Countries buying software to spy on citizens around globe

Advanced spying abilities have become available to tinpot dictators around the world thanks to a German company selling them the technology, according to a report by researchers at Citizen Lab of the University of Toronto.

The researchers identified 32 countries where “at least one” government entity was using the software, called FinFisher. The software allows users to log keystrokes and access microphones and cameras on infected computers, among other things.

The Munich-based company that produces the software, FinFisher GmbH, says the tool is meant to be used by law enforcement agencies in countries that purchase it. However, many of the countries that Citizen Lab identified as using the software, such as Bangladesh, Serbia and Egypt, have lackluster records on human rights.

The most recent incident was reported in Uganda after a “progress report” was leaked to Privacy International this week. The report, written by an intelligence official and directed at the Ugandan president, detailed covert methods to “collect information and data” that was to be used to “manage and control the media houses and opposition politicians, which in the worst case scenario, may involve blackmailing them especially after personal information is in our hands.”

Perhaps most concerning to Americans, the software can also be used to spy on citizens of other countries. At least one country, Ethiopia, has already used it to spy on residents of the United States and United Kingdom. (The country was snooping on Ethiopian dissidents.)

“It can easily be used by foreign governments to spy on American citizens,” Bill Marczak, an author of the report, told the Washington Examiner. “It’s difficult to fully protect yourself from this sort of spyware, since it can get onto your computer or phone in so many different ways.”

As a preventative measure, he added, “One thing you can do is to not open suspicious attachments or links that you receive via e-mail.”

The researchers were able to extrapolate the countries that used the software by looking at Internet protocol addresses. “We noticed that when we issued a query like ‘What is my IP address?’ to a Google-decoy FinFisher server, the server would respond with a different IP address,” they explained. In one case, a server located in the U.S. responded that it was actually located in Indonesia, at an address previously identified as a FinFisher server.

FinFisher has one prominent competitor, the Italy-based Hacking Team. “It seems that both companies compete for the same clients (or, in some cases, a client buys both systems), and both have around a similar number of clients” based on leaked data, Marczak said. Thus, even if one company is shuttered, programmers willing to take on clients regardless of their character will remain.

Citizen Lab’s report points to the Wassenaar Arrangement, an arms control agreement between 41 countries, including the U.S., Germany and Italy, as something that could change the dynamic in the future. The agreement was amended in 2013 to include methods of cyberattacks.

“Now, as participants like the European Union have undertaken their own implementations (or are still developing theirs as in the case of the United States), it remains to be seen whether or not this will lead to greater transparency and control, and what impact, if any, it will have on abusive surveillance,” the researchers said.

In the meantime, Marczak told the Examiner, governments should be more proactive in monitoring such activity, even without an agreement. “I definitely think that there needs to be a requirement to go to your government to get a license to export this stuff,” Marczak said. “But that’s not the entire solution. I think that if a company sells a product to someone that it should reasonably know or expect would use the product in service of human rights violations, then the company should be penalized for that, and the government should be penalized for issuing the export license. Unfortunately, I think we’re a long way from that type of arms control regime.”
