According to a report by Citizen Lab, FinSpy, the intrusive surveillance software sold to governments to spy on their own citizens, has been found in 25 countries. The investigation was launched after analysis of a suspicious email targeting Bahraini activists.

Summary of Key Findings

  • We have found command and control servers for FinSpy backdoors, part of Gamma International’s FinFisher “remote monitoring solution,” in a total of 25 countries: Australia, Bahrain, Bangladesh, Brunei, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Arab Emirates, United Kingdom, United States, Vietnam.
  • A FinSpy campaign in Ethiopia uses pictures of Ginbot 7, an Ethiopian opposition group, as bait to infect users. This continues the theme of FinSpy deployments with strong indications of politically-motivated targeting.
  • There is strong evidence of a Vietnamese FinSpy Mobile Campaign. We found an Android FinSpy Mobile sample in the wild with a command & control server in Vietnam that also exfiltrates text messages to a local phone number.
  • These findings call into question claims by Gamma International that previously reported servers were not part of their product line, and that previously discovered copies of their software were either stolen or demo copies.

This is not the first time that Gamma International, owner of FinFisher and thus FinSpy, has been under scrutiny for violating the rights of activists. Privacy International leveled a complaint against Gamma with the Organization for Economic Cooperation and Development (OECD).

The complaints contend that, if it is confirmed that the companies have supplied spyware to Bahrain, then they may be guilty of complicity in (“aiding and abetting”) human rights abuses perpetrated by Bahraini authorities. The right to privacy, and freedom from torture and arbitrary arrest find recognition in several international human rights instruments, including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, all of which are ratified by Bahrain. In addition, these rights are recognized in the Constitution of Bahrain.

Private companies helping governments violate human rights is nothing new (see Blackwater), but to have firms engaging in hacking on this scale is unprecedented. It also provides another opportunity for the charge of hypocrisy as governments, including the United States, contract with private companies that are engaging in criminal hacking while charging political dissidents and private individuals with major felonies for the same activity.

Maybe if Aaron Swartz or Matthew Keys worked for a private security firm all would be well.