Why should the leaked documents of a hacking company concern Malaysians?

So recently, something super ironic happened. A company called Hacking Team kena hack. It’s okay tho, cos Hacking Team is the type of company that Reporters Without Borders calls ‘corporate enemies of the Internet’ – it sells SPYWARE to governments and law enforcement agencies.

So apparently this fler hacked into Hacking Team’s servers and leaked 415GB of their top secret data on the Internet.  But why would this concern us Malaysians? Well, as you might have guessed… it’s who bought their Remote Control System software (a.k.a. GALILEO) that’s scary… And to our horror, we found out the Prime Minister’s Office and Malaysian Intelligence (MIMY) have ACTIVE accounts! MACC also has an account, but sudah expired.

OMG is the Government spying on us? Can they see us in the shower? How to go on with life?! Previously we thought it was the US and Australia spying on us when Edward Snowden blew the whistle on them, but now our own Government too? Apparently Malaysians are not alone in this. Turns out, the US FBI, Singapore IT and telecommunications agency, the Australian Federal Police and 30 other countries also bought Galileo. And now, who knows who’s spying on who spying on us spying on them!

We’re not sure if the hacker Phineas Fisher exposed them because he believes in people’s fundamental right to privacy or because he was fishing for marriage proposals from hot Russian spies, but we definitely have him to thank for making everyone aware of this.

 

OMG SO WHAT DOES THE GOMEN KNOW ABOUT ME!?

https://www.youtube.com/watch?v=8GhEvuU8LjU

Being on the noob side of technology, we roped in experts to help us out. We spoke to Khairil Yusof the Coordinator and Tan Sze Ming the Programme Officer from Sinar Project, a parliamentary monitoring organisation. First of all, we asked her how does a tool like that work?

“It’s a spyware or malware virus that infects your device. Any kind device that can connect you to the Internet, like a handphone or computer.” – Sze Ming told us over the phone

One of the leaked documents we found on Google Drive is a price list that reveals Galileo can hack into your WhatsApp, SMS, Skype calls, emails, passwords, location, contact lists and call logs…. and no super tight privacy settings OR anti-virus programme is gotta help you.

Not creepy enough? It can even activate your webcam and microphone to record any physical activity.

Depending on whether you wanna spy on desktop platforms (Windows, Apple OS, or Linux) or mobile (Android, iOS, or Blackberry), for example, the price can range between €40,000 to €400,000.

We’re guessing the Malaysian gomen got the top-of-the-line one la… y’know… since they can pay RM6.6million for spellchecker.

So how does a device get infected to begin with? There’s no shortage of ways, Sze Ming tells us. The virus can come in through apps that we install in our phones or sometimes through weird links. Sometimes the apps have pop ups that prompt us for permissions, sorta like this:

 

But WHO is the gomen spying on and WHY?

Obviously the Government is not gonna TELL you if they’re spying on you, and that’s assuming if they are. But civil liberties lawyer Syahredzan Johan suggests the rakyat could always try to pressure them to reveal the truth. However, assuming that they are, then journalists and human rights activists are considered at risk groups, Khairil told us in an email (come to think of it, someone had been trying to break into CILISOS’s system a while back). Why journalists and human rights activists specifically?

“Most probably to stop people from spreading negative views about the Government.” – Sze Ming

According to Amnesty International, governments (in general) use this technology to prevent abuses from being exposed. Luckily for journalists and activists, Amnesty launched a FREE counter spyware tool last year called Detekt. “It represents a strike back against governments who are using information obtained through surveillance to arbitrarily detain, illegally arrest and even torture human rights defenders and journalists,” said Marek Marczynski Amnesty’s Head of Military, Security and Police.

Not that we’re saying in Malaysia they kena torture so bad as these 6 arrestees told CILISOS before.

There’s another group that could become targets – criminal and terror suspects. You can look at it two ways: 1) Police can catch violent criminals and terrorists easily. 2) But at what price…all of us ordinary citizens, our privacy? OMG, what if YOU became the suspect even though you’re innocent? And lately after they tightened a few security laws such as POTA and SOSMA, you don’t wanna be on the receiving end of it for sure.  😕

*Cue disclaimer: We have no proof that the Government has indeed spied on people and stuff, so we’re not alleging that they have, kthnx.

 

And it’s unconstitutitutional too!

Now that you’ve answered the poll, did you know that spying on you is, a legal violation of your constitutional rights? Article 5 protects Malaysians’ right to ‘life and personal liberty’; and ‘personal liberty’ of course includes the right to PRIVACY, recognised by the Federal Court. So just because it’s the Government, does it make it any better than a creepy neighbour peeping at you?

Maybe some of you might say it’s a grey area. It’s more acceptable coz…well…they’re the Government. Privacy is not a big thing in Malaysia compared to the Western world. Errr, except for the US, who likes to spy on EVERYONE. Even the UN slammed the US for spying on their own citizens and other world leaders. In Malaysia there’s a lack of privacy activists Syahredzan noted. We did a quick search on Google and seriously couldn’t find privacy activists specifically (if ugaiz know anyone who is one, please introduce them to us).

Heck, there’s barely any laws that protect a person’s privacy other than the Personal Data Protection Act 2010. Sze Ming shared an unsettling story about her friend who kena hacked:

My friend who working in MP serdang’s office told they received report on scamming. And they lodged police report, police told them no way for them to handle scamming cases, as well as hacking. “My friend who works in the Serdang MP’s office received a report on scamming. They lodged a police report, but the police told them there’s no way for them to handle scamming cases, as well as hacking.”

Aiyo, so how to protect my privacy?

Here’s where Sinar Project comes in…

“It’s hard to know who’s online, spying on you. It’s hard to detect,” Sze Ming explained. There won’t be like some kind of indicator on your computer or phone saying ‘Someone is intercepting your data’. So ordinary people like us really won’t know when we’re being spied on. Isn’t that freaky?

Just as the Government has different ways to block websites (as explained by Sinar Project in our previous article), there are different sections where they can hack in to spy. The slides Sze Ming shared with us explains how:

So the best way to truly protect yourself, is to not simply click on things.

“Don’t install apps that ask for all kinds of permissions.

Don’t click on pop ups.

Don’t key in your handphone number, IC, email address, etc.

If you receive scam emails, make sure you don’t click on those weird links…anything that looks suspicious.” – Sze Ming

She also shared more ways we can protect ourselves from prying eyes here. But Sinar Project has a more in-depth surveillance self-defence programme coming up in September and it’s open to everyone. Would be useful for journalists, bloggers, social media users and activists, maybe? Sze Ming will be training people on the types of tools and measures to protect digital spying, like how to delete your data securely and encrypt your digital devices.

 

Wait…shouldn’t they NOT spy on us instead?

Protect ourselves? Protect ourselvesss?! Should citizens have to defend their right to privacy against Governments? What about like ethics and respecting our privacy and all that stuff? Considering they are the ones who decide what’s ‘illegal’, then who will protect us?! Well, that’s why Khairil said we need a bipartisan parliament oversight committee. A wuuut?

“A civil society digital rights watchdog, with the technical and legal capacity to ensure continuous monitoring and to hold government accountable for issues such as this.

This organisation should also advocate use of tools and defensive measures by citizens, particularly at risk groups such as journalists and human rights activists.” – Khairil

Kinda like the Public Accounts Committee (PAC) – an organisation made up of both Government and Opposition flers that is btw investigating 1MDB right now! But you know what makes Sinar Project even awesomer-er? Those guys are collaborating with Loyar Burok to fight for better digital privacy laws.

“We’re planning to lobby in Parliament for law reform on digital security and privacy. We’ve just started!” – Sze Ming

And you guys can help too!

Sinar Project accepts cash donations!

When donating, please let them know which project it is for, or if it’s a general donation by sending them an email at [email protected].  All donation amounts and usage will be reported in respective project pages.

BANK	Malayan Banking Berhad (Maybank)
SWIFT-BIC	MBBEMYKL
BENEFICIARY	Sinar Project PLT
ACCOUNT	512307614259

 

They also accept donations of books and tech stuff. So check their CONTRIBUTE page for more info. CILISOS will top up RM50 for every single cash donation made (up to RM1k la we not that rich). Meaning let’s say 4 of you donate RM10, RM1,000, RM10,000 and RM2,467, we’ll chip in RM200 🙂 If you’ve donated, let us know in the comments below.

As for the current case, they are not letting it slide. Khairil urges PAC to investigate how the PMO, MACC and Malaysian Intelligence used the spyware and if it was used unconstitutionally, the public must be told. Now, we’re not expecting them to readily tell us what happened, so Phineas Fisher, you wanna take a crack at it? Just kidding. Don’t hack. Hacking is not cool!