Good morning, everyone. Imagine you're in a position where you decide that, well, you want to know the surveillance capabilities of your government. This is nice. Well, everyone wants to know that, but now imagine that if you ask questions, they're required to be answered; that would be even nicer. That's what freedom of information requests are for, and here to tell you about how this can be applied in Italy, to determine what the Italian government has capability-wise, is Riccardo Coluccini.

Okay, hi, hi everyone, I'm Riccardo Coluccini. I'm a freelance journalist in Italy, writing mainly for Motherboard Italy, and also a member of the Hermes Center for Transparency and Digital Human Rights. What I'm about to introduce to you today is a project for monitoring government surveillance capabilities by means of transparency tools.

Some background: the Italian history is peculiar due to organized crime and mafia. There are specific transparency and anti-corruption laws that can help to understand better what is going on for this kind of project. But when we talk about surveillance, Italian surveillance is well known abroad, worldwide, due to some companies such as Area and Hacking Team. They are well known for exporting surveillance technologies to authoritarian regimes all over the world, and also, Hacking Team, for the huge hack which it suffered. And my question was: okay, the surveillance technologies developed in Italy are famous abroad, but what's going on in Italy? What are the technologies that the government is using to intercept and surveil its own citizens?
What I did is basically starting from some open source intel available online, starting from two great websites, the Surveillance Industry Index and buggedplanet.info, which gather some information on several surveillance companies from all over the world. Specifically, I looked for the Italian ones, the main Italian ones. Starting from that, I turned to Google, searching for their VAT tax numbers, which gave me some interesting results.

What I got were some spreadsheets detailing the payments by the Ministry of Interior to each company. Why did this happen? Because, due to transparency law number 33 of 2013, the public sector is obliged to publish its payments. From these spreadsheets, what I got besides the money was also the subject, the tender identification code of what they were paying for.

Using the tender identification code, I turned back to Google again, googled it, and what I found were some XML files in which were detailed all the public procurement datasets of the public sector. This again is due to an anti-corruption law: each public sector body, so the Ministry of Interior, for example, the Ministry of Defense, the Ministry of Justice and all other public offices, is obliged to publish in this XML format the information regarding their public procurement datasets. So whatever they're interested in buying, and there is a public tender, is going to be published online. This is the format.

And given this data, this was my reaction. I had all the ingredients to start monitoring exactly what the government was buying, how much it was paying for it, and which were the companies involved. So I constructed this workflow, which is basically: starting from the public procurement dataset XML files, I can get the tender identification code and the list of companies participating in the tenders.
It's not only the company that won the tender; there are all the participants, which is pretty interesting because you can discover new companies that you weren't aware of before. Given this data, the tender identification code and the list of companies, thanks to the freedom of information access law recently introduced in Italy at the beginning of 2017, I can ask for documents regarding invoices issued by the several companies and technical and economic offers of the public tenders. In this way I can monitor the expenditures and I can get information on the software, the technologies and the devices that these companies are selling to the government.

So let's start with some of the results of this monitoring. The table on the right: these were the companies which I gathered from the open source intel websites, so I was able to more than double the number of companies, and there are more to add. The two that I highlighted are some peculiar ones. There's one which is called NSA Italia, which is a pretty fun name for a company, and there's also Telecom Italia, which is the second largest telecommunication company in Italy, which is well known, which is big, and which is weird to find in a database of companies selling surveillance technologies and devices, but we'll see later why.

Now I want to focus better on two other companies. The first one is Cy4Gate. Cy4Gate is a pretty recent, new company; it belongs to the group of Elettronica and another Italian company, and among their products, two of them are the Wi-Fi Catcher, which is basically a Wi-Fi network monitoring system able to geolocalize and identify the nodes and provide some traffic flow analysis. The net int, instead, is basically an integrated platform which provides you the possibility to surveil phone calls, instant messaging chats, posts you make on social media and even voice over IP calls. Go have a look at their Twitter account. It's interesting. There are some interesting pictures.

Another company is CPM.
This one basically sells jammers, drone jammers also, but looking into the tenders, there was a tender regarding IMSI catchers, and CPM Elettronica is stated to be the official reseller of the Cellxion company, which is an English company selling IMSI catchers. So this is one of the results that we can get with this approach: we can discover also official resellers of companies that are based abroad but somehow are selling devices that the government, the Italian government, is interested in.

Still remaining on the topic of IMSI catchers, this is the XML data that you get regarding the tender. So on top there's the subject, the providing of an IMSI catcher system. Then there is the list of participants. There are some well-known names, and there's also Telecom Italia. So Telecom Italia, our telecommunication company, participated in a tender in 2015 for an IMSI catcher system. They didn't win; the company that won at that time was it alarms, the first one on top.

Regarding IMSI catchers, still, you can get some information from the technical specifications that the government is requesting from these companies. So, yeah, they're asking for the downgrade.
So passing from 3G to 2G, from 4G or 3G, so to weaken the security of the communications, and they provided also a scheme of what they would like the IMSI catcher to provide to the authorities. So you see, basically to track and provide some location targeting, following around the specific target, collecting, as you see at the center, the IMSI and the IMEI numbers.

This was regarding IMSI catchers. So let's try to build the real, the proper toolbox of what they're interested in. What about internet surveillance and internet interception? What I found there was a project which belongs to the National Operative Plan, which is a plan to foster the development of companies in the south of Italy, which is using European money and Italian public money to fund this kind of project. This project, which was held by the company RCS, which is another well-known surveillance company from Italy, was basically to provide some internet probes to provide the lawful interception of data traffic: interception regarding a specific user, or even intercepting traffic from or towards a specific site. What was weird is that the tag of this project, highlighted in yellow, is for cultural activities.
So they basically said this project regards the cultural sphere, but it's not; it's an internet probe for interception. The cost of this project was a little bit more than 900,000 euros. It was approved in 2006 and it received 133,000 euros of public funding, and the last payment was due in January 2015. I filed a request for information to receive and obtain all the documents regarding this project, since it was funded with public money. But the answer I got was a no, a huge no, due to intellectual property issues for the company and to the secrecy of the technology itself from a national security standpoint. Which is a pity.

Next, let's think about social media and all the posts that we do online. The Ministry of Interior has bought a system for social media intelligence. The project, the codename of the project, it's crime. What does this system do? Basically, its aim is to provide a media monitoring system to gather all audio files available online from social media, so Facebook, Google, YouTube and everything. Basically, doing that, they are crawling, scraping these webpages, transcribing the audio files that they get, identifying the speakers, and storing a database of voice fingerprints. Which is pretty concerning.

The data protection authority, the Italian data protection authority, has opened an investigation into this and has requested more documents and information from the Ministry of Interior, because this specific system would have to be implemented to fight terrorism, but the power of these instruments, regarding the ability to crawl, scrape, and also how these voice fingerprints are stored in the database: what are the safeguards? What is going to happen?
This is not clear. But luckily I filed a freedom of information access request, which was granted partially. What happened: the Almawave company, the one on top on the right, won the tender, but they refused to provide their technical offers due to intellectual property issues. But we received some others, for example from RCS, Vitrociset; they are well-known companies. And this is an excerpt from the Vitrociset technical offer, and you see on the left side all the public channels including tar, uh, Yahoo, Google, Reddit, and basically how they would like to stream. So, no, who's there, then to pass through, because you also have a knowledge understanding of what's the meaning, and the system also translates, so it gets audio from several languages.

All these documents that we obtained will be published, probably at the beginning of 2018. They're in Italian, and so we have to understand how to properly translate them or make them available to all the community. But let's move on.

Recently, here in Germany, I read an article on the Berlin train station: they're going to test a face recognition system. Well, Italy wants to do the same, or actually maybe a little bit more. What they did is, at the beginning of this year, they bought a face recognition system for a project called SARI, which is basically a face recognition system. This is the architecture, a picture taken from their required technical specs. So you have, basically on the right, the AFIS; it's the database of, let's say, the mug shots, all the images that they already have of criminals. They would like to have this application with several engines using several face recognition algorithms to find the specific person contained in the image.

The system is split into two different parts. There's an enterprise version which has to deal with 10 million images and which is basically a static version.
So you have, I mean, you have an image, and you would like to know if the person in that image is present in your database. The other one is a real-time one, which needs to work together with 10 CCTV cameras that they bought in this tender as well, to be deployed according to their necessities around Italy. This system will spot the person in real time, comparing to a watch list of 10,000 images, which are concerning numbers, both the 10 million images and the 10,000.

I'm sorry. We filed a freedom of information request also for those technical offers, and we had some issues, because they only provided the technical offers of the company that won the tender, but obscured; they redacted some passages. So it's not completely clear what's the engine used. But again, also for this system the Italian data protection authority opened an investigation, asking for more information from the Ministry of Interior.

But let's move on. What can we request with our freedom of information law in Italy? We wanted to request invoices. So this is an example of an invoice that I requested for the company Area. As you see, they come redacted. So they wanted to remove some specific details regarding investigations, but they basically provided us with documents. So this is good. This is leverage, because we have a precedent: they provided us some invoices. I keep asking for new invoices, so they're coming, we are collecting them. We would like to understand how much they spend on these technologies.

So far I've been talking about the Ministry of Interior. This project can be applied also to the Ministry of Defense and the Ministry of Justice. With the Ministry of Interior, though, there are some caveats, because the transparency laws there are not so powerful as in other cases, but still we can get some information.
This is the PDF document detailing the expenditures of the defense regarding some communication intelligence, the empowerment of communication intelligence systems. A pretty interesting one is the one I liked, which is a big old system developed by the company Expert System, and this big old system is used to select the intercepted traffic and to provide a sort of speech-to-text translation, so to transcribe it. And here you can see more details. Yeah, we would like to think about it as some sort of weaker version of XKeyscore, but, yeah, because basically you have some searching criteria, parameters; you can search, connect and provide a comprehensive understanding of your target.

So what was my initial question? What's inside the toolbox of the Italian government? It looks like the Italian government has acquired everything that it needs, everything that other bigger nations use, such as face recognition, social media intelligence, international interception and IMSI catchers.

But what's next? We would like to keep filing these freedom of information requests to get all the invoices and technical and economic offers. We would like to expand the database of companies, because there are some missing companies. For example, Hacking Team: there was no information regarding that, but we are trying to find companies connected to them, and this would be really helpful, because if we find the companies that are participating in the tenders, we know more companies that are trying to sell this kind of technology, and we can somehow link them to Hacking Team or other more important companies. Another point, an interesting point, is to push the government on the expenditures. So how much is it spending? Not only from a privacy-concerned point of view, but also from the expenditures point of view: how much does it cost to surveil
your citizens? And in this way we can somehow understand it.

What is missing so far is to analyze the legal framework that lets the government use such technologies. So far it's quite blurred. For the face recognition, there was not even a mention of the terrorism threat. It was like, yeah, we want to buy this face recognition system and use it in public events. Which is concerning, which is not even like the social media intelligence system, only for terrorism-related issues.

And something more: we would like to involve activists from other countries, because we think that this framework could be applied, could be exported to other countries, and to do that specifically there's going to be a workshop right after this talk, at 2 p.m., at the Rights and Freedoms assembly. I was going to work there. There is a Horizon 2020 funded project, which is called DIGIWHIST, the Digital Whistleblower, which is providing a platform for an accountability mechanism to understand what's the situation of the nations in Europe. But then the workshop is, if anyone is interested, we can discuss other nations, and from this, yeah, coming to the workshop, we can see how the public procurement datasets are available, which laws provide in the other countries the availability, the possibility to apply this same framework to understand how your country is acquiring such technologies and techniques. So I invite you, if you're interested, to come to the workshop later. Yeah, that was it.

Thank you very much, Riccardo. We have four microphones here in the hall that you can line up behind for questions, and we also have plenty of time for questions. Are there questions from the internet?
No questions. In that case, microphone number one, please.

Hi. So when you were starting out your investigation, you said you looked at Bugged Planet and the other website for Italian companies providing surveillance equipment. Are there laws in Italy specifying that the surveillance technologies have to come from domestic suppliers? Or why was there the choice to focus solely on specifically Italian companies?

Not sure on the laws regarding the domestic suppliers; at least, I don't think that for the Ministry of Interior there are any constraints, such kind of constraints. What I wanted to know, it was like, I basically started from that because they were the well-known companies, and basically then I found that in my hands. So it basically dropped in my hands and it was like, okay, let's start digging deeper. So, yeah, I don't want to focus only on Italian companies. Yeah, if any foreign companies pop up in the tenders, I will surely follow the trail, for sure. So, yeah, there was no specific reason why I did that.

One question from the internet via our signal angel, please.

Yes. Um, are these tools under secrecy?

Under secrecy? Well, when I requested information from the police, if these technologies were being used, how many times, how often and such stuff, they didn't reply, they didn't say anything. So I hope that the data protection authority can understand better what's going on. And of course we will try to see if it's already been used. So, yeah, not probably under secrecy, but kind of.

Microphone number two, please.

Hello, did you ask the ministry what is the relation between culture and IP surveillance?

Um, I requested that in the freedom of information request.
I mean, I did that to the Ministry of Economic Development, because it was the one holding that kind of project, but they didn't reply on that, so...

Microphone number four, please.

Ciao, Riccardo. Tendering in Italy, if I'm right, is something limited to offers higher than 80 or 100,000 euros. So do you know, do you have the feeling that there is some obfuscation by going below the tender line in order to not go into the public, into those databases?

I didn't specifically check on that, but that's certainly a point. I mean, from this study, clearly there is something missing. For example, the trojans: they're not appearing, they're not there. But this is also because probably I need to dig deeper into the Ministry of Justice, because they are buying this technology. So, yeah, not sure if they're doing that on purpose, like lowering the amount for the tenders, but definitely there is something missing. So this is not comprehensive. It's still ongoing, and still to search more.

Another question from the internet.

This is a three-part question. Are there any big newspapers in Italy interested in your research results? And are the Italians conscious of the surveillance, and is there a public debate about it?

Well, it depends. The face recognition system got some attention. Since I'm a freelance journalist writing for Motherboard Italy, I basically wrote some articles on that. But the media didn't take on this kind of research yet. I hope they will, because I need help, for sure. If anyone wants to dig deeper to find something else, we will provide the data, and it's going to be publicly available online. So, yeah, the public debate in Italy on privacy, it's quite tough, because we recently introduced a new data retention law which stretches the time of retention up to six years, which is a lot and which doesn't make complete sense regarding what the principles are at a European level.
So, yeah, Italian people are concerned about this, but probably not enough.

Do we have any more questions? It does not look like it. So, a very warm and pleasantly felt the workshop. Thank you, Riccardo Coluccini.