Surveillance Firm Pays $1 Million Fine After ‘spy van’ Scandal
The Office of the Commissioner for Personal Data Protection in Cyprus has collected a $1 million fine from intelligence company WiSpear for gathering mobile data from various individuals arriving at the airport in Larnaca.
While this is just an administrative fine under the European Union’s General Data Protection Regulation (GDPR), it is related to a scandal two years ago widely publicized as the “spy van” case.
In 2019, a Chevrolet van packed with at least $3.5 million worth of equipment that could hack Android smartphones and steal data including WhatsApp and Signal messages, was stationed near the Larnaca airport.
The van had been in the area for months when politicians in Cyprus criticized the government for being passive about the activity of the vehicle after seeing its capabilities in action close to the airport in a video from Forbes.
€925,000 fine for collecting MAC and IMSI
In a press release today, the data protection watchdog in Cyprus announced that WiSpear paid an administrative fine of 925,000 euros for GDPR violations.
Irene Nicolaidou, the Commissioner for the Protection of Personal Data in Cyprus said that WiSpear’s van collected the Media Access Control (MAC) address and International Mobile Subscriber Identity (IMSI) of multiple devices.
A MAC address is a unique device identifier on a network, including the internet; the IMSI is a 15-digit number that mobile providers assign to terminals in a cellular network. Both can be used to identify and track individuals.
Collecting this data was part of “tests and presentations of technologies” from the company, which constituted mitigating factors, said Nicolaidou, adding that an investigation found that “no device monitoring or interception of any private communication” occurred.
The $9 million surveillance truck
When the “spy van” scandal broke in 2019, local media said that the Cyprus police seized the vehicle in mid-November and started an investigation months after Forbes journalist Thomas Brewster published a story about Tal Dilian, the owner of the van and CEO of WiSpear.
At the time, WiSpear was registered in Limassol, Cyprus. Headed by Dilian, a former career officer in the Israel Defense Forces (IDF), the company specialized in providing end-to-end WiFi interception and security solutions.
The equipment in the truck, Brewster writes, consisted of surveillance kits and antennas that could trace, compromise, and exfiltrate content from a mobile device, including chats (Facebook, WhatsApp), texts, calls, or contacts.
Depending on the surveillance power fitted in, Dilian’s truck could cost as much as $9 million.
Upon seizing the “spy van,” the police also arrested three WiSpear employees, Cyprus nationals, on 13 charges ranging from violation of privacy laws to processing private data, and breaking radio communications legal provisions.
They were later released as there was no justification for detaining them. At a term on October 9, one of them
In statements about the arrests, WiSpear said that its employees were innocent and were installing a WiFi system at Larnaca airport as part of an agreement with operator Hermes Airports, FinancialMirror reports.
“Nine antennas of innovative technology out of which, three were installed in phase 1 to be tested as long-range Wi-Fi access point for visitors and tourists to enjoy high quality and high-speed internet access.”
However, the then-leader of the AKEL party claimed to have “extremely alarming” information about individuals related to the “spy van” case.
Between 1998 and 2002, Dilan was a commander of an independent service of the IDF called Unit 81 – for a long time a secretive technological division that specialized in building the most advanced technology for Israeli combat soldiers and spies.
Before WiSpear, Dilal founded Circles, the surveillance company that merged with NSO, the makers of the Pegasus spyware. Currently, he is running Intellexa, a company providing cyber-intelligence to law enforcement and intelligence agencies.