Surveillance Secrets

In June, a sharp-suited Austrian executive of one of the world’s most significant yet little-known surveillance companies told a prospective client that he could “go to prison” for organising the deal they were discussing. But the conversation did not end there.

The executive, Günther Rudolph, was seated at a booth at ISS World in Prague, a secretive trade fair for advanced surveillance technology companies. He went on to explain how his firm, First Wap, could provide sophisticated phone-tracking software called Altamides, capable of pinpointing any person in the world. The buyer? A private mining company, owned by an individual under sanction, who intended to use it to surveil environmental protestors. “I think we’re the only ones who can deliver,” Rudolph said.

What Rudolph did not know: he was talking to an undercover reporter from Lighthouse.

The road to that conference room in Prague began with a vast archive of data, found by a Lighthouse reporter on the deep web, containing more than a million tracking operations: efforts to grab real-time locations of thousands of people worldwide. Investigating that archive — and First Wap’s activities — drew together more than 70 journalists from 14 media outlets.

What emerged is one of the most complete pictures to date of the modern surveillance industry. The tracking archive is unprecedented in scope, and reveals how the company and its clients surveilled all types of people from all over the world. Reporters interviewed more than a hundred victims, as well as former employees and industry insiders. A trove of confidential emails and documents provide a detailed inside account of how First Wap’s tech was marketed to authoritarian governments and accessed by corporate actors. Behind closed doors, First Wap’s executives touted their ability to hack WhatsApp accounts, and laughed about evading sanctions.

The surveillance industry has long maintained that its tools are deployed exclusively by government agencies to fight serious crime, portraying instances of misuse as rare exceptions. This investigation definitively dismantles that narrative.

Making sense of a secret data trove

This investigation began with an archive of data. This is not the first archive related to a surveillance company’s activities, but it is certainly the most granular. It contains 1.5 million records, more than 14,000 unique phone numbers, and people surveilled in over 160 countries. It represents an extraordinarily detailed account of when and where people were tracked, and what users of the tracking tool saw.

The only clue to a target’s identity was a phone number. A team of reporters at Lighthouse and paper trail media spent months painstakingly identifying the owners of those phone numbers. To drill down into the data and better understand it, we divided it into “clusters” of targets — networks of people connected in time or space. As we investigated clusters and put names to phone numbers, stories began to emerge.

For a more in-depth explanation of how we analysed the dataset, see our technical explainer.

The Altamides archive is global in scope. We found high-profile individuals, including powerful political figures such as the former Prime Minister of Qatar and the wife of ousted Syrian dictator Bashar al-Assad. We found Netflix producer Adam Ciralsky, Blackwater founder Erik Prince, Nobel Peace Prize nominee Benny Wenda, Austropop star Wolfgang Ambros, Tel Aviv district prosecutor Liat Ben Ari and Ali Nur Yasin, a senior editor at our Indonesian partner Tempo.

In Italy, investigative journalist Gianluigi Nuzzi was tracked days after publishing a dramatic exposé of corruption in the Vatican, as police closed in on his source. In California, Anne Wojcicki, founder of DNA startup 23andMe and then married to Google’s Sergey Brin, was tracked more than a thousand times as she moved across Silicon Valley. And in South Africa, associates of Rwandan opposition leader Patrick Karegeya were tracked before his assassination in a Johannesburg hotel room.

As our reporting partners dug into the archive, they found other traces of surveillance activity on their doorsteps. In Austria, home of First Wap’s founder Josef Fuchs, Der Standard uncovered a mystery surrounding a tracking spate of high-ranking employees at energy drink giant Red Bull. In Norway, NRK examined how Altamides zeroed in on a top telecom executive. In Indonesia, interviewees told our partner Tempo that they believed they had been targeted because they had taken part in political activities or spoken out against the government. In Serbia, KRIK identified targets in the energy industry, while in Israel, Haaretz located high profile lawyers and businessmen with interests in Africa and the Gulf.

First Wap said in a response to this investigation that it denies “any illegal activities” or “human rights violations.” The company said it could not comment on specific allegations that could “enable client identification.” It further elaborated that the company does not perform any tracking itself and that “after installation” of Altamides it has no further knowledge of how the product is used. First Wap emphasized that its technology is used by law enforcement to “fight against organized crime, terrorism and corruption.”

Surveillance without borders

In 2012, Sophia (not her real name) was walking near the coast of Goa on vacation, unaware that her movements were being monitored from halfway around the world with government-grade surveillance tech. But she was not being tracked by an intelligence or law enforcement agency. She was being stalked by a man who had been pursuing her, following her over the course of ten months.

Sophia’s case illustrates how Altamides proliferated far beyond the hands of governments to non-government actors, who used it to surveil victims for commercial and personal purposes. In addition to business leaders and politically-exposed individuals, the Altamides archive contains hundreds of regular people: a teacher, a therapist, a tattoo artist.

First Wap’s surveillance software was marketed through a shadowy network of middlemen who resold the system to clients worldwide. Confidential documents obtained by this investigation detail the operations of one such company, the British corporate investigations firm KCS Group. As the Arab Spring unfolded across the Middle East and North Africa, documents show that KCS attempted to capitalise on the unrest throughout the region, making concerted efforts to sell the tracking system to governments in Morocco and Algeria, as well as other countries in Africa and Asia. But at the same time it was using Altamides for corporate investigation work, digging for dirt on clients’ opponents. The company told us that it “has not been involved in selling or using inappropriate surveillance materials” and is “committed to maintaining ethical standards in all our operations.”

A ruthless pioneer

Unlike other industry heavyweights, which have seen years of adverse coverage because their customers targeted journalists, activists, businesspeople and diplomats, First Wap has thrived for two decades without falling under the spotlight. The story of Altamides dates back to the early 2000s, when former Siemens engineer Josef Fuchs recognised a critical vulnerability in the global telecom network. By exploiting an outdated – but still essential – communication protocol known as SS7, he could trick phone networks into revealing the locations of their users. Seeing a new business opportunity, Fuchs quickly pivoted his Jakarta-based company away from its focus on marketing messages, turning it into one of the world’s first phone-tracking firms. Its arrival on the market was seismic. At a time when Blackberrys ruled and Nokias were everywhere, a user could enter a phone number and the software would pinpoint its location anywhere in the world, within seconds.

Since then, the company has quietly built a globe-spanning phone tracking empire, operating in the shadows, without any apparent red lines. It has also expanded its surveillance arsenal, adding features to Altamides that allow it to intercept SMS messages, listen in on phone calls, and even breach encrypted messaging apps like WhatsApp.

“We can find a way”

Our initial reporting surfaced dozens of non-criminal people surveilled without their knowledge by the company. Data, sources we spoke to and documents we examined indicated that Altamides had been used by authoritarian governments and, without lawful basis, by non-governmental clients. We decided it would be in the public interest to carry out an undercover operation to better understand what red lines the company placed around use of its products.

In a statement, First Wap insisted to us that it “vets and verifies any government client/final user for sanctions compliance prior to the signature of any agreement” and that “there has never been any exception to this.”

Testing the red lines required a fake character, complete with a fake company name and LinkedIn. One of Lighthouse’s reporters became Albert, a South Africa-based businessman who runs a boutique “research consultancy” registered in the British Virgin Islands. Accompanying him was Abdou, a colleague, who would be playing a mover and shaker with political connections throughout West Africa. They signed up for ISS World in the Czech Republic, the largest annual surveillance technology fair, to pitch some projects and see how the company responded.

So this June, our reporter found himself in a Prague hotel room, straightening a suit jacket outfitted with a hidden camera.

Albert and Abdou met First Wap’s sales director Günther Rudolph at the company’s booth, to discuss a series of business propositions. Could First Wap help a government monitor opponents abroad? Could the company crack encrypted WhatsApp chats? Could it help the owner of a mining company disrupt protests by environmental activists? “He knows already who are the leaders, or he wants to find out?” asked Rudolph.

Rudolph drew the undercover reporters’ attention to a potential snag: some of the people they propose selling to might be under sanction from the EU or US, meaning that European nationals like First Wap’s executives risked imprisonment if it were known they organised the sale. “That’s why when we make such a deal we make it through Jakarta,” Rudolph said, referring to First Wap’s corporate base in Indonesia. It was a “grey area”, he said. But “we can find a way”. What this way might look like became clear the following day: using a newly invented shell company to mask the connection in the papertrail between First Wap and the sanctioned client.

When confronted with our undercover operation in Prague, the company said that “misunderstandings evidently arose” and that the statements by its executives referred merely to technical feasibility.