By David Trilling
Think Skype is a secure way to make a call? Think again. That smartphone in your pocket? It could be a portable bug. And the camera on your laptop screen? You might consider covering it with duct tape.
Disguised as regular software updates, sophisticated British-made spyware – sometimes described as “malware” – is ending up in the hands of human rights abusers, a London-based watchdog group is alleging. In July, the group, Privacy International, filed a letter of complaint that asked the British government to start adhering to UK law and stop the export of such surveillance technologies to authoritarian states, including Turkmenistan. After an inconclusive response from government lawyers on August 8, Privacy International says it is pondering its options as it tries to place the issue in a public spotlight.
“Surveillance equipment and technology is now being exported from the UK by British companies to repressive regimes around the world without any controls,” said a July 12 letter from Privacy International’s lawyers to the Secretary of State for Business Innovation and Skills. “Such technology may be used to gather information on individuals who are then arrested, tortured and, in some cases, executed.”
The letter of complaint, prepared by Bhatt Murphy Solicitors, argues that the Export Control Act of 2002 requires London to ban exports of certain dual-use items – any technology that can be used for peaceful or military means – to countries where they could aid “internal repression” or “breaches of human rights.” Presenting evidence that such products were sold to repressive regimes including Turkmenistan, the letter alleges the British government is breaking the law by failing to impose export controls.
The Bhatt Murphy letter examines the activities of UK-based Gamma Group International, an entity that, according to its website, “provides advanced technical surveillance and monitoring solutions and international consultancy to National and State Intelligence Departments and Law Enforcement Agencies.” According to the Bhatt Murphy letter, a range of Gamma products falling under the rubric of FinFisher IT Intrusion can “covertly install malicious software” on computers and mobile phones by tricking users into downloading updates for popular programs, thus circumventing encryption and providing full access to emails, social media messaging and Skype calls. FinFisher products turn “the targeted device into a bug which the target individual willingly and unknowingly keeps in close proximity.”
“These tools allow a one-party state to flourish,” Eric King, the head of research at Privacy International, told EurasiaNet.org. The technology “permits dictators, autocrats and tyrants to maintain power by having maximum control over every piece of communication technology that exists within the state. No dissenting communication could take place unwatched.”
Such a one-party state is Turkmenistan, which heavily filters Internet content and blocks scores of Websites. Rachel Denber, Human Rights Watch’s deputy director for Europe and Central Asia, calls Turkmenistan “one of the most repressive countries in the world. It’s ruled by a government that tolerates absolutely no dissent. It’s gone to great lengths to monitor and interfere with peoples’ use of the Internet in order to keep down dissent.”
Various journalistic investigations have traced Gamma connections to authoritarian regions. The British newspaper The Guardian, for example, reported in 2011 that Gamma had offered the regime of fallen Egyptian dictator Hosni Mubarak the FinFisher software package. In December, German public broadcaster NDR’s ZAPP investigative journalism program aired a report alleging that Gamma had worked with Swiss Dreamlab AG to sell spyware to Turkmenistan. “Dreamlab alone anticipated an order valued around 900,000 Swiss francs [$930,000] in total. According to the documents [obtained by ZAPP], representatives from Dreamlab and Gamma even traveled to Turkmenistan to carry out the technical investigations for the project,” the program said.
ZAPP was unable to prove the products are actually operating in Turkmenistan, however. As King put it, “We have solid evidence explaining how, where and when this technology would be rolled out in Turkmenistan. However we cannot confirm the final transaction took place without evidence from Turkmenistan which it is currently impossible to obtain.”
Gamma International’s Munich-based managing director, Martin Muench, would neither confirm nor deny his UK-based company sold its products to Turkmenistan. “The nature of our business does not allow us to disclose our customers, nor how they use our products and the results that are achieved with them,” he told EurasiaNet.org by email. But he stressed that the company only sells to legitimate government agencies and does not break the law.
Gamma “complies with the national export regulations of the UK, United States and Germany and has never sold its products to any states that are restricted,” he said. Muench added that “law enforcement agencies have to follow and comply with the relevant laws of their respective country.”
Gamma and Dreamlab, of course, are not the only companies accused of selling spyware to authoritarian regimes. Multinational giant Nokia Siemens has faced criticism for selling Tehran software used to crush the 2009 “Green Movement” protests, for example.
Even if the British government picks up its monitoring efforts and prohibits some high-tech sales, other countries are sure to continue to allow exports of similar surveillance products. The industry is booming. Last December, Jerry Lucas, who organizes ISS World (Intelligence Support Systems) trade shows, told Bloomberg News the spyware industry is worth between $3 and $5 billion annually and is growing as much as 20 percent a year.
And as the software gets more sophisticated, the days of assuming privacy anywhere on the web appear to be over. “These guys know they are making tools for thugs,” computer security expert Jacob Applebaum, a former WikiLeaks spokesman, told ZAPP. “Instead of breaking the encryption, they just subvert it entirely.”
David Trilling is EurasiaNet’s Central Asia editor.