yahoo could have tried to fight last year’s demand on at least two grounds: the breadth of the directive and the necessity of writing a special program to search all customers’ emails in transit.

Apple Inc made a similar argument earlier this year when it refused to create a special program to break into an encrypted iPhone used in the 2015 San Bernardino massacre. The FBI dropped the case after it unlocked the phone with the help of a third party, so no precedent was set.

“It is deeply disappointing that Yahoo declined to challenge this sweeping surveillance order, because customers are counting on technology companies to stand up to novel spying demands in court,” Patrick Toomey, an attorney with the American Civil Liberties Union, said in a statement.

Some FISA experts defended Yahoo’s decision to comply, saying nothing prohibited the surveillance court from ordering a search for a specific term instead of a specific account. So-called “upstream” bulk collection from phone carriers based on content was found to be legal, they said, and the same logic could apply to Web companies’ mail.

As tech companies become better at encrypting data, they are likely to face more such requests from spy agencies.

Former NSA General Counsel Stewart Baker said email providers “have the power to encrypt it all, and with that comes added responsibility to do some of the work that had been done by the intelligence agencies.”


Mayer and other executives ultimately decided to comply with the directive last year rather than fight it, in part because they thought they would lose, said the people familiar with the matter.

Yahoo in 2007 had fought a FISA demand that it conduct searches on specific email accounts without a court-approved warrant. Details of the case remain sealed, but a partially redacted published opinion showed Yahoo’s challenge was unsuccessful.

Some Yahoo employees were upset about the decision not to contest the more recent edict and thought the company could have prevailed, the sources said.

They were also upset that Mayer and Yahoo General Counsel Ron Bell did not involve the company’s security team in the process, instead asking Yahoo’s email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Stamos’s announcement in June 2015 that he had joined Facebook did not mention any problems with Yahoo. (http://bit.ly/2dL003k)

In a separate incident, Yahoo last month said “state-sponsored” hackers had gained access to 500 million customer accounts in 2014. The revelations have brought new scrutiny to Yahoo’s security practices as the company tries to complete a deal to sell its core business to Verizon Communications Inc for $4.8 billion.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Tiffany Wu)