February 16, 2012 | By Trevor Timm

Spy Tech Companies & Their Authoritarian Customers, Part I: FinFisher And Amesys

Last week, EFF gave its recommendations to EU parliament on what steps to take to combat a growing and dangerous civil liberties concern: Western companies marketing and selling mass surveillance technology to authoritarian regimes. This technology has been linked to harassment, arrests, and even torture of journalists, human rights advocates, and democratic activists in many Middle East countries over the past year.

EFF recommended parliament approach the problem through a “know your customer” program whereby companies would investigate purchasers of surveillance technology and would refrain from doing business with a government or its agents if the sale would be used to assist in human rights abuses. This program would be voluntary for companies and encouraged via incentives but could, if necessary, become a formal requirement. As we’ve seen, transparency can be a powerful tool. The industry is notoriously secretive and a little sunlight can help spur protests and force companies to change their business practices.

Privacy International recently released a mapping of companies and countries that have attended the notorious I.S.S. World trade shows, where this technology is bought and sold. But their investigation is far from over and you can go here to help them file Freedom of Information requests, write to your representative, or dig through government spending reports.

In the first part of a new series, EFF will take a look at what we know about some of the worst offenders located in Europe and the United States. Part I will highlight two companies, United Kingdom-based FinFisher and France-based Amesys:

FinFisher, unit of Gamma International—based in the UK

Gamma International and its subsidiary FinFisher first made headlines after the fall of Hosni Mubarak in Egypt last year, when activists found the company’s records in an abandoned state security building, along with troves of surveillance files. The documents on Gamma and FinFisher showed how they provided Mubarak with a five-month trial of their sophisticated spying technology, most notably FinSpy, which can wiretap encrypted Skype phone calls and instant messages—a service once mistakenly trusted by activists for secure communications.

The Wall Street Journal has since reported about FinFisher’s techniques and its technology’s dangerous capabilities. It works much the same way online criminals steal banking and credit card information. Authorities can covertly install malware on a user’s computer by tricking the user into downloading fake updates to programs like iTunes and Adobe Flash. Once installed, they can see everything the user can. The FinFisher products can even remotely turn on the user’s webcam or microphone in a cell phone without the user’s knowledge.

FinFisher doesn’t pretend to market their products for solely lawful use. In 2007, they bragged that they use and incorporate “black hat (illegal and malicious) hacking techniques to allow intelligence services to acquire information that would be very difficult to obtain legally,” according to a report by OWNI.

Gamma or FinFisher, of course, won’t comment on any of these facts that have come to light over the past year. They hid behind claims of client confidentiality, telling the Wall Street Journal that they “cannot otherwise comment upon its confidential business transactions or the nature of the products it offers.” But of course you can’t use claims of confidentiality to hide illegal behavior in the US or the UK. Investigators, especially in the UK and wherever these companies have sufficient contacts to establish jurisdiction, should require them to come clean about their potentially illegal business practices and uphold human rights privacy standards in the tools they offer and the customers to whom they sell.

Amesys, unit of Bull SA, based in France

When trade restrictions on Libya were eased in the early 2000s, Libya’s leader, Muammar Qaddafi, began to capitalize on the change by bringing in Western technology companies to surveil Libya's citizens’ Internet use under the guise of stopping terrorism. Instead, and to no one’s surprise, the technology was “deployed against dissidents, human-rights campaigners, journalists or everyday enemies of the state,” as the Wall Street Journal documented after seeing Qaddafi’s abandoned Internet monitoring center in Tripoli.

The main company tasked with assisting Libya with all its surveillance needs was a unit of the French company Bull SA, known as Amesys. With Amesys’ monitoring centers, Libyan authorities could read emails, get passwords, read instant message conversations, and map connections among criminals, or in many cases, journalists or dissidents. OWNI graphically mapped out just how massive the surveillance system was. Documents released by WikiLeaks in November revealed that Amesys gear was even allowing Libya to spy on dissidents and opposition figures living in the United Kingdom. And as AFP reported, Qaddafi’s “regime [had previously] been accused of sending agents to harass and even kill opposition figures in exile.”

Despite the easing of trade restrictions, it was no secret Libya had a long history of human rights abuses and Amesys should have known who they were helping. The head of Libyan intelligence, the notorious Abdullah Senussi, was convicted in absentia in France of the Lockerbie terrorist bombing in 1989 that killed 170 people. Yet the former head of Amesys and current CEO of Bull, Philippe Vannier, was seen in Tripoli meeting with the same Abdullah Senussi in 2007, according to the Wall Street Journal.

Abdullah Senussi has since been indicted by the International Criminal Court for crimes against humanity for his role in the violent crackdown against Libyan citizens this past year.

The Amesys case highlights a problem with many of these companies—they are doing business with human rights violators that may have relations with the US or EU. As Amesys rightly points out, Libya was an “ally” of the west when their contract was signed and boasted of warm relations with France until NATO decided to take sides with the rebel forces late last year. "All Amesys activities strictly adhere to the statutory and regulatory requirements of both European and French international conventions," a spokeswoman said in Amesys’ defense. But this doesn’t excuse their behavior. EFF’s know your customer standards address this problem by creating a framework in which companies study non-partisan human rights reports and not just the legal restrictions against the West’s perceived enemies.

"We are fully prepared to answer any questions which the legal authorities may ask us," the spokesman for Amesys also said. Authorities should take them up on their offer. In France, human rights groups have filed court documents asking for an investigation into Amesys for “possible violations of export rules and complicity in torture.” EFF encourages the French authorities to conduct a full investigation.

But Gamma and Amesys are far from the only transgressors. There are dozens of companies in both the US and EU that have been supplying this gear to authoritarian regimes as well, and EFF will soon highlight more of these companies until Congress and the EU countries act to prevent more of this dangerous technology from falling into the wrong hands.
