Ever been asked to do something at work you think is a bad idea? Kriss Andsten has. Before he quit, he was an engineer for a California-based technology firm, and he was part of a project so questionable that one colleague described it this way: “People could well die from this work.”
So, according to leaked information obtained by Forbes, he sent a company-wide email on April 4 announcing his departure. It’s the kind of email you wish you had the guts to send but haven’t had an epic-enough reason. In it, Andsten reveals to every employee what their company, Procera Networks, was doing.
“I do not wish to spend the rest of my life with the regret of having been a part of Erdoğan’s insanity, so I’m out,” he wrote. “We are … heading down the rabbit hole where we’re not using it for good anymore, in the name of chasing the next buck. A recent request from Turkey … seals the deal for me. The Cliffs Notes version is that we’re selling a solution for extracting usernames and passwords from unencrypted traffic.”
In other words, the technology Procera was selling—and still sells—to Turkey could be used by the government to steal login credentials that people enter into websites like The New York Times or eBay. It could then re-enter those credentials into other sites, and if the passwords match (most people use the same password for everything) then the government could theoretically gain access to Google accounts, bank information and Amazon purchases. The Turkish government, which has taken a turn toward dictatorship, has persecuted political opponents and suppressed free speech. The police and military have killed protesters, activists and unarmed civilians.
When we talk about brutal regimes spying on their own citizens and using that information to oppress them, we usually think of a single bad actor: the government.
But 21st-century surveillance states require specialized skills and advanced technologies. They want the best spy gear there is, and their countries aren’t always producing it. So they buy it from abroad. With billions of dollars up for grabs in a growing niche market, technology firms have been only too happy to comply.
Worse, the people who should be stopping them—or at least challenging them—aren’t.
Western governments have regulators whose job is to assess exports and stop them if it’s likely they’ll be used to violate human rights. Over the last several years, these authorities have been unwilling or unable to do so. Surveillance technology has been shipped from Italy to Egypt, from the United States to Turkey, and from Germany to Pakistan. (The regulators and the companies argue these are friendly allies, so any restrictions don’t apply.)
Some of this equipment is so invasive, it doesn’t even try to seem innocuous. One piece of software is called “Remote Control System.” Developed by the Italian company Hacking Team, it allows users to take over a target’s computer, explore files, steal passwords and even turn on the webcam. According to investigations from the NGO Privacy International, Hacking Team has sold Remote Control System to Egyptian intelligence and to Colombia for spying on leftist rebels.
Of course, there are political reasons that Western trade inspectors might allow this technology into countries with a crumbling rule of law. Turkey, Egypt and Pakistan, which all conduct some form of internet surveillance, are also key partners in the “war on terror,” major trading partners and buffer states that help control the flow of migrants and asylum seekers to the West.
The Forbes investigation, however, offers a rare window into what happened behind the scenes at a company where individuals decided to speak out about something they believed was unethical.
Early this year, employees started to question a contract with a subcontractor of Turk Telekom, one of the main internet service providers in Turkey. For $6 million, Procera was to provide “Deep Packet Inspection” capabilities, which allow network operators to peek into data passing between website servers and computers. If the websites don’t use encryption—Latterly.org does, but many sites, including Forbes, do not—then the operator can see IP addresses, sites visited and passwords. Turk Telekom says it wanted to use the technology to catch fraudsters, but the Procera employees weren’t convinced a client would need access to so much private information. (The Turkish government used to own Turk Telekom and still has a one-third stake.)
According to the Forbes article, the employees discussed the problem over email and through a company messenger: “Capturing passwords feels like a red line in the sand that we should not cross.” “Why do we want to extract password? What is the use case? This feels pretty bad.” “Even if we discount the whole business of extracting passwords from the equation, what they are asking for is normally associated with a totally different market. I’m concerned about what the real ask is here and what brand risk exposure we’d be taking on.”
Then in April, Andsten resigned and sent the company-wide email. Other employees started speaking out more publicly, throwing Procera into chaos. Executives called a meeting to update the company’s ethics code, and the company outsourced some of the work on the Turkey contract to a Canadian firm, apparently to stem an internal uprising.
But Procera hasn’t given up the contract. This is an ongoing story…