In December of last year, the German public prosecutors’ office had declared that there was no legal basis for the use of the so-called “Bundestrojaner” spyware, which was used to spy on German citizens. On top of it being illegally used, it was also found to be of very poor quality by extensive research performed by the Chaos Computer Club. In a surprising turn of events, German political platform NetzPolitik.org has now uncovered secret documents belonging to the Ministry of Finance, that the Ministry of the Interior sent to the Bundestag (the political seat of Germany) that reveals the German Federal Police’s intention to use Gamma Group’s Finfisher spyware to do the exact same thing.
Finfisher is quite an elaborate suite that allows for remote take-over of both computer systems and mobile devices such as iPhones, Androids, Blackberries and Windows Mobile-phones by pretending to be a software update. Gamma Group sells this product to dictatorial regimes all over the world, and that says a lot. What is also quite interesting is the presence of the logo for the UK’s Home Office and a link to its’ premier Security & Policing Exhibition. Does this imply that the UK government also purchased this product? Wikileaks recently published a document that looks like Finfishers’ marketing brochure and it is certainly geared towards the more modern police forces, as it sports solid integration with LEMF, which stands for Law Enforcement Monitoring Facility.
In august of last year, Bloomberg published an article that reported Finfisher presence on 5 continents and analysis performed by Rapid7 indicated its presence in at least Australia, the Czech Republic, Dubai, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, Bahrain and the United States. Now, of course this is not concrete proof that these governments actually use Finfisher, but Gamma Group is based in the UK and they have placed this software in the category of goods requiring an export permit because of the restrictions on exporting such digital weapons. Combined with how Gamma specifically markets Finfisher as ‘Governmental IT intrusion‘, it is highly unlikely that the British government would allow legitimate export to be done to just anyone. In a similar story posted by the New York Times, Bloomberg spoke to Martin J. Muench, who is managing director of Gamma International, and he stated that they had not sold their product to Bahrain and the malware that was found must have either been a stolen demonstration copy, or reverse-engineered by criminals.
To be clear, the use of this software is highly questionable. A while back the Dutch Minister of Safety and Justice Ivo Opstelten revealed that a plan was in the works to change the law so that it became allowed for the Dutch police to hack systems belonging to suspects. This led to international resistance and an open emergency letter [PDF warning – Dutch] was sent to the Minister to have this plan terminated because it was a gross violation of privacy. Apparently Germany is already at least one step further than this, having purchased the software already. Is this the future for the Netherlands as well? Will Minister Opstelten dust off his ill-advised plan and follow Germany in purchasing this software? I hope not. Not only is the Dutch police severely understaffed as it is, it also has a serious history of bending (or outright breaking) the rules and violating people’s rights when it comes to (ab)using technology such as this. And just how long will it take before hacking a suspects’ computer will no longer require an approval from a court judge? Where is our oversight then?