Good morning everyone. Imagine you're in a position where you decide that, well, you want to know the

surveillance capabilities of your government. This is nice. Well, everyone wants to know that. But now imagine that if you ask questions and they are required to be answered, that would be even nicer. That's what freedom of information requests are for. And here to tell you about

how this can be applied in Italy to determine what the Italian government has capability-wise is Riccardo Coluccini. Okay, hi everyone. I'm Riccardo Coluccini. I'm a freelance

journalist in Italy, writing mainly for Marder Board Italy, and also a member of the Ermes Center for Transparency and Digital Human Rights. What I'm about to introduce you today is a project for monitoring government surveillance capabilities via means of transparency tools.

Some background, the Italian history is peculiar due to organized crime and mafia. There are specific transparency and anti-corruption laws that can help to understand better what is going on for this kind of projects. But when we talk about surveillance,

Italian surveillance are well known abroad worldwide due to some companies such as ARIA and Hacking Team. They are well known for exporting surveillance technologies to authoritarian regimes all over the world, and also Hacking Team for the huge hacked which suffers. And

my question was, okay, the surveillance technology developed in Italy are famous abroad, but what's going on in Italy? What are the technologies that the government is using to intercept and surveil its own citizens? What I did, it's basically starting from some open

source intel available online, starting from two great websites like the Surveillance Industry Index and Backplanets.info, which gathers some information on several surveillance companies from all over the world. Specifically, I looked for the Italian one, the main Italian ones.

Starting from that, I turned to Google, searching for the value of the tax numbers, which gave me some interesting results. What I got were some spreadsheets detailing the payments

by the Minister of Interior to each company. Why this happened? Because due to a transparency law, number 33 of 2013, the public sector is obliged to publish their payments. From the spreadsheets, what I got also of the money, there was also the subject,

the tender identification code of what they were paying for. Using the tender identification code, I turned back to Google again. Google it. And what I found were some XML files

in which it was detailed all the public procurement data sets of the public sectors. These again, due to anti-corruption law, each public sector, the Minister of Interior, for example, the Ministry of Defence, the Ministry of Justice, and all other public offices, are obliged to publish on this XML format

the information regarding their public procurement data sets. So whatever they're interested in buying, and there is a public tender, is going to be published online. This is the format. Given this data, this was my reaction. I had all the ingredients

to start monitoring exactly what the government was buying, how much was paying for it, and which were the companies involved. So I constructed this workflow, which is basically starting from the public procurement data set XML files, I can get the tender identification code

and the list of companies participating in the tenders. It's not only the company that won the tender, there are all the participants, which is pretty interesting because you can discover new companies that you weren't aware of before. Given this data, then the tender identification code and the list of companies, thanks to the Freedom of Information

Access Law recently introduced in Italy at the beginning of 2017, I can ask for documents regarding invoices issued by the several companies and technical and economic offers of the public tenders. In this way, I can monitor the expenditures and I can get information

on the software, the technologies, and the devices that these companies are selling to the government. So let's start with some of the results of this monitoring. The table on the right were the companies which I gathered from the open source intel website. So I was able to

more than double the number of companies and there are more to add. The two that I highlighted are like some peculiar ones. There's one which is called NSA Italia, which is pretty fun name for a company, and there's also Telecom Italia, which is the second most large

telecommunication company in Italy, which is well known, which is big, and which is weird to find in a database of companies selling surveillance technologies and devices, but we'll see later why. Now I want to focus better on two other companies. The first one is Cyphergate. Cyphergate is a

pretty recent new company. It belongs to the group of Electronica, another Italian company, and among their products, two of them are the Wi-Fi Catcher, which is basically a Wi-Fi network monitoring system able to geolocalize and identify the nodes and provide some traffic flow

analysis. Instead, the NetInt, it's basically an integrated platform which provides you the possibility to surveil phone calls, instant messaging chats, posts that you make on social medias, and even voice over IP calls. Go and have a look on their Twitter account,

it's interesting, there are some interesting pictures. Another company is CPM. This one basically sells jammers, drones jammers also, but look into the tenders. There was a tender

regarding MC Catchers, and CPM Electronica is stated to be the official reseller of the Selxion company, which is an English company selling MC Catchers. So this is one of the results that we can get with this approach. We can discover also official resellers of

companies that are based abroad, but can somehow are selling devices that the Italian government is interested in. Still remaining on the topic of MC Catchers, this is the XML data that you get regarding the tender. So on top there's the subject, the providing an

MC Catcher system, then there are the list of participants. There are some well-known names, and there's also Telekomitalia. So Telekomitalia, our telecommunication company, telecommunication company participated in tender in 2015 for an MC Catcher system. They didn't win,

the company that won at that time was Eat Alarms, the first one on top. Regarding MC Catchers, still you can get some information from the technical specification that the government is requesting to these companies. So yeah, they're asking for the downgrade,

so passing from 3G to 2G, from 4G or 3G, so to weaken the security of the communications. And they provided also a scheme of what they would like the MC Catcher to provide to the authorities. So you see to basically to track and provide some location targeting, following

around the specific target, collecting as you see at the center the MC and the email numbers. This is regarding MC Catchers. So let's try to build the real, the proper toolbox of what

they're interested in. What about internet surveillance interception? What I found, there was a project which belongs to the National Operative Plan, which is a plan to foster the development of companies in south of Italy, which is using European money

and Italian public money to fund these kind of projects. This project, which was held by the company RCS, which is another well-known surveillance company in Italy, from Italy, was basically to provide some internet probes to provide lawful interception of data,

traffic interception regarding a specific user, or even intercepting traffic from or towards a specific site. What was weird is that the tag of this project, highlighted in yellow,

it's for cultural activities. So they basically said this project regards the culture sphere, but it's not, it's an internet probe for interception. The total cost of this project was a little bit more than 900 000 euros. It was approved in 2006 and it received 133 000 euros

of public funding, and the last payment was due on January 2015. I filed a request, a Freedom of Information request, to receive and obtain all the documents regarding this project. This was

funded with public money, but the answer I got was a no, a huge no, due to intellectual property issues for the company and to the secrecy of the technology itself for a national security standpoint, which is a pity. Next, let's think about the social media

and the all the posts that we do online. The Ministry of Interior has bought a system for social media intelligence. The project, the Codename Project, it's crime. What does this

system do? It's basically, its aim is to provide a media monitoring system to gather all audio files available online from social media, so Facebook, Google, YouTube and everything.

Basically doing that via crawling, scraping these web pages, transcribe the audio file that they get, identify the speakers and store a database of voice fingerprints, which are pretty concerning. The Data Protection Authority, the Italian Data Protection Authority, has opened an investigation

into this and has requested more documents and information to the Ministry of Interior because this specific system would like to be implemented to fight terrorism. But the power of these instruments regarding the disability to crawl, scrape and also how

are these voice fingerprints stored in the database? What are the safeguards? What is going to happen? This is not clear, but luckily I filed a freedom of information request access, which was granted partially. What happened? The Alma Wave company, the one on top on the right,

won the tender, but they refused to provide their technical offers due to intellectual property issues. But they received some other, for example, from RCS, Vitro C set that are well known companies. And this is an excerpt from the Vitro C set technical offers. And you see on the

Yahoo, Google, Reddit and basically how they would like to stream. So know who is there and then to pass through because you also have a knowledge understanding

of what's the meaning. And the system also translates, so it gets audio from several languages. All these documents that we obtained will be published probably at the beginning of 2018. They're in Italian, so we have to understand how to properly translate them or make them available to all the community. But let's move on. Recently here in Germany I read an article on

the Berlin train station. They're gonna test the face recognition system. Well, Italy wants to do the same or actually maybe a little bit more. What they did is at the beginning of this year, they've bought a system, a face recognition system for a project called Sari,

which is basically a face recognition system. This is the architecture a picture taken from their technical specs requires. So you have these basically on the right the AFIS. It's the database of, let's say, the mug shots, all the images that they already

have of criminals. They would like to have this server application with several engines using several face recognition algorithms to find the specific person containing the image. The system is split into two different parts. There's an enterprise version which has to deal with

10 million images and which is basically a static version. So you have an image, you would like to know if the person on that image is present in your database. The other one is a real-time one which needs to work together with 10 CCTV cameras that they bought

in this standard as well to be deployed according to their necessities around Italy. This system will spot the person in real time comparing to a watch list of 10,000 images

which are concerning numbers both for the 10 million images and the 10,000s.

We filed a freedom of information request also for those technical offers and we had some issues because they only provided the technical offers of the company that won the tender but obscure they redacted some passages so it's not completely clear what the engine

uses. But again also for the system the Italian Data Protection Authority opened an investigation asking for more information to the Minister of Interior. But let's move on. What we can request with our freedom of information law in Italy? We wanted to request invoices. So this is an

example of the invoices that I request for the company area that you see that they came redacted so they wanted to remove some specific detail regarding investigations but they basically provided us with documents. So this is good, this is a leverage because we have a president they provided us some invoices. I'm keeping asking new invoices so they're coming

we are collecting them we would like to understand how much they expand on these technologies. So far I've been talking about the Ministry of Interior. This project can be applied also to the Ministry of Defence and the Ministry of Justice. With the Ministry of Interior

there are some caveats because the transparency laws are not so powerful as in other cases but still we can get some information. This is a PDF document detailing the expenditures of

the defence regarding some communication intelligence, the empowerment of communication intelligence systems. A pretty interesting one is the one I like which is a Beagle system developed by the company Expert System and this Beagle system is used to select the intercepted traffic and to provide a sort of speech-to-text translation, so to

transcribe it. And here you can see more details. We would like to think about it as some sort of weaker version of xQisker but because basically you have some searching criteria, parameters, you can search, connect and provide a comprehensive understanding of the

the target of your target. So what was my initial question? What are the two what's inside the toolbox of the Italian government? Looks like the Italian government has

acquired everything that it needs, everything that other bigger nations use such as face recognition, social media intelligence and internet interception and MC catchers. But what's next? We would like to keep filing this film of information requests to get all

invoices and technical economic offers. We would like to expand the database of companies because there are some missing companies. For example, Acintime, there was no information regarding that but we are trying to find companies connecting to them and this would be

really helpful because if we find the companies that are participating in the tenders, we know more companies that are trying to sell this kind of technologies and we can somehow link them to Acintime or other more important companies. Another point, an interesting point, is to push the

government on the expenditures. So how much is it spending? Not only on a privacy concerning point of view but also on the expenditures point of view. How much does it cost to surveil your citizens? And in this way we can somehow understand it. What is missing so far is

to analyze the legal framework that lets the government use such technologies. So far it's quite blurred. There's no, for the face recognition, there was not even a mention of terrorism threat. It was like yeah we want to buy this face recognition system

and use it in public events, which is concerning, which is not even like the social media intelligence system, only for terrorism related issues. And something more, we would like to involve activists from other countries because we think that this framework could be

applied, could be exported to other countries. And to do that specifically, there's gonna be a workshop right after this talk at 2 pm at the Rights and Freedoms Assembly. How's it gonna work? There is a Horizon 2020 funded project which is called Digi-Whist, the Digital Whistlerblower,

which is providing a platform for accountability mechanism to understand what's the situation of the nations in Europe. But then the workshop is, if anyone is interested, we can discuss over other nations. And from this, yeah, coming to the workshop we can see how the public procurement

data sets are available, which laws provides in the countries the availability, the possibility to apply this same framework to understand how your country is acquiring such technologies and techniques. So I invite you to, if you're interested, to come to the workshop later.

Yeah, that was it. Thank you very much Ricardo. We have four microphones here in the hall that you

can line up behind for questions and we also have plenty of time for questions. Are there questions from the internet? No questions in that case. Microphone number one please. Hi, so when you were starting out your investigation you said you looked at Bug Planet

and the other website for Italian companies that are providing surveillance equipment. Are there laws in Italy specifying that the surveillance technologies have to come from domestic suppliers or why was there a choice to focus solely on specifically Italian

companies? Not sure on the laws regarding the domestic supplies for at least, I don't think that for the Ministry of Interior there are any constraints, such kind of constraints. What I wanted to know was like, I basically started from that because they were like the

the well-known companies and basically then I found that in my hands, so it basically dropped in my hands and was like okay let's start digging deeper. So it's yeah, I don't want to focus only on Italian companies. Yeah, if any foreign companies pop-ups in the tenders I will surely follow that trail for sure. So yeah, there was no specific reason why I did that.

One question from the internet via signal atro please. Yes, are these tools under secrecy?

Under secrecy, well, when I requested information to the police if these technologies were being used, how many times, how often, and the staff, they didn't reply, they didn't say anything. So I hope that the Data Protection Authority can understand better what's going on

and of course I will try to see if there's been or if it's already been used. So yeah, not probably under secrecy but kind of. Microphone number two please. Hello, did you ask the Ministry what is the relation between the culture and IP surveillance?

I requested that in the Freedom of Information request, I did that to the Ministry of the Economic Development because it was the one holding that kind of project but they didn't

reply on that. Microphone number four please. Tandering in Italy, if I'm right, is something limited to offers higher than 80 or 100 000 euros. So do you know, do you have the feeling that there is some obfuscation by going below the tender line in order to not go into the

for into those databases? I didn't specifically check on that but that's certainly a point. I mean from this study clearly there is something missing, for example the Trojans, they're not

appearing, they're not there. But this also because probably I need to dig deeper into the Ministry of Justice because they are buying this technology. So yeah, not sure if they're doing that on purpose, like lowering the amount for the tenders, but definitely there is

something missing. So this is not comprehensive, it's still ongoing and still to search more. Another question from the internet. This is a three-part question. Are there any big newspapers in Italy interested in your research results and are the Italians conscious of the surveillance

and is there a public debate about it? Well, it depends. The face recognition system got some attention. Since I'm a French journalist running for Manubale Italy, I basically

wrote some articles on that. But the media didn't take on this kind of research yet. I hope they will because I need help for sure. If anyone wants to dig deeper to find something else, we will provide the data and it's going to be publicly available online.

So yeah, the public debate in Italy on privacy, it's quite tough because we recently introduced a new data retention law which strikes the time of retention up to six years, which is a lot and which doesn't make completely sense regarding to what are the

principles at an European level. So yeah, Italian people are concerned about this, but probably not enough. Do we have any more questions? Yes, it does not look like it. So a very warm and pleasantly felt workshop. Thank you.