Government pressured to reveal what steps it has taken to stop Gamma selling its FinFisher kit to repressive regimes
Surveillance software made by a British firm has been found in use in Ethiopia and Vietnam, possibly to spy on citizens for political reasons, and the UK government is facing pressure to take action.
Citizen Lab carried out a scanning operation to find where Andover-based Gamma International’s FinFisher tools were running in Ethiopia, where pictures of Ginbot 7, an Ethiopian opposition group, were used as bait to infect people’s machines. That would indicate the software was used for political means.
In Vietnam, a mobile version of the FinSpy software was spotted by the researchers.
Gamma has come under fire before, after its kit was found in Egypt and Bahrain, again apparently for political reasons, where activists or opposition were thought to have been spied on. The company, which also runs out of Munich, has repeatedly denied reports it sold to such regimes.
But, much like its European competitor Hacking Team, which has faced similar criticism, it will not reveal who its customers are, due to the confidentiality agreements it has with clients. Both companies deny they are doing anything unethical, saying they sell only to governments, law enforcement and intelligence agencies, and that they keep tabs on how their kits are used to ensure nothing nefarious is going on.
Their software carries out similar functions to traditional malware, such as keylogging and other data capture. Both were named “enemies of the Internet” by Reporters Without Borders this week.
Internet activists have been up in arms at Gamma’s activities, saying companies should be far more responsible about who they are selling to, and should not be working with those nations with poor human rights records. Jacob Appelbaum, security researcher and Tor Project contributor, claims governments have used such software to uncover opponents, who are then arrested and tortured.
In the UK, Privacy International believes Gamma may not have the right export licence to sell their kit to repressive regimes. The UK government reportedly contacted Gamma, telling the firm it needed to have a specific licence to sell outside Europe. It is unclear whether Gamma has, as required by law, country-specific licences.
Privacy International has now called on HMRC to open up on what it has done to keep tabs on Gamma. “As evidence continues to mount showing that British-made FinFisher is being used by repressive regimes to target activist and opposition groups, HM Revenue & Customs must come clean and explain what steps they have taken to investigate this potential breach of UK export laws,” said head of research at PI, Eric King.
Neither Gamma nor HMRC had responded to TechWeekEurope’s requests for comment.
Gamma found FinFisher command and control servers were running in 25 nations, including the UK, the US, Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan and United Arab Emirates.