The Saudi Arabian government came close to buying control of Italian surveillance software company Hacking Team, notorious for selling its product to undemocratic regimes, according to hacked emails posted by WikiLeaks.
The negotiations were handled by Wafic Said, a Syrian-born businessman based in the U.K. who is a close friend of the Saudi royal family, and also involved Ronald Spogli, a former U.S. ambassador to Italy, who had an indirect investment in Hacking Team.
The deal collapsed in early 2014 after the removal of Prince Bandar bin Sultan as head of the Saudi intelligence service. The former Saudi ambassador to Washington had backed the purchase but it was not supported by his successor.
Saudi Arabia has long had a reputation as a human rights violator and this week it emerged that a Saudi court had confirmed a death sentence on a young man convicted of participating in antigovernment protests inspired by the Arab Spring. Ali al-Nimr has been sentenced to be beheaded and then crucified for crimes he allegedly committed at the age of 17.
Eric Rabe, a spokesman for Hacking Team, said the talks had never been close to completion. Countries such as Saudi Arabia were allies of the West and it was important that they should receive instruments that enabled them to combat crime and terrorism, he said in a telephone interview.
"If our technology is sold to a repressive regime it does not automatically mean it will be used to terrorize dissidents and repress democracy," Rabe said.
In late 2013 the negotiations to sell control of Hacking Team to Said's investment company Safinvest appeared to be progressing. On December 4 the billionaire philanthropist, who donated the prestigious Said Business School to Oxford University, wrote to Hacking Team CEO David Vincenzetti to assure him he was 100 percent committed to the project.
"You must have faith and trust me. We are serious and do not want to waste time or money," Said wrote in one of more than a million company emails posted online following a disastrous security breach at Hacking Team in early July.
On Feb. 10, 2014, a senior manager at Safinvest, Charles Stauffer, wrote to Vincenzetti to spell out some of the details of the transaction. Ironically, the Saudi-owned company was to be called Halo -- the circular symbol used to denote a saint in Christian art -- and the price was set at 37 million euros (US $42 million).
"Joint Venture company would be formed in the country and this will contract with The Client to execute the new project," Stauffer wrote. The email discussed the training of local staff and office space requirements.
Another email, sent by Vincenzetti to a business adviser on January 14, indicated that Hacking Team did not intend to allow its activities to be cramped by international agreements restricting the export of dual-use technologies to repressive or belligerent regimes.
"The newco should be away from countries adhering to the new, forthcoming export regulations on ‘offensive technologies’ which will [be] dictated by the recent Wassenaar Arrangement," Vincenzetti wrote. "We would like the newco to be in a country which will not impair the export of our technology."
Vincenzetti helpfully included a link to a list of countries participating in the Wassenaar Arrangement, which aims to encourage responsibility in the transfer of conventional arms and dual-use technologies, so that those countries could be avoided.
On April 14 Vincenzetti sent colleagues a newspaper article on Prince Bandar’s ouster as head of Saudi intelligence, saying it provided "further clarification as to why things didn’t move forward with W. [Wafic]."
"Hacking Team had a long legal battle to get permission to export its products to problematic countries. It's paradoxical that it couldn’t sell its software to Saudi Arabia but it could sell them the entire company," said Marco Lillo, the Italian journalist who first reported on the existence of the Saudi-related emails for the newspaper Il Fatto Quotidiano last month.
Despite Vincenzetti's close links to the Italian secret services -- he sold his company's Remote Control System to the foreign intelligence service AISE -- and the fact that a company owned by the Lombardy regional government had a 26 percent stake in Hacking Team, there is no evidence that the national government took any steps to prevent the sale. A spokesman for the Prime Minister's office said by SMS that he had no information on the subject.
It is probable that the U.S. government would have been made aware of the pending sale by Spogli. A venture capitalist and member of the board of trustees of Stanford University, the former ambassador owned a 10 percent stake in an investment company, Innogest, which controlled 26 percent of Hacking Team.
Spogli had only a minimal involvement in the Saudi negotiations, an Innogest official said by phone. He declined to comment further. Neither Said nor Spogli responded to requests for comment.
As well as being used to track Sunni fundamentalist terrorists, Hacking Team's technology was very likely deployed against Saudi Arabia's internal Shia opposition to the regime, said Liisa Liimatainen, a Finnish journalist and author of a book on the battle for female emancipation in the Gulf kingdom.
"There are a lot of bloggers and very lively debates on Twitter, but it's a medieval state," Liimatainen said in a telephone interview. "They monitor Internet and use terrorism laws against civil society. Facebook activity and corresponding with a foreigner can be considered crimes in themselves," she said.
Hacking Team’s Rabe said he had no information on who was responsible for the disastrous hack that spilled 400GB of the company's internal data onto the Web. "It was a sophisticated attack and we don't believe its success was down to poor passwords," he said. Rabe said he didn't think the hack was the work of corporate rivals, as competitors were unlikely to post the results online.
"It was people who were trying to destroy our company. Our clients have been extraordinarily loyal and patient," he said. Around 40 software engineers spent the summer working around potential countermeasures resulting from the hack, Rabe said. "In fairly short order we’ll have people back using the system."