Co-creator Defends Suspected UAE Spying App Called ToTok

In this Dec. 31, 2019 photo, Giacomo Ziani, the co-founder of the app ToTok, speaks to The Associated Press in Abu Dhabi, United Arab Emirates.

The co-creator of a video and voice calling app suspected of being a spying tool of the United Arab Emirates defended his work in an interview with The Associated Press and denied knowing that people and companies linked to the project had ties to the country's intelligence apparatus.

Millions downloaded the ToTok app during the several months it was offered in the Apple and Google stores. Co-founder Giacomo Ziani described the popularity as a sign of users' trust despite a longtime ban in the UAE on such apps.

He denied that the company collected conversation data, saying the software demanded the same access to devices as other common communication apps. Emirati authorities insisted that they “prohibit any kind of data breach and unlawful interception.”

But this federation of seven sheikhdoms ruled by hereditary leaders already conducts mass surveillance and has been internationally criticized for targeting activists, journalists and others. Ziani repeatedly said he knew nothing about that, nor had any knowledge that a firm invested in ToTok included staff with ties to an Emirati security firm scrutinized abroad for hiring former CIA and National Security Agency staffers. He also said he did not know about ties a computer researcher says link companies involved with ToTok to Sheikh Tahnoun bin Zayed Al Nahyan, the Emirates' national security adviser.

“I was not aware, and I'm even not aware now of who was who, who was doing what in the past,” Ziani said. “These are not questions you should be (asking) me. You should be eventually asking” them.

IIn this Dec. 31, 2019 photo, the Abu Dhabi Global Market, an economic free zone, is seen in Abu Dhabi, UAE.

ToTok surged to popularity by allowing users to make internet calls long banned in the UAE, a U.S.-allied nation on the Arabian Peninsula that is home to Dubai. The ban means Apple iPhones and computers sold in the UAE do not carry Apple's FaceTime calling app. Calls on Skype, WhatsApp and other similar programs do not work.

Ziani said ToTok won rapid approval from the UAE's Telecommunications Regulatory Authority, something long sought by the established competitors that remain banned. The 32-year-old native of Venice, Italy, attributed that to the monopoly on the telecommunications market held by two companies, Du and Etisalat, that are majority-owned by the government. ToTok's small market share would not cut as deeply into their business as major firms if allowed access, he said.

“They will see their business like totally crashed from a day to another,” Ziani said. With ToTok, “they felt like they were not risking to fall into this situation.”

By installing the app, users agreed to allow access to their mobile device's microphone, pictures, location information and other data invaluable to intelligence agencies. Most internet firms are based in the U.S., but privacy is viewed far differently in the Emirates, where ToTok's headquarters are in the capital, Abu Dhabi.

“By using this app, you're allowing your life to be opened up to the whims of national security as seen by the UAE government,” said Bill Marczak, a computer science researcher at the University of California, Berkley, who has studied ToTok and other suspected Emirati spying operations. “In this case, you're essentially having people install the spyware themselves as opposed to hacking into the phone.”

In this nation of 9.4 million people where all but a sliver of the population comes from another country, the app represented what appeared to be the first government-blessed app that would allow them to connect freely to loved ones back home. That drew everyone from laborers to diplomatic staffers to download it amid a publicity campaign by state-linked and government-supporting media in the Emirates.

An American diplomat, who spoke on condition of anonymity to discuss security matters, said local embassy and consular staff received orders to remove the app from all U.S. government devices. That was only after The New York Times, citing anonymous U.S. officials, described the app as a “spying tool” of the Emirati government.

Ziani alleged, without providing evidence, that criticism of ToTok came more from professional jealousy and trade tensions between the U.S. and China than security concerns. ToTok partly used code from a previously developed Chinese app called Yeecall, where his co-founder, Long Ruan, once worked in a senior position, he said. Ziani said he met Long through G42, which he described as a business “incubator.”

But ToTok described itself on Apple as coming from developer Breej Holding Ltd. and on Google as being from ToTok Pte., a Singapore-based firm.

Both ToTok and Breej Holding Ltd. had been registered in a publicly accessible online database of companies operating out of the Abu Dhabi Global Market, an economic free zone set up in the Emirati capital. After suspicions emerged about ToTok, records of the two firms no longer appeared online.

Following an inquiry about the firms from an AP journalist, their information reappeared Tuesday night in the database. Market spokeswoman Joan Lew blamed a “data migration” problem for their disappearance.

In this Feb. 6, 2019 photo, released by Emirates News Agency, Sheikh Tahnoun bin Zayed Al Nahyan, left, walks to a meeting in Abu Dhabi, UAE.

Information from that database shows ToTok's sole registered shareholder as Group 42, a new Abu Dhabi firm that describes itself as an artificial intelligence and cloud-computing company. The company, also known as G42, in an email to the AP also described itself as “the registered shareholder in ToTok Technology Ltd.,” though Ziani said ToTok has another substantial investor he declined to identify.

G42's CEO is Peng Xiao, who for years ran Pegasus, a subsidiary of DarkMatter, the Emirati security firm under scrutiny for hiring former CIA and NSA staffers, as well as others from Israel. G42's website also lists PAX AI as a subsidiary, the new name Pegasus operates under, according to job postings for PAX AI that mention Pegasus. Ziani similarly interchangeably referred to Pegasus as PAX AI while speaking to the AP.

“G42 has no connection to DarkMatter, whatsoever,” the company told AP in a statement. It did not respond to further queries, though other former DarkMatter and Pegasus employees now work at G42, according to publicly accessible profiles on the social media website LinkedIn.

G42's sole director listed in Abu Dhabi Global Market filings is Hamad Khalfan al-Shamsi, whom Marczak identified as the public relations manager of the office of Abu Dhabi Sheikh Tahnoun bin Zayed Al Nahyan. Sheikh Tahnoun is a brother to Sheikh Mohammed bin Zayed Al Nahyan, the powerful crown prince of Abu Dhabi who has run the country from day-to-day since its president, Sheikh Khalifa bin Zayed Al Nahyan, suffered a stroke in January 2014.

Sheikh Tahnoun, a Brazilian jiu-jitsu practitioner always photographed in sunglasses, has served as the UAE's national security adviser since 2016. The sheikh's adopted son, the mixed martial artist Hassan al-Rumaithi, is the sole director of Breej Holding Ltd., Marczak said, citing market filings. Similarly, an executive at Sheikh Tahnoun's company Royal Group, Osama al-Ahdali, is the sole director of ToTok Technology Ltd., Marczak said.

Royal Group did not respond to a request for comment, nor did Emirati officials, Apple and Google.

ToTok on its website meanwhile still lists itself as Totok Pte. Ltd., the Singapore-based company initially listed on the Google app store. Singaporean business records obtained by the AP show a single shareholder, Manoj Paul, with a listed address at one of Abu Dhabi's upscale Etihad Towers. Paul, who describes himself on LinkedIn as G42's general counsel and head of group operations, declined to speak with an AP journalist.

For now, Ziani said his focus remains on getting ToTok listed again in the Apple and Google app stores. He mentioned plans to have ToTok become like China's all-encompassing app WeChat, handling payments, social media posts and other high-frequency activities. G42 appears to already have filed paperwork for a possible payment company in Abu Dhabi.

That could create an Emirati version of WeChat, a service used by more than 1 billion people use in which Chinese government officials routinely censor posts. Dissidents suspect it of allowing surveillance.

Ziani insisted a former NSA hacker named Patrick Wardle, who analyzed ToTok, said the app “simply does what it claims to do.”

However, Ziani ignored the next sentence in Wardle's analysis, which described “the genius of the whole mass surveillance operation” the app could represent by offering “in-depth insight in a large percentage of the country's population.”