Surveillance software targeted British/Bahraini citizen

Last month Privacy International (PI) filed an application for a judicial review against HM Revenue & Customs’ (HMRC) refusal to release data on the export of Gamma International’s FinSpy surveillance technology. Put simply, PI believes that HMRC is required by law to provide the requested information while HMRC claims it is prevented by law from doing so.

PI wants the court to decide. It follows presentation of a dossier of evidence against Gamma International (a UK/German company, primarily UK-based but with a Germany-based managing director), and a Citizen Lab report claiming that FinSpy has been deployed by secret police in 25 different countries.

FinSpy is usually installed on targets’ PCs or mobile devices via an infected email attachment. It then seeks to evade detection. Two weeks ago Mozilla Firefox sent Gamma International a ‘cease and desist’ letter after it discovered instances of FinSpy trying to disguise itself as Firefox. This followed publication of For their eyes only by Citizen Lab containing the details.

Now Dr Ala'a Shehabi has filed a witness statement with the court. Dr Shehabi is a Bahraini activist and daughter of the leader of the Bahrain Freedom Movement. She was arrrested in April 2012 at the time of the Bahrain Formula One Grand Prix. Although later released, she has relocated to London.

“According to her witness statement,” reported the Guardian yesterday, “a few weeks after her arrest Shehabi received a series of emails, the first purportedly from Kahil Marzou who was the deputy head of Bahrain's main opposition party, including one containing a virus. Other emails that claimed to be from an Al Jazeera journalist were also infected. Research found that the emails contained a product called FinSpy, distributed by a British company, Gamma International.”

Dr Shehabi’s witness statement (found at reference number 309) describes receipt of these suspect emails. “I was confident that these customised emails were trying to target me directly and I sensed the contents of the attachments should be investigated,” she says. “Through a colleague connected with Bahrain Watch I got in touch with Vernon Silver from Bloomberg, and I forwarded him the emails. This led to the Citizen Lab report of July 2012, which identified the attachments to the emails as containing FinSpy.”

FinSpy is a pure covert surveillance product treated as malware by most anti-virus companies. “Once the user installs the software,” says PI, “victims’ computers and mobile devices can be taken over, the cameras and microphones remotely switched on, emails, instant messengers and voice calls (including Skype) monitored, and locations tracked. Investigations have revealed that such technology has been used in monitoring and tracking victims who are subsequently subjected to torturous interrogations.”

PI wants to know what steps the UK government has taken to ensure that FinSpy sales are legal. Gamma claims that it abides by UK, US and German export controls, but its managing director, Martin J Muench, has reportedly commented in the past, “It appears that during a demonstration one of our products was stolen and has been used elsewhere.”

What’s Hot on Infosecurity Magazine?