Abin hired a company that supplied the system to Myanmar and South Sudan

Cognyte, an Israeli company that provided the Brazilian Intelligence Agency (Abin) with a cell phone tracking service in 2018, was also hired by a Myanmar state-owned company and the South Sudanese intelligence agency to provide systems used for espionage and political persecution. .

Since February 2021, Myanmar has been governed by a military junta brought to power by a coup d’état, which resulted in the deaths of 1,600 people and the arrest of 12,000, according to the UN. In December 2020, a month after the electoral victory of civilian leader Daw Aung San Suu Kyi’s party, Cognyte won a bid from the state-owned telecommunications company to provide an advanced cyberintelligence system, capable of locating cell phones, spying on conversations, hacking devices and extract encrypted text and messages.

There are strong suspicions that the military junta used the system to monitor and persecute pro-democracy activists, and with that, carry out the coup d’état. The hiring was revealed in January by the Israeli newspaper “Haaretz”, based on documents from the NGO Justice For Myanmar.

In South Sudan, immersed in civil conflicts since 2013, the authoritarian regime of President Salva Kiir hired, between 2015 and 2017, Verint, the former name of Cognyte, to provide interception equipment for the National Security Service (NSS), the service government intelligence. The hiring was recorded in a 2021 report by Amnesty International, a British human rights NGO.

The organization says the NSS is responsible for silencing government critics, “harassing them, intimidating them, threatening them, arbitrarily detaining them and, in some cases, forcibly disappearing them and killing them extrajudicially.” .

In Brazil, the two cases were reported by Data Privacy, an association that brings together researchers in the areas of law and technology, and which carries out studies related to cybersecurity and personal data protection. In March, after the revelation, by the newspaper “O Globo”, that Cognyte was hired by Abin in 2018, to provide a cell phone location program, First Mile, the entity requested an investigation from the Federal Public Ministry (MPF).

In the letter, he informed that the program works as a “mobile device geolocation service in real time, capable of decoding the logical identities of the devices and generating alerts about the routine movement of targets of interest”.

In short, First Mile allows its users to enter a cell phone number and know, in real time, the approximate location of its holder. This is possible through clandestine access, which would be provided by Cognyte, to a system called “Signalling System No. 7” (SS7) used by mobile phone operators to redirect calls and forward messages between them.

“The attacker, in this case, configures the target number and obtains, through this exchange of information in the SS7 protocol, the location information of the radio base station, which constitutes a clear violation of privacy”, says Data Privacy .

For the entity, the First Mile service, developed by Cognyte, “is incompatible with the Brazilian legal system”. “The business model that underpins the product offered by Cognyte is structured around the illicit exploitation of personal data, which is obtained through attacks on telecommunications networks. In this sense, there is an illicit legal object, which, by its very nature, contradicts the fundamental right to privacy”, stated Data Privacy to the MPF.

This Friday (20), by order of Minister Alexandre de Moraes, of the Federal Supreme Court, the Federal Police arrested two Abin employees and carried out 25 search and seizure warrants to collect evidence in an investigation into the irregular use of the system. According to the PF, Abin used First Mile more than 30 thousand times, but it would have erased most of the access records to the targets’ location.

Even so, investigators managed to verify 1,800 uses related to politicians, journalists, lawyers and opponents of former president Jair Bolsonaro’s government. The PF suspects that ministers of the Federal Supreme Court (STF) and the Superior Electoral Court (TSE) were monitored. In a statement, Abin informed that it collaborates with the investigations and that the use of the program was discontinued in 2021.

Director of Abin from 2019 to 2022, now federal deputy Alexandre Ramagem (PL-RJ), stated, in a post on for the internal affairs department that of Cognyte.

According to Ramagem, the system had “passed technical proof of concept” and its acquisition would have received a favorable opinion from the Attorney General’s Office (AGU), the legal defense body for federal agencies.

“Today’s operation was only possible with the beginning of the austerity work promoted during our administration (Bolsonaro government). We pray that the investigations continue regarding facts, foundations and evidence, not being led by false narratives and speculations”, he wrote.

For Data Privacy, however, the use of First Mile contradicts international pacts signed by Brazil, which protect privacy, as well as the Federal Constitution, the Personal Data Protection Law, and the STF’s understanding on the subject.

“The violation of telecommunications data privacy occurs without a court order and without an ongoing criminal investigation or criminal procedural instruction. Simply including the target cell phones so that, through a service Software as a Service (SaaS), Cognyte offers a complete map of geolocation and movements of individuals, based on information obtained from their cell phones”, says the entity.

In 2020, when judging the creation, by the Ministry of Justice, of an “anti-fascist dossier” – a survey of police officers and university professors critical of the government on social media – the STF considered that this type of monitoring had no legal basis.

“The practice of investigation without objective and formal definition of the legal bases and limits, under the cloak of institutional secrecy and safeguarding of intelligence documents, is clearly unconstitutional. (…) Intelligence bodies at any hierarchical level of state powers submit themselves to the scrutiny of the Judiciary, which has the duty-function of judging the cases that come to it and ensuring compliance with the Constitution”, says the decision.

For Data Privacy, intelligence activities can use technological tools, but with the aim of preventing “attacks, terrorist practices and acts of destabilization of the Republic”. “The use of this software needs to be extensively documented and supported by public reasons that justify the potential violation of collective rights. This is a burden due to the potential damage caused.”

The entity recommended that the MPF investigate how and for what purposes the system was used, questioning, in the end, whether there was no need for “immediate judicial intervention to end a situation of illegality and incompatibility with constitutional principles”.