U.K. Limits Spyware That May Have Targeted Dissidents

Bill Marzcak
Marczak found evidence that traces malicious software e-mailed to Bahraini activists back to FinFisher, a spyware sold by U.K.-based Gamma Group. Photographer: David Paul Morris/Bloomberg

The British government has imposed export controls on U.K.-based Gamma Group’s FinSpy surveillance tool, which can remotely take over computers and phones, following reports that the systems may have been used to target political dissidents.

The U.K. Secretary of State for Business Innovation and Skills informed the company that existing export restrictions apply to FinSpy, requiring Gamma to obtain a license to sell the system outside the European Union, according to an Aug. 8 letter the government sent to lawyers for London-based Privacy International, which is pressing for such restrictions.

Martin J. Muench, managing director of Gamma’s Munich-based unit, Gamma International GmbH, confirmed the changes to the licensing requirements in an e-mail today.

“Gamma has and will always comply with Export Controls,” he wrote. “Gamma never exported anything knowingly that required an Export License without having obtained the appropriate License.”

The company also markets its FinFisher product portfolio, which includes FinSpy, through Andover, England-based Gamma International UK Ltd. Muench says that Gamma complies with the export regulations of the U.K., U.S. and Germany.

FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.

The Observer earlier reported news of the restrictions on FinSpy.

Activists Targeted

Research published July 25 based on e-mails obtained by Bloomberg News showed activists from the Persian Gulf kingdom of Bahrain were targeted by what looked like the software.

The findings, published by the University of Toronto Munk School of Global Affairs’ Citizen Lab, later led researchers to find computers that appeared to be command servers for FinSpy in at least 15 countries.

The U.K. tightened the requirements after determining that FinSpy qualified for regulation under the arms-related export controls followed by most Western nations, according to the Aug. 8 letter from the Treasury Solicitor’s Department.

The basis was FinSpy’s use of cryptography, which is regulated for its possible military uses, the letter said. “The Secretary of State also understands that other products in the Finfisher portfolio could be controlled for export in the same way,” it said.

The correspondence was a response to a July 12 letter from Privacy International’s lawyers, who are seeking to restrict exports of surveillance technology.

Welcome Decision

“We welcome the government’s decision to start controlling exports of FinSpy,” Privacy International’s head of research, Eric King, said in a statement.

Privacy International says there are still questions about the government’s regulation of earlier FinSpy sales and the extent to which the control now exercised over Gamma also applies to other surveillance technologies and companies, the group said in a news release provided by King.

The government’s letter said regulation of surveillance technologies beyond those covered by the cryptography restrictions remains under discussion.

“The identification of the relevant types of surveillance equipment that might be subject to any form of further export control requires detailed analysis as this is a technically complex area in which technological developments are fast-moving,” the government’s letter said. It noted that surveillance technologies also may have legitimate uses for civilian telecommunications.

A spokesperson for the U.K.’s Department for Business declined to comment.

Under Scrutiny

Gamma first came under scrutiny after a sales pitch made to Egyptian state security was uncovered following that country’s February 2011 revolution.

In November, the Wall Street Journal published Gamma brochures on its website, and the following month anti-secrecy website WikiLeaks posted Gamma promotional videos showing how police could plant FinSpy, which is part of the FinFisher line of products, on a target’s computer.

Since July, security researchers have uncovered what appear to be FinFisher’s capabilities and reach.

Morgan Marquis-Boire, the San Francisco-based researcher who wrote the Citizen Lab report on FinFisher and Bahrain, last month documented FinSpy’s ability to take over mobile phones -- turning on microphones, tracking locations and monitoring e-mails.

Marquis-Boire, who works as a security engineer at Google Inc., has done the research on his own time with collaborators who include Bill Marczak, a computer science doctoral candidate at the University of California Berkeley.

Gamma’s Muench said the company has worked with U.K. authorities to ensure its sales of these new technologies comply with regulations, and is adapting to restrictions.

“Gamma is already developing a range of products which includes both those that require an export license and those that do not,” he said in his e-mail.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE