Activists Sue UK Government Over Spy Software Supplier

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

HMRC sued by Privacy International over investigation into British seller of surveillance software thought to have targeted human rights activists

HMRC, the UK government’s tax agency, is being taken to court by Privacy International, following a dispute over export controls governing a British surveillance software maker, whose kit allegedly ended up in the hands of nation states with questionable records on human rights.

Privacy International has been fighting the government to investigate Gamma International, which produces the FinFisher line of software that can infect mobiles and PCs to spy on users. To the dismay of human rights activists, the FinSpy tool was seen in use in various nations run by apparently repressive regimes, including Bahrain, Egypt,  Ethiopia, Turkmenistan and Vietnam.

Online surveillance © - Fotolia.comSurveillance software dangers

PI saw some success last year, having written to business secretary Vince Cable, threatening legal action and asking for export controls to be imposed on seemingly legitimate malware sellers.

Foreign secretary William Hague later agreed the government should enforce new restrictions on “telecommunications equipment for which there is a reasonable expectation that it might be used to restrict freedom of expression on the internet”.

But the rights group has not persuaded HMRC to talk about whether it is investigating Gamma. Most recently, it wrote to the department in December on behalf of Dr Ala-A Shehabi, a British-born Bahraini pro-democracy activist, claiming his computer was targeted by the Bahrain authorities using Gamma technology.

But it got no response. PI believes HMRC has broken the law in keeping schtum, “either because it misconstrued the law to justify its evasive practices, or because it issued a blanket refusal without considering the facts of the case at hand”.

Lawyers have now filed an application for a hearing and the case is expected to hit court in the next few months, though no date has yet been specified.

“The law enforcement body responsible for investigating breaches of export control law (that we argue Gamma has) is HMRC, and this lawsuit will hopefully force them to come clean about what action they’re taking against Gamma,” PI’s head of research, Eric King, told TechWeekEurope.

“Thus far they have refused to talk to us about Gamma despite us providing a 186-page dossier of evidence against Gamma to them six months ago

“A criminal investigation into Gamma by HMRC will be far more effective, and more appropriate given the breach of export control law than any other lawsuits directly against Gamma which is why we’re following the path we’ve taken.”

At the time of publication, neither HMRC nor Gamma had responded to requests for comment.

The business of surveillance software has come in for much criticism of late. Companies like Gamma and Italy’s Hacking Team have been accused of working with repressive regimes, without questioning the ethics of their customers.

Both firms say they would not work with any governments doing anything illegal, but refuse to say who their customers are, due to the sensitive nature of their business. “One person’s activist is another person’s terrorist,” Eric Rabe, senior counsel for Hacking Team, recently said in defence of the firm.

Activists continue to be targeted by malware, possibly sponsored by nation states, as seen in recent concerted attacks on Tibetan activists. According to human rights defenders, where surveillance software is often used to uncover those organising anti-government protests, it can mean the difference between life and death, as certain governments go to excessive, brutal lengths to keep their grip on power.

What do you know about Internet security? Find out with our quiz!