The executive, Günther Rudolph, was seated at a booth at ISS World in Prague, a secretive trade fair for advanced surveillance technology companies. He went on to explain how his firm, First Wap, could provide sophisticated phone-tracking software called Altamides, capable of pinpointing any person in the world. The buyer? A private mining company, owned by an individual under sanction, who intended to use it to surveil environmental protestors. “I think we’re the only ones who can deliver,” Rudolph said.

What Rudolph did not know: he was talking to an undercover reporter from Lighthouse.

The road to that conference room in Prague began with a vast archive of data, found by a Lighthouse reporter on the deep web, containing more than a million tracking operations: efforts to grab real-time locations of thousands of people worldwide. Investigating that archive — and First Wap’s activities — drew together more than 70 journalists from 14 media outlets.

What emerged is one of the most complete pictures to date of the modern surveillance industry. The tracking archive is unprecedented in scope, and reveals how the company and its clients surveilled all types of people from all over the world. Reporters interviewed more than a hundred victims, as well as former employees and industry insiders. A trove of confidential emails and documents provide a detailed inside account of how First Wap’s tech was marketed to authoritarian governments and accessed by corporate actors. Behind closed doors, First Wap’s executives touted their ability to hack WhatsApp accounts, and laughed about evading sanctions.

The surveillance industry has long maintained that its tools are deployed exclusively by government agencies to fight serious crime, portraying instances of misuse as rare exceptions. This investigation definitively dismantles that narrative.

Making sense of a secret data trove

This investigation began with an archive of data. This is not the first archive related to a surveillance company’s activities, but it is certainly the most granular. It contains 1.5 million records, more than 14,000 unique phone numbers, and people surveilled in over 160 countries. It represents an extraordinarily detailed account of when and where people were tracked, and what users of the tracking tool saw.

The only clue to a target’s identity was a phone number. A team of reporters at Lighthouse and paper trail media spent months painstakingly identifying the owners of those phone numbers. To drill down into the data and better understand it, we divided it into “clusters” of targets — networks of people connected in time or space. As we investigated clusters and put names to phone numbers, stories began to emerge.

For a more in-depth explanation of how we analysed the dataset, see our technical explainer.

The Altamides archive is global in scope. We found high-profile individuals, including powerful political figures such as the former Prime Minister of Qatar and the wife of ousted Syrian dictator Bashar al-Assad. We found Netflix producer Adam Ciralsky, Blackwater founder Erik Prince, Nobel Peace Prize nominee Benny Wenda, Austropop star Wolfgang Ambros, Tel Aviv district prosecutor Liat Ben Ari and Ali Nur Yasin, a senior editor at our Indonesian partner Tempo.

In Italy, investigative journalist Gianluigi Nuzzi was tracked days after publishing a dramatic exposé of corruption in the Vatican, as police closed in on his source. In California, Anne Wojcicki, founder of DNA startup 23andMe and then married to Google’s Sergey Brin, was tracked more than a thousand times as she moved across Silicon Valley. And in South Africa, associates of Rwandan opposition leader Patrick Karegeya were tracked before his assassination in a Johannesburg hotel room.

As our reporting partners dug into the archive, they found other traces of surveillance activity on their doorsteps. In Austria, home of First Wap’s founder Josef Fuchs, Der Standard uncovered a mystery surrounding a tracking spate of high-ranking employees at energy drink giant Red Bull. In Norway, NRK examined how Altamides zeroed in on a top telecom executive. In Indonesia, interviewees told our partner Tempo that they believed they had been targeted because they had taken part in political activities or spoken out against the government. In Serbia, KRIK identified targets in the energy industry, while in Israel, Haaretz located high profile lawyers and businessmen with interests in Africa and the Gulf.

First Wap said in a response to this investigation that it denies “any illegal activities” or “human rights violations.” The company said it could not comment on specific allegations that could “enable client identification.” It further elaborated that the company does not perform any tracking itself and that “after installation” of Altamides it has no further knowledge of how the product is used. First Wap emphasized that its technology is used by law enforcement to “fight against organized crime, terrorism and corruption.”

Surveillance without borders

In 2012, Sophia (not her real name) was walking near the coast of Goa on vacation, unaware that her movements were being monitored from halfway around the world with government-grade surveillance tech. But she was not being tracked by an intelligence or law enforcement agency. She was being stalked by a man who had been pursuing her, following her over the course of ten months.

Sophia’s case illustrates how Altamides proliferated far beyond the hands of governments to non-government actors, who used it to surveil victims for commercial and personal purposes. In addition to business leaders and politically-exposed individuals, the Altamides archive contains hundreds of regular people: a teacher, a therapist, a tattoo artist.

First Wap’s surveillance software was marketed through a shadowy network of middlemen who resold the system to clients worldwide. Confidential documents obtained by this investigation detail the operations of one such company, the British corporate investigations firm KCS Group. As the Arab Spring unfolded across the Middle East and North Africa, documents show that KCS attempted to capitalise on the unrest throughout the region, making concerted efforts to sell the tracking system to governments in Morocco and Algeria, as well as other countries in Africa and Asia. But at the same time it was using Altamides for corporate investigation work, digging for dirt on clients’ opponents. The company told us that it “has not been involved in selling or using inappropriate surveillance materials” and is “committed to maintaining ethical standards in all our operations.”

A ruthless pioneer

Unlike other industry heavyweights, which have seen years of adverse coverage because their customers targeted journalists, activists, businesspeople and diplomats, First Wap has thrived for two decades without falling under the spotlight. The story of Altamides dates back to the early 2000s, when former Siemens engineer Josef Fuchs recognised a critical vulnerability in the global telecom network. By exploiting an outdated – but still essential – communication protocol known as SS7, he could trick phone networks into revealing the locations of their users. Seeing a new business opportunity, Fuchs quickly pivoted his Jakarta-based company away from its focus on marketing messages, turning it into one of the world’s first phone-tracking firms. Its arrival on the market was seismic. At a time when Blackberrys ruled and Nokias were everywhere, a user could enter a phone number and the software would pinpoint its location anywhere in the world, within seconds.

Since then, the company has quietly built a globe-spanning phone tracking empire, operating in the shadows, without any apparent red lines. It has also expanded its surveillance arsenal, adding features to Altamides that allow it to intercept SMS messages, listen in on phone calls, and even breach encrypted messaging apps like WhatsApp.

“We can find a way”

Our initial reporting surfaced dozens of non-criminal people surveilled without their knowledge by the company. Data, sources we spoke to and documents we examined indicated that Altamides had been used by authoritarian governments and, without lawful basis, by non-governmental clients. We decided it would be in the public interest to carry out an undercover operation to better understand what red lines the company placed around use of its products.

In a statement, First Wap insisted to us that it “vets and verifies any government client/final user for sanctions compliance prior to the signature of any agreement” and that “there has never been any exception to this.”

Testing the red lines required a fake character, complete with a fake company name and LinkedIn. One of Lighthouse’s reporters became Albert, a South Africa-based businessman who runs a boutique “research consultancy” registered in the British Virgin Islands. Accompanying him was Abdou, a colleague, who would be playing a mover and shaker with political connections throughout West Africa. They signed up for ISS World in the Czech Republic, the largest annual surveillance technology fair, to pitch some projects and see how the company responded.

So this June, our reporter found himself in a Prague hotel room, straightening a suit jacket outfitted with a hidden camera.

Albert and Abdou met First Wap’s sales director Günther Rudolph at the company’s booth, to discuss a series of business propositions. Could First Wap help a government monitor opponents abroad? Could the company crack encrypted WhatsApp chats? Could it help the owner of a mining company disrupt protests by environmental activists? “He knows already who are the leaders, or he wants to find out?” asked Rudolph.

Rudolph drew the undercover reporters’ attention to a potential snag: some of the people they propose selling to might be under sanction from the EU or US, meaning that European nationals like First Wap’s executives risked imprisonment if it were known they organised the sale. “That’s why when we make such a deal we make it through Jakarta,” Rudolph said, referring to First Wap’s corporate base in Indonesia. It was a “grey area”, he said. But “we can find a way”. What this way might look like became clear the following day: using a newly invented shell company to mask the connection in the papertrail between First Wap and the sanctioned client.

When confronted with our undercover operation in Prague, the company said that “misunderstandings evidently arose” and that the statements by its executives referred merely to technical feasibility.

The production of this investigation was supported by a grant from the Investigative Journalism for Europe (IJ4EU) fund.

The post Surveillance Secrets appeared first on Lighthouse Reports.

Companies, including banks and Big Tech, don’t send login codes to their customers directly. This would be costly and inefficient. Instead they rely on a sprawling and opaque network of contractors and subcontractors, each of which promises to shave off a part of the sending cost in return for market share. This is what the industry calls “lowest cost routing”. The catch is that any of these middleman companies can see everything transmitted. The codes that come saying “Do not share with anyone” might in fact already have been shared with more or less anyone.

METHODS

Lighthouse obtained a cache of almost 100 million data packets from a phone industry source. The data gave a unique insight into telecom traffic passing through the network of a controversial Swiss outfit. Millions of these packets contained “A2P” (application-to-person) SMS messages. We analysed these to identify senders, recipients and type of message content.

We found millions of sensitive security codes and logins getting sent via Fink Telecom Services. The logins related to services from some of the world’s largest tech companies – including Google, Meta and Amazon; banks and crypto exchanges; dating sites and online marketplaces; and messaging apps including WhatsApp, Viber and Signal. Overall we identified over 1000 companies sending logins to their customers via the network run by maverick telecom entrepreneur Andreas Fink. The text messages we were looking at often told us the account names as well as the login codes and phone numbers.

STORYLINES

We revealed in 2023 how Fink also worked as a contractor for the surveillance industry, offering location tracking services to government agencies and spy companies worldwide. Our investigation also linked his network to the murder of a Mexican journalist, the cracking of email accounts in South East Asia and the takeover of crypto wallets in Israel – events which Fink either denied or blamed on customers of his own customers.

How do untrusted entities and surveillance contractors like Fink Telecom end up as conduits for such sensitive personal info? The answer is that tech companies outsource sending their text messages to an opaque and sprawling marketplace of large and small companies, all offering to get messages to different parts of the world quicker and cheaper than their competitors.

“There’s nothing stopping anyone from doing this work,” an industry insider told us. “Very quickly a company can be handling billions of messages.”

Fink Telecom and other such companies can offer cheap routing in part because of their access to multiple different countries’ “global titles” – the network access points used by telecom operators to communicate with each other. As the phone industry has globalised, a flourishing trade in leasing these global titles has evolved, one outcome of which is that companies can appear to be present in countries other than their actual base. We found Fink Telecom using global titles in Namibia, Chechnya and the UK, as well as its native Switzerland. Earlier this year the UK phone regulator banned the leasing of UK global titles to other companies, citing risks of surveillance and account cracks.

Following our findings, Meta said that it had notified its partners they shouldn’t subcontract or otherwise engage with Fink Telecom. But privacy advocates questioned whether tech companies are doing good-enough due diligence on their supply chain.

The post Two Factor Insecurity appeared first on Lighthouse Reports.

So when officials in Amsterdam—one of Europe’s most progressive cities—told us in 2023 that they were building a “fair” algorithm to detect welfare fraud, we wanted to know more.

Over the course of five years, Amsterdam’s welfare department has been engaged in a high-stakes experiment guided by Responsible AI: a framework of technical and ethical guidelines meant to ensure fairness, transparency, and accountability in automated systems. Promoted by academics, NGOs, multinational institutions, as well as a swelling consulting sector, Responsible AI has emerged as a leading response to the scandals surrounding algorithmic decision-making.

But few systems built using these principles have been subjected to independent journalistic scrutiny. Over the course of years, the city of Amsterdam spent hundreds of thousands of euros, hired consultants, spoke to academic experts, extensively audited its system for bias, and even brought in welfare recipients to provide feedback on the system’s design.

It also invited Lighthouse to look over its shoulder as everything unfolded.

Despite all this effort, the system still failed. In collaboration with MIT Technology Review and Trouw, we set out to understand why. We obtained unprecedented access to the system, the officials who built it, and the critics who fought against it.

The result is one of the first in-depth looks at a system developed under Responsible AI guidelines—and what happens when those promises meet reality.

STORYLINES

With our partners MIT Technology Review and Trouw, we explored an unanswered question: what does it actually mean for an algorithm to be deployed fairly?

Previous reporting, including our own, has covered the worst-case deployments of this technology. Because many of these systems are poorly designed or intentionally discriminatory, these stories have avoided some of the thorny questions about when, if ever, this technology should be deployed and what fair AI should look like.

Amsterdam followed every piece of advice in the Responsible AI playbook. It debiased its system when early tests showed ethnic bias and brought on academics and consultants to shape its approach, ultimately choosing an explainable algorithm over more opaque alternatives. The city even consulted a participatory council of welfare recipients — the very people the system would scrutinize — who sharply criticized the project.

Yet when the city deployed a pilot in the real world, the system continued to be plagued by biases. It was also no more effective than the human case workers it was designed to replace. As political pressure mounted, officials killed the project, bringing an expensive, multi-year experiment to a quiet end.

We reveal the different lessons drawn by participants and experts from Amsterdam’s experience of trying to build a Responsible AI system. These competing interpretations reflect deeper disagreements about whether Responsible AI can ever deliver on its promises, or whether some applications of artificial intelligence are fundamentally incompatible with human rights.

METHODS

In 2023, a few months after we published our original Suspicion Machines investigation, one of our reporters filed a public records request to Amsterdam. We requested code and documents related to a fraud detection system the city had been developing.

In previous investigations, obtaining this type of information took months, even years, with agencies stonewalling us at every turn. We were therefore surprised when the city immediately disclosed everything we requested and invited us to an online meeting. In that meeting, it immediately became clear to us why the city had been so forthcoming. The city had gone to great lengths to design a fair system and, at the time, was confident that it had done so.

When we first began speaking to the city, it was preparing for a pilot in which the model would score real-world welfare applicants. The pilot was ultimately a failure: the model was both biased and ineffective.

In the fall of 2024, nearly a year since we originally began reporting, the city shelved the project altogether. We wanted to better understand how biases had crept into the model as it was trained, reweighted, and then deployed in the real world. Doing so required auditing the system, but we hit a roadblock. While the city had disclosed machine learning models and extensive documentation, Europe’s GDPR barred it from sharing data on how the system had scored real world welfare recipients – important information to audit such systems.

In what is, to our knowledge, a first, the city cooperated in a remote access regime. We sent code and tests to city officials, who executed them on the real data and returned to us aggregate results. Lighthouse has published a methodology explaining our analysis on our website and all the underlying code and data to our GitHub.

Months of ground reporting, including interviews with officials, welfare recipients and experts, allowed us to piece together how the project came together and why it ultimately failed.

The post The Limits of Ethical AI appeared first on Lighthouse Reports.

We examined four companies offering software that uses algorithmic techniques to build profiles of passengers, assess their risk, and flag different categories of people: from terrorists and human traffickers to people migrating without papers.

Executives from Swiss start-up Travizory told us how their system flags people with unusual behaviour patterns or with attributes that look similar to known offenders, using a vast array of variables to determine “who looks unusual”. The algorithms which make these determinations are “black boxes”, the company’s chief data scientist said. The software “will tell you that this person is potentially risky and this person looks different, but how it makes this decision is kind of a mystery.”

Another company, SITA, has aspirations to use traveller data to show “what people are doing, not just who they are” when they cross a border, as well as helping governments “export” their borders “to every single point on the globe where passengers can board flights, ships or trains bound for their territory”.

Interviewees expressed concerns over the accuracy of the data that these new models are based on. We spoke to a Dutch activist who discovered, after a long campaign of information requests, that his Passenger Name Records included some flights he had never taken and excluded some flights he had taken. Other experts cautioned against relying on machines to predict who could be a terrorist and warned that profiling could undermine the legal right to seek asylum.

The post Computer says no fly appeared first on Lighthouse Reports.

Sources within the Social Insurance Agency — tasked with running Sweden’s social security — describe these algorithms as its “best-kept secret.” The benefit recipients who find themselves subject to sometimes humiliating investigations, or who have benefits suspended, have no idea that they have been flagged by an algorithm.

In October 2021, we sent a freedom-of-information request to the Social Insurance Agency attempting to find out more. It immediately rejected our request. Over the next three years, we exchanged hundreds of emails and sent dozens of freedom-of-information requests, nearly all of which were rejected. We went to court, twice, and spoke to half a dozen public authorities.

Lighthouse Reports and Svenska Dagbladet obtained an unpublished dataset containing thousands of applicants to Sweden’s temporary child support scheme, which supports parents taking care of sick children. Each of them had been flagged as suspicious by a predictive algorithm deployed by the Social Insurance Agency. Analysis of the dataset revealed that the agency’s fraud prediction algorithm discriminated against women, migrants, low-income earners and people without a university education.

Months of reporting — including conversations with confidential sources — demonstrate how the agency has deployed these systems without scrutiny despite objections from regulatory authorities and even its own data protection officer.

METHODS

Our Suspicion Machines series has investigated welfare surveillance algorithms in more than eight countries. Sweden was not anticipated to be the most difficult.

Over the course of three years, Lighthouse made wide-scale use of freedom-of-information laws in Sweden. Technical documentation and evaluations similar to those received in our previous investigations in France, Spain and the Netherlands were requested.

The refusals were relentless. The agency declined to disclose even the most basic material, arguing that it would allow fraudsters to evade detection. It refused to confirm whether its algorithms were trained on random samples or even how many people had been flagged in total by an algorithm. It also refused to disclose basic statistics about how it arrived at estimates of welfare fraud. In one email chain, a high level official at the agency wrote, referring to one of our reporters, “let’s hope we are done with him!” after seemingly forgetting to remove the reporter from CC.

To test the extent of the stonewalling, Lighthouse asked for information that the Social Insurance Agency had published in its annual reports. It refused to provide the information, claiming that it was confidential.

There were nonetheless strong indications that the agency’s use of fraud prediction algorithms was deeply problematic. A 2016 report from Sweden’s Integrity Committee described the practice as “citizen profiling” and warned of extreme risks to citizens’ personal integrity. Meanwhile, a redacted 2020 note from the agency’s data protection officer questioned the legality of the system.

A 2018 report from an independent supervisory authority of the Social Insurance Agency, the ISF, opened a new route for inquiry. The report concluded, based on a dataset the watchdog had received, that the agency’s algorithm for predicting fraud in parental assistance benefits did not treat applicants equally. The Social Insurance Agency rejected the conclusions of its supervisory authority and questioned the validity of their analysis.

By obtaining the dataset underlying the ISF report, in-depth reporting became possible. The dataset contained over 6,000 people flagged for investigation by the algorithm in 2017 and their demographic characteristics. With the support of eight academic experts, Lighthouse and Svenska Dagbladetran a series of statistical fairness tests to assess which groups were disparately impacted. The analysis found that women, migrants, low-income earners and people without a university education were overselected by the model. It also found that people from these groups who had done nothing wrong were more likely to be wrongly labeled as suspicious by the system.

This methodology describes our analysis and the underlying code and data is now available on Github.

STORYLINES

Lighthouse and Svenska Dagbladet produced a three-part series based on our joint-reporting and analysis.

The first story reveals how Sweden’s social security agency has deployed machine learning at an industrial scale and largely in secret. It recounts the experiences of parents who were left without money to cover basic essentials. Those with the highest risk scores are investigated by fraud investigators with enormous powers and who work inside a corner of the agency’s offices locked-off from other employees.

It shows how vulnerable groups historically discriminated against are also the groups more likely to be wrongly selected for investigation.

In response to our findings, Anders Viseth, the person who oversees the agency’s fraud algorithm, denied wrongdoing. He further argued that being put under investigation is not a disadvantage because a human investigator always makes the final decision. This is despite benefit payments being delayed while undergoing invasive investigations.

The second story examines the agency’s claims of large-scale fraud — one of the primary justifications for the use of AI and secrecy surrounding it. These estimates have been published by the media, highlighted in annual reports and have driven much of the public debate. Analysis of the methodology revealed that it was rooted in baseless assumptions, including a definition of fraud that failed to check whether mistakes were intentional.

In reality, data we obtained both from the agency and the Swedish criminal justice system show that very few cases where the social security agency alleges fraud reach the courts. And even when they do, courts rarely determine that a defendant has intentionally committed fraud.

The final piece interrogates the agency’s lack of transparency and accountability. Virginia Dignum, a professor at Umeå University and one of the 38 experts selected for the United Nations’ expert group on AI, sharply criticises the agency’s arguments against transparency.

David Nolan from Amnesty’s Algorithmic Accountability lab criticized the lack of redress for citizens profiled by the system.

“The opacity of the system means most individuals are not aware that fraud control algorithms were used to flag them for further investigation,” Nolan said. ”How are individuals expected to effectively challenge a decision made about them–as is their right–when they are likely to be unaware that they are the subject of an automated process?”

When asked whether the agency should be more transparent, its fraud algorithm supervisor, Viseth, responded: “I don’t think we need to be.”

The post Sweden’s Suspicion Machine appeared first on Lighthouse Reports.

While Africa has become a lucrative market for multinational tech vendors, the promised benefits of trustworthy election results and a revolutionising of the way that states deliver vital services is far harder to discern.

At the 2024 ID4Africa trade fair in South Africa, the promises kept coming: economic growth, empowering individuals, reducing government spending, enabling trust and being a key tool in solving humanitarian crises.

The conference sponsors include a who’s who of companies that have benefited from contracts meant to confer legitimacy on electoral processes and unlock the potential of Africa’s demographic advantage over other ageing continents.

A legal identity is among the UN’s sustainable development goals, where it is defined as a fundamental human right. The drive to meet this goal has seen near-bankrupt states prioritise the capture and storage of biometric data from iris scans and fingerprints to facial images.

We set out to investigate what has become of the blockbuster deals struck in sub-Saharan Africa. What has actually been delivered? Who has benefited? How have they been financed? And how have people on the ground in those countries been affected?

METHODS

As well as exploring the biometrics industry and how it has courted customers in a “frontier market” our investigation focused on a representative cross section of African countries where big tech investments have gone in three distinct directions.

In Uganda, where supposedly democratic elections have failed to deliver a change of government in four decades, we explored how a Chinese tech vendor provided biometric systems which have become the foundations for a surveillance state.

In Mozambique, we probe the worsening conduct of elections in a fragile democracy. The gas-rich nation is beset by rising poverty and a brutal counter insurgency, but its ballooning biometrics costs have failed to breed confidence in democracy.

In the Democratic Republic of Congo, we investigate a succession of phantom biometrics deals which have seen billions of dollars committed on paper but have so far failed to deliver a national population registry or any functioning ID cards across successive governments.

Working with partners, Bloomberg, over the course of nine months, the team combined in-depth ground reporting with expert interviews and accounts from confidential sources to reconstruct deals in the three countries from tender process to societal fallout. In support of these testimonies, we analysed thousands of pages of documents, ranging from bank records and business registries to unpublished contracts and correspondence between governments, vendors and middle men.

The result is the most detailed account yet of the failed promise of biometric technologies and one that looks at the accompanying harms for affected communities, as well as wrongdoing by several companies and individuals.

STORYLINES

Over the last decade debt-ridden Mozambique has bought a succession of multi-million-dollar contracts for biometric voter registration equipment. Whilst mass voter registration had been sold as a way to improve the credibility of elections in fragile democracies, in Mozambique it has shown how these technologies can be used to create new ways to fix results.

At the centre of the election business are the Sidats, three wealthy brothers with strong ties to the ruling party, Frelimo. In 2018, a company owned by two of the brothers, Artes Gráficas, brought in South African tech vendor, Laxton, to provide a biometric voter registration kit ahead of the country’s presidential elections.

But the process was marred by irregularities, which included inflated voter numbers in areas sympathetic to the ruling party.

Sources inside the government and former employees told us Laxton was aware of these issues. Yet, in 2023, Laxton won an ‘exceptional’ no-bid tender for $127 million, to provide a new set of voter registration technology. Behind the scenes, internal documents and meeting minutes reveal there were serious concerns inside the government electoral body over Laxton’s equipment and the technology’s value for money.

In 2023, the voter registration equipment was again critical to Frelimo efforts to suppress and manipulate the vote.

With the next presidential election in October, Laxton’s technology has already played a key role in whether millions of Mozambicans will be eligible to vote.

“In Mozambique elections are not free and fair,” said a senior international diplomat who did not want to be identified out of concern for his safety and the sensitive nature of the subject. Biometric technology, the person said, “is mostly a way for Mozambican companies to make money.”

In Uganda, where a national ID system ought to be a success story, we find it feeding a sweeping surveillance state built in cooperation with China’s Huawei. Nick Opiyo, one of East Africa’s leading human rights lawyers, who has defended victims of government crackdowns, has been a victim of widespread digital surveillance.

A succession of biometric tools have become central to many of the day to day functions of the state and also a powerful mechanism for surveilling politicians, journalists, human rights defenders and ordinary citizens.

A $126 million deal with Huawei has given Uganda the capacity to deploy facial and number plate recognition technology, as well as AI capabilities. Sensitive personal data, required to register a SIM card or make a bank transaction, can be accessed at will by state actors with no due process.

“There’s almost no confidentiality in my work any more,” Opiyo told Bloomberg. “There’s pervasive fear and self censorship.”

In the Democratic Republic of Congo, long plagued by violence, hunger and unemployment, the absence of a civil registry makes proving who you are into an ordeal.

Citizens have to find workarounds in the struggle to access services, open bank accounts or receive money from relatives abroad. Successive Congolese governments have promised to solve the identity crisis and presented increasingly expensive biometric ID schemes as the solution.

For all the promises, no actual ID system has emerged. When we investigated, what we found instead was a series of complex contracts used to conceal shell companies, secret negotiations and hidden payments.

A glitzy shopping mall is all that materialised from one failed scheme involving Belgian company Semlex. Analysing thousands of pages of unpublished and confidential documents, we found that Semlex boss Albert Karaziwan had approached then DRC president Joseph Kabila in 2014, offering a free citizen’s ID to be subsidised by income from sales of expensive passports, also to be produced by Semlex. After the passport sales began, however, sources told us how money was diverted away from the ID project and into the construction of the Hypnose shopping complex – seen as a safe way for Kabila to store his money.

A second round of ID procurement by new president Felix Tshisekedi resulted in a blockbuster contract valued at $1.2 billion for French vendor Idemia and its local partners. But as civil servants raised the alarm about financial irregularities and the risk of an “enormous scam”, and with the World Bank refusing to fund the project, production of IDs ground to a halt with only Tshisekedi himself and a few hundred VIPs having received them.

The post False Promise of Biometrics appeared first on Lighthouse Reports.

We teamed up with three local media partners, De Limburger, Omreop Brabant and Bureau Spotlight and Follow The Money in order to investigate the deployment of this technology in their own communities. Over the course of a year, we unravelled a web of data exchange, dragnet profiling and dozens of municipalities and government ministries.

The Netherlands has a long history of using algorithms and data exchange to profile and pursue vulnerable communities. Describing these systems in 2019, Phillip Alston, United Nations Special Rapporteur on extreme poverty and human rights, compared them to “the digital equivalent of fraud inspectors knocking on every door in a certain area and looking at every person’s records in an attempt to identify cases of fraud, while no such scrutiny is applied to those living in better off areas.”

Months of local reporting showed how in low-income neighbourhoods nearly a dozen forms of data-driven profiling were stacked atop each other. Residents were surveilled from entering school to starting a business or applying for government benefits. Internal documents reveal how local and national agencies trampled privacy regulations and their own data protection officers to profile vulnerable residents with little or no legal basis.

METHODS

Local governments in the Netherlands are increasingly deploying algorithms with little oversight. Local journalism has a vital role to play in holding these systems accountable and deep connections to the communities most directly affected. In 2022, With support from the Dutch Journalism Fund (SVDJ), we partnered with De Limburger, Bureau Spotlight and Omroep Brabant to produce nearly 20 investigations across 12 months.

Freedom-of-information requests were sent to 21 municipalities seeking documents on the various types of profiling they deployed and internal correspondence about the legal basis. Meanwhile community reporting revealed the harrowing consequences for the families who find themselves constantly pursued in nearly every aspect of their lives.

Over the course of the investigation it became increasingly clear that these tools were being deployed with little to no legal basis, and that insiders had been sounding the alarm for over a decade. ​​“We will find fraud here because we have looked; we will find ourselves further confirmed in the assumption that more fraud takes place in ‘poor deprived areas,’” one Data Protection Officer wrote.

After months of reporting that began with a collaborative investigation between Lighthouse Reports and Argos, the Dutch government announced in November it would halt all ‘neighbourhood-oriented’ projects to detect benefits fraud.

STORYLINES

In Limburg, a province in the southeast of the Netherlands, De Limburger investigated how the region had become a hotspot for algorithmic profiling. In the city of Kerkrade, officials targeted neighbourhoods with ‘high welfare density’ and used risk indicators like ‘single mother on welfare of which the father of the child is unknown’ to flag people for invasive house checks. Meanwhile, a project in the city of Venlo that targeted migrant workers and shared their data with government agencies was criticised by its data protection officer. Internal documents we obtained show how the city consciously continued and said that “ignoring privacy laws” was a “political decision.”

In Brabant, a province in the South of the Netherlands, local broadcaster Omroep Brabant discovered how city, national agencies, and the police were collaborating to profile residents for petty crimes. One project that cost hundreds of thousands of euros attempted to predict businesses involved in subversive crime. Too few Google reviews or a remote street could result in a business being flagged. One business owner recounted how 15 police officers and city officials descended on his office. Yet reports requested by Omroep Brabant show that the only wrongdoing found in any of the province’s checks was a fire extinguisher hanging in the wrong place and a blocked emergency exit.

In Gelderland, the breadbasket of the Netherlands, regional investigative newsroom Bureau Spotlight went deep on the story of Fatima, a young woman with multiple sclerosis. Documents and internal emails obtained by Spotlight show how Fatima and her entire family came into the crosshairs of city and government officials through a project that profiled residents based on their family relations, water consumption, and age, among other things. They were subject to invasive house visits where neighbours recalled seeing investigators hiding behind bushes near their home.

Internal emails suggest racial discrimination. When investigators received her case, one wrote in an email that they saw “last names that make me wonder.” After her investigation, city authorities accused Fatima of lying and claimed that she actually lived with her parents. Officials blocked her welfare support, despite Fatima being entitled to benefits regardless of whose house she was living at.

With national partner Follow The Money, we tied together the strands of our regional reporting in a story on the city of Breda, where the city’s poorest neighbourhood, Hoge Vucht, has been the subject of at least six different profiling projects. The piece shows how Breda is at the forefront of a growing trend wherein the government increasingly deploys algorithms and data-driven profiling to interfere in the private lives of residents. The result, according to residents and experts, is a state of constant distrust on both sides.

The post Automating Distrust appeared first on Lighthouse Reports.

What Juliette did not know at the time was that she was one of hundreds of thousands of people on welfare in France being flagged by an algorithm.

For more than a decade and without any public consultation, CNAF has deployed machine learning at a massive scale in a hunt for welfare fraud. Each year, nearly half of France’s population is silently ranked by a secretive risk score between 0 and 1. The only way to obtain the machine score is to make a subject access request under the General Data Protection Regulation.

People with the highest scores are subject to the CNAF’s most invasive investigations, where fraud controllers are empowered to search people’s homes, count toothbrushes to guess how many people live there, question their neighbours and scour bank records. Seven out of every ten people investigated in this way are flagged by the algorithm.

Over the course of six months Lighthouse and Le Monde investigated the algorithm deployed by CNAF. We used freedom-of-information laws to obtain far-reaching access to the building blocks of the system that enabled us to take it apart and analyse how it scores millions of people. We found that the algorithm hones in on people’s vulnerabilities — which have no apparent connection with fraud — such as being a single parent, having a low income or a disability.

METHODS

France is an early member of a growing club of nations that experiment with predictive technology on vulnerable populations with profound consequences. For more than two years, Lighthouse has investigated the growing deployment of this technology across European welfare systems as part of our Suspicion Machines reporting.

In 2021, Lighthouse worked with Algorithm Watch’s Nicolas Kayser-Bril to send a freedom-of-information request asking for the source code of the CNAF’s algorithm. The agency disclosed the source code, but redacted the variables that would allow us to understand how it actually scores people. After an appeal was rejected, work on the investigation paused as we pursued access elsewhere.

In parallel, digital rights groups La Quadrature du Net and Changer de Cap mounted a series of campaigns calling for the CNAF to release the code of the algorithm. Earlier this year, they successfully argued in front of France’s Commission for Access to Administrative Documents (CADA) that the CNAF should have to release the source code for previous versions of its risk assessment algorithm. The CNAF independently disclosed unredacted source code to La Quadrature and Le Monde. La Quadrature’s analysis can be found here.

Obtaining runnable code is rare and the far-reaching access we acquired enabled us to test how different kinds of people are scored (see this blog for a detailed discussion of the methodology). With nearly half of France’s population scored every year by the model, in principle a wide variety of people are at risk of being flagged. Yet when we tested the model we found that in practice it only flags the most vulnerable while it is nearly impossible for the better-off to score high enough to be investigated. Meanwhile poorly constructed criteria mean that arbitrary changes in behaviour — like sending an email one month instead of two months ago — can land people flagged

Interviews with insiders and CNAF officials allowed us to trace the system’s history back to the growing hysteria around welfare fraud in late 2000s as Nicolas Sarkozy vowed to “punish fraudsters.” Months of community-level reporting and interviews with lawyers allowed us illustrate the drastic consequences for vulnerable people.

STORYLINES

We worked with Le Monde’s Les Decodeurs desk to produce a three-part series based on our joint-reporting breaking down the technology, the people it affects and the system that has grown up.

The technology story provides an interactive explanation of our joint audit and how the algorithm makes broad, prejudiced generalisations about millions of people. It finds evidence that the system both directly and indirectly discriminates against groups protected under French discrimination law.

The people story traces the human consequences of being flagged for investigation and its dramatic toll on people’s lives. Readers follow Juliette as she types her details into a prototype of the algorithm and watch as her risk score rises. It ranges across France — where the level of unclaimed benefits is estimated to exceed 30 percent — and follows welfare recipients who struggle to navigate the complex rules of a system where mistakes are cast as deliberate fraud.

The system story traces the history of the system and how a small experiment at a local CNAF in Bordeaux went national amidst a growing moral-panic over welfare fraud. It shows how even key figures close to the algorithm’s development are beginning to sound the alarm, including former CNAF director Daniel Lenoir.

The post France’s Digital Inquisition appeared first on Lighthouse Reports.

His name is Andreas Fink: maverick tech expert and telecom entrepreneur, former ally of Julian Assange and vocal critic of the security state, now turned surveillance industry enabler.

Our investigation shows how Fink has built a surveillance apparatus that he has put at the disposal of governments and companies around the world – including Israel’s Rayzone Group, a top-tier cyber intelligence company. Fink’s set-up is capable of exploiting loopholes in mobile phone connection protocols to track the location of phone users and even redirect their SMS messages to crack internet accounts.

Experts in the telecom security field agree: these activities are “a clear and present danger to anyone with a phone”.

METHODS

For over a year, Lighthouse Reports worked with confidential sources in the telecom industry to build an unprecedented profile of Fink’s activity, rated by many industry experts as among the most significant sources of network attacks globally.

Central to understanding the Swiss’s operation was a list of network access points, called “global titles”. These GTs in industry jargon are not only operated by telephone service providers but also leased by private companies from SMS vendors to surveillance actors. GTs look like phone numbers. They send and receive data allowing phones to communicate with each other. Traffic through phone networks – such as requesting location info on a device – can be observed as coming from a particular GT. Working with industry insiders we developed a list of GTs which had been observed carrying out suspicious activities in different parts of the world. We were able to link these to specific operations, and cross-correlate them with other operations seen by analysts elsewhere.

Who owns or uses a particular GT is not always obvious, however, even to insiders. We could see that some of the GTs we observed were registered in public databases to Fink Telecom Services. But we also obtained leaked documentation with non-public lists of GTs used by Fink at different times.

Our resulting dataset has identified over 100 GTs linked to or used by Fink. From this list we focused on a smaller number of incidents, looking in detail at which GTs had been spotted working together on specific days in specific locations.

To understand this data we drew on multiple other resources. We obtained copies of communications between Fink and actual or potential business partners, as well as maps of his connectivity – that is, the companies he used as intermediaries to send requests into phone networks. We interviewed industry insiders and spoke in detail to security analysts who have been tracking his activities.

STORYLINES

Together with Der Spiegel, Haaretz, Tamedia and Mediapart, we explore the hidden ecosystem of telecom network penetration and how Fink’s activities spanned the world.

In the Democratic Republic of the Congo, he demonstrated his surveillance system to intelligence officials. The demo involved him pinpointing the location of an individual who, the officials said, operated an anonymous defamatory anti-government Facebook account.

Approaching a phone company employee via social media, he offered $1000 per month for access to the employee’s West African phone network – access which he intended to use to “track suspects” in war-torn Mali. He didn’t say why or who for.

In South East Asia and Israel his systems were used to take over Telegram and other accounts by redirecting SMSes used to secure them.

In Guerrero, Mexico, a trace shows an effort to extract personal data, including location data, from a journalist’s phone. The next day, the journalist was shot dead. The trace goes back to a global title leased by Fink, although he says he was not using it at that time.

These stories emerge as industry bodies and European parliamentarians are looking at the neglected risks inside phone networks in the context of mounting concerns over widespread surveillance.

The post Ghost in the network appeared first on Lighthouse Reports.

The Ministry of Foreign Affairs is not alone one among Dutch institutions that have been in the spotlight for structural racism. The Netherlands prides itself on automated decision making to reduce bias. But in the last two years of reporting from Lighthouse Reports have revealed wide-scale use of algorithmic risk profiling systems across the Netherlands.

New, leaked documents obtained by Lighthouse Reports and NRC reveal that at the same time Hoekstra was promising change, officials were sounding the alarm over a secretive algorithm that ethnically profiles visa applicants. They show the agency’s own data protection officer — the person tasked with ensuring its use of data is legal — warning of potential ethnic discrimination. Despite these warnings, the ministry has continued to use the system.

Unknown to the public, the Ministry of Foreign Affairs has been using a profiling system to calculate the risk score of short-stay visa applicants applying to enter the Netherlands and Schengen area since 2015.

An investigation by Lighthouse and NRC reveals that the ministry’s algorithm, referred to internally as Informatie Ondersteund Beslissen (IOB), has profiled millions of visa applicants using variables like nationality, gender and age. Applicants scored as ‘high risk’ are automatically moved to an “intensive track” that can involve extensive investigation and delay.

“Family members of Dutch citizens with a migration background are prevented in all kinds of ways by the Ministry of Foreign Affairs from getting a visa for short stays.” said Kati Piri, a Dutch MP. Regardless of the ministry claiming efficiency over the use of the IOB system, “from countries like Morocco and Suriname, it is incredibly difficult to get a visa,” Piri added.

METHODS

In February 2023 Lighthouse obtained previously unpublished, crucial documents pointing to heated internal discussion around the Ministry of Foreign Affairs’ use of nationality and gender in its algorithmic risk profiling.

According to documents, the internal Data Protection Officer advised the ministry to “immediately stop profiling visa applicants to distinguish them partly on the basis of nationality and then treating them unequally on the basis of that distinction.”

Examples of so-called “risk profiles” used by the algorithm include Surinamese men aged between 26-40 who applied from Paramaribo and unmarried Nepalese men aged around 35-40 who applied for a tourist visa. Officials claim that the risk profiles are also based on data from third parties to see if a group of individuals from the same nationalities attempted to apply for asylum.

Despite the Data Protection Officer’s serious and continuous warnings from at least 2021, the documents suggest that Hoekstra delayed making a decision about the system. With reporting partner NRC, we spoke with internal sources who confirmed it is still active and uses nationality as a variable.

STORYLINES

An internal watchdog at the Ministry of Foreign Affairs has pressed them since midway through 2022 to immediately halt algorithmic profiling of visa applicants based on their nationality. Despite pushback from officials, the DPO continued to insist that the algorithmic assessment system is potentially discriminatory.

With the national newspaper NRC, we chronicled how the ministry turned to algorithmic profiling in the midst of a larger drive to cut costs. Ministry officials maintain that the algorithm helps to centralise workloads and remove bias of caseworkers. They also claim that three consulted experts have concluded that the use of nationality in the algorithmic profiling system was proportional and not discriminatory.

Statistics from the ministry suggest that being flagged as a high risk can carry serious consequences. As of March 2023, 33 percent of applications in the intensive, ‘high risk’ track were rejected, whereas only 3.5 percent of applications in the normal, ‘low risk’ track were rejected.

Being flagged for the intensive track can come with months of delays and consequences in an already difficult bureaucratic process. With NRC we spoke to Saadia Ourhris, a Moroccan-Dutch mother who recounted a relative of hers receiving constant automated rejections when attempting to visit her in the Netherlands.

Reacting to our findings, Dutch MP Kati Piri described the use of algorithmic visa profiling as “downright shocking.”

The post Ethnic Profiling appeared first on Lighthouse Reports.