Spyware
September 19, 2012As many have pointed out, not least Chancellor Angela Merkel in her weekly internet broadcast, the wheels of the Arab Spring have been oiled by social networks and the availability of cheap mobile phones with video cameras.
But repressive governments such as those in Bahrain, Syria, and Turkmenistan have not been slow to use digital weapons to fight back. Pro-democracy activists have come to expect propaganda campaigns undermining their work, as Husain Abdulla, director of Americans for Democracy and Human Rights in Bahrain (ADHRB), told Deutsche Welle recently, but few were expecting to be targeted by software that could come from a James Bond movie.
A number of software security firms have developed Trojan malware with the ability to remotely grab images from computer screens, intercept and record Skype calls, secretly turn on web cameras and microphones, and record keystrokes. Mobile versions of the spyware exist too, which can turn a smartphone into a tracking device by enabling the phone's GPS system.
The most recent case was revealed by the Munk School of Global Affairs' Citizen Lab at the University of Toronto, which analyzed spyware sent to Bahraini activists, including Abdulla, traced it to government-controlled servers in Bahrain, and identified the malware as made by German company FinFisher, a subsidiary of the UK-based Gamma Group.
Virus trade
Typically, according to Abdulla's account, the malware is attached to a legitimate email intercepted by government agents. If the attachment is then opened on the target computer, the virus copies itself into a system folder. When the computer is then re-started, it adds a new code into the system processes. This can hide the Trojan's network communication within a web browser and so avoid firewalls.
Andre Meister, internet activist at the German website netzpolitik.org, believes the software is very sophisticated. "From what I understand, it is very professionally put together," he told Deutsche Welle.
German media reports have already named and shamed a number of German companies - Elaman, Trovicor, Utimaco - said to be involved in the business of selling malware to countries like Turkmenistan and Syria.
But they are notoriously secretive. None of the above firms responded to DW requests for interviews, and even their promotional literature is kept under wraps, shown only to potential clients. One Elaman "German Security Solutions" brochure, obtained and released by Wikileaks, revealed that the company was helpfully pointing out that its technology could be used to "identify political opponents."
Dual-use
Though the German public and political class insist on stringent data protection laws at home, only opposition parties like the Greens and the socialist Left party have raised concerns about the sale of this software abroad.
"German politicians are maybe a bit critical of American corporations like Google and Facebook, but that doesn't mean that they would prevent the export of malware," said Meister. "After all, Germany is the third biggest weapons exporter in the world. But up until now, the export of this software is not limited in any way."
The legal difficulty, of course, is that this technology is "dual-use" - in other words, it can be used for both legitimate and illegitimate reasons - catching criminals or catching democracy activists.
Speaking to DW earlier this month, Gamma's International Managing Director Martin J. Muench used this as a convenient justification for their business. "We use the Export Controls Authorities (ECA) in the UK, Germany and USA to determine to whom we can sell our products. They in effect act as our 'moral compass,'" he said. "Given that a can of fizzy drink or a car battery can be abused and used as an implement of torture, it is of no surprise to anyone if our products can be abused too."
That sounds reasonable enough - except that there are no export guidelines that cover malware, so there is little that the ECAs can do. "There is no obligation to register where they are exporting to, and the companies don't say," said Meister. "That's the problem - it's all a business secret."
Pressure increasing
Germany's socialist Left party and the Green Party have both brought up the issue with the government. "We've started initiatives in parliament against the export of dual-use technologies," said Annette Groth, human rights spokeswoman for the socialist Left party. "The Left party has been calling for this for some time."
"We've been pointing out the problem for over a year and a half, ever since the Economy Ministry explicitly supported the export of this software," said the Green Party's internet policy spokesman Konstantin von Notz. "Anyway, everyone has really known about the problem for a long time."
And the pressure seems to be paying off. Speaking at an Internet and Human Rights conference, hosted by the German Foreign Ministry in Berlin last week, Foreign Minister Guido Westerwelle called for a EU-wide ban on the export of surveillance software to totalitarian states.
"These regimes should not get the technical instruments to spy on their own citizens," Westerwelle said. It was a good start, though he failed to give details on what technologies he meant, or by when a ban should be implemented.
For von Notz, it's very clear about where the blame lies. "We know the Foreign Ministry has got this problem in its in-tray too," he said. "But up till now the Economy Ministry has always got its way, and said, 'we can't limit German exports.' Of course they won't say anything about it, but from their practical actions it seems clear that human rights don't matter much to them."
The Economy Ministry would not acknowledge any split in the government. "The German government takes the view that the export of surveillance technologies which can be used to suppress freedom of speech or the press in the Internet is to be limited by the appropriate sanctions," ministry spokeswoman Felicitas Hoch told DW in an emailed statement, before adding that the EU was actively working on introducing extra export controls for surveillance technology for "Syria and Iran."
The statement did not mention Bahrain or Turkmenistan or any of the other dictatorships accused of importing malware. Hoch merely added, "The government is also participating in discussions on a possible extension of export controls for surveillance technology on an international level."
But when this extension might be introduced was left open.