A new report released on Wednesday by Citizen Lab at the University of Toronto shows how the commercialization of digital spying has made it easier than ever for repressive regimes to get their hands on technology that helps authorities monitor and crack down on opposition groups:
“Companies selling surveillance and intrusion software commonly claim that their tools are only used to track criminals and terrorists. FinFisher, VUPEN and Hacking Team have all used similar language.
Yet a growing body of evidence suggests that these tools are regularly obtained by countries where dissenting political activity and speech is
criminalized. Our findings highlight the increasing dissonance between [United Kingdom-based Gamma International's] public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists.”
FinSpy, the most prominent technology detailed in the report, is malware that is part of the commercial FinFisher intrusion kit distributed by Gamma. The malware is often distributed through email phishing scams with the installer for the program disguised as a different type of file attached to an email. Once a target is infected, the malware provides broad ranging digital surveillance, from spying via webcams and microphones and monitoring of video and email communications to keylogging and harvesting files from the hard drive. The program can also hide itself from antivirus scans. It delivers this intelligence and receives orders by connecting with remote command and control (C&C) servers. Today’s report reveals that FinSpy C&C servers have been observed operating in 36 countries since initially being discovered by security researchers in 2012 — including in many with suspect human rights records like Bahrain, Vietnam and Ethiopia.
While Gamma says on its website that the surveillance suite is solely offered to Law Enforcement and Intelligence Agencies, because some regimes criminalize dissent or broadly categorize criminal activity to include organizing political opposition, the concept of distributing surveillance packages for “lawful interception capabilities” to those countries is effectively moot. Although Gamma is tight lipped about who it sells to and no nations are willing to acknowledge using the package, FinSpy continues to show up again and again being used to target activists and other political dissidents.
Last year, the New York Times reported that FinSpy was being deployed against Bahraini activists without criminal histories. Gamma blamed that incident on demonstration copies of FinSpy being stolen, despite previous denials that its product had been identified at all. FinSpy also recently surfaced in Ethiopia, where it was being distributed disguised as images of an Ethiopian opposition group and in Malaysia disguised as a list of political candidates targeting native Malay speakers. After the fall of Egyptian President Hosni Mubarak, an invoice for the FinFisher platform was found in the Egyptian State Security Headquarters, although it is unclear if a sale was completed.
Privacy International has made repeated inquiries to the United Kingdom questioning if the distribution of Gamma’s technology violates export laws, but as of yet the relevant agencies have “categorically refused to provide any details regarding any investigation into Gamma’s export practices.”
Gamma and other Western tech companies mentioned in the Citizen Lab report are not the only groups reportedly helping states with questionable human rights records establish digital surveillance. Last year it was revealed that Chinese company Huawei offered to a sell a “lawful interception solution” to an Iranian telecommunications company and supplied the technological infrastructure behind the closed intranet system Iran is currently developing.