Co-creator defends suspected UAE spying app called ToTok
If the popular ToTok video and voice calling app is a spying tool of the United Arab Emirates, that’s news to its co-creator.
Giacomo Ziani defended his work in an interview with The Associated Press and said he had no knowledge that people and companies linked to the project had ties to the country’s intelligence apparatus, despite a recent report in The New York Times.
Millions downloaded the ToTok app during the several months it was available in the Apple and Google stores. Its surge in popularity was likely driven by the fact that it allowed users to make internet calls that have long been banned in the UAE, a US-allied nation where the largest city is Dubai.
The ban means Apple iPhones and computers sold in the UAE do not carry Apple’s FaceTime calling app. Calls on Skype, WhatsApp and other similar programs do not work.
Ziani, a 32-year-old native of Venice, Italy, said ToTok won rapid approval from UAE telecommunications regulators, something long sought by established competitors that remain banned. He attributed that decision to the monopoly on the telecom market held by two companies that are majority-owned by the government. ToTok’s small market share, he said, would not cut as deeply into their business as major firms if allowed access.
In this nation of 9.4 million people where all but a sliver of the population comes from another country, ToTok represented what appeared to be the first government-blessed app that would allow them to connect freely to loved ones back home. That drew everyone from laborers to diplomatic staffers to download it amid a publicity campaign by state-linked and government-supporting media in the Emirates.
Ziani denied that the company collected conversation data, saying the software demanded the same access to devices as other common communication apps. Emirati authorities insisted that they “prohibit any kind of data breach and unlawful interception.”
But this federation of seven sheikhdoms ruled by hereditary leaders already conducts mass surveillance and has been internationally criticized for targeting activists, journalists and others. Ziani repeatedly said he knew nothing about that, nor had any knowledge that a firm invested in ToTok included staff with ties to an Emirati security firm scrutinized abroad for hiring former CIA and National Security Agency staffers.
He also said he did not know about alleged ties linking companies involved with ToTok to Sheikh Tahnoun bin Zayed Al Nahyan, the Emirates’ national security adviser.
“I was not aware, and I’m even not aware now of who was who, who was doing what in the past,” Ziani said.
By installing the app, users agreed to allow access to their mobile device’s microphone, pictures, location information and other data.
“By using this app, you’re allowing your life to be opened up to the whims of national security as seen by the UAE government,” said Bill Marczak, a computer science researcher at the University of California, Berkley, who has studied ToTok and other suspected Emirati spying operations. “In this case, you’re essentially having people install the spyware themselves as opposed to hacking into the phone.”
An American diplomat, who spoke on condition of anonymity to discuss security matters, said local embassy and consular staff received orders to remove the app from all US government devices. That was only after the Times, citing anonymous US officials, described the app as a “spying tool” of the Emirati government.
Ziani alleged, without providing evidence, that criticism of ToTok came more from professional jealousy and US-China trade tensions than security concerns.
ToTok described itself on Apple as coming from developer Breej Holding Ltd. and on Google as being from ToTok Pte., a Singapore-based firm.
Both ToTok and Breej Holding Ltd. had been registered in a publicly accessible online database of companies operating out of the Abu Dhabi Global Market, an economic free zone set up in the Emirati capital. After suspicions emerged about ToTok, records of the two firms no longer appeared online.
Following an inquiry about the firms from an AP journalist, their information reappeared Tuesday night in the database. Market spokeswoman Joan Lew blamed a “data migration” problem for their disappearance.
Information from that database shows ToTok’s sole registered shareholder as Group 42, a new Abu Dhabi firm that describes itself as an artificial intelligence and cloud-computing company. Ziani said ToTok has another substantial investor he declined to identify.
Also known as G42, the company’s CEO is Peng Xiao, who for years ran Pegasus, a subsidiary of DarkMatter, an Emirati security firm under scrutiny for hiring former CIA and NSA staffers, as well as others from Israel.
“G42 has no connection to DarkMatter, whatsoever,” the company told AP in a statement. It did not respond to further queries.
G42′s sole director listed in Abu Dhabi Global Market filings is Hamad Khalfan al-Shamsi, whom Marczak identified as the public relations manager of the office of Abu Dhabi Sheikh Tahnoun bin Zayed Al Nahyan. Sheikh Tahnoun is a brother to Sheikh Mohammed bin Zayed Al Nahyan, the powerful crown prince of Abu Dhabi who has run the country from day-to-day since its president, Sheikh Khalifa bin Zayed Al Nahyan, suffered a stroke in January 2014.
Sheikh Tahnoun has served as the UAE’s national security adviser since 2016. The sheikh’s adopted son, Hassan al-Rumaithi, is the sole director of Breej Holding Ltd., Marczak said, citing market filings.
Similarly, an executive at Sheikh Tahnoun’s company Royal Group, Osama al-Ahdali, is the sole director of ToTok Technology Ltd., Marczak said.
Royal Group did not respond to a request for comment, nor did Emirati officials, Apple and Google.
For now, Ziani said he is focused on getting ToTok back into the Apple and Google app stores. He mentioned plans to have ToTok become like China’s all-encompassing app WeChat, handling payments, social media posts and other high-frequency activities. G42 appears to already have filed paperwork for a possible payment company in Abu Dhabi.
That could create an Emirati version of WeChat, a service used by more than 1 billion people in which Chinese government officials routinely censor posts. Dissidents suspect it of allowing surveillance.
Ziani insisted a former NSA hacker named Patrick Wardle, who analyzed ToTok, said the app “simply does what it claims to do.”
However, Ziani ignored the next sentence in Wardle’s analysis, which described “the genius of the whole mass surveillance operation” the app could represent by offering “in-depth insight” into ’“a large percentage of the country’s population.”