(Bloomberg) — Representatives of Mitto AG have told clients that co-founder and Chief Operating Officer Ilja Gorelik is no longer involved at the company, following allegations that he operated a secret surveillance service that helped governments track mobile phones, according to three people familiar with the matter.
Mitto, a closely held company with headquarters in Zug, Switzerland, works with telecom operators in more than 100 countries to provide automated text messaging services to some of the world’s largest technology companies, including Google, Twitter and WhatsApp, helping them deliver security codes users need to log in to online accounts.
But a Bloomberg News investigation, carried out in collaboration with the London-based Bureau of Investigative Journalism, reported last week that Gorelik had sold access to Mitto’s networks to secretly locate people via their mobile phones.It’s not known whether Gorelik’s status at the company has changed on a permanent or temporary basis, nor is it clear if Gorelik left of his own accord. Mitto and Gorelik didn’t respond to requests for comment. Gorelik is still listed on Mitto’s website as a member of the company’s leadership team, and Swiss business records, which name Gorelik as a board member, haven’t been updated.In response to the allegations, Mitto previously said that it was conducting an internal review “to determine if our technology and business has been compromised.” Now, Mitto has informed at least two of its clients that Gorelik is no longer working with the company, according to three people with knowledge of those discussions, who requested anonymity because they were not authorized to speak publicly.Several of Mitto’s clients, including Google, MTN Group and the mobile communications company Kaleyra Inc., contacted Mitto to express concerns and seek more information about the surveillance allegations, according to two current Mitto employees, who said they expected the company to lose business as a result. Google, MTN Group and Kaleyra didn’t respond to requests for comment.
The revelations last week caused shock and confusion among Mitto employees, according to the two current employees at the company. Gorelik’s alleged association with the surveillance industry wasn’t widely known within Mitto, according to the employees, who spoke on condition of anonymity due to confidentiality agreements.
Shortly after the disclosures, Andrea Giacomini, Mitto’s chief executive officer, sent employees an email stating that he had assembled a team to respond to the allegations and defend the company. “Swift actions have been taken, and we are committed to ensuring the health and wellness of our brand and our organization,” he said in the email, which was reviewed by Bloomberg News. “Unfortunately, with success comes challenges and threats: some we expect, and some that surprise us. Nevertheless, we are always prepared. We will overcome this together.”
The internal statement made no mention of Gorelik. Giacomini said in the email that he remained “committed to the highest industry standards” and added that Mitto had never organized or operated “a separate business, division or entity” that provides surveillance services.
Since it was founded in 2013, Mitto has attracted several leading technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.
But between 2017 to 2018, Gorelik started giving surveillance-technology companies access to Mitto’s networks, which were then used by government customers to locate and track people via their mobile phones, Bloomberg News reported.
Former Mitto employees familiar with Gorelik’s alleged activities said he provided surveillance services to multiple companies. That Mitto’s networks were also being used for surveillance work wasn’t shared with the company’s technology clients or the mobile operators the it works with to spread its text messages and other communications, according to former Mitto employees.
Following the revelations, Switzerland’s federal data protection and information commissioner opened an investigation focusing on Mitto’s business practices.
Within the mobile industry, some experts warned that it had long been known networks were vulnerable to the kind of surveillance allegedly carried out by Gorelik.
Mitto leased hundreds of “global titles” from telecom companies — unique addresses that are used to route messages across phone networks relying on a protocol known as SS7, or Signaling System 7. SS7 is known to contain security weaknesses and can be abused to track phones or intercept calls and messages. The alleged surveillance service involved exploiting weaknesses in SS7, Bloomberg News previously reported.
Earlier this year, a group within the GSMA, a mobile industry organization that represents the interests of more than 700 companies, began working on a code of conduct intended to help prevent abuses of SS7, according to a GSMA document reviewed by Bloomberg News.
The document proposes a range of measures that the mobile industry could adopt to provide more oversight of companies leasing global titles from telecom companies. The practice of leasing global titles can “hide malicious or illegal activities and its true source,” the GSMA document says, and requires greater “transparency, traceability and ultimately accountability.”A GSMA spokesman said the draft document is part of an “extensive body” of guidance over the years that has raised standards for security within the mobile ecosystem. That document is planned to be made available on the GSMA website in early 2022, the spokesman said.
Critics contend that the mobile industry has known of the abuses for years but has been too slow to respond.
“For years mobile industry organizations such as the GSMA have been aware of operators selling network access resulting in targeted surveillance,” said Gary Miller, mobile security researcher at Citizen Lab, a research group at the University of Toronto that focuses on surveillance technology. “The lack of regulation and accountability has brought unnecessary privacy and security risks to mobile users across the globe.”
The GSMA spokesman said that the organization “takes network security and privacy very seriously and plays a leading role in creating a safer experience for mobile subscribers.” There was a need in the longer term, the spokesman added, “to move away from SS7 altogether and retire legacy mobile infrastructure and protocols.”
Another mobile industry group, the Mobile Ecosystem Forum, said it planned to seek clarifications from Mitto about the surveillance allegations.
Dario Betti, CEO of the organization, said that Mitto was a member of the Mobile Ecosystem Forum, but had not signed up to a voluntary code of conduct that sets out rules for ethical and commercial responsibility.
Betti declined to discuss specific allegations about Mitto, but said in general that abuses occurring in the sector posed “a threat to the market and the market has to close down all these bad behaviors.” “This is an industry built on trust, and we need to maintain that trust,” he said.
(Updates with comments from GSMA)
More stories like this are available on bloomberg.com
©2021 Bloomberg L.P.
