Network surveillance: Qosmos, a tool provider for Syria's leader al-Assad

Translation from this paper in french by legum, Turquoise, SwissTengu, 4k and four anonymous plus one mysterious eraser. Corrections made by Crousti.

November 2011: Bloomberg unveils that a French company, Qosmos, leader on network analysis tool known as Deep Packet Inspection (DPI) probing, is a subcontractor of Utimaco. Utimaco is a German corporation which is itself a subcontractor for Area Spa, Italian firm, for a contract on a massive network monitoring system, tailored for Bashar al-Assad. Qosmos PR worsens, as 3000 people have already died from the now 9 month old revolution in Syria.

To limit further bad PR, Qosmos announced the termination of the project, and is still claiming today that its equipment have never reached an operational status in Syria. As the Human Rights League and the International Federation for Human Rights opened a lawsuit and three judges from the Genocides and Crimes against humanity section are investigating, will this line of defense stand ?

Regardless, Qosmos has developed its massive interception tool thanks to this contract. Dictators’ money is still money for the French surveillance industry. Qosmos is not alone: another leading figure, Amesys, was also in bed with a known dictator: Gaddafi. Its Eagle solution led to political opponents getting arrested and tortured in Libya. As for Qosmos, Amesys developped its Eagle thanks to Gaddafi’s money.

Informations gathered by Mediapart and Reflets.info show that, even under an « underperforming, incomplete form » , Qosmos products have effectively been set up in Syria, wether Qosmos broke the contract or not. Even then, Qosmos kept doing business with Utimaco at least up to november 2012. These relations may have not concerned Syria, but Utimaco had access to Qosmos product upgrades long after Asfador’s project end; it could have refined and completed the DPI probes for the Syrian solution by itself.

Furthermore, Qosmos has strong relationships with French secret services, as its businesses have Defense clearance. Based on that fact, it is hard to believe that Qosmos could have worked on this project without French highest authorities’ approval.

Bloomberg’s disclosure of the Asfador case has put the company in the spotlight. Shortly before, a formerly owned Bull subsidiary named Amesys got involved in a similar scandal, regarding the sale of a global surveillance system to Moammar Gaddafi’s Lybia (inquiries by Mediapart and Reflets.info). Now, Qosmos delivery of probes allowing to spy on Syrian population has also gone public.

France companies selling massive surveillance tools that allow dictator's to monitor e-mails, live communications, Web history of their citizens is not a business that would make our great Republic shine. These countries need more civil liberties and less spy probes. France is leader in these fields… liberty, democracy ? No. Leader in providing surveillance systems… massive ones.

In July 2012, human rights leagues LDH and FIDH charged the French hypocrisy in a letter to the prosecution authority (le Parquet), filing an enquiry against Qosmos. Two years later, the Vice Prosecutor in charge of Human Rights Violations, Aurelia Devos, has decided to start a judicial investigation for « complicity of torture » . Three investigating judges from the Genocides and Crimes against Humanity Section have been appointed to clarify two main points :

• Have Qosmos’ products ever been usable?

• Were company executives aware, when they signed the contract, that their technologies could have been used by a dictator as a repressive, spying tool to identify, and arrest dissidents?

Qosmos line of defense has always been to deny its products have ever been usable. Qosmos PR claims they have have never sold solutions to Syria, and were only subcontractor for the German society Utimaco, itself outsourced by the Italian consortium Area Spa.

The incriminating contract has been signed in 2009. At this time, Qosmos is hugely expanding, becoming a worldwide leader in DPI technology. The company signs a very important contract for its growth by becoming the probe supplier for Utimaco, a German company specialized in legal telecommunication interceptions.

Soon after, Qosmos employees started working on a mysterious project, developed with their new partner Utimaco, as a part of a consortium led by Italian company Area Spa. The project’s name is Asfador, and aims to equip al-Assad’s regime with a tool allowing to spy on every communications in the country.

DPI, an almighty mobile customs for the networks

Qosmos provided the venture with the cornerstone of such an architecture : probes. They monitor traffic, clone it into giant databases that can be refined and used by human operators. Only a name or an e-mail address is needed to isolate a target's data flow from the rest. That data also allows to draw relational charts, in order to identify relations and partnerships, so you know who talks with your target. If John spoke to Georges, you can extract Georges’ content then. And if Georges talked to Jerry about John, then Jerry’s mails may be also useful. You never know ...

Deep Packet Inspection is the ultimate weapon to find opponents, when used by a dictatorship or a police state. It is easy to see why the judges from Genocides and Crimes against Humanity Section take a close look at these technologies. DPI will soon be the best partner of mass murderers all around the world if it does not get regulated quickly and strongly. As a matter of fact, global interception is not only desirable by tyrants. People in this industry know that very well; democracies cannot -theoretically, due to legal issues- monitor their entire population. Yet the desire is strong.

Qosmos pretends selling simple « probes » that are a small part of a larger monitoring technology. These probes can be used similarly in a country-wide surveillance system and in basic network hardware monitoring, typically in routers that dispatch data to their target. In fact, the company describes its products as « technological functionality bricks », that customers choose among others. Thus Qosmos rarely works directly with the end buyer, and acts as a blind subcontractor.

That being said, following the user demand doesn’t prevent Qosmos from knowing the final use of its systems. web usage analysis (statistics) and mass supervision systems do not have the same technical requirements, like bandwith. That and it does not take long to evaluate the « democratic level » of a given country. Qosmos CEO Thibaut Bechetoille mentionned ethic concerns in October 2011, when explaining the reasons he had to stop Asfador project. But these concerns could have easily been addressed as soon as the customer’s name got known, which as a matter of fact happened at the very beginning of the project.

To understand Qosmos activities, we have to understand what Deep Packet Inspection is. DPI is a neutral, quite common technology, that can be considered harmless. It scans networks and is used to priorize of differentiate data. In the near future, more and more hardware will ber equipped with DPI capabilities, in standard form. Think of Internet as a road grid, with its tolls and traffic jams… DPI probes could be represented as customs agents, who would be able to dismantle your car, reroute the whole traffic, or totally block it. The main difference between that and DPI probes is that the latter can be massive, systematic and nearly foulproof, if you know where to put your probes. Those could take your vehicle apart and restore it instantly, without any need to stop the car. What is even worse is there is no way to know it happened, unless you were warned about it, which, like customs operations, does not happen.

This versatile technology, is very close to nuclear power in that way. You can generate electricity with it, or build weapons. Deep Packet Inspection is to networking what neutron is to atomic energy: neither good nor evil. It all depends on its use.

And that’s exactly why Qosmos got a lot of attention and critics : they are suspected to knowingly provide this technology to countries they know should not be trusted to use it a nice way.

Remember the road grid comparison ? Let’s go a bit further. Every main route of our grid lead to one point, where our customs agent stand. This is precisely the architecture of the Syrian network, where the state-owned company Syrian Network Establishment (STE), government’s ISP, is under al-Assad’s complete control. It links every operators in the country and outside. The STE, which is the final contractor of Asfador project, has been presented many times on Reflets.info.

Things also happened before 2011′s Syrian revolution. In 2009, SOFRECOM helped the STE to improve its telecoms systems. SOFRECOM is another French corporation mainly targeting not-so democratic markets, like Congo, Viet Nam, Thailand, Syria, Ethiopia, Mauritania, Ivory Coast, Tchad, Gaddafi’s Lybia, Morocco or Ben Ali’s Tunisia. SOFRECOM is also a subsidiary of Orange, the French historical network operator, which maintains strong relationships with secret services. SOFRECOM, and more widely Orange are connected and present in nearly every place where France has economic, military or intelligence interests... stay close to your friends, even closer to your enemy !

These dubious cooperations, like Amesys in Lybia, Qosmos with Syria, but also Alcatel in Myanmar are actually so common that one question comes in mind : are these contracts backed up by the highest authorities, in order to improve foreign intelligence collection, with the help and blessing of others countries?

Qosmos' defence : Asfador has never been "operational"

Qosmos’ CEO Thibaut Bechetoille, in a 2011 Bloomberg’s interview, said that his company decided « in October 2011 to cease every work on Asfador project, before any press disclosure ». « This decision was applicable immediately, and Qosmos’ software has never operated in Syria ». Bloomberg’s paper has been issued on November 4th, and covers CEO’s words : he would have decided to withdraw four weeks before, around October 14th. Nevertheless, Qosmos’ marketing director Erik Larsson, quoted in the story too, outlines that « getting out of such an operation is technically and contractually complex ». In any case, Syrian revolution had spread to the whole country since March 2011, namely eight months before...

The formal decision to stop the Asfador project was supposedly taken at a Qosmos’ board meeting. However, no record or proof this meeter ever happened can be found. The project itself was diluted, and has never been mentioned in a precise manner, in a specific contract; thus no proof of termination can be produced either. Finally, Utimaco confirmed the version of his former partner, namely that the probes were not operational and that deliveries have definitively stopped in November 2011. That statement was written in July 2013, at Qosmos’ request.

Only the Syrian authorities could tell if the Asfador project has ever been operational, as Thibault Bechetoille claims it. However, several things are certain. First, according to our information, Qosmos probes were actually delivered and equipment has been installed during the summer of 2011, which is five months after the beginning of disorders. Around 5 and 10 intel collecting servers aimed at Syrian users have been installed in the country. Second, at the time Bloomberg unveiled the case, the project was actually not fully operational. The main question is now "how much that non operational system can do" ? That matter remains unclear, as answers differ according to who you speak with.

Nevertheless, we obtained an internal document dated September 8th, 2011 which shows that at this time, Phase 2 of the project, receipt, was being conducted. It is namely the final validation step before delivery. That step is an overview conducted according to planned tests; the customer checks if what is going to be delivered is what he agreed on. Real life situation tests are run, and the customer agrees to the delivery, or refuses. This is the last step before delivery. The document refers to a current phase two, and an incoming phase 3. That receipt indicates that the project is in a nearly final step.

At this time, the infrastructure sold to Bashar al-Assad was not « operational », meaning it was not fully installed, active and running its global surveillance purpose. It was sold as is in the receipt step – which is an essential phase before the delivery to the final customer in an IT trade. Qosmos also indicates that the probes able to reach cell phone traffic (GSM, GTP protocol ) would be delivered on December 29th. And September 29th, 2011 is also the delivery deadline of the MSRP protocol listening ability. MSRP is a protocol mainly used for IP telephony and mobile phone multimedia file exchange. Another internal paper also evokes a MSRP and GTP technical informations delivery in May 2012.

A Qosmos engineer adds: « For me, the project wasn’t operational, because we didn’t know how to do for such data flow rates. There can be quite a difference between the business offer one can make to win a market and what you can really do. »

For other employees, the project could be partially operational, at least enough to be completed later by the Syrian authorities, with patches and updates. The problem is again that Asfador is a diluted project with no proper existence. It uses software and hardware parts from multiple contracts, and has always been a simple cog in the partnership agreement signed between Qosmos and Utimaco. But While Asfador was put down, that partnership was not. It kept going until the end of year 2012.

Deliveries until the end of June 2012

This is what’s shown in other documents Mediapart and Reflets could get : though Asfador project was officially stopped, Qosmos continued delivering its products to Utimaco. In a work document dated first quarter of 2012, giving status on some running contracts, Utimaco name appears multiple times, with delivery dates forcasted for May and June 2012.

Even if Qosmos and Utimaco could have worked on other projects than the Syrian one, Utimaco had a direct access to Qosmos’ mass interception products updates. But there’s no need for any contract delivery to maintain a hidden system like Asfador : customers, in this case Utimaco, have a special dedicated server where they can download new, updated, improved software versions. According to the documents gathered by Mediapart and Reflets, Qosmos has effectively delivered its products to Utimaco, although the « Asfador » project’s name never appears.

If Qosmos probes weren’t working in Syria, as Thibaut Bechetoille says, it is quite interesting that his company kept on delivering informations on setup procedures, about nine months after Qosmos supposedly withdrew... It gets even more interesting considering the very nature of that information - specific protocols required by STE, the Syrian enterprise, for Asfador project.

There is still the possibility of other projects, in addition to Asfador, carried out in partnership with Utimaco. According to our information, Qosmos executives referred to the existence of other customers of the German company in Canada or Australia... However, among the various employees interviewed, none remembers, at that time, any other project than Asfador and Utimaco. « For me the two have always been linked and to be honest, I never knew the difference between them », says one of them.

Something is certain though. Even if the final executives are hidden behind its partnership with Utimaco, Qosmos was perfectly aware of the way the Syrian regime could use its probes. Since the beginning of the project, the goal was clear : in addition to conventional network monitoring activities, Qosmos had to deliver probes able to do phone calls interception, mobile phone user geolocation, voice recognition and even taking control of personal computers or launch cyber attacks.

Take into consideration that Qosmos’ board was aware these weapons were intended to Bashar al- Assad’s mass surveillance project, too. In September 2013, the journalist Jean-Marc Manach stated, in a press article on Rue89 – at the time of Wikileaks’ Spyfiles going public, that a Qosmos employee visited Damascus : « A Qosmos engineer made a trip to Syria on January 2011, as a subcontractor for the Utimaco company, itself subcontractor of company Area Spa. This travel involved technical meetings with operators, in pre-project study framework. »

This engineer named Sébastien Synold according to our informations, is the current head of the Qosmos’ U.S. office. In his position, he could absolutely not ignore what use could be done with his company’s products. He knew the end customer (STE) and its specific demands on mass surveillance and data flow sizes. Even more so, Thibaut Bechetoille could not ignore what its probes would be used for. The protocols and diagrams found in company’s documents do mention what was expected. One more time, making audience measurement has far less data processing requirements than mass surveillance. Finally, the tools mentioned in the Qosmos documents for Utimaco project wear the symbol « LI » : Lawful Interception.

One can wonder how this is a very specific and personal vision of lawful interception. Recovering user names and passwords from the Syrian Internet, reading their mail, tracing which Web pages they visit ... That does not look like lawful interception, the way it is conceived in a democracy. As in "following a legal process."

Contacted for some PR talk on these issues, the company refuses to answer. The answer is contained in an email that says : « Qosmos strongly denies, as we have consistently done, false and slanderous accusation we have been charged with for several months. [...] We keep on firmly saying that none of our hardware nor software has been operational in Syria. We wish to recall that we have, as soon as September 2012, filed a complaint for slander against FIDH and LDH. As far at it goes, investigations are ongoing, and we will keep our answers for the court. »

Meanwhile, the Deputy Attorney Aurélia Devos, who studied for nearly two years the evidence found by the FIDH and LDH in their filing, and who conducted her own hearings, has decided to open a judicial information. It is now up to the three appointed judges, to determine whether Qosmos should be sued for « complicity in torture. »