Fear This Man
To spies, David Vincenzetti is a salesman. To tyrants, he is a savior. How the Italian mogul built a hacking empire.
Outside critics were anything but sanguine. The company’s notoriety grew, particularly among privacy advocates. In March 2013, Reporters Without Borders included Vincenzetti’s operation in its annual “Enemies of the Internet” report, warning that online surveillance posed “a growing danger for journalists, bloggers, citizen-journalists, and human rights defenders.” That autumn, about 20 activists stormed their way past the Hacking Team’s frosted glass door in Milan. One protester shouted through a microphone, while others waved fliers with slogans like “United We Stand” and “#Stop Watching Us.” Many of the demonstrators wore white plastic masks with wide smiles, rosy cheeks, and Van Dykes — the guise of Anonymous, the international collective of activists and hackers.
According to Vincenzetti, who was in Rome at the time, the intruders stole whatever they could grab — papers, notes, personal items — while filming their invasion, which they later posted online. “It was a full assault,” he says. (No one was injured.) Three days later, when the CEO returned to Milan, he got into his gray Smart car to find its battery exposed and the fuel cap missing. “It was a warning,” he insists. Vincenzetti’s rise had not come without a growing opposition, wishing and working for his fall.
In June 2014, the Hacking Team received a fax from the U.N.’s Security Council Committee, referencing another Citizen Lab report released earlier that year. International sanctions prohibited the sale of “arms…including military equipment,” wrote Lipika Majumdar Roy Choudhury, coordinator of the U.N.’s panel of experts on Sudan. The company’s dealings with that country may have constituted a violation of this ban.
Vincenzetti’s team pushed back. Alessandra Tarissi De Jacobis, a lawyer from Cocuzza & Associati Studio Legale who advised Vincenzetti on the matter, informed him in an email that selling RCS to Sudan was akin to hawking it Tortas de Milanesa. “If one sells sandwiches to Sudan, he is not subject, as far as my knowledge goes, to the law,” she wrote. “HT should be treated like a sandwich vendor.” The U.N. had a different opinion: “The view of the panel is that as such software is ideally suited to support military electronic intelligence (ELINT) operations it may potentially fall under the category of ‘military…equipment’ or ‘assistance’ related to prohibited items,” Choudhury wrote. “Thus its potential use in targeting any of the belligerents in the Darfur conflict is of interest to the Panel.”
Last December, the panel presented the U.N. Security Council with a report accusing the Hacking Team of failing to cooperate with its inquiry, saying “it found it difficult obtaining accurate information” from the firm. The Hacking Team “certainly obstructed the work with the panel by consistently and deliberately failing to provide the specific information at its disposal as requested by the panel,” according to an unpublished U.N. report leaked to Foreign Policy’s senior diplomatic reporter Colum Lynch in April. The U.N. has not taken any action against the Hacking Team. Vincenzetti, though, says he ended the company’s contract with Khartoum in November 2014.
Looking back, Vincenzetti claims that had he been more informed about Sudan, he “would have never sold to them.” But he will not say he regrets the deal. “We didn’t break any law,” he goes on, nonplussed about the experience. “It just happened.” In other words, the company made an error in judgment — nothing more. But even that wouldn’t be tolerated for much longer.
Italy implemented the Wassenaar Arrangement, a multinational pact that controls the export of dual-use goods, on Jan. 1, 2015. The arrangement, originally created in 1996, had been amended to include surveillance software, which meant the Italian government would now vet the Hacking Team’s clients. After previous run-ins over what he calls his “inefficient” information on customers, Vincenzetti considered the Wassenaar a relief. “Now they tell me exactly what is allowed and what is not allowed,” he explains, “and I’m very happy about that.”
Behind the scenes, however, Vincenzetti had attempted to work around the rules before they even came into effect. In late 2013, according to leaked emails, the businessman was negotiating with the Saudi Arabian government to sell the kingdom a majority stake in the Hacking Team, which would give the Saudis controlling interests. Though Vincenzetti won’t confirm or deny the talks, part of the appeal, it seems, was to set up shop beyond the Wassenaar’s scope. “The newco should be away from countries adhering to the new, forthcoming export regulations on ‘offensive technologies’ which will [be] dictated by the recent Wassenaar Arrangement,” Vincenzetti wrote to his contact in Saudi Arabia. “We would like the newco to be in a country which will not impair the export of our technology.” (Vincenzetti says he does not recall the correspondence or this particular comment.)
The negotiations fell apart for unknown reasons. Vincenzetti insists only that his company has taken an unfair beating about other dealings in Saudi Arabia, which Citizen Lab disclosed in its 2014 report. “We have clients in Saudi Arabia,” he says. “Is Saudi Arabia a democracy? No, it’s a kingdom. You can approve or not approve this. I am not the judge of this. Still, there is something which is very clear: There is al Qaeda in the Arabian Peninsula. It is very strong, very organized, very active…and invariably strikes in Saudi. These terrorists can be fought over there.” He would not comment on Riyadh’s human rights record.
Yet the discussions with Saudi Arabia telegraphed to many Hacking Team employees that the company might be “a sinking ship,” Landi says. “They were trying to sell the company so there was not much attention on making a good product.” Pelliccione agrees: “The company became more and more opaque,” he says. “I decided I don’t need to do this for a living.”
Pelliccione quit in February 2014, followed by Landi and others. Landi claims that when he gave notice, Vincenzetti said it wasn’t new information. In other words, as Landi and others had already believed, Hacking Team employees were under surveillance too. “We accepted this,” Pelliccione says. “They know where you are and where you go.” But Rabe, the Hacking Team spokesman, rebuts this claim: “No surveillance of Hacking Team employees has occurred.”
Angered by the rising tide against him, and frustrated by Citizen Lab’s reports condemning the Hacking Team, Vincenzetti publicly defended his company. In a November 2014 letter to the Intercept, which had published Marquis-Boire’s analysis of the Hacking Team’s technology, Vincenzetti dismissed his foe as “a tireless wolf-crier on the issue of privacy as he defines it—apparently requiring anyone to be allowed to do anything without fear of detection.” (In an email, Marquis-Boire described his reaction to Vincenzetti’s words as one of “amusement?”.) Reporter Brian Donohue fired off a response on the security blog Threatpost, which read, “Interestingly, Vincenzetti does not directly say in his letter that his company does not sell products to despots.”
Privately, Vincenzetti dialed back his cavalier attitude. Later that November, a client asked in an email whether it would be possible to record a Hacking Team training for later use. “Definitely NOT!!!” Vincenzetti responded. “Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! You would be demonized by our dearest friends the activists, and normal people would point their fingers at you.” Yet he couldn’t help but continue to savor his company’s reputation. “Definitely, we are notorious, probably the most notorious name in the offensive security market,” he emailed Daniele Milan, his operations manager, in May 2015. And that, Vincenzetti added, “is great.”