It has been linked to attacks on activists and dissidents and traced to servers operating across the world. But the next stop for a government spy technology that can infiltrate computers and eavesdrop on Skype chats could be a courtroom in England.
On Tuesday, human rights group Privacy International announced that it is challenging the British government for “unlawful” conduct during an investigation into exports of a surveillance tool known as FinFisher, sold by England-based Gamma Group. FinFisher, sometimes also called FinSpy, is a spy Trojan designed to covertly infiltrate targeted computers, monitor communications, and gather data from a hard drive. It can secretly record audio from a microphone, monitor emails and Skype conversations, and even take over a user’s webcam to conduct “live surveillance,” according to marketing materials.
The technology is supposed to be sold only to governments and law enforcement agencies for targeting serious criminals such as suspected terrorists. But a growing trove of evidence uncovered by researchers has linked it to attacks on political opponents or activists in a host of countries with poor human rights records, including Ethiopia and Bahrain. Late last year, Privacy International submitted a 186-page dossier to British authorities alleging a criminal breach of export control regulations. The group called for an investigation into potentially unlawful sales of the Gamma technology, acting on behalf of victims including a British-born Bahraini pro-democracy activist whose computer was allegedly targeted by Bahraini authorities using the FinFisher tool.
Now, Privacy International is taking fresh legal action. It has accused Her Majesty’s Revenue and Customs—the British export authority responsible for authorizing Gamma’s sales outside Europe—of illegally declining to provide information regarding the status of any investigation into Gamma and has lodged a judicial review application at the High Court in London seeking to compel disclosure of details. “HMRC's refusal to provide information to the pro-democracy activists who have been targeted is shameful,” said Eric King, head of research at Privacy International, in a statement. “In order for the public to have full confidence and faith that these issues will be addressed, we're asking the court to force HM Revenue & Customs to come clean."
HMRC told Privacy International in March that its criminal investigation team was considering the accusations leveled against Gamma, though claimed it was prevented by law from releasing information about the investigation and could not comment on individual cases. Privacy International says that the law does not bar the disclosure of details and alleges that the government “misconstrued the law to justify its evasive practices” or “issued a blanket refusal without considering the facts of the case at hand.”
The legal move from the human rights group is significant because, if successful, it may have wider ramifications. It could set a precedent for other cases in the U.K., forcing export authorities to be more transparent with their investigations in the future. The pressure from Privacy International also represents continuing escalation of efforts to force governments to respond to concerns around exports of Western surveillance technology to authoritarian countries. European parliamentarian Marietje Schaake has been persistently pushing for more stringent regulations around exports of spy software for more than two years. Meanwhile, in the United States, Rep. Chris Smith, R-N.J., is leading a crusade to block sales of surveillance and censorship gear to despots.
HMRC said it would respond to Privacy International’s legal challenge in due course, adding in an emailed statement that it would consider “all credible information we receive regarding potential breaches of UK strategic export controls and take action where we find evidence of abuse.” Gamma had not responded to a request for comment at the time of publication.