An uncontrollable mess: The proliferation of state spyware
Three NGOs and a digital rights platform from Germany, including Reporters Without Borders (RSF Germany), the Society for Civil Rights (GFF) and the European Center for Constitutional and Human Rights (ECCHR), this month filed a criminal lawsuit against FinFisher, a German company that develops and markets the spyware called FinSpy, for illegally exporting its software to Turkey. The Munich public prosecutor has launched an investigation into the charges.
The matter is not new for those who follow this field; reports of FinSpy's use against the opposition in Turkey have been circulating for years. This latest episode is based on the claim that the Turkish government planted the software on a fake website designed to attract people interested in, or involved with, the Adalet website, which was originally created to facilitate the coordination of opposition during the 2017 protest marches.
According to the claims, this site contained an app that infected the users' devices with FinSpy, which has many capabilities that can completely undermine the privacy of the individuals who used their devices, opening up opportunities for the Turkish government to abuse information to put pressure on opposition figures. At this point, this is a claim that is still being investigated, but it is well known that intelligence agencies, governments, and even third parties routinely utilise spyware for multiple purposes.
Installing antivirus or privacy protection software is no guarantee against such tools, which are designed to evade such measures. Regardless of the result of the German court case, such tools will continue to proliferate in the foreseeable future. As early as six years ago, researchers from the Citizen Lab at the University of Toronto found servers operating FinSpy in 25 countries including Australia, Britain, Canada, Germany, India, Indonesia, Japan, the Netherlands, Qatar and the United States.
In some cases, the sale and use of FinSpy happened through legal channels, but in an age when the proliferation of extremely complex and costly programmes such as nuclear weapons cannot be fully controlled, it would be ludicrous to suggest that the uncontrolled proliferation of mere software is difficult because it is bound by legal frameworks. There have already been multiple reports of state actors using FinSpy to monitor their populations and suppress dissent, as the Turkish example also suggests.
And FinSpy is by no means the only tool used by states for such purposes; another recent report of abuse, also revealed by the Citizen Lab in 2018, shows that spyware called Pegasus, developed by Israeli company NSO Group, was used by a number of countries. Citizen Lab also found that at least 10 operators of the spyware "appear to be engaged in cross-border surveillance". In total, the report found Pegasus infections in 45 countries.
When it comes to the proliferation of surveillance software, states are not the only interested audience; from businesses to hacker groups (ethical or otherwise), from criminal organisations to terrorist organisations, there is an enormous and chaotic marketplace for such tools, and proliferation happens at every level. In the case of Pegasus, a former employee of NSO Group was charged with stealing the spyware and trying to sell it for $50 million over the dark web.
Much of the code of FinSpy was found to have been copied and used by the hacker group StrongPity, which staged numerous "Man-in-the-Middle (MiTM)" attacks in recent years, especially in Turkey (but also in Belgium, Italy and Syria). In other words, FinFisher did not have to sell anything illegally to anyone; its code and methods could be compromised by one of many hacker groups.
Proliferation does not only happen through illicit or illegal means. In 2016, it was found that Turk Telekom had used Sandvine/Procera Networks Deep Packet Inspection (DPI) devices to deliver FinSpy to users who wanted to download Windows applications. Similar claims were made for Telecom Egypt, as well. When the U.S.-based company Procera, which operates branches in Canada and Sweden, became aware through its engineers in Sweden that its products were used by Turk Telekom, senior technical engineer Kriss Andsten resigned, sending a company-wide email that said: "I do not wish to spend the rest of my life with the regret of having been a part of Erdoğan’s insanity, so I'm out."
According to Forbes, the initial request by Turk Telekom through a proxy had been deemed legitimate by senior figures at the company. But it turned out that Turk Telekom did not just request usernames and passwords, but also the IP addresses of the users, as well as a list of sites they visited.
Computer security researchers likened the capabilities of the software that was sold to Turkey to those of a tool used by the National Security Agency.
If you thought that the major threat to your privacy came from businesses and social media, consider the fact that the motivations of most businesses involve profit, and the legal tools at their disposal can only collect so much. While this is not to be taken lightly, it is the tip of the iceberg. What about tools built from the ground up to spy on your every activity, designed to avoid detection, tools capable of reading all your messages, including encrypted ones, tools capable of pinpointing your location at any given time with great precision, tools that can not only access your most intimate personal information, but are capable of acting on your behalf using your own equipment? Do not forget, these tools are primarily being used by state actors with vast resources, in addition to other groups.
Turkey has been accused time and again of abusing human rights, including the right to privacy. In all three examples above, Turkey was one of the top consumers of spyware. This is not a coincidence.
*My thanks to MiTM Labs (https://mitmlabs.com/) for the help in researching certain aspects of this article.
© Ahval English
The views expressed in this column are the author’s and do not necessarily reflect those of Ahval.