Summary
Economic espionage is the unlawful or clandestine targeting or acquisition of sensitive financial, trade, industrial, or economic policy information. Even though many cases remain unknown or unreported, some incidents of espionage reached the headlines of Brazilian news media in the past years. The cases had different natures, some perpetrated by the state and some by groups of individuals or companies. Despite the damage, they give hints on the scale of such actions in the country and potential threats, like the presence of spyware used to collect data from phones. The current geopolitical scenario, with impactful wars and commercial conflicts between world powers, helps stimulate stakeholders to put into practice unlawful methods to collect data.
Compromised Privacy
A series of cases involving invasion of privacy brought the topic of economic espionage under the spotlight in Brazil. On 15 January, Sport Club Corinthians Paulista took to the police spying equipment found in a sweeping carried out at the club, in São Paulo (SP) city. The discovery was made right after the change of the club’s board, which took place at the end of 2023. The new director, Augusto Melo, requested the search for this type of equipment to be done, which is a recommended measure during such transitions. The former president Duilio Monteiro Alves had already registered a police report, as he believed that he was the target of the espionage reported by the new management.
What Was Found?
A sweeping like the one carried out in the Corinthians office is a technical procedure completed by trained professionals and specialized devices. In this inspection, the specialists found three presence sensors with cameras hidden inside them; a fourth presence sensor that appears to have been used for the same objective; and a DVR recorder connected to one of the cameras.
The spying devices were installed in the reception on the fifth floor of the administrative building, where the club presidency is located; in a second location in the reception, just above the door that leads to the president’s office; in the president’s own office, above his armchair; in the base’s training center meeting rooms.
This Content Is Only For Subscribers
To unlock this content, subscribe to INTERLIRA Reports.
The following cases, even though not directly connected to people in work situations, show quite well how risks for the preservation of privacy are everywhere. Moreover, they could fit in with the routine of a regular employee on a business trip. The first case was reported in January, and it took place in OKA Beach Residence, a resort that operates on Muro Alto beach, in Porto de Galinhas, in Greater Recife, Pernambuco. A couple found inside their room a video camera in front of their bed. Several other cases have been reported to the media, including one disclosed by Publicist Mateus Bandeira, who claims to have found a hidden camera in front of his bed in a studio apartment rented in the central region of Campinas (SP) through an internet hosting platform.
According to police sources interviewed by media outlets for the cases above, many similar incidents have been reported, and for the most part, authorities believe that the devices were used for recording sexual content to be sold online. The spying devices are installed inside TVs, internet modems, sockets, lamps, and even in small air conditioning inlets. On the other hand, they form a set of solid evidence indicating how exposed guests of hotels and other accommodations are exposed. Thus, on a business trip, an executive can be targeted in the place of accommodation and everywhere including at the airport, through public Wi-Fi connections.
Another case of espionage that emerged in recent times became a national scandal and has spread concerns of systematic violation of basic rights and leakage of private information of people and institutions. Investigations point out that top Federal authorities monitored a great number of people, approximately 33,000, including journalists, politicians, Supreme Court Ministers (STF) and members of the opposition, without judicial order or any type of control during Jair Bolsonaro’s term. According to Federal Police (PF) investigations, the members of the Brazilian Intelligence Agency (Abin) used the software FirstMile developed by the Israeli company Cognyte, which can keep track of geolocation data of the target’s phone and other metadata.
An additional alarming fact connected to the monitoring method selected was the choice of place to store the information collected: the data was kept abroad, in Israel, the country of origin of Cognyte. Thus, strategic intelligence data would have been available to people from another country.
Several other spying software were bought by Brazilian authorities from different spheres. Abin also acquired Augury, a tool that allows continuous tracking of citizens’ browsing, capturing traffic data, such as session cookies, browsing details, and access credentials for accounts on private platforms: username and password. Webint, another Cognyte product, was sold to the Federal Highway Police (PRF). The program allows spies to invade Whatsapp groups and access information from closed profiles on social networks. Other spying systems revealed by Brazilian media include the GI2S and the Clarian Advanced, both from the same Israeli company, which accumulates R$ 57 million in contracts with the Air Force and five states.
In fact, the intelligence services from the Armed Forces and from many states’ police forces bought espionage equipment and technologies. Mato Grosso, São Paulo, Amazonas, Goiás, Santa Catarina, Rio Grande do Sul, Pará, Espírito Santo, and Alagoas are among the confirmed buyers of these products.
In an interview to the Intercept Brazil, Transparency International stated that the pervasive presence of such spying technologies associated to the lack of control mechanisms – most of the technologies were bought under secrecy – represent a threat to democracy, due to clandestine surveillance. Furthermore, this scenario opens gaps for these tools, contracted by various state bodies, to be accessed by private individuals and organized crime.
A case not that distant in time reveals that this is not a farfetched hypothesis, but most likely “a matter of when”. In 2017, the Federal Police operation nicknamed “Spy”, discovered that confidential data from companies stored in the Special Department of Federal Revenue of Brazil (RF) were stolen by corrupt public employees and sold in the foreign trade market to rivals that were looking to strategic advantages.
This was a large industrial espionage scheme with the participation of national and international stakeholders, and corrupt members of the Federal Revenue. Numerous companies, even multinationals, used this scheme to obtain information from their competitors. The corruption and money laundering scheme would have harmed more than 1,000 companies in several Brazilian states and outside the country, according to the PF.
Economic and Industrial Espionage
According to Abin’s National Program for the Protection of Sensitive Knowledge (PNPC), espionage is the “unauthorized acquisition of knowledge or sensitive data to benefit nations, organizations, factions, groups, companies or individuals”. The Brazilian agency also defines several types of espionage: economic, industrial, commercial and state. In this text, the terms economic or industrial espionage are used as generic terms to refer to the theft of information belonging to a private institution.
In general, economic espionage follows an economic logic. The perpetrator tends to get involved in an act of economic espionage if it calculates that it can obtain a greater profit in the medium or long term, considering the resources spent to steal the information. Though, a National State does not necessarily follow this cost/benefit logic. If the objective is considered strategic by a State, the resources used to obtain it may be greater than the eventual monetary profit.
Industrial espionage is most associated with sectors that are heavily dependent on the development and implementation of technology, thus, where great amounts of money are spent on research and development (R&D). The recurrent targets include the computer, biotechnology, aerospace, chemical, energy, and auto sectors. Aside from the information concerning technologies, other types of data frequently sought include trade secrets, client information, financial information, and marketing information.
People engaged in espionage can use an uncountable number of tactics, still, some are used with more frequency, like social engineering to reach a disgruntled, naïve, or negligent employee that can leak data or even be hired away and bring with him strategic information. Even the garbage can be useful for a spy, who may find therein files and other media that were unproperly discarded.
Spies can attempt to intrude into the property of a rival, and directly collect the desired material or set spying devices, which include a wide range of items, from telephone taps to drones. In Brazil, this was seen a few times. In 2007, during a visit by four employees from Korean supplier LPL, the quality manager from Manaus LG Electronics was accused by four employees of Philips da Amazônia of using a fake identity to enter the unit and access details about a new product from the competitor. To do that, he passed himself as another employee, from LPL.
On the Rise: Online Espionage
Another kind of espionage that gained popularity in recent years was the one perpetrated through the internet. Inadequate cybersecurity practices, better cost-benefit, less risk, and the constant evolution of threats have helped this growth.
Estimates from the American government published by Folha de São Paulo, in June 2023, indicate that almost 60% of cases of information theft occur through virtual actions, such as hacking. Another 40% involve more analog techniques, such as co-opting employees.
Furthermore, the virtual environment can even be currently paving new ways for the analog way of spying to be done better and easier. Social media added a new element of aid for criminals, which now can count on virtual methods to collect information about potential targets from a company, particularly when it comes to social engineering. The risk is high, since almost everyone that is formally employed has personal data stored in public systems and social networks, and this information can indeed be used for attacks aimed at the private sector.
In the global scenario, Brazil is one of the countries the most affected by data breaches. This South American nation is the most affected in its region and the 10th across the globe, with 3.260 million breaches reported last year, according to research developed by Surfshark. Another study, by Micro Trend, pointed out that the nation had was the second most affected by risk events worldwide (7.5 billion), in the first half of 2023, only behind the USA. Problems that weaken the country include low investment, lack of awareness and the high number of legacy systems used.
When States Are in Conflict, Espionage is Likely to Prosper… in Brazil
Many specialists say that the world has changed, and that after the beginning of the war between Russia and Ukraine, and the intensification of the commercial war between China and the USA, the world has moved to a state where globalization will be deeply affected. The fluxes of capital, goods, and people will, therefore, face more obstacles.
Even for those not directly involved in the military dispute, it represents a geopolitical division, less trust among nations, and potential impacts on commercial negotiations. Furthermore, countries spend more on their military budget and less on areas that can help social and economic development.
This context associated with several sanctions, barriers and the natural global competition becomes a fertile ground for the adoption of spying tactics to gain advantages and jump ahead of adversaries.
Many cases of industrial espionage involving the USA and China have been appearing lately. In November 2022, Chinese citizen Xu Yanjun, accused of being a professional spy, was sentenced to 20 years in prison for conspiracy. He stole trade secrets from several US aviation and aerospace companies, including GE.
Amid this, Brazil could be an excellent place for the theft of industrial secrets, according to the United States Government. The country has the operations of many US companies that use cutting-edge technologies, as well as companies from China. The most fragile sectors would be aircraft manufacturing, agriculture and information technology. At the same time, Brazil has few coordinated actions between the country’s security forces and companies. A representative of the American government told Folha de São Paulo that he considers that Brazil has rules to prevent the problem, but the measures are not applied.
When it comes to the Brazilian law system, espionage does not have a specific treatment. There is Law No. 9,279/1996 (Industrial Property Law) that protects industrial secrets, considering unfair competition from their unauthorized use. Espionage is loosely mentioned in criminal legislation, when it approaches the topic of military espionage. Nonetheless, the Brazilian legislation allows it to have effects beyond criminal law, with potential repercussions in civil and administrative fields.
The country is also a member of the 1995 Trips agreement, signed within the scope of the World Trade Organization (WTO), which provides ways to protect copyrights, such as industrial designs, patents, and sensitive company information.
However, some obstacles appear at this stage. Besides the fact that rules to prevent espionage are poorly or even not applied, legislation demands the presentation of evidence through documents, witness interviews, or expert examinations, which is often hard to obtain. Another point highlighted by specialists is the mild penalties imposed, often up to one year in prison.
Other difficulties arise when companies must deal with industrial espionage. Many instances of industrial espionage may not be reported publicly. Companies normally choose to handle incidents internally, which leads to underreporting. This is based on fear of negative impacts on the business’ image and, eventually, falls on the stock prices and investor confidence. There is also the chance of fines due to potential a violation of privacy requirements. In many countries, companies are responsible for ensuring the security of their customers’ sensitive data.
Normally, holding spies accountable is hard because of factors such as legislation variability. An international spy, which is often the case, particularly because of cyberespionage, could easily evade punishment.
Prevention
In Brazil, the General Law on Data Protection (LGPD) regulates this. The General Personal Data Protection Law (LGPD), Law No. 13,709/2018 was enacted to protect the fundamental rights of freedom and privacy, and the free formation of each individual’s personality. The Law talks about the processing of personal data, arranged in physical or digital media, carried out by an individual or legal entity under public or private law, encompassing a wide range of operations that can occur in manual or digital media.
The facts lead experts to counsel prevention as the best tool. The main idea and ideal scenario are to implement a protection system good enough to make undertakings too costly for most interested parties, attempting to eliminate the benefit of any spying operation.
Creating such a preventive system will demand bespoke work, which is provided by INTERLIRA. Among the measures indicated are:
- Implement a Technical Surveillance Countermeasures program, including the conduct of regular electronic surveillance sweeps
- Physical protection of data and network perimeter;
- Classification of data according to confidentiality level;
- Controlling the number of people accessing data (Need-to-know Rule);
- Raise employee awareness regarding imminent threats;
- Employ layered protection, combining different types of security measures;
- Create a complete security of information policy;
- Monitor employees activity;
- Draft and implement a business travel policy, considering that business travelers are preferred targets;
- Develop a reliable incident response plan.