Kampala: There are twenty one hotels in Uganda that reportedly colluded with government to hack and spy on potential opponents through computers, phones or any communication device.
The Serena Kampala, Sheraton Hotel, Hotel Africana, Speke Resort Munyonyo, Imperial Royale, Emin Pasha, Grand Imperial, Tourist Hotel, and Fairway Hotel are some of hotels named in a just-released report titled ‘For God and My President: State Surveillance in Uganda by Privacy International. Others named include Hotel Triangle, Golf Course Hotel, Protea Hotel, Mamba Point, Equatorial Hotel, Cassia Lodge, Travellers Inn, Imperial Resort Beach Hotel; Imperial Botanical Golf View Inn, Flight Motel and Brovad Hotel in Masaka.
In the 80-page report Privacy International says government, through an operation code-named ‘Fungua Macho’ (open eyes) reportedly carried out surveillance on opposition politicians, journalists and people deemed a threat to state security after the 2011 elections.
According to the report, through the Fungua Macho operation, the high-end hotels in Kampala, Entebbe and Masaka were reportedly compromised as part of the spying operation. These hotels, the report says, were specifically selected because they were known to be meeting points for politicians and journalists and also as places known for hosting political events.
How it is done
To do its work, the report says, government bought a computer virus called FinFisher that it used to corrupt electronic gadgets of its targets.
FinFisher access points were reportedly installed on the Wi-Fi networks and/or business centers of these hotels and according to Privacy International, it would take less than five minutes for the FinFisher malware to be inserted directly onto a phone or computer.
For particularly security-savvy targets, FinFisher can be disguised as a PDF, word processing document or other file that the target will inadvertently download and execute; or as a fake website which, when visited by the target, will download FinFisher onto the target’s device, the report states.
A device can also be infected by connecting to a fake network access point. This can be a Wi-Fi log-in screen disguised as an ordinary hotspot portal. FinFisher is designed to activate with a simple inadvertent click by the user. It is designed to bypass most antivirus programs.
In the report, Privacy International notes that it visited all 21 hotels in 2015 and found that computers in two-thirds did not protect administrator privileges, meaning that covert installation of a program onto the desktop computers would have been a simple task.
What is worrying, the report notes, is that many hotels have collaborated either consciously (overt penetration) or unconsciously (covert penetration).
“The potential collaboration of hotels with security services has serious implications. Guests and visitors pay expensive rates for physical security, comfort and privacy that these largely high-end establishments claim to offer,” the report notes.
The Hotels respond
In letter to Privacy International, a copy of which Eagle Online has seen, Serena Hotel General Manager, Anthony Chege, describes the contents of the report as ‘allegations that are very disturbing and untrue.”
“Serena Hotels Africa is a company of integrity that values and protects that privacy, safety and security of all clients staying or visiting our properties.
“Neither the undersigned nor any of my staff is aware that the Ugandan military (UPDF) and the police were engaged in a surveillance operation specifically targeting the organizers of the walk to work protests as well as parliamentarians, intelligence officials and media house during 2011 and 2012 or at any time,” the letter reads in part.
On behalf of Speke Resort Munyonyo, Sudhir Ruparelia, in a letter to Privacy International, wrote: ‘totally false and fabricated lies that we have allowed any forms of surveillance knowingly’.
“This is not the policy of the Group nor any of its entities unless it is prescribed in the laws of Uganda which I do not have knowledge whereby government has requested any such thing.
“It looks like you and your charity is dealing in rumours and may I suggest you correct your records or give us proof and or evidence for your accusations,” Sudhir’s letter reads in part.
