Hacker-for-hire firms like NSO Group and Hacking Team have become notorious for enabling their customers to spy on vulnerable members of civil society. But as far back as a decade ago in India, a startup called Appin Technology and its subsidiaries allegedly played a similar cyber-mercenary role while attracting far less attention. Over the past two years, a collection of people with direct and indirect links to that company have been working to keep it that way, using a campaign of legal threats to silence publishers and anyone else reporting on Appin Technology’s alleged hacking past. Now, a loose coalition of anti-censorship voices is working to make that strategy backfire.
For months, lawyers and executives with ties to Appin Technology and to a newer organization that shares part of its name, called the Association of Appin Training Centers, have used lawsuits and legal threats to carry out an aggressive censorship campaign across the globe. These efforts have demanded that more than a dozen publications amend or fully remove references to the original Appin Technology’s alleged illegal hacking or, in some cases, mentions of that company’s cofounder, Rajat Khare. Most prominently, a lawsuit against Reuters brought by the Association of Appin Training Centers resulted in a stunning order from a Delhi court: It demanded that Reuters take down its article based on a blockbuster investigation into Appin Technology that had detailed its alleged targeting and spying on opposition leaders, corporate competitors, lawyers, and wealthy individuals on behalf of customers worldwide. Reuters “temporarily” removed its article in compliance with that injunction and is fighting the order in Indian court.
As Appin Training Centers has sought to enforce that same order against a slew of other news outlets, however, resistance is building. Earlier this week, the digital rights group the Electronic Frontier Foundation (EFF) sent a response—published here—pushing back against Appin Training Centers’ legal threats on behalf of media organizations caught in this crossfire, including the tech blog Techdirt and the investigative news nonprofit MuckRock.
No media outlet has claimed that Appin Training Centers—a group that describes itself as an educational firm run in part by former franchisees of the original Appin Technology, which reportedly ceased its alleged hacking operations more than a decade ago—has been involved in any illegal hacking. In December, however, Appin Training Centers sent emails to Techdirt and MuckRock demanding they too take down all content related to allegations that Appin Technology previously engaged in widespread cyberspying operations, citing the court order against Reuters.
Techdirt, Appin Training Centers argued, fell under that injunction by writing about Reuters' story and the takedown order targeting it. So had MuckRock, the plaintiffs claimed, which hosted some of the documents that Reuters had cited in its story and uploaded to MuckRock's DocumentCloud service. In the response sent on their behalf, the EFF states that the two media organizations are refusing to comply, arguing that the Indian court's injunction “is in no way the global takedown order your correspondence represents it to be.” It also cites an American law called the SPEECH Act that deems any foreign court’s libel ruling that violates the First Amendment unenforceable in the US.
“It's not a good state for a free press when one company can, around the world, disappear news articles,” Michael Morisy, the CEO and cofounder of MuckRock, tells WIRED. “That's something that fundamentally we need to push back against.”
Techdirt founder Mike Masnick says that, beyond defeating the censorship of the Appin Technology story, he hopes their public response to that censorship effort will ultimately bring even more attention to the group’s past. In fact, 19 years ago, Masnick coined the term “the Streisand effect” to describe a situation in which someone's attempt to hide information results in its broader exposure—exactly the situation he hopes to help create in this case. “The suppression of accurate reporting is problematic,” says Masnick. “When it happens, it deserves to be called out, and there should be more attention paid to those trying to silence it.”
The anti-secrecy nonprofit Distributed Denial of Secrets (DDoSecrets) has also joined the effort to spark that Streisand Effect, “uncensoring” Reuters' story on the original Appin Technology as part of a new initiative it calls the Greenhouse Project. DDoSecrets cofounder Emma Best says the name comes from its intention to foster a “warming effect”—the opposite of the “chilling effect” used to describe the self-censorship created by legal threats. “It sends a signal to would-be censors, telling them that their success may be fleeting and limited,” Best says. “And it assures other journalists that their work can survive.”
Neither Appin Training Centers nor Rajat Khare responded to WIRED's request for comment. However, two weeks after this story was initially published, lawyers from the firm Clare Locke sent a letter to WIRED on Khare's behalf, calling this story defamatory and demanding a retraction. WIRED stands by its reporting. The letter claimed that WIRED did not reach out to Khare for comment, which is false. It demanded that WIRED include a statement from Khare, which we've added as an update below. In addition, it denied that Khare had participated in any “conspiracy to or complicity in murder”—an allegation that was not made in this article.
The fight to expose the original Appin Technology’s alleged hacking history began to reach a head in November of 2022, when the Association for Appin Training Centers sued Reuters based only on its reporters’ unsolicited messages to Appin Training Centers’ employees and students. The company’s legal complaint, filed in India’s judicial system, accused Reuters not only of defamation, but “mental harassment, stalking, sexual misconduct and trauma.”
Nearly a full year later, Reuters nonetheless published its article, “How an Indian Startup Hacked the World.” The judge in the case initially sided with Appin Training Centers, writing that the article could have a “devastating effect on the general students population of India.” He quickly ordered an injunction stating that Appin Training Centers can demand Reuters take down their claims about Appin Technology.
That ruling has preceded any legal arguments over the truth of Reuters’ article. In a statement to WIRED, a Reuters spokesperson writes that the agency “stands by its reporting" and plans to appeal the Indian court order. In fact, Reuters says it based its story on interviews with dozens of Appin Technology's former staff and hundreds of alleged targets, as well as thousands of its internal documents. Those files include Appin Technology's marketing pitch documents that remain publicly available on DocumentCloud thanks to MuckRock, and appear to show the company explicitly offering to hack targets on behalf of clients via “phishing,” “social engineering,” “trojan” infections, and even discussing specific cases when clients hired them for hacking operations.
Appin Training Centers, for its part, argues that it’s merely a collection of educational institutions whose brand has been tarnished by Reuters’ reporting. Reuters has responded in a legal filing arguing that Appin Training Centers was created “solely for purposes of this lawsuit, with ulterior motive,” and pointed out, through an exhibit attached to a court filing, that it was incorporated only months after it named itself as the plaintiff suing Reuters.
Even so, a little more than two weeks after publishing its investigation into Appin Technology, on December 5, Reuters complied with the Indian court's injunction, removing its story. Soon, in a kind of domino effect of censorship, others began to take down their own reports about Appin Technology after receiving legal threats based on the same injunction. SentinelOne, the cybersecurity firm that had helped Reuters in its investigation, removed its research on an Appin Technology subsidiary’s alleged hacking from its website. The Internet Archive deleted its copy of the Reuters article. The legal news site Lawfare and cybersecurity news podcast Risky Biz both published analyses based on the article; Risky Biz took its podcast episode down, and Lawfare overwrote every part of its piece that referred to Appin Technology with Xs. WIRED, too, removed a summary of Reuters' article in a news roundup after receiving Appin Training Centers' threat.
Aside from the injunction that Appin Training Centers has used to demand publishers censor their stories, Appin cofounder Rajat Khare has separately sent legal threats to another collection of news outlets based on a court order he obtained in Switzerland. Two Swiss publications have publicly noted that they responded to court orders by removing Khare’s name from stories about alleged hacking. Others have removed Khare’s name or removed the articles altogether without a public explanation, including the Bureau of Investigative Journalism, the UK’s Sunday Times, several Swiss and French news outlets, and eight Indian ones.
“This is an organization throwing everything against the wall, trying to make as many allegations in as many venues as possible in the hopes that something, somewhere sticks,” says one person at a media outlet that has received multiple legal threats from people connected to Appin Technology, who declined to be named due to the legal risks of speaking out. “Sometimes it works, sometimes it doesn’t. Unfortunately, in India, it’s worked.”
Even before the EFF, Techdirt, MuckRock, and DDoSecrets began to push back against that censorship, some had immediately resisted it. The New Yorker, for instance, had mentioned a subsidiary of Appin Technology and Rajat Khare in a feature about India's hacker-for-hire industry in June of last year. It was sued by Appin Training Centers, but has kept its piece online while the lawsuit proceeds. (The New Yorker and WIRED are both published by Condé Nast.) Ronald Deibert, a well-known security researcher and founder of the University of Toronto's Citizen Lab, a group that focuses on exposing hackers who target members of civil society, had also mentioned Appin Technology in a blog post. Deibert received and refused Appin Training Centers' takedown threat, posting a screenshot of its email to his X feed in December along with his response: seven middle-finger emojis.
As the backlash to the censorship of reporting on Appin Technology's alleged hacking snowballs, however, it may now be going beyond a few cases where Appin Training Centers’ and Rajat Khare’s censorship attempts have failed, says Seth Stern, director of advocacy for the Freedom of the Press Foundation, who has written about the censorship campaign. Instead, it may be backfiring, he says, particularly for Appin Technology cofounder Rajat Khare. “It does seem like a sort of dubious strategy to be stirring this up now, and I do wonder if he is starting to regret that given the coverage it's getting,” says Stern. “You could easily see that it'll do more reputational harm than good for Khare and for Appin.”
MuckRock's Morisy says that attention is exactly the intention of his move, along with Techdirt and the EFF, to put a spotlight on the legal threats they've received. “It’s leveraging the Streisand effect to an extent. But also just finding ways to push back,” says Morisy. “There needs to be a cost for groups that are trying to silence journalists.”
Updated: 2/6/2024, 10:30 am ET with a statement from Reuters.
Updated at 2/16/24, 11:48 am ET to include details of a letter sent to WIRED by lawyers from the firm Clare Locke on behalf of Rajat Khare. The letter included the following statement:
“Mr. Khare has dedicated much of his career to the field of information technology security—that is, cyber-defense and the prevention of illicit hacking—and it is truly unfortunate that he has found himself the subject of false accusations of involvement in a “hack-for hire” industry or supporting or engaging in illicit hacking or cyberactivities. Those accusations are categorically false, and they have been rejected by courts and regulatory bodies and debunked by experts. And Mr. Khare will not hesitate to continue to take steps to enforce his rights and protect his reputation from such attacks because they are false."
