Around the world, dictatorships are using malware to track and arrest political activists, journalists and others who disagree with them – and the software in question was sold by a British firm. FinFisher is a piece of malicious software that sneaks onto a target’s computer and lets spies read emails, watch Skype conversations and snoop through webcams and microphones. It first hit the headlines in 2011, when a contract with Gamma International, the company that distributes the software, was found in the offices of Egyptian secret police during the uprising.
Gamma International is the Andover-based arm of the Munich-based Gamma Group. Lately, it’s been the subject of investigation by pressure group Privacy International, which argues that such software should face similar export controls to more traditional weapons. If all of this seems like someone else’s problem, consider this: although FinFisher has been used around the world by surveillance authorities, data leaked from a server breach in August suggests it’s also been used in the UK.
In particular, to spy on the mobile phones of a trio of Bahraini dissidents who sought refuge in Britain from arrest and torture by security services. “That led us to file a criminal complaint with the National Crime Agency in the UK to investigate if Gamma had been knowingly involved in supporting this – which would have been an unlawful surveillance and a breach of UK law,” said Kenneth Page, a policy officer at Privacy International. That complaint is still working its way through the system.
Gamma Group couldn’t be reached for comment, but it has denied selling its surveillance software to Bahrain, suggesting it may have been stolen. However, an analysis of the leaked data by Bahrain Watch suggests that Gamma’s support staff were helping a Bahrain-based customer between 2010 and 2012. This isn’t the first time FinFisher appears to have been used in the UK, either: Ethiopian activist Tadesse Kersmo was granted asylum in the UK in 2009 but, according to Privacy International, his computer may ubsequently have been accessed via FinFisher, logging his Skype chats and turning on the video and microphone of his PC.
How it works
FinFisher is advertised as a tool against cybercrime, with its website saying it “helps government law-enforcement and intelligence agencies identify, locate and convict serious criminals”. In practice, it acts like malware, sneaking onto a computer through the same vulnerabilities that cybercriminals exploit, such as fake email attachments or spoofed software updates. Reports suggest it’s previously taken advantage of holes in Apple’s iTunes, and last year browser maker Mozilla sent Gamma a ease-and-desist order alleging that the spyware was disguising itself as the Firefox browser.
“When a user examines the installed spyware on his or her machine by viewing its properties, Gamma misrepresents its program as ‘FIREFOX.EXE’,” the company said. “For an expert user who examines the underlying code of the installed spyware, Gamma includes verbatim the assembly manifest from Firefox software.” Once FinFisher is installed, it allows those using it remote access to a machine, giving them capabilities such as observing what the target does online, reading their messages and intercepting Skype calls.
Not only the UK
Of course, it’s not only British firms who make and distribute surveillance technology and software, and there’s more to it than simply malware. Page pointed out that such sophisticated tools are produced in numerous “technologically advanced” countries, and sold everywhere around the world. In Italy, a company called Hacking Team – partly funded by public money – makes malware that’s been “found targeting the Ethiopian political diaspora”, and which has also been used across Asia and North Africa, said Page.
“It says it is undetectable… it gets around defence systems, and advertises itself as able to target hundreds of thousands of people,” he said. In Germany, there’s Trovicor – a former Nokia Siemens Networks unit – which sells monitoring centres to “dozens of countries in central Asia and the Middle East,” said Page. “It pulls together all types of communications interceptions that would be undertaken by a law-enforcement agency in those countries.”
And then there’s Swiss firm Neosoft, which was referred for prosecution after selling mobile-phone surveillance tools to a notorious Bangladeshi police force. Page said it’s not clear how big the total malware and surveillance market is today, but back in 2011, Privacy International learnt from industry sources that it was worth between $3 billion and $5 billion globally – and it’s been growing since then.
What should be done
Weapons are already subject to export controls, and that’s what Privacy International wants to see happen with surveillance technology and malware. Companies that sell such software normally point out that it’s not illegal to do so, said Page: “The developers and the sellers kind of distance themselves, saying ‘it’s not our fault if someone uses our technology for illegal means – they’re the people you have to go after, not us’,” he said. The government also disclaims responsibility, saying “it’s up to foreign governments to decide if they should or shouldn’t be using it”.
An export licensing process would, however, provide insight into where the surveillance software is going, who’s buying it and what it’s going to be used for. “We feel there’s definitely some obligation on their part to know who they’re selling it to and what it will be used for,” Page explained.
“If you’re selling it to Saudi Arabia or the Bahraini government, you know exactly who they’ll be targeting with this.” The group admits the issue is more complicated than it may first appear. “It needs a lot of people involved to make sure that you catch this type of technology, but then not negatively affect legitimate security research, [such as] penetrative testers who might be hired by, say, a large financial institution to test the security of their system,” said Page. “A lot of the same tools are used by both.” “When the government is updating its controls, it really needs to take into account the human rights angle on this, not just the technical angle,” he added.