Post-Revolt Tunisia Can Alter E-Mail With `Big Brother' Software

Aided by American and European suppliers, Ammar 404 took control of virtually all electronic communication in Tunisia and turned lives upside down -- even changing the contents of e-mails in transit, Bloomberg News found in an investigation that draws a rare blueprint of a totalitarian nation's monitoring apparatus. Photographer: Shawn Baldwin/Bloomberg

In Tunisia, Big Brother goes by an alias: Ammar 404.

A play on the “Error 404” message for blocked websites, Tunisian bloggers dreamed him up as a fictional front man for the sprawling surveillance state of former ruler Zine El Abidine Ben Ali.

Aided directly and indirectly by American and European suppliers, Ammar 404 took control of virtually all electronic communication in Tunisia and turned lives upside down -- even changing the content of e-mails in transit. In this world, Tunisians of all stripes could never be sure if e-mails arrived as sent or at all, or who was reading them.

Asma Hedi Nairi, a former Amnesty International youth coordinator, says e-mails she and her friends exchanged were replaced by messages ranging from random symbols to ads for rental cars. Opponents of the regime toppled in January’s revolution received threatening messages such as “you can run but you can’t hide,” while people with no role in politics found their correspondence snagged if it inadvertently included words flagged as critical of the government. Ammar 404 even damaged reputations by inserting pornographic images in work e-mails and routing intimate photos onto Facebook, Nairi, 23, says.

“Ammar 404 was seeing everything,” says Nairi, who is studying in Tunis for a master’s degree in criminal sciences.

‘War of Information’

The interference forced her to shut down five e-mail accounts in the years before the revolution, robbing her of contact lists and documents. The sexual nature of some intrusions was especially embarrassing within the country’s mostly Muslim culture, Nairi says, further chilling the free flow of political discussion.

“Ammar 404 is more dangerous than any policeman in the street,” she says. “It was a war of information.”

Tunisia’s surveillance capabilities put it at the forefront of a technological arms race in which repressive regimes are gaining increasing power to monitor -- and manipulate -- citizens’ electronic activities.

The review of Tunisian surveillance draws a rare blueprint of a totalitarian nation’s monitoring apparatus, and is part of a Bloomberg News investigation across the region that reveals how governments use Western surveillance technology to track dissidents.

In Syria, an Italian company pulled the plug on an Internet monitoring system after Bloomberg reported the project was in the works as the death toll of protesters mounted. Iran purchased European gear to track citizens’ locations even after a crackdown surrounding the contested 2009 elections. And in Bahrain, police interrogated activists using text-messages intercepted with European surveillance equipment. Egypt, Yemen and Syria purchased the same interception gear, the investigation found.

Largely Unregulated

The export of surveillance gear is largely unregulated, and interception capabilities are standard in most communications systems around the world, intended for use by law enforcement. Neither the U.S. nor the European Union bars exports of monitoring technology to Tunisia.

Tunisia is a model of what could await the rest of the world if sales of these technologies go unchecked, says Ben Wagner of the European University Institute near Florence, Italy, who has published research on Internet governance in Tunisia.

Ben Ali’s regime deployed the surveillance gear to demonstrate its power, Wagner says. Changing e-mails into nonsense, rather than luring dissidents into ambushes, created a pervasive unease, in which even spam could be perceived as the work of Ammar 404, he says.

Testing Ground

“It leaves citizens in a persistent state of uncertainty about the security and integrity of their communications,” he says.

Western suppliers used the country as a testing ground. Moez Chakchouk, the post-revolution head of the Tunisian Internet Agency, says he’s discovered that the monitoring industry gave discounts to the government-controlled agency, known by its French acronym ATI, to gain access.

In interviews following Ben Ali’s ouster after 23 years in power, technicians, activists, executives and government officials described how they grappled with, and in some cases helped build, the repressive Wonderland.

Many Responsible

A post-revolution hunt for Ammar 404 shows that while he is, of course, nobody in particular, many shoulder responsibility for his deeds. They include the “cyber police,” the Internet agency that installed the systems, and the corporate enablers who sold the technology despite growing international outcries over the government’s human rights violations.

“I can tell you how it was done,” says Kamel Saadaoui, 46, who ran the Internet agency from 2008 through the revolution. “Tunisian companies, whether the telecoms or the Tunisian Internet Agency, have worked with European companies,” he says during an interview in May, soon after he was promoted to president of the nation’s telecommunications regulator.

Munich-based Trovicor GmbH provided voice and data interception on cell phones, and Sundby, Denmark-based ETI A/S, supplied mobile data interception used to reconstruct online activities, Saadaoui says. ETI systems are capable of tracking the websites a person visits and logs of e-mail correspondence.

Trovicor, a former unit of Siemens AG and Nokia Siemens Networks, didn’t respond to a request for comment. Nokia Siemens spokesman Ben Roome declined to comment. Siemens referred questions to NSN.

Deep-Packet Inspection

ETI is a subsidiary of London-based BAE Systems Plc, Europe’s biggest defense contractor, which bought ETI in March for more than $200 million. Sara Hirsch, a London-based spokeswoman for both companies, said they can’t comment on specific countries or contracts. Their operations comply with national laws and their own internal standards, she said.

Saadaoui, who has a master’s degree in computer science from Michigan State University, says he helped procure and set up the system that captured and changed e-mails. It uses a technique called deep-packet inspection, which peers into the content of communications and sends suspect e-mails to the Interior Ministry.

During an hour-long interview in his office at the National Telecommunications Agency, he describes a monitoring room with metal bars on the windows and 20 desks, where staffers review the e-mails in an array of languages.

“They were able to read why it was blocked and decided whether it should be re-routed to the network or deleted,” he says. “Or changed.”

‘Not Our Job’

Interior Ministry spokesman Hichem Meddeb says his ministry has no role in surveillance. “It’s not our job to intercept phone or e-mail or websites,” he says. Security agencies probably handle such things, he says.

As the capabilities ramped up in 2007, concerns reverberated among the men and women who monitored the Internet, Saadaoui says. “The cyber police just wanted to be the police,” he says. “The political police was something that was imposed on them.”

After the May interview, Saadaoui didn’t respond to requests for follow-up interviews, including attempts made during visits to his office on four consecutive days in September.

While Saadaoui was open about many details, he said nondisclosure agreements bar him from naming the companies that sold two main deep-packet inspection systems: one for blocking websites, and the other for intercepting e-mails.

Deep-packet inspection goes beyond traditional monitoring methods such as scanning for names of senders.

Nonsense E-mails

“It’s like intercepting written mail,” says Milton Mueller, an information studies professor at Syracuse University in New York who has a two-year National Science Foundation grant to study the technology.

In Sfax, a port halfway between Tunis and the Libyan border, human rights lawyer Abdelwaheb Matar noticed in 2008 that e-mails sent by his contacts started arriving as nonsense. One, in April that year, said, “How would you like to have dinner? I just bought a new car,” according to copies cited by Tunisian blogger Malek Khadhraoui that year and confirmed by Matar.

When clients didn’t get his e-mails, Matar, 55, resorted to faxing, he says. On a bookshelf in his office, he displays two Statue of Liberty replicas he bought in New York as a symbol of the values he defends in his work pursuing cases against government agencies.

Unspeakable Threat

Matar brings his laptop around to the front of his desk to show a visitor an e-mail he received on Sept. 26, 2008. He points to the words, which are too horrible for him to read aloud. In French, it calls him weak, compares his face to a pile of excrement, and then threatens, “Every day, I will try to perforate your anus with a baseball bat.” It then signs off with a common, profane insult.

The sender of the e-mail was “fdgfjdhjfk fdhfjkhjksdh,” and Matar is still unsure whether it started as a friendly message changed in transit, or was simple low-tech harassment. With Ammar 404, you never knew.

“How does it feel? I don’t know how to describe it,” he says. “It’s an intimidating aggression.” He now protects his communications with encryption software.

The cyber-repression was made easier by the physical structure of Tunisia’s data flow, which runs through just a few choke points. In broad terms, the system has two distinct parts: one for intercepting phone-related traffic and one for the Internet, Saadaoui says.

Palace Monitors

Each phone company taps for voice, text messages and other mobile data, which feed into monitoring posts, mostly at the Interior Ministry, a person familiar with the system says. Under Ben Ali, some headphone-wearing operators also sat inside the presidential palace in Carthage, the person says.

Trovicor and its predecessors, Siemens and Nokia Siemens Networks, supplied Tunisia’s phone companies with monitoring-center computers and maintained their ability to feed calls and data to the listening posts, four people familiar with the sales through their work for the companies say.

Utimaco Safeware AG, a unit of Abingdon, England-based Sophos Ltd., supplied systems that helped link those German monitoring centers to the phone network, a person familiar with the installations says. London-based Apax Partners LLP, which controls Sophos, referred questions to Sophos and Utimaco.

Utimaco General Manager Malte Pollmann says the company hasn’t sold directly to Tunisia. His products might be in the country because companies that build phone networks, including Nokia Siemens, use Oberursel, Germany-based Utimaco’s systems, Pollmann says. Sophos, the majority shareholder of Utimaco, directed questions to Pollmann.

Channeling All Traffic

To monitor the Web, the government channels virtually all computer traffic through the national Internet agency. Its gear is housed in rooms it controls at Tunisie Telecom buildings in three Tunis neighborhoods, including Belvedere, near the capital’s main park, and Kasbah, where the old city and souk are, Chakchouk says.

“All the international connections are coming to those sites,” Chakchouk, 36, the agency’s chief since February, says in an interview at the headquarters in a whitewashed, bougainvillea-draped villa in a hilly Tunis neighborhood. He says nondisclosure pacts with vendors bar him from disclosing their names.

Siphoning Messages

In each of the three telecom rooms, which are about half the size of a tennis court, a handful of computers known as “boxes” straddle the data pipelines, Chakchouk says. Their function is to siphon off communications, mostly by searching for key words, according to Saadaoui.

“You get all the traffic going through these boxes,” Saadaoui says.

Once the system flagged a suspect e-mail, a fiber optic network under the streets of Tunis carried it from the telecom offices to the Interior Ministry’s operator room, Saadaoui says.

Moez Ben Mahmoud Hassen, a spokesman for Tunisie Telecom, said the company “denies any possible relation with such practices.” He stressed that it follows the law and respects the confidentiality of communications. Asked about the company’s activities during Ben Ali’s government, he said it was a matter for the courts and declined to elaborate.

Communications through mobile operator Orascom Telecom Tunisie, also known as Tunisiana, were not monitored, according to a statement released by company spokeswoman Fatma Ben Hadj Ali. The country’s other mobile operator, Orange Tunisia, didn’t respond to requests for comment.

Politicized Internet

Saadaoui revealed details of Tunisia’s surveillance, he says, in part because he’d become disillusioned with how Ben Ali’s regime had politicized the Internet over two decades.

In 1991, a year after graduating from Michigan State, Saadaoui was part of the team that first set up the net in Tunisia, he says. At the start, it was a research tool, free of any censorship or surveillance, until the regime grabbed control in 1996 with the establishment of the ATI, he says.

Dhamir Mannai, a former adviser to state-controlled Tunisie Telecom’s chief executive officer, recalls how in the freewheeling 1990s he ran his own e-mail servers. “When the agency was created, I was told to stop,” he says. From that point on, “Everything goes through that agency, all Internet access, and all e-mail, so it’s very easy to monitor.”

View From Inside

As Saadaoui rose through the ranks, he saw from the inside the regime’s increasing interest and spending on cyber policing.

The effort started with censorship of websites critical of the government, he says. Blue Coat Systems Inc. and NetApp Inc., both based in Sunnyvale, California, provided filtering, Saadaoui says. NetApp, which sells data storage systems, previously had a unit that makes computers used for monitoring networks. It sold the business to Blue Coat in 2006.

Blue Coat spokesman Steve Schick said the company could neither comment nor confirm the accuracy of its reported involvement. A spokeswoman for NetApp said the company declined to comment.

Then, when dissidents started using e-mail to distribute the contents of banned sites, Tunisia’s Internet agency added e-mail surveillance.

“E-mails was a homemade solution,” Saadaoui says. Tunisian software developers used Postfix, a free, open-source mail management program, to scan traffic through the mid-2000s, he says.

Going Shopping

When the network grew with broadband, becoming less manageable by late 2006, Saadaoui went shopping for more sophisticated solutions at the ISS World trade shows, the marketplace for “lawful interception” gear that meets several times a year in locations including Dubai, Prague and Washington. Some companies, such as ETI, refused to take the work upgrading Tunisia’s surveillance because the requirements were so intrusive, Saadaoui says.

As part of the Web blocking, Tunisia paid to use Santa Clara, California-based McAfee Inc.’s SmartFilter product, says current Internet agency head Chakchouk.

In a statement, McAfee said it is committed to complying with all export laws and regulations. “Additionally, steps have been taken by McAfee to safeguard the product and to prohibit and disable illegal use,” the company said.

Saadaoui says he ended up with two European contractors that each used deep-packet inspection -- one supplier for filtering websites and another for capturing e-mails.

Snagging E-Mails

The surveillance system for e-mails became destructive because communications didn’t show up intact, or arrive at all, Saadaoui says.

Victims included businesses and professionals unlucky enough to have a keyword snagged in the system. “They need the e-mail to arrive quickly and it doesn’t arrive. They lose money. They lose image. They lose credibility,” Saadaoui says.

In 2008, activists noticed something was wrong, and conducted experiments to demonstrate Ammar 404 had employed new tools. Former political prisoner Abdallah Zouari teamed up with Tunisian blogger Sami Ben Gharbia.

The men’s locations made their test possible: Ben Gharbia was based in the Netherlands, where he is the advocacy director of Global Voices, an online community promoting free speech. Zouari lived in internal exile in southern Tunisia.

Testing the System

They logged onto Zouari’s account and simultaneously viewed his incoming correspondence, including one from the Tunisnews online newsletter with headlines about an imprisoned journalist. In the Netherlands, the e-mail appeared untouched. In Tunisia, the same message said, “If you want to increase your performance, try this and let us know. Regards,” a screenshot of the 2008 e-mail shows.

Zouari, 56, a rotund man who sports a callus on his bald forehead from regular use of a prayer rug, is now a leader of the Ennahda Islamist party, which won the most seats in October’s first post-revolution election. He says during an interview in Tunis that he suffered from changed and blocked e-mails for years.

“They did it even with our own families, our friends, far from politics,” he says.

‘Personal Secrets’

“The most important thing for me was the personal secrets,” he says, rubbing his hands together. “You have a political life, but also a personal life -- money, family relations, solving each others’ problems.”

By 2010, it became a contest as Tunisians increasingly employed encryption the packet inspection couldn’t crack. Communications on Facebook boomed, and the regime demanded better tools, Saadaoui says. The same European contractor that provided e-mail surveillance signed a deal to add monitoring of social networks, he says.

It was too late. The supplier hadn’t yet delivered the solution when the “Facebook revolution” crested in January.

The government’s last-ditch attempts to quell online organizing included hacking and password-stealing attacks by Ben Ali’s regime, outside the purview of the Internet agency, Saadaoui says.

Slim Amamou, a blogger who was arrested during the uprising and briefly became a minister for youth and sport after the revolution, says the presidential palace and ruling party orchestrated the final cyber attacks.

Hack Attacks

“When needed, they contracted foreign hackers for access to hack opponents and dissidents,” he says.

In the end, the regime couldn’t overcome a revolution that stayed one step ahead of the cyber police.

Today, Chakchouk, the new head of Tunisia’s Internet authority says he’s working to dismantle Ammar 404, and turned off the mass filtering, he says. Now he’s locked in legal battles over court orders to block specific Web pages.

On Saturday, May 7, he and his team pulled an all-nighter to set the filtering equipment to block a single Web page to comply with a military court’s demand related to a defamation complaint. The following Tuesday, still looking tired, Chakchouk says it took so long because they were figuring out how to replace the page with a message explaining the blockage -- rather than the customary Error 404.

Since the revolution, Chakchouk has spoken at conferences around the world, decrying censorship. Yet he won’t say much about surveillance. For now, the packet inspection boxes are still on the network.

“We tried to understand the equipment and we’re still doing that,” he says. “We’re waiting for the new government to decide what to do with it.”

-- With assistance from Ben Elgin in San Francisco and Jihen Laghmari in Tunis. Editors: Marcia Myers, Melissa Pozsgay

Before it's here, it's on the Bloomberg Terminal. LEARN MORE