Deutsche Welle, 14 May 2014
A UK firm
has been selling software to dictatorships to help them track down opposition
activists. Now the rights group Privacy International has scored a legal
victory that may - one day - curb the trade.
On Monday
(12.05.2014), the UK High Court ruled that Her Majesty's Revenue and Customs
(the body in charge of enforcing Britain's export regulations) had acted
unlawfully in refusing to give information on the status of its investigation
into the company Gamma International. Gamma's notorious FinFisher software is
being used, according to Privacy International, in at least 36 countries around
the world, including repressive regimes like Bahrain, Ethiopia, Egypt, and
Turkmenistan - despite the fact that it does not have a license to export.
FinFisher -
developed in Munich, Germany - is essentially a virus that covertly installs
itself onto a target's computer or cell phone and is then able to remotely
activate cameras and microphones, take screenshots, monitor emails, instant
messages, and voice calls (including Skype), as well as track the device's
location - all at the command of a remote operator. FinFisher's Munich office
did not respond to requests for comment, but its website boasts that it employs
some of the world's best specialists in "offensive IT intrusion."
 |
| Shehabi was one of the activists targeted by FinFisher spyware |
"FinFisher
is almost impossible to detect," Privacy's head of research Eric King told
DW. "What happened in the examples that we know about is that people were
suspicious, because either the infection took place via an email pretending to
be someone that they knew, and they saw something off, or it was an email blast
to a number of different people, where again the activists saw something
off."
Forensic
investigation
With
forensic digital analysis, Privacy was able to determine that the spyware was
indeed FinFisher, and that it was reporting information back to governments
around the world. Because of its cryptography components, it has always been
illegal to export FinFisher from the UK without a license (issued by the
government's Department for Business, Innovation and Skills), but Privacy
confirmed a few years ago that Gamma International had not been granted any
such licenses.
In November
2012 the group submitted a 186-page dossier of evidence to HMRC - at the
request of the British government - suggesting that Gamma International had
illegally exported the surveillance technology. The evidence included
testimonies from Ala'a Shehabi, a British-born Bahraini economist and
pro-democracy activist, who has herself been arrested by Bahraini authorities -
as well as technical details from servers.
"Now
that the High Court has rightfully said that HMRC's actions were unlawful, I
hope that the government takes action to bring justice to all of the victims
whose rights have been violated because of this intrusive spyware,"
Shehabi said in a Privacy statement.
"We
couldn't even get HMRC to acknowledge that they'd received the letters - after
months they finally did acknowledge that we'd sent them," said King.
"But we could never get from them what they were going to do with it - we
couldn't even get a confirmation that they were going to investigate it. So
after lengthy correspondence we took them to court."
Privacy
contended that the victims of the surveillance - as well as the public - had a
right to know about what the state was doing to enforce export guidelines - and
this week the High Court agreed.
Judge
Justice Green condemned HMRC's refusal to give information on its investigation
as "irrational" and "simply inconsistent with the
legislation." Green added in the ruling, "I can in such circumstances
have no confidence that HMRC has properly addressed itself to the serious
complaints advanced to it by the Claimant [Privacy International]."
Easier to
make than to steal
Following a
DW request for comment, a HMRC spokesperson would only say, by email, "We
are considering the detail of the judgment. The Judicial Review confirms that
we may only disclose information where the law allows it, and HMRC remains
committed to its legal duty of confidentiality."
 |
| The Bahraini regime has been condemned by human rights groups |
The
spokesperson also added, "HMRC receives information and intelligence from
numerous different sources, and we always look into any allegation of criminal
wrongdoing." But this response did not address Privacy's central concern -
the potentially illegal trade in malware. As far as King is concerned, the idea
that Gamma International did not deliberately sell FinFisher to Bahrain and
elsewhere is utterly implausible.
"It's
near-impossible for this software to be stolen," he said. "It would
require months of consultancy and contracting to work out where you put
specific boxes in the network, to make sure it all works properly. It requires
a considerable amount of installation and tweaking. If the Bahrainis wanted to
spy on people using malware and they were technically sophisticated enough to
steal it, they would have just built it for themselves. It actually
would've been easier."
Related Articles:
No comments:
Post a Comment