go to content
World

Report: Pakistan's New Spy System Wants To "Rival The NSA" In Data Collection

The Pakistani government is reaching out to U.S. and European companies to help it build a sophisticated mass surveillance system, according to a new report published by the London-based Privacy International advocacy group.

Posted on

Pakistan has been trying to build a sophisticated National Security Agency-style mass surveillance system that would let it tap the phone calls and emails of hundreds of millions of people worldwide — and has been contracting with Western and other international companies to achieve its goal, a new report claims.

The report, by the U.K.-based advocacy group Privacy International, does not say if Pakistan has built the system. But it raises concerns about what Pakistan — a country that has been accused of providing refuge to the Taliban and has a history of cracking down on human rights activists — would do with the ability to carry out mass surveillance.

Pakistan was one of the so-called 3rd party partners approved to take part in gathering intelligence from electronic signals with the NSA. For years, the U.S.-run surveillance program in Pakistan intercepted communications in the country and provided intelligence to U.S. military operations across the region. But the Privacy International report published Tuesday says Pakistan has begun developing its own capability and would not be relying on the U.S. to gain access to hundreds of millions of people's emails, phone calls, and other communications.

Pakistan has already built itself a sizable surveillance toolkit, purchasing surveillance technology from companies ranging from the U.S.-based Blue Coat to the Chinese Huawei, according to the report. Those companies are known for their so-called deep-packet inspection software, allowing a user to search internet communications for a specific term. Another company named in the report, the U.K.-based Finfisher, develops and sells monitoring systems that can be used to spy on people using desktops and smartphones. It was ordered to report its activities in Pakistan by the Lahore High Court due to a petition filed by the Pakistani civil society group Bytes for All. At the time of this report, however, no activities report has been filed to the court.

Finfisher and Huawei did not respond to requests for comment from BuzzFeed News. BlueCoat sent BuzzFeed News a statement saying its end-user agreement "prohibits use of our products in public Internet networks in a manner that violates individuals' rights to privacy and freedom of expression."

The recent breach of the email server of the Milan-based Hacking Team surveillance company also revealed that the group was in talks with Pakistan's Inter-Services Intelligence (ISI) to sell its monitoring system.

To enhance their bids, several Pakistani contacts name-dropped current or former Pakistani intelligence officials they claimed close relationships with in an effort to persuade Hacking Team that a project in Pakistan could be expansive. "Our project lead on this is Brig. Javed Malik who was Deputy Director (Analysis) ISI-Technical Wing," wrote one. In another, "Brig Waqar is the Telecommunications head for ISI and the person responsible for all evaluation of products . We have extremely close relationship with him and can get you a letter in a few days."

Hacking Team did not respond to requests for comment.

These companies are named in the report as providing software to the Pakistani government dating back to early 2004. Nine years later, in 2013, Pakistan sought to drastically increase its mass-surveillance abilities, the report said. Documents provided to Privacy International reveal communications between the ISI and an unnamed company to commission a surveillance system that would tap into three international undersea fiber optic cables, effectively allowing them the sort of mass surveillance that had previously only been done in the country by the NSA. The report stopped short of saying whether Pakistan had moved forward in the last two years on creating the new surveillance system.

The system named in documents as the "Targeted IP monitoring System" would help ISI create centralized command centers in Karachi that would allow it to collect "a significant portion of communications travelling within and through the country," according to one of the company documents posted by Privacy International.

"While it is not clear whether the project was approved and built it is a marker for the imbalance currently in Pakistan between the power of the intelligence community and the power for the public to hold them to account," Matthew Rice, advocacy officer for Privacy International told BuzzFeed News. "It would appear that the ISI's plans for the kinds of technology they want to buy and the kind of project they want to put together illustrates an intelligence agency stretching the limits of what is democratic and what is legitimate when it comes to surveillance."

Researchers behind the report told BuzzFeed News that they could not say whether or not the project proposed by the ISI was accomplished.

"They are kinda copying the precedent shown by by the United States and trying to create their own NSA, or something that could rival the NSA" said one of the Privacy International researchers, who asked not to be named. "There is no indication that anything the ISI was doing was part of the NSA program. This is them trying to create their own mass surveillance network."

In interviews with BuzzFeed News, employees at companies currently operating in Pakistan and Western officials based there said the Munich-based Trovicor Company, previously known as NSN, was a front-runner for the contract.

NSN was one of the first companies to provide Pakistani authorities with lawful interception capacities in the late 1990s, according to Privacy International. NSN, which was originally a joint venture of Siemens AG and Nokia, was renamed Trovicor following damaging revelations in 2009 that NSN had sold monitoring equipment to Iran.

"Trovicor continues NSN's legacy," reads the Privacy International report. "It has expanded the capabilities of various monitoring centers across the world, including those connected to key service providers such as Telenor, Mobilink and Warid."

Trade records for Pakistan published online show Trovicor shipping more than 2,500 tons of computer equipment to one of Pakistan's largest cell phone carriers, Warid, in September 2014.

According to its own brochure, Trovicor's system is a "state-of-the-art solution to monitor, analyze and store all data acquired during investigation activities, such as the interception of communication data in fixed and mobile networks, to Next Generation Networks and the internet. The systems capture interactions, transactions and surveillance from multiple sources, including telephone, radio communication, email, web, chat, social media, and more in order to provide a framework for merging data into a single operational view thus providing meaningful information to decision makers about threats and targets."

Trovicor did not respond to repeated requests from BuzzFeed News for comment on its products, or on its business contracts in Pakistan. Two competitors, one from Narus and another from Alcatel, both of whom do business in Pakistan, told BuzzFeed News on condition of anonymity that they had heard that Trovicor had recently increased its business in Pakistan but did not know details of the deal.

The Pakistani Embassy did not respond to requests for comment.

Advocacy groups, including Privacy International, called Tuesday for the Pakistani legislature to investigate where the ISI stands on efforts to expand the country's mass surveillance system, and whether it has moved forward on installing international undersea fiber optic cables terminating in Pakistan.

"The scale of the system proposed by the Inter-Services Intelligence does not just affect those who live in Pakistan but also those who live in the region and anyone whose communications travel through Pakistan's networks," said Rice. "This will include a huge amount of innocent people swept up in a project like this for no good reason. We need to know whether this project was approved, and if so how it is being regulated to prevent abuse of such a powerful system."

Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F

Contact Sheera Frenkel at sheera.frenkel@buzzfeed.com.

Got a confidential tip? Submit it here.