Amid Crackdown in Bangladesh, Government Forces Continue Spytech Shopping Spree
Creative Commons Photo Credit: Source
What started as demands that the government address road safety following the killing of two school pupils by a minibus, tens of thousands of student protestors have been on the streets in Bangladesh’s capital, Dhaka, in what has escalated to a broad show of resistance towards government inaction, corruption and impunity.
The government’s response has been extreme: protestors and journalists have been beaten and detained by security forces, while reports of physical and sexual violence by supporters of the ruling party have been circulated widely across Bangladeshi social media. Shahidul Alam, a prize-winning photojournalist, was beaten and hospitalised after being detained for giving “provocative comments” about the protests to al-Jazeera.
Inevitably, protestors have been sharing news and organising online, leading to a shutdown of mobile-networks’ internet. Quoted by the Guardian, Bangladesh’s Home Affairs minister has now vowed “to identify all those who spread rumours in the social media and incited violence” asserting that “None will be spared, be they students, teachers or political leaders.”
An official in the cyber crime division of the Dhaka metropolitan police told the Daily Star that they had “found over a thousand social media accounts propagating fake news and rumours and that they “have identified the IP addresses and mobile phones used for running those accounts.”
Such monitoring comes on the back of increased concerns among Bangladeshi journalists and activists that a new Digital Security Act will be used to undermine freedom of expression by placing jail sentences on anyone publishing material online which may cause offense or “tarnish the image of the state or to spread rumour.”
There are various ways in which government agencies around the world spy on peoples’ social media and other internet activity. In addition to demanding information from providers and using open source techniques, Bangladeshi security forces have been looking to buy such electronic surveillance equipment from the international market – and continue to do so.
Privacy International has come across documentation detailing some of the surveillance technology that Bangladeshi security forces have sought to purchase. Below is what we know so far.
Bangladeshi forces have been actively seeking mobile phone surveillance equipment known as ‘IMSI Catchers’. These devices pretend to be real cell towers, enticing devices to connect to them. Once connected, IMSI catchers can identify, track, and intercept communications from all the devices in a certain area. Using IMSI Catchers, it is possible to identify who is in a specific area, for example during a protest.
In 2014, Privacy International published a procurement tender document issued by the Rapid Action Battalion, a notorious branch of the Police branded a ‘death squad’ by rights groups and international media because of its role in hundreds of extrajudicial killings, showing they were looking to buy such a device to be incorporated onto a vehicle.
Privacy International identified a Swiss surveillance company, NeoSoft, as the potential provider – and worked with journalists at Swiss-based WOZ to record a meeting between the company and Bangladeshi representatives. Following intervention from the Swiss export authorities, Additional Director General of RAB, Colonel Ziaul Ahsah, subsequently reported to Bangladeshi media that the export had been stopped “just before the shipment of the materials” by Switzerland after “a human rights organisation reported against RAB.”.
But the RAB has since continued to look for IMSI Catchers, putting out calls for at least three purchases since then. In November 2015, RAB put out a tender looking for the “Procurement of Long Range Interception Module (GSM+UMTS)“ (GSM and UMTS are common telecommunications networks); in December 2016, RAB put out a call for the “Procurement of Backpack IMSI Catcher (2G, 3G, 4G)”; and in January 2017 put out a call for the “Procurement of Data Interception Including Tactical Detection Units”.
In addition to RAB, the regular Bangladeshi police are also looking for the surveillance devices: last month, they published a tender for a “IMSI Monitor/Mobile Tracker” and a “Back Pack IMSI Monitor/Location Finder”, which depending on the type of level of sophistication of the equipment provided, would allow them to identify and track devices from a backpack.
The Bangladesh army is also buying up IMSI Catchers: in July 2017, the Army issued several tender documents together with preliminary technical specifications, seen by Privacy International, looking for two IMSI catchers (an active as well as passive interception system), a portable interception system, as well as a stand-alone system used specially to locate people by tracking their phones.
According to the specifications, the passive IMSI Catcher, to be potentially integrated in a vehicle, must operate independently from any telecommunications network provider, be able to intercept calls and SMSs, and come with a deciphering unit to be able to de-crypt commonly encryption used across telecommunications networks.
The specifications also say that the Active IMIS Catcher is to be capable of making a ‘silent call’ to a targeted phone, meaning it makes a call to a mobile phone without it notifying the user, as well as sending fake SMSs, thereby revealing the target’s location. It must then be able to ‘control, interact divert, and stop all conversations’ of the cell phone, provide live interception of communications, and de-crypt any traffic.
Similarly, the specification for a “Cell phone Backpack/Portable Monitoring, Interception and Analysis System” also state that it must be capable of making silent calls, which would allow users to find the location of a targeted phone, and of carrying out similar interception.
With access to data about who a mobile device has called, the Army also sought to purchase a “CDR [Call Data Record] Analysis System” to “identify the target behaviour and calling pattern”, identify calls of interests, and the “cause behind” calls. The specifications include the requirement that system be able to generate reports about a suspect’s “location, association and behaviour”, as well as perform “pattern and link analysis” of a phone’s activity.
In addition to the RAB, Police, and Army, in 2017, Dhaka Tribune reported that the country’s National Telecommunications Monitoring Centre (NTMC), a centralised surveillance agency providing intelligence to a range of government departments, was also seeking to buy a “’Vehicle Mounted Data Interceptor’ to help stop militancy and control expression of ‘undesirable’ views”. The article was subsequently shared on the NTMC’s own website.
The export of IMSI Catchers is restricted by most governments, meaning in some cases it is possible to track which governments have signed-off on licenses for companies to export them - but only a handful of governments make this information publicly available. From those which do, the UK government has issued 4 licenses to British companies which allows them to export telecommunications interception equipment, which includes IMSI Catchers, to Bangladesh. In 2015, they issued three temporary licenses, and one in 2016 – allowing a company to export telecommunications interception equipment to Bangladesh temporarily, likely for demonstration purposes.
RAB Wants More
The RAB is now also actively looking for other electronic surveillance equipment. Currently, it has tender calls out for a “Wi-Fi Interceptor”, a “Laser Listening Device”, and – unusually – an “Under-door Viewer”.
“Wi-Fi interception” likely refers to the ability to hijack someone’s Wi-Fi connection to intercept their traffic, and can be done in multiple ways, with ease. While it is not known what particular capability the notice refers to, and who is bidding to win the contract, surveillance companies market such products.
Forbes reports that Israeli surveillance company WiSpear, for example, claims its Wi-Fi interceptor can force devices from 500 meters away to connect to its rogue Wi-Fi network. Once connected, its users can not only intercept some internet traffic, but also then use the connection to plant malware onto a device. Once malware is planed onto a device, it can be used to access all the data contained on it, and take control of the functions such as the webcam and microphone.
“Laser Listening Device” likely refers to what is commonly known as a laser microphone, which is used to listen into conversation from a distance by exploiting sound vibrations. Lithuania-based surveillance company Tigbis, for example, markets a ‘laser monitoring system’ capable of listening into conversation in a closed room through the window, at a distance of up to 100m.
An “Under-door Viewer” is not commonly marketed by surveillance companies. A hunt around the internet, however, shows eomax selling an under-door viewer providing what it calls “advanced ‘eyes-on’ intelligence gathering capabilities” by allowing its user to see what is happening behind a door by placing the device under it.
In addition to the spytech sought by these agencies, Bangladesh has also recently developed a National Telecommunications Monitoring Centre to spy on domestic telecommunications networks. By monitoring internet and phone traffic as it travels through networks, it’s possible to monitor, for example, communications metadata (the who, what, and where of traffic), and to intercept calls or access unencrypted emails.
In February 2015, New Age reported that all six telecommunications companies had paid over 20 millions Euros for new capabilities for the Bangladeshi national monitoring centre, allowing “to record as many as 20,000 mobile phone conversations at any one time”, and to allow greater access to e-mails and social networking sites.
Monitoring centres are sold by numerous surveillance companies. New Age and Handeslblatt report that Germany-based Trovicor had been contracted to provide a monitoring centre to Bangladesh, citing an official within the country’s intelligence headquarters.
In addition to using their own surveillance technology, any government can go directly to any company which stores peoples’ data and demand access to it, for example issuing a court order to Facebook. It is then incumbent on the provider to decide whether they hand over the information.
In effect, users of social media rely heavily on these companies to have policies in place which respect their rights, for example ensuring that they don’t provide national agencies with blanket, direct access to their users’ data, and to make sure they only hand data over if they are required to do so under a valid court order that’s in line with international human rights standards.
Following the protests, Bangladeshi media report that government representatives met with Facebook officials, saying that “It should not allow publishing of any post that goes against the state” and vowing to “take action to prevent such activities in the future”, including by potentially blocking the platform.
One of the best ways of monitoring this is by looking at their transparency reports – for example Facebook provides data on the amount of requests I has received for users data and how often it has complied. In 2017, 104 requests by Bangladeshi government agencies for data were made to Facebook for a total of 139 different users or accounts; Facebook lists the percent of requests where some data was produced at less than 50%.
Open source spying
Instead of asking for the information however, agencies around the world can also go on the platforms themselves to monitor what is being said and by who. They can even make fake accounts to infiltrate groups and solicit intelligence from unaware users.
There are numerous software products and intermediary surveillance companies which offer these kinds of investigative techniques as a service. For example, last month the Intercept reported on how a US-based surveillance company, Circinus, has been offering open source monitoring techniques to government agencies – for example scraping feeds from popular social media platforms – and offering to sell the information to agencies around the world, including to the UAE and Tunisia.
In June 2018, it was reported by Bangladeshi media that the NTMC was seeking to purchase a “Social Media Monitoring System (open sources intelligence) and Related Services” from foreign suppliers at a cost of Tk. 236 crore – nearly 25 million euros.
Watching the Watchers
Bangladesh is due to hold national elections later in 2018, which brings with it increased fears of violence by both criminal groups and state agencies. Speaking to reporters last month, Bangladesh’s Home Minister stressed that law enforcement agencies had been recently empowered “with enough equipment and devices which have improved their capacity”, adding that “the NTMC [National Telecommunication Monitoring Centre] unit has been introduced”, and that “additional forces have been added with new equipment to tackle any untoward situation in the country.”
Speaking to the Independent, an official in the post and telecommunications ministry said the government plans to bring even more “state-of-the-art equipment to widen its net of surveillance on communication.”
Ensuring, however, that the security forces themselves aren’t the ones perpetrating violence - as they have done against protestors in recent days – will come down to their commitment to upholding people’s rights and to the rule of law.
While the security forces may be able to monitor people, they should be reminded that people are also able to monitor them. As the country heads towards the polls, Bangladeshi people and the world will be watching.