FinFisher, the spyware sold to police and tyrants around the globe, has gained the dubious honor of becoming the first piece of software whose sale has been judged by an arm of the Organization for Economic Co-operation and Development to have trampled human rights. The OECD is an influential consortium of world powers.
FinFisher, also known as FinSpy, infects PCs by exploiting vulnerabilities in Apple iTunes' update mechanism and in other software, or is simply installed by tricking someone into opening and running an email attachment. Once in place, it uses a rootkit to hide its files and processes from the user and from antivirus programs, intercepts VoIP calls and other communications for eavesdroppers, allows the machine to be remotely controlled over the internet, and more.
The OECD's UK National Contact Point (NCP), the body that hears complaints about British companies under the organization's guidelines for multinational enterprises, launched an investigation after Gamma International, the British arm of the spyware-making group, was accused of selling FinFisher to the authoritarian Bahraini regime.
A probe in 2014 by human-rights group Bahrain Watch claimed the Mid-East state had obtained a copy of the spyware and used it to infiltrate PCs belonging to a trio of anti-government activists, allowing officials to keep tabs on the men. The targeted pro-democracy campaigners – Moosa Abd-Ali Ali, Jaafar Al Hasabi and Saeed Al-Shehabi – were eventually granted political asylum in the UK after suffering years of harassment by the Bahraini authorities.
Now the OECD's UK National Contact Point reckons (PDF) that Gamma breached the organization's human-rights guidelines for companies based in member states in seven respects. The company is accused of flouting the guidelines' safeguards on privacy, freedom of thought and expression, and the right to liberty.
While that may sound serious, these safeguards are guidelines – merely voluntary – so Gamma can carry on selling to whomever it wants around the world. Instead of a penalty, the investigating team, which sits within the UK government's Department for Business, Innovation and Skills, offers the following advice:
[We] recommend that Gamma International UK Limited takes the following actions to make its conduct more consistent with the guidelines: that the company takes note of evidence from international bodies and UK government advice in its future due diligence, that it participates in industry best practice schemes and discussions, that it reconsiders its communications strategy to offer the most consistent and transparent engagement appropriate for its sector, and that, where it identifies that its products may have been misused, it co-operates with official remedy processes.
There's no word from Gamma about the ruling as yet, although the firm's not fond of talking to journalists. It wasn't too keen to talk to the government, either: the Brit investigation team said the biz was "unsatisfactory" at answering questions.
That's not going to bother Gamma much; business is good in the commercial spyware field. The firm has found buyers everywhere from Ethiopia to Turkmenistan, and a study by the University of Toronto's Citizen Lab, which used internet-wide scans to fingerprint the software's distinctive server responses, found at least 35 command-and-control servers for FinFisher around the world.
Leaked documents obtained from Gamma Group in Germany show the biz charged one customer €1.4m for a copy of FinSpy, and €331,840 in fees for a year's worth of support. A variety of penetration-testing training services were also available at €27,000 a pop.
Despite the lack of penalty for Gamma, Privacy International – one of the campaigning groups that filed a complaint to the OECD about the company two years ago – hailed the ruling as a victory.
"Today's judgment is a watershed moment recognising that surveillance companies such as Gamma cannot shirk their human rights obligations," said Eric King, deputy director of Privacy International.
"This decision reaffirms that supplying sophisticated intrusive surveillance tools to the world's most repressive regimes is not only irresponsible business conduct, but violates corporate human rights obligations, and the companies that engage in such behaviour must bear the responsibility for how their products are ultimately used."
In the meantime, if you're worried, PI and Amnesty have released a free tool, Detekt, that scans Windows systems for traces of FinFisher and other commercial spyware. Note that it only flags known samples rather than removing them, so a clean scan is no guarantee that a machine is uninfected. ®