Revealed: The EU Training Regime Teaching Neighbours How to Spy

Hundreds of slides obtained by Privacy International (PI) from an EU law enforcement training agency show how surveillance techniques are taught to security authorities in neighbouring countries.

Key findings
  • PI has obtained hundreds of documents detailing surveillance techniques used in trainings organised by the European Union Agency for Law Enforcement Training;
  • They’re being used to train authorities in the Balkans, Middle East, and Northern Africa in controversial phone and internet surveillance techniques;
  • They highlight the urgent need for reforms to such EU support to non-member countries.

Tucked away in a discreet side street in Hungary’s capital, the European Union Agency for Law Enforcement Training (CEPOL) has since 2006 operated as an official EU agency responsible for developing, implementing, and coordinating training for law enforcement officials from across EU and non-EU countries.

Providing training to some 29,000 officials in 2018 alone, it has seen its budget rocket from €5 million in 2006 to over €9.3 million in 2019, and offers courses in everything from counterterrorism, cybercrime and law enforcement techniques to fundamental rights.

To support EU policies in neighbouring countries, CEPOL also facilitates experts and law enforcement officials from EU member state authorities to train counterparts from agencies across the Balkans, Northern Africa, and the Middle East.

Under the ‘EU/MENA Counterterrorism Training Partnership 2’, for example, worth just under €6.5 million, CEPOL formally partners with authorities in Algeria, Jordan, Lebanon, Morocco, Tunisia and Turkey on innocuous-sounding issues such as cyber security, modern investigative methodologies and techniques, counter violent extremism and financial terrorism.

However, training documents obtained by Privacy International (PI) reveal a far more worrying picture of what this training involves.

They suggest that CEPOL is facilitating training in surveillance techniques prone to abuse, which lack safeguards in EU countries themselves – including courses in advanced open-source intelligence gathering techniques, the use of indiscriminate surveillance equipment, techniques for cracking mobile devices, and methods for investigating charities.

While people in many of these countries face serious security threats as well as under-resourced public services, they are also plagued by unaccountable security agencies that engage in the unlawful surveillance of civilians enabled by inadequate legal frameworks and human rights protections.

In the absence of effective privacy and security safeguards and in contexts where security agencies arbitrarily target activists, journalists and others, surveillance techniques and tools pose a serious threat to people’s rights and their work. 

Using EU access to documents laws, PI is able to reveal the extent of this training regime for the first time, showing relevant information about courses provided to law enforcement agents from Albania, Algeria, Bosnia and Herzegovina, Kosovo, Montenegro, and Morocco.

The documents, available here, highlight the urgent need for reforms to such EU support to non-member countries. PI together with other NGOs is calling on the Commission to ensure that such training is not provided without sufficient safeguards, and to instead focus resources on ensuring security agencies in the EU’s neighbourhood are accountable and subject to the rule of law.

Below, we outline some of the core topics covered within the documents CEPOL uses for the training.

Open Source Intelligence

Training in open source intelligence gathering is provided to many of the authorities with which CEPOL partners. A session under the project organised by CEPOL in April 2019 for 20 members of Algeria’s National Gendarmerie – a rural police force – provides an insight into the regime.

A session instructs the participants on the importance of monitoring social media users and provides practical tests on identifying information on various platforms.

Participants are advised to use ‘sock puppets’ for open source research - anonymous and fake profiles used to gather intelligence that are harder to trace. To avoid detection, the officers are directed to purchase different sim cards for different accounts, use picture editing tools, and to remember to post frequently and outside of work hours. Participants are also recommended online platforms to make it easier to manage numerous fake accounts at the same time.
 

Screenshot from training slide provided to Algerian authorities

Such tactics are not only contrary to terms of use policies implemented by social media platforms, they explicitly contradict the EU’s own policies on disinformation.

Because law enforcement and government-linked bodies may often deploy such techniques to spread propaganda and disinformation as well as track people, the EU has developed a Code of Practice on online disinformation which commits social media giants to “Authenticity policies restricting impersonation and misrepresentation.”

Facebook, for example, has policies which ban people from misrepresenting themselves, as well as engaging in “inauthentic behaviour”, described as the use of accounts “to mislead people or Facebook about the identity, purpose or origin of the entity that they represent”.

At the same time as CEPOL was advising participants how to thwart these restrictions, in Algeria’s capital in April 2019, a huge protest movement known as the Revolution of Smiles was taking place, culminating in the resignation of President Abdelaziz Bouteflika after 20 years in power. What followed was a wave of online disinformation and censorship, driven by networks of pro-regime fake accounts posting propaganda and reporting high-profile democracy activists.

Known as ‘electronic flies’, there is no indication that any of these troll networks were organised by anyone who attended the training – but nevertheless the promotion by the EU of techniques used to silence pro-democracy voices in a key neighbour must ring alarm bells.

Having established a “secure” profile, participants are also taught to use the tools of open source intelligence gathering. The sheer amount of data and network-connected devices around today, many of them vulnerable or poorly secured, means that the techniques used by open source professionals – while publicly available to anyone – can be surprisingly powerful. Such techniques go well beyond reading through the internet and include using online tools to access information not readily available, many of which are typically used by amateur hackers without coding expertise.

For example, the presentation describes the use of ‘dorking’, the identification of pages online which aren’t supposed to be public but which are nevertheless available due to poor security practices, as well as search tools used to map Wi-Fi networks (WiGLe), identify devices connected to the internet (Shodan), and search for similar usernames across the web (Sherlock). One tool, Wi-Fi Pineapple, is an openly available tool used to test the vulnerability of Wi-Fi networks, but which can be used to perform ‘man in the middle’ attacks to access people’s information, such as passwords. The presentation describes the use of the tool in conjunction with SSL Strip, a method of bypassing the encryption used by websites to protect users.
 

Screenshot from training slide provided to Algerian authorities

In a module on how to “go further” on Facebook provided to 20 agents of Morocco’s Directorate General for National Security (DGNS), accompanied by the advice that Facebook has been “helping stalkers since 2004”, the participants are advised to never use their personal profile, but to use fake profiles which are described as precious assets which need to be maintained like an “orchid”. Participants are advised to use open source websites designed to access information from Facebook, including Stalkscan, WhoPostedWhat, PeopleFindThor, and Facebook Matrix, as well as social network analysis tools used to visualise relationships. 

 

Screenshot from training slide provided to Moroccan authorities

In a module on how to analyse Twitter in real time, participants are advised to use open source tools designed for scraping tweets from the platform. In order to gain access to tweets in the required form, the participants are advised to register as developers – a service offered by Twitter which allows users enhanced access, for example in order to perform advanced searches to tailor targeted adverts.
 
To register as a developer however, users have to apply to Twitter, which the module makes clear is problematic because Twitter formally prohibits the use of developer accounts for surveillance. In its restricted use cases for developer accounts, Twitter makes it clear that “we prohibit the use of Twitter data and the Twitter APIs by any entity for surveillance purposes, or in any other way that would be inconsistent with our users' reasonable expectations of privacy. Period.” In its agreement with developers, Twitter states that “In no event shall your use, or knowingly display, distribute, or otherwise make Twitter Content, or information derived from Twitter Content, available to any Government End User whose primary function or mission includes conducting surveillance or gathering intelligence.”[2]

While the training session concedes that Twitter has restricted the use of such accounts because of “Russian bots”, it nevertheless seems to continue on the assumption that a developer account has been set up, and proceeds to advise participants to download DMI-TCAT, an open source Twitter analysis and visualisation tool.

 

Screenshot from training slide provided to Moroccan authorities

If participants are not able to obtain developer accounts, or if they would like to overcome some of the limitations imposed on developer users by Twitter, the module suggests they use Twint. Openly available to researchers, Twint “utilizes Twitter's search operators to let you scrape Tweets from specific users, scrape Tweets relating to certain topics, hashtags & trends, or sort out sensitive information from Tweets like e-mail and phone numbers.”

A session provided in Montenegro also seems to promote the use of TrueCaller – an app that ostensibly allows users to identify phone numbers so they can filter out calls, even if it is from a number they have never encountered before, but which can also be utilised to identify people who have been uploaded to the TrueCaller database.

Electronic Surveillance Techniques

As well as open source tools, the training in Algeria describes the use of specialised surveillance tools available to law enforcement agencies.

A session titled “CDR and IPDR analysis and possible attacks against the mobile user” describes the use of Call Detail Records (CDR) and Internet Protocol Detail Records (IPDR) in investigations. CDRs and IPDRs are metadata obtained from telecommunications networks and operators which describe general details of a call, such as who called who, and general details of internet traffic, such as the source and destination IP address.

A slide titled “Special Software Using SS7 and its Possibilities: Geomapping, Practical Solutions Descriptions” could likely refer to tracking the location of devices using the SS7 protocol – a suite which allows telecoms operators to talk to one another, for example to aid roaming. By exploiting the protocol, law enforcement agencies are able to identify a device’s location: a whistleblower recently revealed that operators in Saudi Arabia were using such SS7 look-ups to track the locations of individuals in the US.

Another slide titled “IMSI Catchers and Radio Transmitters”, also provided to participants in a training session in Montenegro, refers to IMSI Catchers – indiscriminate tools used to identify mobile devices in a certain area, for example during a protest. PI has sought to increase transparency around the use of such devices by law enforcement agencies in the UK, which maintain that they could “neither confirm nor deny” whether or not they use them.

Other slides include “Special Technical Solutions from Scientific Projects in the Area of Predictive and Descriptive Analytics” and “Issues Around Forensic Examinations of SIMs/Handsets & Communication”, as well as modules on investigating cryptocurrency exchanges and the ‘darknet’ – websites accessible to users of Tor, the anonymous browser.

A training session delivered in Morocco on ‘collecting counter-terrorism information from the internet’ also provides an insight into how the trainings seem to promote electronic surveillance techniques. Presentations provided by EU member states officials include modules on investigating mobile phones, involving for example a technical breakdown of the architecture of telecommunications networks, how different internet and telephone hardware function, and types of unique identifiers which appear on devices and sim cards.

In a module describing what information is accessible to operators of networks, France’s system is highlighted as an example: a menu of categories of data which operators are able to provide to government authorities upon request is demonstrated, ranging from the provision of a subscriber’s name from a telephone number to the name of a subscriber visiting a particular website.

The categories correspond to a price list released by the French government detailing costs which should be paid by public agencies to telecommunications operators for the provision of certain types of data.

 

Screenshots from training slide provided to Moroccan authorities

Participants then seem to be advised on how operators are able to identify mobile internet users, and the importance of providing operators with detailed port numbers to enable an identification to take place.

Once the data is obtained, a module on analysing the obtained data is provided, recommending different ways to visualise and make connections within the data and the advantages and disadvantages of each approach. Solutions can be as simple as using open source spreadsheets, or turning to commercial products such as IBM’s Analyst’s Notebook – a common data analysis tool used by security agencies. Mercure V4, sold by French surveillance company Ockham Solutions, is featured: Ockham claims its telephone communication analysis tool is “a standard in the field of telephone investigations in Police, Customs and Borders, and other government agencies” facilitating the analysis of call data from operators, data from cell sites, and data from mobile phone memories and SIM cards.

Screenshots from training slide provided to Moroccan authorities

A training session provided by the Policia Nacional, the national police force of Spain, to police, security, and intelligence authorities in Bosnia and Herzegovina (federal as well as those based in Republika Srpska) on financial investigations similarly outlines potential avenues for tracking IP addresses, emails, and conducting wiretapping. A slide towards the end of the session also promotes the use of malware or computer trojans – software used to hack into devices to extract data and take control of functions such as the camera and microphone, and sold on the open market by companies such as NSO Group.

Such tools are highly intrusive – so much so that even where governments conduct surveillance in connection with activities such as gathering evidence in a criminal investigation or intelligence, they may never be able to demonstrate that hacking as a form of surveillance is compatible with international human rights law.

Screenshots from training slide provided to authorities in Bosnia and Herzegovina

Data Extraction

In Morocco, participants were taught how to extract data from mobile phones in a module on ‘telecommunication training’, including ‘precautions to take when seizing a telephone’ and the exploitation of telephone data using ‘Xry/Ufed’, two high-profile brand names for mobile phone extraction software produced by Swedish-based Micro Systemation and Israeli-based Cellebrite. 

Such software is used by law enforcement agencies who have seized devices to extract and visualise data contained within them. A technical analysis by PI showed that, in addition to extracting photos, messages, and web histories, such tools can also extract “content that the phone collects without any user action (and sometimes without user knowledge)” such as GPS data and data contained within images, as well as data the user has deleted.

Another training session goes a step further, promising access to not just what is contained within the phone, but also to what is accessible from it. A module promoting the use of cloud extraction details how forensic software is also able to extract data that is contained in the ‘cloud’, a term used to describe user data which is stored on third-party servers, typically used by device and application manufacturers to back up data. As cloud storage is increasingly used for social media, internet-connected devices and apps, such cloud extraction is capable of accessing large amounts of personal data, including from apps such as Dropbox, Slack, iCloud, Instagram, Twitter, Facebook, Uber and Hotmail, as well as messages that are end-to-end encrypted such as WhatsApp, if cloud back-up is enabled.
 

Screenshots from training slide provided to Moroccan authorities

In addition to detailing how such extraction works, the training session lists specific products, as well as sources which can be obtained. The automatic recovery of “tokens” is mentioned, which refers to the collection of authentication tokens by the forensic suites. Such tokens are generated by apps to allow users to log in to services without having to repeatedly enter a password every time they access the site from the same browser. Extraction of these tokens enables authorities to access the service without triggering security features such as 2-factor authentication.
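A copied token skips two-factor authentication because the second factor is checked only at login. The Python sketch below is an added illustration, not material from the training slides or from any vendor; the `SessionService` class, its method names and the `client_id` signal are hypothetical. It contrasts a pure bearer check with a server that expires tokens, asks for the second factor again when a token appears from a different client, and supports signing out everywhere.

```python
import hashlib
import secrets


class SessionService:
    """Toy session service; every name here is hypothetical."""

    def __init__(self, ttl=900):
        self.ttl = ttl        # seconds a token stays valid
        self.sessions = {}    # sha256(token) -> session record

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked session table does not leak tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, password_ok, otp_ok, client_id, now):
        # Password and second factor are checked here and nowhere else.
        if not (password_ok and otp_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._digest(token)] = {
            "user": user, "client": client_id, "issued": now}
        return token

    def check_weak(self, token):
        # Pure bearer check: whoever presents the token is the user.
        rec = self.sessions.get(self._digest(token))
        return rec["user"] if rec else None

    def check_hardened(self, token, client_id, now):
        # client_id stands in for a signal the server can verify, such as
        # a proof from a hardware-bound key; a plain header is spoofable.
        key = self._digest(token)
        rec = self.sessions.get(key)
        if rec is None:
            return "denied"       # unknown or revoked
        if now - rec["issued"] > self.ttl:
            del self.sessions[key]
            return "denied"       # expired
        if client_id != rec["client"]:
            return "step-up"      # new client: require the second factor again
        return "ok"

    def revoke_all(self, user):
        # "Sign out everywhere", for example after a device is lost or seized.
        stale = [k for k, r in self.sessions.items() if r["user"] == user]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def demo():
    """Run the constructed scenario and return each outcome by name."""
    svc = SessionService(ttl=900)
    token = svc.login("alice", True, True, "phone-A", now=0)
    out = {"weak_replay": svc.check_weak(token)}   # token alone is enough
    out["same_client"] = svc.check_hardened(token, "phone-A", now=60)
    out["other_client"] = svc.check_hardened(token, "workstation-B", now=60)
    out["revoked"] = svc.revoke_all("alice")
    out["after_revoke"] = svc.check_hardened(token, "phone-A", now=120)
    old = svc.login("alice", True, True, "phone-A", now=0)
    out["after_ttl"] = svc.check_hardened(old, "phone-A", now=901)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The step-up branch is only as strong as the signal behind `client_id`, and revocation only helps once the account holder or the service knows the device has left their hands.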

One recommendation is to use “AXIOM: partnered with GrayShift” to recover the keychain for iOS. GrayShift, dubbed by Forbes the “U.S. government’s go-to hackers-for-hire”, sell software which the company claims is able to bypass the password protections of modern iPhones – generally believed to be among the hardest to crack, while Axiom sells a suite for analysing the data once it is obtained. As well as bypassing the security protections of the device, GrayShift also claims to be able to decrypt the Keychain, where iPhones store passwords for apps and other sites.

As detailed in Privacy International’s guide on cloud extraction, once an authority obtains a user’s credentials, not only can they obtain their cloud-based data, they can also track them using their cloud-based accounts. For example, Cellebrite claims its Cloud Analyzer can “Track online behaviour, analyse posts, likes, events and connections to better understand a suspect or victim’s interests, relationships, opinions and daily activities.”
 

Screenshots from training slide provided to Moroccan authorities

Investigating Charities

Training on financial investigations given in Tunisia provides a concerning insight into how CEPOL raises awareness about the risk of charities raising funds for terrorism, and how in doing so it risks promoting suspicion and regulatory actions designed to undermine the freedom of civil society.

Delivered in 2018 and 2019, three modules on financial investigations were provided to participants from the Directorate General of Training, the Directorate General of Technical Services, the Directorate General of Special Services, the Financial Brigade, the Tunisian Customs and the National Unit for the Investigation of Terrorist Crimes. Topics covered include techniques for investigating informal banking systems such as hawala banks (a transfer system popular across North Africa, the Middle East, and the Indian subcontinent), analysing accounting records, and understanding the use of businesses by financiers of terrorism. One module, focusing on terror financing by charities, covers ‘what methods of terrorism financing abuse occur’, examples of such abuse, and ‘how the UK has responded to this threat’ - likely meaning that the training was delivered by an officer from a UK agency.

 

Screenshots from training slide provided to Tunisian authorities

The “UK approach” is promoted to the participants, which involves a regulatory oversight agency and “proactive monitoring of the sector and trends” - in line with controversial legislation in Tunisia which requires civil society organisations to register in a bid to halt terrorist financing. Concerns about the requirement have been raised by the UN Human Rights Committee, which said there was “a worrying trend of putting up barriers to the registration of civil society organisations and making the process tantamount to seeking authorisation”, making it difficult for associations to do their work, as well as the UN Special Rapporteur on Freedom of Religion and Belief who said that the regulations might have “chilling effects on the work and contributions of CSOs, particularly human rights CSOs, through the securitisation of their work.”

Reforms Needed

These training sessions are financed by a confusing set of different EU bodies and instruments with different objectives in mind. These involve the Instrument contributing to Stability and Peace, a multi-billion euro fund used to provide security assistance to countries around the world, the Instrument of Pre-accession Assistance, used to provide support to potential future EU member countries, and the European Neighbourhood Instrument, used to provide assistance to other neighbouring countries.

As the EU finalises its next budget which will set its priorities for 2021 to 2027, many of these different instruments will be centralised into one main one, called the Neighbourhood, Development and International Cooperation Instrument.

Privacy International and partner NGOs are calling on the European Commission to work with the Parliament and member states to take the opportunity presented by centralising these disparate instruments and address the inherent dangers posed by these training regimes.

In particular, we are calling on the Commission to extensively carry out and improve due diligence and risk assessments, increase transparency and parliamentary scrutiny and public oversight, and to instead focus resources on supporting the capacity of judicial, security, and regulatory institutions to protect rights before proceeding with allocating resources and technologies which, in the absence of proper oversight, will likely result in fundamental rights abuses.

More details can be found here.