No way to prevent FinFisher from getting into hands of repressive governments

It’s time for a public discussion over controversial FinFisher spyware technology, according to Bill Marczak, an activist who helped expose its use by repressive regimes to crackdown on dissidents.

Bill Marczak, a computer science doctoral candidate at the University of California, helped investigate the use of FinFisher spyware against activists and journalists in Bahrain in 2012. 

Marczak believes the technology cannot be described as immoral, as it can be actually used to prevent crime. However, countries exporting these technologies should ensure it does not end up in the hands of repressive regimes.  

RT:How does FinFisher spying technology work?

Bill Marczak: FinFisher technology consists of a number of different products. One of them, which is one I’ve been working on tracking, is called FinSpy. And FinSpy is a type of computer spyware which allows a government to infect an individual’s computer or mobile device. And then once these devices are infected, the government can essentially spy on them, in other words it can steal files, steal passwords for online accounts on Gmail and Facebook, record your calls, track your GPS location etc. So, it basically allows the government to see whatever you are up to.
There’s another popular product in the FinFisher product line known as FinFly. And what FinFly is, it’s a device that a government can purchase and install at the internet service providers. So, for example in the US this would be AT&T or Verizon. So, a government would purchase this system, install it inside an internet service provider, and then this device allows the government to infect any internet user in the country with spyware. Users can be targeted based on their name, based on their phone number. User will be browsing a web site and then the FinFly device will inject spyware into the web site and infect the user.
So I think this is the main advantage of the FinFisher line of products, which is this capability to infect users without their knowledge. 

RT:Where does the information gathered this way go?

BM: When a government purchases the spyware, the government has full control over what they do with it, so they can infect anyone who they want. The server that gathers this information from all the infected computers and mobile phones in the country is actually located physically in that country and the government can then look at the information that’s intercepted and filter it etc.

RT:Is there any effective way of regulating how FinFisher spyware is sold and who buys it?

BM: FinFisher is just one example – there are many other companies, for example Hacking Team, an Italian company that sells a similar type of spyware. But all of this market in surveillance, especially with regard to spyware, I think it definitely needs to be more regulated then it is now, especially in terms of export controls. Our research has shown that the spyware seems to be ending up in a number of countries which are very repressive. For example we’ve traced the FinSpy spyware to Bahrain, Turkmenistan and Ethiopia. I think these are the countries those companies should not be exporting to. For example if you look at Turkmenistan’s human rights ranking it ranks very low in terms of press freedom, political freedom. So I think there have to be better export controls to ensure these technologies do not end up in the hands of dictators.

‘FinFisher spread around the world without any debate or transparency’

RT:How widespread is the use of this spyware with political purposes?

BM: We don’t have any sort of contracts, so that we could see financial dealings between companies and these governments. The only indications that we have as to where the spyware has been used are based on the research. In cases that we’ve seen the spyware has been targeted against activists and journalists in a particular country. We’ve been scanning the internet looking for this technology. So we found, as I said, spywares in Bahrain. We saw it being targeted against Bahraini journalists and activists last year. We’ve also found servers for the spyware in a number of other countries, such as Turkmenistan, Qatar, Ethiopia. And we’ve got some indications that it’s also being abused in other countries, for example we found a piece of FinSpy spyware that seems to be targeted at perhaps the members of the political opposition in Malaysia. The spyware contained details of the upcoming Malaysian elections. You couldn’t say exactly who was targeted against, but the use of election-related content suggests politically motivated targeting. We also found a sample of this spyware that appeared to be targeted at activists in Ethiopia. The spyware contained a picture of Ethiopian opposition leaders that was displayed when the user opened it. By opening the picture the user copied the spyware. 

RT:Don't you think that such an immoral technology should be banned?

BM: I don’t think that inherently this type of technology or this business is immoral. I think that definitely society as a whole has to have a conversation about how far we want to go in terms of surveillance to stop criminals. While we’ve seen this technology being used against dissidents, it’s also quite possible for this to be used against legitimate suspects in criminal investigations. So I think the scary thing at least from my perspective is that this technology seems to have proliferated around the world without any sort of debate as to whether it’s necessary, under what circumstances it can be used without any sort of transparency. I think it’s time for a long overdue discussion about the merits and drawbacks of this technology.

RT:Who do you think could regulate spyware technology distribution? 

BM: I definitely think it is responsibility of the governments where these companies are located to try and take steps to ensure that this technology does not end up in the hands of repressive governments. For example countries like Britain where Gamma is based and Germany where Gamma also has operations… You hear a lot from European countries and the United States about providing freedom and democracy abroad. I think it’s definitely a key component of ensuring freedom around the world is to ensure we are not giving these technologies to repressive governments. So I think that the UK and Germany have obligations to step up and make sure they know where these companies are exporting and whether they are not doing anything shady.