A report released today by Citizen Lab has uncovered further evidence that British company Gamma International has sold their surveillance technology FinFisher to repressive regimes abroad, despite having no export licence to do so. The report builds on investigations conducted last year that demonstrated that Gamma International has been exporting FinFisher without a license to repressive regimes with dismal human rights records.
Citizen Lab has uncovered evidence that 25 countries now have command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution”, including Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam. The Citizen Lab research shows a continued trend of FinFIsher technology deployments with strong indications of politically motivated targeting; for example, a FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian political opposition group, as bait to infect users. The report also contains strong evidence of a Vietnamese FinSpy Mobile Campaign.
In November, Privacy International provided a 186-page dossier of evidence against Gamma International to HM Revenue and Customs, the body responsible for enforcing export regulations, regarding this potentially criminal breach of the export control regime. On behalf of victims who were targeted by FinFisher, we called for an urgent investigation into Gamma International’s export practices.
However, HMRC has thus far failed to provide any information to Gamma International’s victims on the state of any investigation HMRC is undertaking into unlicensed exporting of surveillance equipment by Gamma International, despite multiple attempts at contact by Privacy International and parliamentary questions asked by Caroline Lucas MP.
Today’s report by Citizen Lab further calls into question claims made by Gamma International denying their involvement in sales of their technology to these countries, and their suggestions that previously discovered installations of their software were either stolen or demostration copies.
Eric King, Privacy International’s Head of Research, said:
As evidence continues to mount showing that British-made FinFisher is being used by repressive regimes to target activist and opposition groups, HM Revenue & Customs must come clean and explain what steps they have taken to investigate this potential breach of UK export laws.