No way to prevent FinFisher from getting into hands of repressive governments
Bill Marczak, a computer science doctoral candidate at the University of California, helped investigate the use of FinFisher spyware against activists and journalists in Bahrain in 2012.
Marczak believes the technology cannot be described as immoral,
as it can be actually used to prevent crime. However, countries
exporting these technologies should ensure it does not end up in
the hands of repressive regimes.
RT:How does FinFisher spying technology work?
Bill Marczak: FinFisher technology consists of a number of
different products. One of them, which is one I’ve been working
on tracking, is called FinSpy. And FinSpy is a type of computer
spyware which allows a government to infect an individual’s
computer or mobile device. And then once these devices are
infected, the government can essentially spy on them, in other
words it can steal files, steal passwords for online accounts on
Gmail and Facebook, record your calls, track your GPS location
etc. So, it basically allows the government to see whatever you
are up to.
There’s another popular product in the FinFisher product line known as FinFly. And what FinFly is, it’s a device that a government can purchase and install at the internet service providers. So, for example in the US this would be AT&T or Verizon. So, a government would purchase this system, install it inside an internet service provider, and then this device allows the government to infect any internet user in the country with spyware. Users can be targeted based on their name, based on their phone number. User will be browsing a web site and then the FinFly device will inject spyware into the web site and infect the user.
So I think this is the main advantage of the FinFisher line of products, which is this capability to infect users without their knowledge.
RT:Where does the information gathered this way go?
BM: When a government purchases the spyware, the government has full control over what they do with it, so they can infect anyone who they want. The server that gathers this information from all the infected computers and mobile phones in the country is actually located physically in that country and the government can then look at the information that’s intercepted and filter it etc.
RT:Is there any effective way of regulating how FinFisher spyware is sold and who buys it?
BM: FinFisher is just one example – there are many other
companies, for example Hacking Team, an Italian company that
sells a similar type of spyware. But all of this market in
surveillance, especially with regard to spyware, I think it
definitely needs to be more regulated then it is now, especially
in terms of export controls. Our research has shown that the
spyware seems to be ending up in a number of countries which are
very repressive. For example we’ve traced the FinSpy spyware to
Bahrain, Turkmenistan and Ethiopia. I think these are the
countries those companies should not be exporting to. For example
if you look at Turkmenistan’s human rights ranking it ranks very
low in terms of press freedom, political freedom. So I think
there have to be better export controls to ensure these
technologies do not end up in the hands of dictators.
‘FinFisher spread around the world without any debate or
RT:How widespread is the use of this spyware with political purposes?
BM: We don’t have any sort of contracts, so that we could
see financial dealings between companies and these governments.
The only indications that we have as to where the spyware has
been used are based on the research. In cases that we’ve seen the
spyware has been targeted against activists and journalists in a
particular country. We’ve been scanning the internet looking for
this technology. So we found, as I said, spywares in Bahrain. We
saw it being targeted against Bahraini journalists and activists
last year. We’ve also found servers for the spyware in a number
of other countries, such as Turkmenistan, Qatar, Ethiopia. And
we’ve got some indications that it’s also being abused in other
countries, for example we found a piece of FinSpy spyware that
seems to be targeted at perhaps the members of the political
opposition in Malaysia. The spyware contained details of the
upcoming Malaysian elections. You couldn’t say exactly who was
targeted against, but the use of election-related content
suggests politically motivated targeting. We also found a sample
of this spyware that appeared to be targeted at activists in
Ethiopia. The spyware contained a picture of Ethiopian opposition
leaders that was displayed when the user opened it. By opening
the picture the user copied the spyware.
RT:Don't you think that such an immoral technology
should be banned?
BM: I don’t think that inherently this type of technology or this business is immoral. I think that definitely society as a whole has to have a conversation about how far we want to go in terms of surveillance to stop criminals. While we’ve seen this technology being used against dissidents, it’s also quite possible for this to be used against legitimate suspects in criminal investigations. So I think the scary thing at least from my perspective is that this technology seems to have proliferated around the world without any sort of debate as to whether it’s necessary, under what circumstances it can be used without any sort of transparency. I think it’s time for a long overdue discussion about the merits and drawbacks of this technology.
RT:Who do you think could regulate spyware technology distribution?
BM: I definitely think it is responsibility of the
governments where these companies are located to try and take
steps to ensure that this technology does not end up in the hands
of repressive governments. For example countries like Britain
where Gamma is based and Germany where Gamma also has operations…
You hear a lot from European countries and the United States
about providing freedom and democracy abroad. I think it’s
definitely a key component of ensuring freedom around the world
is to ensure we are not giving these technologies to repressive
governments. So I think that the UK and Germany have obligations
to step up and make sure they know where these companies are
exporting and whether they are not doing anything shady.