reflets.info

Translation from this paper in french by legum, Turquoise, SwissTengu, 4k and four anonymous plus one mysterious eraser

Mediapart and Reflets.info start together a three part inquiry on Qosmos, a french company that sells a digital intelligence tool known as DPI. Qosmos is now within the scope of a legal investigation in France for « complicity of torture » : the firm is suspected to have provided a mass-monitoring tool in Syria back in 2011.

November 2011: Bloomberg unveils that a French company, Qosmos, leader on net surveillance tool known as Deep Packet Inspection (DPI), is a subcontractor of German corporation Utimaco, which is itself outsourcing for Area Spa – an Italian firm – for a contract on a massive network monitoring system for Bashar al-Assad. Qosmos’ brand image is worsening, as the local revolution begun in Syria nine months before had already killed 3000 people.

To avoid further bad press troubles, Qosmos announced the end of the project and still claims today that its equipment have never been operational in the country. Will this line withstand the inquiry open by the three investigating judges of the Genocides and Crimes against humanity section, after Human Rights League and International Federation for Human Rights complaint?

In any event, Qosmos has developed its massive interception tool thanks to this contract. Dictators’ money has no smell in the French surveillance industry. Another of its leading figures, Amesys, was in business with Gaddafi : its Eagle solution had led to tortures in Libya. Eagle was also developed thanks to Gaddafi’s money.

Informations gathered by Mediapart and Reflets.info show that, even under a « loosen form« , Qosmos products have effectively been set up in Syria, even though the company has retired from the contract. Moreover, Qosmos has kept commercial relations with Utimaco at least up to november 2012. These relations may not have concerned Syria, but Utimaco had an access to new versions of Qosmos products long after Asfador’s project end, and the German could have refined the Syrian solution by itself.

Furthermore, it is hard to believe that Qosmos, who has strong relationships with French secret services – its businesses have Defense clearance – could have work on this project without the highest authorities’ approval.

The Bloomberg’s disclosure of the Asfador case had put the company in the limelight. A little while after the Amesys scandal (a Bull subsidiary at that time) implying the sale of a global surveillance system to Moammar Gaddafi’s Lybia (inquiries by Mediapart and Reflets.info), the general public discovered that Qosmos had delivered equipment allowing to spy on Syrian population. Selling a surveillance tool, able to monitor e-mails, live communications, Web history of dictatorship’s citizens is not a business that would make our great Republic shine on these countries, that mostly need more liberties and less spy probes. France is leader in these fields… not liberty or democracy, but in providing watching systems… massive ones.

In July 2012, human rights leagues LDH and FIDH whipped the French hypocrisy in a letter to the prosecution authority (le Parquet), asking for the opening of an inquiry against Qosmos. Two years later, the Vice Prosecutor in charge of Human Rights Violations, Aurelia Devos, has decided to start a judicial investigation for « complicity of torture« . Three investigating judges of the Genocides and Crimes against Humanity Section have been appointed to clarify two main points :

- Have Qosmos’ products ever been usable?

- Were society executives aware, while signing the contract, that their technologies could have been used by a dictator as a spying tool to identify, and arrest dissidents?

For its part, Qosmos has always denied its products have ever been usable, and claims having never sold solutions to Syria, being a simple subcontractor for the German society Utimaco, itself outsourcing for Italian consortium Area Spa.

The contract in issue has been signed in 2009. At this time, Qosmos is booming. Becoming a worldwide leader in DPI techs, the company commits in a fruitful covenant: it becomes the probe supplier for Utimaco, a German society specialized in telecommunications legal interceptions.

Soon after, Qosmos employees start working on a mysterious project, developed with their new partner Utimaco, as part of a consortium led by Italian company Area Spa. The project’s name is Asfador, and aims to endow al-Assad’s regime with a tool allowing to spy on every communications in the country.

DPI, an almighty mobile customs for the networks

What Qosmos brought in the system, is the keystone of such an architecture : probes. Those that monitor traffic, pump it into giant databases that can be exploited by human operators. All you need is a name, or an e-mail address to isolate ones’ flow. You can also draw relational graphic charts to identify partnerships, to know who talks with your target. If John spoked to Georges, you can extract Georges’ content too. And if Georges talked to Jerry about John, peruse Jerry’s mails may be useful. Just in case…

In a dictatorship or in a police state, Deep Packet Inspection is the ultimate weapon to find opponents. It is easy to see why the Genocides and Crimes against Humanity Section takes a closer look to these technologies, which will soon be the best assistant of executioners all around the world, if nothing is done quickly to regulate them in the strongest way. Moreover, global interception may not only seem desirable to tyrants. People that deal that kind of tool know it well, even if democracies cannot theoretically, due to legal issues, monitor their entire population.

Qosmos pretends selling simple « probes » that are a small part of a larger monitoring technology. These probes can be as used in a country-wide surveillance system as in basic network hardware (in routers that dispatch data to their target, for example). In fact, the company describes its products as « technological building bricks », that customers choose among others. Thus Qosmos rarely works directly with the buyer, but acts mostly as a subcontractor.

That being said, following the user demand doesn’t let Qosmos ignore the final use of its systems. Technical requirements for web usage analysis (statistics) or mass supervision are not the same. Furthermore, basic knowledge generally allows a quick valuation of the « democratic level » of a given country. Ethics thoughts mentioned by Qosmos CEO Thibaut Bechetoille in October 2011, while explaining the reasons he had to stop Asfador project, could easily be highlighted as soon as the customer’s name got known. In fact, at the very beginning of the project.

To get to grips with Qosmos activities, we have to understand what is Deep Packet Inspection : a neutral technology, quite common, with standard uses that could be easily considered as harmless. In the near future, more and more hardware will need DPI, in a routine manner. Let’s start with thinking of Internet as a road grid, with its tolls and jams… DPI could be represented as mobile customs, able to dismantle your car, reroute traffic, or even totally block it. What would draw a distinction between mobile customs and DPI is that the latter can be massive, systematic and nearly foolproof, if you know where to put your agents. Those could take your vehicle apart and restore it instantly, without any need to stop the car or even warn you.

But this versatile technology, is very close to nuclear power, with which you can generate electricity or build weapons. Deep Packet Inspection is to networking what neutron is to atomic energy: neither good nor evil. It all depends on how you use it.

And that’s exactly what has been criticized for Qosmos, suspected to knowingly provide this technology to countries not really trustworthy.

Now let’s imagine : every main route of our grid lead to one point, where our customs stand. And this is precisely the architecture of the Syrian network, where the Syrian Network Establishment (STE), the state-owned company, government’s ISP under al-Assad’s complete control, links every operator connectivity. The STE, which is the final contractor of Asfador project, has been presented many times on Reflets.info.

Even before 2011′s Syrian revolution, in 2009, another French corporation, SOFRECOM, which mainly targets not-so democratic markets (Congo, Viet Nam, Thailand, Syria, Ethiopia, Mauritania, Ivory Coast, Tchad, Gaddafi’s Lybia, Morocco or Ben Ali’s Tunisia) was helping the STE to improve its telecoms systems. SOFRECOM is a subsidiary of Orange. Orange is the French historical network operator. So incumbent that it maintains strong relationships with secret services, inside and outside. SOFRECOM, and more widely Orange are by the way implanted in, or near every place where France has economic, military or intelligence interest… to stay close to the enemy.

These dubious cooperations, like Amesys in Lybia, Qosmos with Syria, but also Alcatel in Myanmar are in fact so common, that one question comes in mind : are these contracts backed up by the highest authorities, in order to improve foreign intelligence collection, with the help and blessing of others countries?

Qosmos’ defence : Asfador has never been « operational »

Qosmos’ CEO Thibaut Bechetoille, in a 2011 Bloomberg’s interview, affirmed that his society decided « in October 2011 to cease every work on Asfador project, before any press disclosure« . « This decision was immediately applicable, and Qosmos’ softwares never operated in Syria ». Bloomberg’s paper has been issued on November 4th, and covers CEO’s words : he would have decided to withdraw four weeks before, around October 14th. Nevertheless, Qosmos’ marketing director Erik Larsson, quoted in the story too, outlines that « getting out of such an operation is technically and contractually complex« . In any case, Syrian revolution had spread to the whole country since March 2011, namely eight months ago…

The formal decision to stop Asfador project was taken at a Qosmos’ board meeting from which, however, there is no record. The project itself has not been mentioned in a specific contract, thus there is no proof of termination either. The Utimaco company has meanwhile confirmed the version of his former partner, namely that the probes were not operational and that deliveries have definitively ceased in November 2011, in a July 2013 statement, written at Qosmos’ request.

Only the Syrian authorities themselves could tell if the Asfador project has ever been operational, as Thibault Bechetoille claims it. However, several things are certain. First of all, the Qosmos probes were actually delivered, and equipment has been installed, according to our information, during the summer of 2011, hence five months after the beginning of disorders. All in all, between 5 and 10 information collecting servers aimed at Syrian users have been installed in the country. At the time Bloomberg unveiled the case, the project was actually not fully operational. The question remains to what extent… In fact, versions differ according to the interlocutors.

A company internal document dated September 8th, 2011 we could obtain, shows that at this date the Phase 2 of the project was in receipt state – namely, the validation step. The customer and the supplier check together, by a series of tests, that everything works as expected. The document refers to nearly incoming phases two and three. Receipt step indicates, at least, that the project is quite advanced.

 

At this time, the infrastructure sold to Bashar al-Assad was not « operational » in the sense of an active deployment for population global surveillance, but in receipt step – which is an essential phase before the delivery to the final customer in an IT trade. Qosmos also indicates that the probes able to reach GSM traffic (GTP protocol ) would be delivered on December 29th. Furthermore, September 29th, 2011 is referred to as the delivery deadline of the MSRP protocol listening ability. MSRP is a protocol used, among other things, for IP telephony and mobile phone multimedia file exchange. Another internal paper also evokes a MSRP and GTP technical informations delivery in May 2012.

A Qosmos engineer adds: « For me, the project wasn’t operational, because we didn’t know how to do for such flow rates. Between the boxes you check in a tender procedure and what you can really do, sometimes there is a difference. »

For other employees, the project could be at least partially operational, at least enough to be used later by the Syrian authorities, with patches and updates. The problem in this case is that, officially, the Asfador project has no existence. Indeed, it has no specific contract, and has always been a simple piece of the partnership agreement signed between Qosmos and Utimaco. And the latter has continued well, and until the end of year 2012.

Deliveries until the end of June 2012

This is what’s shown in other documents Mediapart and Reflets could get : though Asfador project was officially stopped, Qosmos continued delivering its products to Utimaco. In a work document dated first quarter of 2012, giving status on some running contracts, Utimaco name appears multiple times, with delivery dates forcasted for May and June 2012.

Even if Qosmos and Utimaco could have worked on other projects than the Syrian one, Utimaco had a direct access to Qosmos’ mass interception products updates. But there’s no need of any delivery, in the basic meaning, to operate a system like Asfador : clients, in this case Utimaco, have a special dedicated server where they can download new improved software versions. According to the documents gathered by Mediapart and Reflets, Qosmos has effectively delivered its products to Utimaco, although the « Asfador » project’s name never appears.

If Qosmos probes weren’t working in Syria, as Thibaut Bechetoille says, it’s quite interesting that his enterprise kept on delivering information on setup procedures, about nine months after Qosmos supposed withdrawal… Especially about specific protocols required by STE, the Syrian enterprise, for Asfador project.

The possibility remains of other projects, in addition to Asfador, carried out in partnership with Utimaco. According to our information , the leaders of Qosmos thus referred to the existence of other customers of the German company in Canada or Australia… However, among the various employees interviewed, none remembers, at that time, any other project than Asfador and Utimaco. « For me the two have always been linked and to be honest, I never knew the difference between the two», says one of them.

Another certainty is that, although its leadership is hiding behind its partnership with Utimaco , Qosmos was in fact perfectly aware of the way the Syrian regime could use its probes. Since the beginning of the project, the goal was clear : in addition to conventional monitoring network activities, Qosmos had to deliver probes able to do phone calls interception, mobile phone user geolocation, voice recognition and even taking control of personal computers or launch cyber attacks.

Furthermore, Qosmos’ board was aware that these weapons were intended to Bashar al- Assad’s mass surveillance project. In September 2013, the journalist Jean-Marc Manach stated, in a press article on Rue89 – at the time of Wikileaks’ Spyfiles publication, that a Qosmos employee visited Damascus : « A Qosmos engineer made a trip to Syria on January 2011, as a subcontractor for the Utimaco company, itself subcontractor of company Area Spa. This travel involved technical meetings with operators, in pre-project study framework. »

This engineer, Sébastien Synold, according to our informations, is the current head of the Qosmos’ U.S. office, could absolutely not ignore what use could be done of his company’s products. He knew the end customer (STE) and its specific demands on wiretapping types. Even more so, Thibaut Bechetoille could not ignore what its probes would be used for. Add that the protocol models, shown in company’s documents, mention what was expected. One more time, you don’t need the same things when making audience measurement and mass surveillance. Moreover, the tools mentioned in the Qosmos documents for Utimaco project are dressed as the symbol « LI » : Lawful Interception.

This, by the way, is a very specific vision of what a lawful interception is. In fact, recover user names, users’ passwords of the Syrian Internet, read their mail, know which Web pages they visit, etc. doesn’t look like lawful interception, as it can be conceived in a democracy – in a legal process.

Contacted to speak on these issues, the company refuses to answer : « Qosmos holds firmly and denies, as we have consistently done, false and slanderous accusation we have been charged for several months » as explained in an e-mail. « Indeed, we reaffirm that none of our equipment or software has been operational in Syria. We wish to recall that we have, as soon as September 2012, filed a complaint for slander against FIDH and LDH. For the rest, a judicial investigation is ongoing, we keep our answers for the court. »

Meanwhile, the Deputy Attorney Aurélia Devos, who studied for nearly two years the evidences adduced by the FIDH and LDH in their denunciation, and who conducted her own hearings, has notwithstanding decided to open a judicial information. Now three judges entered the record, to determine whether Qosmos should be sued for « complicity in torture. »