Italy's surveillance toolbox
Formal Metadata
Number of Parts | 167
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/34790 (DOI)
34th Chaos Communication Congress, 164 / 167
Transcript: English (auto-generated)
00:02
Good morning everyone. Imagine you're in a position where you decide that, well, you want to know the
00:23
surveillance capabilities of your government. This is nice. Well, everyone wants to know that. But now imagine that if you ask questions and they are required to be answered, that would be even nicer. That's what freedom of information requests are for. And here to tell you about
00:42
how this can be applied in Italy to determine what the Italian government has capability-wise is Riccardo Coluccini. Okay, hi everyone. I'm Riccardo Coluccini. I'm a freelance
01:05
journalist in Italy, writing mainly for Motherboard Italy, and also a member of the Hermes Center for Transparency and Digital Human Rights. What I'm about to introduce you today is a project for monitoring government surveillance capabilities via means of transparency tools.
01:23
Some background, the Italian history is peculiar due to organized crime and mafia. There are specific transparency and anti-corruption laws that can help to understand better what is going on for this kind of projects. But when we talk about surveillance,
01:44
Italian surveillance are well known abroad worldwide due to some companies such as Area and Hacking Team. They are well known for exporting surveillance technologies to authoritarian regimes all over the world, and also Hacking Team for the huge hack which it suffered. And
02:05
my question was, okay, the surveillance technology developed in Italy are famous abroad, but what's going on in Italy? What are the technologies that the government is using to intercept and surveil its own citizens? What I did, it's basically starting from some open
02:26
source intel available online, starting from two great websites like the Surveillance Industry Index and Buggedplanet.info, which gathers some information on several surveillance companies from all over the world. Specifically, I looked for the Italian one, the main Italian ones.
02:47
Starting from that, I turned to Google, searching for the value of the tax numbers, which gave me some interesting results. What I got were some spreadsheets detailing the payments
03:03
by the Minister of Interior to each company. Why this happened? Because due to a transparency law, number 33 of 2013, the public sector is obliged to publish their payments. From the spreadsheets, what I got also of the money, there was also the subject,
03:27
the tender identification code of what they were paying for. Using the tender identification code, I turned back to Google again. Google it. And what I found were some XML files
03:43
in which it was detailed all the public procurement data sets of the public sectors. These again, due to anti-corruption law, each public sector, the Minister of Interior, for example, the Ministry of Defence, the Ministry of Justice, and all other public offices, are obliged to publish on this XML format
04:04
the information regarding their public procurement data sets. So whatever they're interested in buying, and there is a public tender, is going to be published online. This is the format. Given this data, this was my reaction. I had all the ingredients
04:22
to start monitoring exactly what the government was buying, how much was paying for it, and which were the companies involved. So I constructed this workflow, which is basically starting from the public procurement data set XML files, I can get the tender identification code
04:43
and the list of companies participating in the tenders. It's not only the company that won the tender, there are all the participants, which is pretty interesting because you can discover new companies that you weren't aware of before. Given this data, then the tender identification code and the list of companies, thanks to the Freedom of Information
05:04
Access Law recently introduced in Italy at the beginning of 2017, I can ask for documents regarding invoices issued by the several companies and technical and economic offers of the public tenders. In this way, I can monitor the expenditures and I can get information
05:24
on the software, the technologies, and the devices that these companies are selling to the government. So let's start with some of the results of this monitoring. The table on the right were the companies which I gathered from the open source intel website. So I was able to
05:44
more than double the number of companies and there are more to add. The two that I highlighted are like some peculiar ones. There's one which is called NSA Italia, which is pretty fun name for a company, and there's also Telecom Italia, which is the second most large
06:04
telecommunication company in Italy, which is well known, which is big, and which is weird to find in a database of companies selling surveillance technologies and devices, but we'll see later why. Now I want to focus better on two other companies. The first one is Cy4Gate. Cy4Gate is a
06:23
pretty recent new company. It belongs to the group of Elettronica, another Italian company, and among their products, two of them are the Wi-Fi Catcher, which is basically a Wi-Fi network monitoring system able to geolocalize and identify the nodes and provide some traffic flow
06:44
analysis. Instead, the NetInt, it's basically an integrated platform which provides you the possibility to surveil phone calls, instant messaging chats, posts that you make on social medias, and even voice over IP calls. Go and have a look on their Twitter account,
07:08
it's interesting, there are some interesting pictures. Another company is CPM. This one basically sells jammers, drones jammers also, but look into the tenders. There was a tender
07:24
regarding IMSI catchers, and CPM Elettronica is stated to be the official reseller of the Cellxion company, which is an English company selling IMSI catchers. So this is one of the results that we can get with this approach. We can discover also official resellers of
07:45
companies that are based abroad, but can somehow are selling devices that the Italian government is interested in. Still remaining on the topic of IMSI catchers, this is the XML data that you get regarding the tender. So on top there's the subject, the providing an
08:04
IMSI catcher system, then there are the list of participants. There are some well-known names, and there's also Telecom Italia. So Telecom Italia, our telecommunication company, telecommunication company participated in tender in 2015 for an IMSI catcher system. They didn't win,
08:23
the company that won at that time was Eat Alarms, the first one on top. Regarding IMSI catchers, still you can get some information from the technical specification that the government is requesting to these companies. So yeah, they're asking for the downgrade,
08:42
so passing from 3G to 2G, from 4G or 3G, so to weaken the security of the communications. And they provided also a scheme of what they would like the IMSI catcher to provide to the authorities. So you see to basically to track and provide some location targeting, following
09:03
around the specific target, collecting as you see at the center the IMSI and the IMEI numbers. This is regarding IMSI catchers. So let's try to build the real, the proper toolbox of what
09:21
they're interested in. What about internet surveillance interception? What I found, there was a project which belongs to the National Operative Plan, which is a plan to foster the development of companies in south of Italy, which is using European money
09:43
and Italian public money to fund these kind of projects. This project, which was held by the company RCS, which is another well-known surveillance company in Italy, from Italy, was basically to provide some internet probes to provide lawful interception of data,
10:05
traffic interception regarding a specific user, or even intercepting traffic from or towards a specific site. What was weird is that the tag of this project, highlighted in yellow,
10:21
it's for cultural activities. So they basically said this project regards the culture sphere, but it's not, it's an internet probe for interception. The total cost of this project was a little bit more than 900 000 euros. It was approved in 2006 and it received 133 000 euros
10:46
of public funding, and the last payment was due on January 2015. I filed a request, a Freedom of Information request, to receive and obtain all the documents regarding this project. This was
11:00
funded with public money, but the answer I got was a no, a huge no, due to intellectual property issues for the company and to the secrecy of the technology itself for a national security standpoint, which is a pity. Next, let's think about the social media
11:28
and the all the posts that we do online. The Ministry of Interior has bought a system for social media intelligence. The project, the Codename Project, it's crime. What does this
11:46
system do? It's basically, its aim is to provide a media monitoring system to gather all audio files available online from social media, so Facebook, Google, YouTube and everything.
12:02
Basically doing that via crawling, scraping these web pages, transcribe the audio file that they get, identify the speakers and store a database of voice fingerprints, which are pretty concerning. The Data Protection Authority, the Italian Data Protection Authority, has opened an investigation
12:24
into this and has requested more documents and information to the Ministry of Interior because this specific system would like to be implemented to fight terrorism. But the power of these instruments regarding this ability to crawl, scrape and also how
12:45
are these voice fingerprints stored in the database? What are the safeguards? What is going to happen? This is not clear, but luckily I filed a freedom of information request access, which was granted partially. What happened? The Almawave company, the one on top on the right,
13:05
won the tender, but they refused to provide their technical offers due to intellectual property issues. But they received some other, for example, from RCS, Vitrociset that are well known companies. And this is an excerpt from the Vitrociset technical offers. And you see on the
13:29
Yahoo, Google, Reddit and basically how they would like to stream. So know who is there and then to pass through because you also have a knowledge understanding
13:41
of what's the meaning. And the system also translates, so it gets audio from several languages. All these documents that we obtained will be published probably at the beginning of 2018. They're in Italian, so we have to understand how to properly translate them or make them available to all the community. But let's move on. Recently here in Germany I read an article on
14:06
the Berlin train station. They're gonna test the face recognition system. Well, Italy wants to do the same or actually maybe a little bit more. What they did is at the beginning of this year, they've bought a system, a face recognition system for a project called Sari,
14:25
which is basically a face recognition system. This is the architecture a picture taken from their technical specs requires. So you have these basically on the right the AFIS. It's the database of, let's say, the mug shots, all the images that they already
14:42
have of criminals. They would like to have this server application with several engines using several face recognition algorithms to find the specific person containing the image. The system is split into two different parts. There's an enterprise version which has to deal with
15:06
10 million images and which is basically a static version. So you have an image, you would like to know if the person on that image is present in your database. The other one is a real-time one which needs to work together with 10 CCTV cameras that they bought
15:26
in this standard as well to be deployed according to their necessities around Italy. This system will spot the person in real time comparing to a watch list of 10,000 images
15:43
which are concerning numbers both for the 10 million images and the 10,000s.
16:00
We filed a freedom of information request also for those technical offers and we had some issues because they only provided the technical offers of the company that won the tender but obscure they redacted some passages so it's not completely clear what the engine
16:24
uses. But again also for the system the Italian Data Protection Authority opened an investigation asking for more information to the Minister of Interior. But let's move on. What we can request with our freedom of information law in Italy? We wanted to request invoices. So this is an
16:42
example of the invoices that I request for the company Area that you see that they came redacted so they wanted to remove some specific detail regarding investigations but they basically provided us with documents. So this is good, this is a leverage because we have a precedent they provided us some invoices. I'm keeping asking new invoices so they're coming
17:06
we are collecting them we would like to understand how much they expend on these technologies. So far I've been talking about the Ministry of Interior. This project can be applied also to the Ministry of Defence and the Ministry of Justice. With the Ministry of Interior
17:25
there are some caveats because the transparency laws are not so powerful as in other cases but still we can get some information. This is a PDF document detailing the expenditures of
17:41
the defence regarding some communication intelligence, the empowerment of communication intelligence systems. A pretty interesting one is the one I like which is a Beagle system developed by the company Expert System and this Beagle system is used to select the intercepted traffic and to provide a sort of speech-to-text translation, so to
18:08
transcribe it. And here you can see more details. We would like to think about it as some sort of weaker version of XKeyscore but because basically you have some searching criteria, parameters, you can search, connect and provide a comprehensive understanding of the
18:26
target of your target. So what was my initial question? What are the two what's inside the toolbox of the Italian government? Looks like the Italian government has
18:43
acquired everything that it needs, everything that other bigger nations use such as face recognition, social media intelligence and internet interception and IMSI catchers. But what's next? We would like to keep filing these freedom of information requests to get all
19:04
invoices and technical economic offers. We would like to expand the database of companies because there are some missing companies. For example, Hacking Team, there was no information regarding that but we are trying to find companies connecting to them and this would be
19:23
really helpful because if we find the companies that are participating in the tenders, we know more companies that are trying to sell this kind of technologies and we can somehow link them to Hacking Team or other more important companies. Another point, an interesting point, is to push the
19:41
government on the expenditures. So how much is it spending? Not only on a privacy concerning point of view but also on the expenditures point of view. How much does it cost to surveil your citizens? And in this way we can somehow understand it. What is missing so far is
20:02
to analyze the legal framework that lets the government use such technologies. So far it's quite blurred. There's no, for the face recognition, there was not even a mention of terrorism threat. It was like yeah we want to buy this face recognition system
20:21
and use it in public events, which is concerning, which is not even like the social media intelligence system, only for terrorism related issues. And something more, we would like to involve activists from other countries because we think that this framework could be
20:42
applied, could be exported to other countries. And to do that specifically, there's gonna be a workshop right after this talk at 2 pm at the Rights and Freedoms Assembly. How's it gonna work? There is a Horizon 2020 funded project which is called DIGIWHIST, the Digital Whistleblower,
21:03
which is providing a platform for accountability mechanism to understand what's the situation of the nations in Europe. But then the workshop is, if anyone is interested, we can discuss over other nations. And from this, yeah, coming to the workshop we can see how the public procurement
21:27
data sets are available, which laws provides in the countries the availability, the possibility to apply this same framework to understand how your country is acquiring such technologies and techniques. So I invite you to, if you're interested, to come to the workshop later.
21:48
Yeah, that was it. Thank you very much Riccardo. We have four microphones here in the hall that you
22:05
can line up behind for questions and we also have plenty of time for questions. Are there questions from the internet? No questions in that case. Microphone number one please. Hi, so when you were starting out your investigation you said you looked at Bugged Planet
22:22
and the other website for Italian companies that are providing surveillance equipment. Are there laws in Italy specifying that the surveillance technologies have to come from domestic suppliers or why was there a choice to focus solely on specifically Italian
22:41
companies? Not sure on the laws regarding the domestic supplies for at least, I don't think that for the Ministry of Interior there are any constraints, such kind of constraints. What I wanted to know was like, I basically started from that because they were like the
23:03
well-known companies and basically then I found that in my hands, so it basically dropped in my hands and was like okay let's start digging deeper. So it's yeah, I don't want to focus only on Italian companies. Yeah, if any foreign companies pops up in the tenders I will surely follow that trail for sure. So yeah, there was no specific reason why I did that.
23:28
One question from the internet via Signal Angel, please. Yes, are these tools under secrecy?
23:41
Under secrecy, well, when I requested information to the police if these technologies were being used, how many times, how often, and the staff, they didn't reply, they didn't say anything. So I hope that the Data Protection Authority can understand better what's going on
24:05
and of course I will try to see if there's been or if it's already been used. So yeah, not probably under secrecy but kind of. Microphone number two please. Hello, did you ask the Ministry what is the relation between the culture and IP surveillance?
24:27
I requested that in the Freedom of Information request, I did that to the Ministry of the Economic Development because it was the one holding that kind of project but they didn't
24:40
reply on that. Microphone number four please. Tendering in Italy, if I'm right, is something limited to offers higher than 80 or 100 000 euros. So do you know, do you have the feeling that there is some obfuscation by going below the tender line in order to not go into the
25:08
for into those databases? I didn't specifically check on that but that's certainly a point. I mean from this study clearly there is something missing, for example the Trojans, they're not
25:23
appearing, they're not there. But this also because probably I need to dig deeper into the Ministry of Justice because they are buying this technology. So yeah, not sure if they're doing that on purpose, like lowering the amount for the tenders, but definitely there is
25:44
something missing. So this is not comprehensive, it's still ongoing and still to search more. Another question from the internet. This is a three-part question. Are there any big newspapers in Italy interested in your research results and are the Italians conscious of the surveillance
26:03
and is there a public debate about it? Well, it depends. The face recognition system got some attention. Since I'm a freelance journalist writing for Motherboard Italy, I basically
26:21
wrote some articles on that. But the media didn't take on this kind of research yet. I hope they will because I need help for sure. If anyone wants to dig deeper to find something else, we will provide the data and it's going to be publicly available online.
26:42
So yeah, the public debate in Italy on privacy, it's quite tough because we recently introduced a new data retention law which strikes the time of retention up to six years, which is a lot and which doesn't make completely sense regarding to what are the
27:02
principles at an European level. So yeah, Italian people are concerned about this, but probably not enough. Do we have any more questions? Yes, it does not look like it. So a very warm and pleasantly felt workshop. Thank you.