Documents recently released by WikiLeaks have brought new evidence to the public eye that the intrusive surveillance spyware FinFisher may be in use by several members of the Freedom Online Coalition, including Mongolia, Netherlands, and Estonia.1
If this evidence is correct, it should rightly raise serious concerns around the world. FinFisher is notorious malware—software that allows those who use it to place programs, often called Trojans, remotely onto computers and devices operated by others, usually without the target's knowledge much less consent.
Once downloaded onto a target’s computer, FinSpy allows the operator of the Trojan to spy on the target's activities. The operator can read a target’s email correspondence, search and take possession of documents on the target’s computer, monitor web surfing and chat conversations. It even allows the operator to remotely switch on the microphone of the computer and the webcam in order to extend surveillance beyond the computer to what is happening around it.
These intrusive tools have in the past been used by Bahraini and Ethiopian governments to spy on human rights activists. Unchecked by strong legal and technical safeguards protecting against unnecessary or disproportionate surveillance, the use of such software can undermine the integrity and security of computer and networking equipment and harm 'an internet free and secure'.2
Finfisher spyware is at the center of EFF's case against the Ethiopian government, for use against an American citizen in his home in Maryland.3
During the Freedom Online Coalition meeting in Tunisia, June 2013, a number of civil society organizations made a statement,4 reiterating the importance of the Necessary and Proportionate Principles and asking the governments to engage in a meaningful dialogue with civil society about these principles, the concept of privacy by design, and the international human rights framework which should also be applied to the technical architecture of communications and surveillance systems, ensuring that technological and policy protections are developed in parallel.
The Principles require a careful and public technical, legal and policy framework around digital surveillance tools such as those sold by Finfisher, one that can only be developed through such a dialogue. We would like to make use of this opportunity to repeat the request for a response and meaningful dialogue, which is of crucial importance for the Freedom Online Coalition and its engagement with stakeholders.