Government ramps up controls on FinSpy surveillance software

Videos released by WikiLeaks appear to be promotional animations showing FinSpy in use.

Exports of a British-made cyber-spying package are to be monitored by the government, after privacy activists challenged the government to clamp down on the UK’s thriving surveillance sector.

FinSpy is now classed as a ‘dual use’ technology, capable of being used for both civilian and military purposes.  As such, it now will require an export licence granted by the UK Government’s Department for Business, Innovation and Skills for all sales outside Europe.

The software is part of the FinFisher suite, made by Oxford-based Gamma International. Promotional videos released by WikiLeaks last year showed FinSpy being used to hack into the computers and mobile phones of targets, through spyware disguised as fake software updates, or planted through a USB key. Once installed the technologies allows authorities to monitor email, Skype and phone conversations, and search their files.

Click here to read the Bureau’s investigation, the State of Surveillance

The technology’s marketing purports to be aimed at law enforcement groups. But campaign group Privacy International, which lobbied the government for the export control change, points out that it can also be used by abusive regimes to monitor activists and dissidents.

Last year after the Egyptian regime crumbled, dissidents discovered documents from Gamma International, offering FinSpy to Hosni Mubarak’s regime for €287,000. Spying technology designed in other European countries was found in several other dictatorships. Earlier this year, Bloomberg reported that FinFisher malware had been used to target Bahraini activists.

FinSpy has also been discovered in Turkmenistan, Dubai, Ethiopia, Indonesia, Mongolia and Qatar, according to Privacy International.

Privacy International wrote to the government in July calling on it to classify FinFisher as dual-use technology. Last week officials from the Treasury Solicitor’s office replied that it had assessed FinSpy and agreed it should be reclassified ‘because it is designed to use controlled cryptography’.

Gamma had already been advised of the decision, the officials said.

The letter continued: ‘The Secretary of State also understands that other products in the Finfisher portfolio could be controlled for export in the same way.’

Privacy International has requested more information on when and how the decision to control exports was made, and on the scrutiny that such sales received from the government.

Eric King of Privacy International said the decision was ‘a step in the right direction’, but added: ‘However, without swift further action to bring other unethical British companies under the export licensing regime, it’s just a sticking plaster on a bullet wound. There are also a number of pressing questions about the circumstances surrounding the government’s abrupt volte-face that remain unanswered.’