The co-founder of a company trusted by Google and Twitter to text security codes to millions of users also ran a service that helped governments secretly surveil and track mobile phones, according to former employees and clients.
Since it started in 2013, Mitto AG has established itself as a provider of automated text messages for such things as sales promotions, security codes and appointment reminders. Mitto, a privately held company with headquarters in Zug, Switzerland, has grown its business by establishing relationships with telecom operators in more than 100 countries.
It has brokered deals that gave it the ability to deliver text messages to billions of phones in most corners of the world, including countries that are otherwise difficult for Western companies to penetrate such as Iran and Afghanistan. It has attracted major technology giants as customers, including Google, Twitter, WhatsApp, Microsoft’s LinkedIn and messaging app Telegram, in addition to China’s TikTok, Tencent and Alibaba, according to Mitto documents and former employees.
But an investigation by the Bureau of Investigative Journalism, carried out in collaboration with Bloomberg News, indicated that the company’s co-founder and chief operating officer, Ilja Gorelik, was also providing another service: selling access to Mitto’s networks to secretly locate people via their mobile phones.
That Mitto’s networks were also being used for surveillance work was not shared with the company’s technology clients, or the mobile networks Mitto works with to spread its text messages and other communications, according to former Mitto employees. The existence of the alternate service was only known to a small number of people within the company, these former employees said. Gorelik sold the service to surveillance companies which in turn contracted with government agencies, according to the employees.
Responding to the Bureau’s questions, Mitto issued a statement saying that the company had no involvement in a surveillance business and had launched an internal investigation “to determine if our technology and business has been compromised.” Mitto would “take corrective action if necessary,” it wrote.
“We are shocked by the assertions against Ilja Gorelik and our company,” Mitto wrote. “To be clear, Mitto does not, has not, and will not organise and operate a separate business, division, or entity that provides surveillance companies access to telecom infrastructure to secretly locate people via their mobile phones, or other illegal acts. Mitto also does not condone, support, and enable the exploitation of telecom networks with whom the company partners to deliver service to its global customers.”
Gorelik did not respond to requests for comment. A Mitto representative declined to comment on Gorelik’s current role with the company.
Two sources who said their former company worked with Gorelik to carry out surveillance for governments added that he installed custom software at Mitto that could be used to target certain people. They claimed that, during the work, there was virtually no oversight of surveillance carried out using Mitto’s systems, creating potential opportunities for misuse.
In at least one instance, a phone number associated with a senior US State Department official was targeted in 2019 for surveillance through third party use of Mitto’s systems, according to documents reviewed by the Bureau and a cybersecurity analyst familiar with the incident, who requested anonymity because of a confidentiality agreement. It is not clear who was behind efforts to target the official, who was not identified by the documents or the analyst.
Marietje Schaake, international policy director at Stanford University’s Cyber Policy Center, said the revelations were “troubling” and highlighted a “huge problem.”
“The biggest technology companies that provide critical services are blindly trusting players in this ecosystem who cannot be trusted,” Schaake said, after being told about the Bureau and Bloomberg’s reporting. “It’s dangerous for human rights. It’s dangerous for trust in an information society. And it’s dangerous for trust in companies.”
The Bureau Investigates