By Joel Schectman and Christopher Bing
WASHINGTON (Reuters) – Firefox browser maker Mozilla is blocking the United Arab Emirates’ government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage programme.
Mozilla said in a statement on Tuesday it was rejecting the UAE’s bid to become a globally recognised internet security watchdog, empowered to certify the safety of websites for Firefox users.
Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking programme.
Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government.
Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive programme, which operated from a converted Abu Dhabi mansion away from DarkMatter’s headquarters.
The programme’s operations included hacking into the internet accounts of human rights activists, journalists and officials from rival governments, Reuters found.
DarkMatter has denied being connected to offensive hacking operations, saying the reports of its involvement were based on “false, defamatory, and unsubstantiated statements.”
The UAE embassy in Washington and DarkMatter did not respond to a request for comment on Tuesday.
Selena Deckelmann, Mozilla’s senior director of engineering, said the reports from Reuters, as well as the New York Times and the Intercept, had made the browser company fear that DarkMatter would use the role of internet security gatekeeper to launch surveillance efforts.
Mozilla concluded “that placing our trust in DarkMatter and disregarding credible evidence would put both the web and users at risk,” Deckelmann told Reuters.
Websites seeking designation as safe by internet browsers have to be certified by an outside organization, which will confirm their identity and vouch for their security.
The certifying organization also helps secure the connection between an approved website and its users, promising traffic will not be intercepted.
But if a surveillance group gained that authority, it could certify fake websites impersonating banks or email services, allowing hackers to intercept user data, security experts say.
Organizations that want to obtain certifying authority must apply to browser makers like Mozilla and Microsoft.
Most of the certifying organizations are independent, private companies. Browsers like Firefox allow websites to obtain certification from any approved authority anywhere in the world.
But many countries, including China, the United States and Germany also have government-approved organizations in the role.
DarkMatter executives have argued that rejection of the UAE bid to become a certifying body would be a “dystopian” policy by Mozilla “against sovereign nations deemed not worthy of operating their own national certificates.”
In 2017, DarkMatter applied on behalf of the UAE government for certificate authority. The company also applied to Mozilla to become a commercial certifier in its own right.
Following Reuters reports earlier this year, Mozilla executives began to fear that DarkMatter could use the authority to spy on users, a Mozilla executive said in the company’s public online forum.
Mozilla executives said rejecting an applicant on the basis of media reports was unprecedented. In past cases, Mozilla primarily relied on technical evidence to determine certification authority.
In Mozilla’s public discussion boards, DarkMatter executives and some security experts warned that relying on news articles to decide who can become a certificate authority would permanently taint the process with bias.
Mozilla’s stated concerns showed “a hidden organizational animus that is fatal to the idea of ‘due process’ and ‘fundamental fairness,‘” Benjamin Gabriel, general counsel for DarkMatter, wrote in the online forum.
In May, a DarkMatter executive said the company would move its certificate business to a new entity called DigitalTrust. That company would be controlled by a firm called DM Investments, which is owned by DarkMatter founder Faisal Al Bannai.
“This ownership structure does not assure me that these companies have the ability to operate independently, regardless of their names and legal structure,” said Wayne Thayer, Mozilla’s certification authority programme manager, in his announcement on Tuesday.
Along with rejecting the UAE’s application, Mozilla said it would block several other separate bids by DarkMatter to become a commercial certificate provider. Mozilla also said it would mark as unsafe the more than 275 websites DarkMatter had already certified under an earlier provisional authority that the company gained in 2017.
Mozilla noted that another UAE government entity called the Dubai Electronic Security Center still had a pending application to become a certificate authority, on which Mozilla had not yet made a decision.
While each browser company makes its own decisions about who it allows to become a certifying authority, Mozilla is seen as a leader in this area. Security experts say competitors, such as Google’s Chrome browser and Apple’s Safari browser, tend to follow its lead.
Thayer said in his announcement that even without a smoking gun that showed DarkMatter had misused certificates, the risks demonstrated by the reports were too great.
”While there are solid arguments on both sides of this decision, it is reasonable to conclude that continuing to place trust in DarkMatter is a significant risk to our users,” he said.
(Reporting by Joel Schectman and Christopher Bing; Editing by Dan Grebler)