PhD Student Bill Marczak Investigates Repressive Governments' Use of Cyber-Attacks

Thursday, August 21, 2014

Bill Marczak, a PhD student supervised by Networking and Security Director Vern Paxson, studies how repressive regimes around the world use technology to repress activists. He wants to bring international media attention to this practice and develop technical solutions and training to give activists the ability to protect themselves against cyber-attacks from regimes.

“I bring a certain type of research which is so often missing from activism,” Bill said. He noted that activist research often lacks rigorous evidentiary standards.

Bill’s interest in the Middle East dates back to the three and a half years he spent in Bahrain as a high school student. “When you go to high school in a certain place, you get to know people there,” he said. “It really becomes part of who you are.”

During the Arab Spring uprisings, which came to a head in Bahrain on February 14, 2011, the country’s government began increasing its use of physical weapons to fight protesters and turned to Western PR firms to burnish its reputation abroad. At the time, Marczak was performing doctoral research on cloud computing and programming languages, and he decided to switch his focus to political surveillance and electronic attacks.

He got to know several activists working in the Middle East on Twitter; in February 2012, they founded Bahrain Watch. The organization, which is independent and works on research and advocacy, is organized “without any sort of structure, as an Internet collective.” Bill says this helps them defend against attacks from repressive regimes: “Their minds are calibrated to look for activists as people who are organizing.”

Bill also works with several human rights groups, including Privacy International, a charity based in London, and the Citizen Lab at the University of Toronto's Munk School of Global Affairs.

In April and May 2012, several activists interested in Bahrain were sent suspicious attachments, which, when Bill analyzed them, turned out to contain spyware developed by Gamma International, a company based in Germany. The spyware, FinFisher, can record passwords, log keystrokes, and take screenshots of the infected computer. Bill and his colleagues traced the spyware’s command and control server to an address in Bahrain.

In order to identify other activity, Bill and his colleagues sent probes to servers and watched their behavior. They then scanned the Internet, searching for similar behavior. In addition to the server in Bahrain, they’ve found similar spyware associated with servers in six other countries considered to be ruled by oppressive regimes.

Bill says Citizen Lab in Toronto has been a particularly strong partner in identifying spyware. The lab, which primarily focuses on government surveillance and censorship systems, has a global network with connections to people in countries around the world.

Today, Bill, along with Vern and his colleagues at Citizen Lab and UC Los Angeles, presented a paper about their research into FinFisher, as well as the use of Hacking Team’s Remote Control System in the United Arab Emirates. Like Gamma, Hacking Team markets its software exclusively to governments. In Syria, they investigated the use of off-the-shelf remote access trojans. They found that the attacks were probably a factor in the imprisonment of one activist for a year and the publication of embarrassing videos of another, who was subsequently discredited.

The paper notes the “careful social engineering” used by attackers – in Bahrain, for example, several activists received email messages with attachments that were claimed to be reports of torture or pictures of jailed citizens.

The paper also notes that this is the first step in a broader rigorous study of attacks targeted at individuals by governments. “It’s difficult because researchers have little visibility into what activists are doing. I suspect more’s going on than we can see,” he said. “Part of the goal is to gain better visibility and engagement with activists.”

But in the meantime, Bill is enjoying the challenge.

“It’s rewarding to be able to work on something that integrates my passion and my PhD,” Bill says.

Related Paper: W. R. Marczak, J. Scott-Railton, M. Marquis-Boire, and V. Paxson. When Governments Hack Opponents: A Look at Actors and Technology. Proceedings of the 23rd USENIX Security Symposium, San Diego, California, August 2014.