SourcePay TV piracy hits News
A secret unit within Rupert Murdoch’s News Corporation promoted a wave of high-tech piracy in Australia that damaged Austar, Optus and Foxtel at a time when News was moving to take control of the Australian pay TV industry.
The piracy cost the Australian pay TV companies up to $50 million a year and helped cripple the finances of Austar, which Foxtel is now in the process of acquiring.
A four-year investigation by The Australian Financial Review has revealed a global trail of corporate dirty tricks directed against competitors by a secretive group of former policemen and intelligence officers within News Corp known as Operational Security.
Their actions devastated News’s competitors, and the resulting waves of high-tech piracy assisted News to bid for pay TV businesses at reduced prices – including DirecTV in the US, Telepiu in Italy and Austar. These targets each had other commercial weaknesses quite apart from piracy.
The Australian Competition and Consumer Commission is still deliberating on final details before approving Foxtel’s $1.9 billion takeover bid for Austar, which will cement Foxtel’s position as the dominant pay TV provider in Australia.
News Corp has categorically denied any involvement in promoting piracy and points to a string of court actions by competitors making similar claims, from which it has emerged victorious. In the only case that went to court, in 2008, the plaintiff EchoStar was ordered to pay nearly $19 million in legal costs.
News Corp’s Australian arm, News Ltd, on Wednesday afternoon issued a statement hitting out at the AFR’s report.
The issue is particularly sensitive because Operational Security, which is headed by Reuven Hasak, a former deputy director of the Israeli domestic secret service, Shin Bet, operates in an area which historically has had close supervision by the Office of the Chairman, Rupert Murdoch.
The security group was initially set up in a News Corp subsidiary, News Datacom Systems (later known as NDS), to battle internal fraud and to target piracy against its own pay TV companies. But documents uncovered by the Financial Review reveal that NDS encouraged and facilitated piracy by hackers not only of its competitors but also of companies, such as Foxtel, for whom NDS provided pay TV smart cards. The documents show NDS sabotaged business rivals, fabricated legal actions and obtained telephone records illegally.
The email trail
The actions are documented in an archive of 14,400 emails held by former Metropolitan Police commander Ray Adams who was European chief for Operational Security between 1996 and 2002. The Financial Review is publishing thousands of the emails on its website at URL afr.com.
The email archive, which News Corp has previously sought to suppress, provides a unique insight into the secret side of Rupert Murdoch’s sprawling global empire – it reveals an operational arm that has generated multi-billion dollar windfall profits for the company.
The emails support claims by the BBC Panorama program, aired in the UK on March 26, that News sought to derail OnDigital, a UK pay TV rival to News’s BSkyB, that collapsed with losses of more than £1 billion in 2002, after it was hit by massive piracy, which added to its other commercial woes.
While News has consistently denied any role in fostering pay TV piracy, the Adams emails contradict court testimony given by Operational Security officers as well as statements by News lawyers in the past three weeks.
In addition to the controversy over OnDigital and Austar, the actions of Operational Security have triggered five separate unsuccessful legal actions by pay TV companies around the world, each claiming damages of up to $US1 billion.
Covert operations in Australia were directed by the head of Operational Security for Asia Pacific, Avigail Gutman. At the time Gutman was based in Taiwan, where her husband Uri Gutman was the Israeli consul, before she was promoted to be a Group Leader based in Jerusalem.
Battle of the boxes
In 1999, the battle to control the set-top box in Australia was at its height. The country’s first pay TV service, Australis Media, had collapsed in May 1998 leaving Foxtel, owned by Telstra, News Corp’s wholly owned Australian subsidiary News Ltd and Kerry Packer’s Consolidated Media, to pick up its satellite customers. At the same time News Ltd under Lachlan Murdoch focused on controversial strategies to rationalise the pay TV industry and bring it under News’s control.
At the time, Australia had no effective laws against pay TV piracy. None of the actions that followed would be illegal, senior lawyers told the Financial Review.
On Monday, NDS issued a comprehensive statement denying any role in promoting piracy or providing competitors’ codes for use in piracy.
Back in 1999, Telstra was involved in a poisonous dispute with News, which it accused of double dealing, and in July 1999 Telstra executives drew up a board submission that recommended legal action to force News to sell its 25 per cent stake in Foxtel.
Internal Telstra documents tabled in the Kerry Stokes C7 court case in 2006 said News Ltd “had breached, in Telstra’s belief, its contractual obligations in respect of programming and its good faith obligations by seeking to benefit its own financial interests to the detriment of Foxtel”.
Telstra’s then chief executive Ziggy Switkowski testified in 2006 that he had decided not to submit the paper to the board but noted: “There is no doubt in my mind that executives from all three shareholders often came to negotiations with a degree of emotion and ferocity that wasn’t helpful.”
With the internet in its infancy, the set-top box of the pay TV service was seen as the key to controlling future media, through the interactive and expanded services the box could offer.
The key to the set-top box – and the heart of any pay TV business – is the conditional access system. The broadcaster issues paying customers with a smartcard that is inserted into the set-top box to decrypt the satellite or cable signal fed into the customer’s home. The system also manages the entire customer record base. It’s the nerve centre for the business –but if the encryption is broken and the smartcard is hacked, the pay TV operator is wide open to piracy. It can no longer control who watches its broadcasts and loses its revenue stream.
When it established Foxtel in Australia, News used its own conditional access provider, its Israel-based subsidiary NDS. But the smart card NDS provided Foxtel was similar to NDS cards that had already been pirated elsewhere.
Only a handful of companies offered conditional access services for pay TV – NDS’s chief rivals were Nagra, owned by Kudelski in Switzerland; Seca, owned by Canal Plus in France; and Irdeto, owned by Mindport in South Africa.
By the mid-1990s, NDS had become the glue holding Rupert Murdoch’s global pay TV empire together providing conditional access services to Foxtel, BSkyB and STAR (in Asia). It also had big contracts with other broadcasters such as GM’s DirecTV in the US. But the NDS conditional access system was also the most widely pirated and was in danger of being driven out of business.
Hunting the pirates
Operational Security was set up as a secret unit within NDS with the active involvement of the Office of the Chairman at News. Initially when Reuven Hasak was hired in 1995, the goal was to help News sue Michael Clinger, a former NDS chief executive who had defrauded the company.
The target then became pay TV pirates and hackers – and Operational Security proved ruthless at prosecuting pirates attacking News Corp systems.
It’s an unusual step for a media company to set up its own security service and it was perhaps an indication of how desperate the piracy situation was for NDS.
Pay TV piracy is a murky world of hackers, hobbyists, dealers chasing millions of dollars from selling pirate cards and the growing incursion of organised crime.
Operational Security, headed by Hasak, Ray Adams in Europe, former US Army intelligence officer John Norris in the US, and Avigail Gutman in Asia, quickly gained a reputation for handling complex criminal investigations, using more than 20 informants and undercover agents and executing “stings” on pirate groups, often working with law enforcement agencies.
NDS in a statement issued on March 27 said it was common for conditional access companies to obtain code for competitors’ products – either through raids on pirates or for research and analysis.
However, the Adams emails show that Operational Security also had its own agenda, pursuing broader corporate goals for News, at times to the cost of News Corp’s allies and customers including Foxtel in Australia and DirecTV in the US.
In Australia, only Foxtel used NDS for conditional access. Australis, Austar and Optus all used Mindport’s Irdeto conditional access system. After Australis collapsed Foxtel took over its Galaxy satellite customers and relaunched them as a new arm, Foxtel Satellite, in April 1999. But that service also had to be broadcast using Irdeto services.
Irdeto enjoyed a market niche in Australia that would be worth tens of millions of dollars if NDS could take it over. But to break that stranglehold, NDS had to be able to show that Irdeto had been pirated and was no longer secure.
The frustration wasn’t just in Australia. News had bought into an Italian pay TV operation called Stream SpA that also used Irdeto.
Something had to be done.
“Hello Gentlemen, we’ve now managed to write to an Australian Irdeto card using the s/w [software] I got from Joyce,” Avigail Gutman wrote to her boss Hasak and to Ray Adams in London, on May 29, 1999.
Joyce was a codename for an informant Gutman used, and she was concerned that nothing could link back to him in the software “so that we do not expose Joyce in the process of exposing Irdeto”.
Adams proposed that one of his hackers rewrite the software into a new pirate program. Gutman said the new pirate cards by Adams’ contact could “be to our benefit if these came out on the market first”. She was proposing to sell the Operational Security pirate card before the real pirate card could be distributed.
On May 5, Andy Coulthurst, a British hacker working for Operational Security, emailed Gutman: “Hacking Irdeto is SO EASY! All you need is . . .” and he rattled off the details.
“Andy this is great stuff,” Gutman emailed back from Taiwan. She had been working with David Johnson, the business development manager at the NDS Sydney office, who had been testing the pirate software for her. “I am trying to get more cards (Foxtel this time) –but despite all the stories about crooked installers who will sell you extra cards –I have yet to find them.”
Johnson now proposed to get a Foxtel service installed in his building as he had no contacts with Foxtel Satellite apart from people who worked at Foxtel.
“WE WILL NOT USE THE ONES AT FOXTEL,” Gutman wrote.
“Somehow we ask the install crew for a de-authorised card,” Johnson replied.
The reason Gutman wanted the old cards without telling Telstra or Foxtel was to test out pirate software that she had downloaded from a UK piracy site called thoic.com (The House of Ill Compute).
Lee Gibling, who ran Thoic, had built it into the world’s leading piracy site, where hackers could download software programs, swap codes, and ask other hackers for help. Many hackers even used a Thoic email address.
“We currently see some 4 gigabytes of daily requests on all the sites averaging somewhere in the region of 300,000 hits a day,” Gibling wrote to Bob Cooper, the publisher of the influential monthly trade magazine SatFACTS.
Gibling hoped Cooper would advertise on Thoic. What he didn’t mention was that Thoic was funded, supervised and controlled by Operational Security. Copies of all postings were forwarded to Operational Security in NDS offices in Israel. So the pirate codes that Gutman planned to use on Foxtel cards came from a piracy site run by Operational Security. And now Op Sec wanted to earn advertising revenue from it.
Gibling had set up a special site on Thoic for Australian piracy, and elite Australian hackers had access to Area 51, a closed section run by a Sydney hacker called David Cottle under his online name Bond 007.
The Financial Review contacted Cottle under the company name listed in the Adams emails. He said he had become aware of Thoic after reading of it in SatFACTS, but he knew nothing of the piracy scene or Thoic other than rumours and reports.
“Wow what an integrate twisted tale of events!” Cottle said. “Funny about someone same surname as me that’s a coincidence in a very creepy way.”
The MadMax sting
By the end of May 1999, the piracy market in Australia had exploded. At its height more than 50,000 people were using pirate cards, which cost around $200. They were original Foxtel or Austar cards that had been reprogrammed to allow viewing of all programs without paying any subscription.
In that month, Rolf Deubel, a German hacker known as MadMax and based in South Africa, visited Australia to set up pirate dealerships. It was Deubel’s Millennium Group – composed mainly of German hackers in Europe – which had been posting the Irdeto pirate software on the Thoic website.
MadMax began a public correspondence with Bob Cooper at SatFACTS, describing in emails published on the internet his business plans for Australia, insisting that the reprogrammed cards he was selling were perfectly legal under Australian law.
What followed then was one of the strangest episodes in the history of Operational Security. Lee Gibling discovered from an email in MadMax’s Thoic account that he was travelling to Bangkok in September 1999.
Avigail Gutman alerted Mindport, the company making the Irdeto system, and arranged for Deubel to be arrested in Thailand. He was thrown into prison for attempting to monitor the local UBC pay TV broadcaster, which used Mindport’s Irdeto.
Just five weeks after engineering an arrest for piracy in Thailand, Avigail Gutman was planning to use Australian hackers to promote piracy in neighbouring Malaysia.
In a 2008 court case in California brought by Echostar against NDS, Reuven Hasak cited the MadMax operation as an example of how NDS Operational Security would help its competitors.
But in December 1999, Ray Adams had painted a different view: the only assistance Operational Security had given Mindport was the Bangkok operation.
“That was done primarily as Avigail feared that MM was about to become a threat to NDS products in Australia. We are withdrawing from assisting them.”
Gutman herself wrote: “Rest assured we are NOT doing any joint action with Irdeto in OZ. This would clash with our business interests (we are currently negotiating a simulcrypt solution for the satellite and the digital-cable there, and other broadcasters might show interest, too. Mindport are not aware of this yet, as far as I know.)”
Double dealings
Thus while Irdeto believed they were collaborating with NDS Operational Security to stop piracy in Australia, Gutman was now working to replace Irdeto with an NDS card used by StarTV in Hong Kong.
The conflict came to a head in London with a meeting on October 13, 1999 between Ray Adams and Irdeto’s vice president Special Project, Andrew Curle, and a former Dutch policeman, Steven Kuster. (“The man is very keen but a bit of an amateur,” Adams wrote later of Kuster.)
Curle and Kuster had identified Bond 007 (Cottle) in Sydney as the biggest hacking threat to Irdeto cards used by Foxtel, Austar and Optus. Adams deflected them and persuaded Curle to leave the matter in Gutman’s hands.
Gutman wrote to Adams that Reuven Hasak had told her to postpone any joint action (“I am concerned that it is premature to take Cottle out of the picture and we don’t stand to benefit from such an operation at this stage.”)
Later she would tell Curle was that “it is premature, in our opinon” to move against Cottle, as there was more to gain from keeping an eye on him.
It should be noted that under Australian law at the time, none of the hacking or piracy of smartcards that took place was illegal.
Making things even more difficult for Operational Security, while Bond 007 was working on Irdeto piracy, he was also working on a hack for the Star TV digital system. That card, which NDS hoped to use with Foxtel, had already been widely pirated in Latin America. Any report that StarTV was pirated could torpedo the deal NDS was working on with Foxtel.
“StarTV is not in the loop on the issue at this stage,” Gutman wrote on October 20. But she was working on a plan.
“The objective of any current action would be to eliminate Cottle as a threat to any NDS systems but without disturbing his other hacking activities (as much as possible) . . . We do not want Cottle in jail until he has a successor for the Irdeto hack.”
While Operational Security was assuring Curle at Irdeto that it was in his best interest not to move against Cottle, Gutman was focused on the need for Cottle to produce a new hack of Irdeto.
Two days later the plan had taken shape. “Remember you sent me the Malaysian Astro (Seca) system? . . . I would like to use it in Oz (to divert their attention away from our system),” Gutman wrote to Adams.
He had sent Gutman a pirate device for the Malaysian Astro pay TV service operated by MEASAT. It used another conditional access system called Seca, produced by Canal Plus.
Gutman was now proposing to send the Astro pirate box to Bond 007 to distract him from working on pirating StarTV.
“BUT—before I do—I want to make sure with you that there is nothing about the box or card that can trace it back to us . . . . is there?”
Adams was agreeable. Gutman wrote again on October 23: “Why don’t we give it a shot. I can supply it to cottle and his merrymen . . . Double benefit - 1) diversion from the NDS systems 2) verification of the seca hack in Asia.”
These two emails by Gutman were exhibits in the 2008 Echostar case in California. Cottle told the Financial Review he had no knowledge of the emails: “I never had any dealings with anyone and certainly never been contacted by anyone and it’s news to me I am mentioned in any documents, court or otherwise.”
When shown further emails that he had posted on Thoic, Cottle declined to make further comment.
On Monday the Financial Review made contact again with Cottle, on the outskirts of Sydney, where he denied having any role in the hacking of pay TV smart cards.
“Good luck to them proving it because I was never involved [in hacking],” he said. “I was not involved with that [hacking cards].”
Cottle confirmed a friend had provided him with a Star TV box, which he had used to watch news channels, but he had not hacked it.
He denied receiving an Astro box.
In his 2008 court testimony, Reuven Hasak described Gutman as his “right hand” in Operational Security, but said the Astro plan was never executed.
“I wanted to tell you that maybe –I just wanted to say that maybe it was initiative of Ms Gutman,” Hasak testified. “It was never approved.” Such a move would have needed his approval and he had never given it.
Business opportunity
Yet the emails show Gutman continued to act as if her scheme to get the Astro Seca box to Bond 007 was going ahead. “Fact is—the StarTV platform has all the holes of the Sky Latin America platform,” she wrote on November 2. She was pressing for the loopholes to be closed “and once this happens, and their Ozies get their hands on a Seca box, it may delay their NDS projects”.
On October 29, Cottle had received an email from “George Miller”(not his real name) in Melbourne, who said he had been given Cottle’s email address on Thoic by a business associate, “Scissors”. “I have been led to believe there is a business opportunity for us to explore,” George said.
“This is my guy,” Gutman wrote when Adams obtained the email from Thoic. George and Scissors were both informants working for Gutman.
By November 19, George and Cottle had met and were exchanging smartcards. On November 22, George wrote to Cottle, “Scissors wants feedback on the system he has given you . . .”
Cottle wrote back: “Okay the receiver is of no use to us in Australia. We need receivers capable of IRDETO.”
George replied that Scissors had told him, “The system given to you works using MEASAT satellite to receive digital broadcasts from Malaysia . . . It is not Irdeto but SECA, which is also used in France, Spain and will be used in New Caledonia.”
It should be a challenge to Cottle. For Scissors and Miller it was a fresh new business “with a large potential for income”.
George ended with an urgent PS: “Please Bond don’t let me down, I have given my associates a good impression of you. After all at the end of the day we are all in for the same reasons. $$$$$$$$$$$$”
Cottle wrote back: “Okay Measat, I will have a play on the weekend . . . We can do this and no problem in exploiting SECA and NDS Videoguard . . . You can market, sell and distribute as we discussed when you were here.”
The content of the emails show Hasak’s testimony about the plan to provide the Seca box to Cottle was not correct. It’s puzzling that he could not recall it, because he was due to be in Australia and New Zealand with Gutman a week after these exchanges.
Throughout the 2008 Echostar case Hasak testified on many points that he had memory problems. “One of my weak points is I don’t remember. Sorry.”
No further open reference to the Seca box can be found in the Operational Security emails as many were encrypted.
As this correspondence was going back and forth, Hasak had decided not to tell StarTV their system was under attack. Gutman wrote of a meeting with a StarTV exec: “I told Sue that she can/should forcefully deny any allegations of a Sky hack, should these come up.”
Gutman was contemptuous of the skills of Australian hackers: “They cannot produce a hack on their own - AT ALL!!! They are parasites of sorts, living off of recycled European know-how. But they are great at spreading hacks.”
As for Cottle: “it is amazing that Bond thinks he’s the only one in the world who can do it. As Andy (Coulthart) will tell you – this guy is unoriginal and incapable of achieving this on his own.
“But he is a master-organizer, a project manager of sorts, who has managed quite an infrastructure in OZ.” By March 2000 Gutman reported that Bond’s group was working on hacking European pirate cards for Irdeto, which could be reprogrammed to pirate Foxtel and Austar.
Delaying tactics
Gutman made arrangements with Adams to obtain 20 to 30 of the European cards for Cottle: “Blank would be great. But an assortment of both blank and loaded (no particular preference in country) would be nice, too.”
Adams assured her he would obtain the cards from an Operational Security consultant.
“Much appreciated,” Gutman wrote back. “The idea being, of course, to delay their attempts to tamper with our StarTV system.”
By mid-2000 Gutman’s relations with Irdeto were breaking down, as Foxtel Satellite moved to broadcast streams using NDS as well as Irdeto (known as simulcrypt).
But for Operational Security, the answer was to drop Irdeto completely.
“I met with NELL aka Mary-Ellen Payne from Foxtell,” Gutman wrote. “I explained the facts of life as far as piracy in concerned.”
The problem was “the up-link satellite people want to keep Irdeto running. They say that Irdeto can fix the problem. We convinced Nell that they cannot fix it—and explained why.”
“We do not want simulcrypt in our lives,” Adams told Payne. “. . . Get rid of Irdeto and you get rid of piracy and the future threat.”
Gutman complained to Adams on February 25, 2001 that Foxtel had not paid a penny for security in the years it had been an NDS customer, and said “but with the growing piracy down there, we will need them to start paying . . .”
She said Foxtel believed Irdeto was working on security for them, “which is ridiculous . . . occasional buys and ‘boo’ raids which are useless”.
Two days later Telstra signed a contract worth $937,500 for NDS to provide security for the Foxtel smartcards, when the number of subscribers was between 500,000 and 1 million.
This was on top of standard fees charged by NDS, which are believed to be up to $15 per card per year.
Piracy peaked in 2002 with about 100,000 pirate cards in circulation, costing Austar and Foxtel an estimated $50 million per year.
In 2003 Austar after writing off $600 million in losses, switched to the Irdeto 2 card, which promised to end piracy. Fifteen months later, Foxtel was pleading with the federal government for tougher laws to stop pay TV piracy.
But by then piracy seemed to have become entrenched in Australia.
This after many denials by News Corporation in Australia that none of the hacking discovered in the UK was happening in Australia.
