UK court slams weak spyware investigation
Deutsche Welle - NSA and Digital Privacy

A UK firm has been selling software to dictatorships to help them track down opposition activists. Now the rights group Privacy International has scored a legal victory that may – one day – curb the trade.

Read it in Deutsche Welle

The NGO Privacy International greeted it as a big win in the fight against the illegal sale of spyware. The UK’s High Court ruled on Monday (12.05.2014) that Her Majesty’s Revenue and Customs (the body in charge of enforcing Britain’s export regulations) had acted unlawfully in failing to provide information on its investigation into the company Gamma International.

Gamma’s notorious FinFisher software is being used, according to Privacy International, in at least 36 countries around the world, including repressive regimes like Bahrain, Ethiopia, Egypt, and Turkmenistan – even though no license has been granted to export it.

FinFisher – developed in Munich, Germany – is a virus that covertly installs itself onto a target’s computer or cell phone and can then activate cameras and microphones, take screenshots, monitor emails, instant messages, and Skype calls, as well as track the device’s location – all at the command of a remote operator. FinFisher’s Munich office did not respond to requests for comment, but its website boasts that it employs some of the world’s best specialists in “offensive IT intrusion.”

“FinFisher is almost impossible to detect,” Privacy’s head of research Eric King told DW. “What happened in the examples that we know about is that people were suspicious, because either the infection took place via an email pretending to be someone that they knew, and they saw something off, or it was an email blast to a number of different people, where again the activists saw something off.”

Digital forensics

With forensic digital analysis, Privacy was able to determine that the spyware found on certain activists’ devices was indeed FinFisher, and that it was reporting information back to governments around the world. Because of its cryptography components, it has always been illegal to export FinFisher from the UK without a license (issued by the government’s Department for Business, Innovation and Skills), but a few years ago Privacy managed to confirm that Gamma International had neither applied for nor been granted any such license.

In November 2012 the group submitted a 186-page dossier of evidence to HMRC – at the request of the British government – suggesting that Gamma International had illegally exported the surveillance technology. The evidence included testimonies from Ala’a Shehabi, a British-born Bahraini economist and pro-democracy activist, who has herself been arrested by Bahraini authorities – as well as technical details from servers.

“Now that the High Court has rightfully said that HMRC’s actions were unlawful, I hope that the government takes action to bring justice to all of the victims whose rights have been violated because of this intrusive spyware,” Shehabi said in a Privacy statement.

“We couldn’t even get HMRC to acknowledge that they’d received the letters – after months they finally did acknowledge that we’d sent them,” said King. “But we could never get from them what they were going to do with it – we couldn’t even get a confirmation that they were going to investigate it. So after lengthy correspondence we took them to court.”

Privacy contended that the victims of the surveillance – as well as the public – had a right to know about what the state was doing to enforce export guidelines, and this week the High Court agreed.

Mr Justice Green condemned HMRC’s refusal to give information on its investigation as “irrational” and “simply inconsistent with the legislation.” Green added in the ruling, “I can in such circumstances have no confidence that HMRC has properly addressed itself to the serious complaints advanced to it by the Claimant [Privacy International].”

Easier to make than to steal

Following a DW request for comment, an HMRC spokesperson would only say, by email, “We are considering the detail of the judgment. The Judicial Review confirms that we may only disclose information where the law allows it, and HMRC remains committed to its legal duty of confidentiality.”

The spokesperson added, “HMRC receives information and intelligence from numerous different sources, and we always look into any allegation of criminal wrongdoing.” But HMRC would not address Privacy’s central concern – the illegal trade in malware. As far as King is concerned, the idea that Gamma International did not deliberately sell FinFisher to Bahrain and elsewhere is utterly implausible.

“It’s near-impossible for this software to be stolen,” he said. “It would require months of consultancy and contracting to work out where you put specific boxes in the network, to make sure it all works properly. It requires a considerable amount of installation and tweaking. If the Bahrainis wanted to spy on people using malware and they were technically sophisticated enough to steal it, they would have just built it for themselves. It actually would’ve been easier.”