Allegations have resurfaced that a UK company sold a computer surveillance Trojan to the Egyptian police to monitor dissidents during recent unrest.
In March, news emerged that an activist, Mostafa Hussein, had discovered sale documents for a spying program called FinFisher while occupying the headquarters of the Egyptian State Security service during protests in the country.
Hussein subsequently photocopied and posted online what appear to be sales invoices for a sum of over 287,000 euros for the software, originally developed in Germany. The name on the invoice header was Gamma International UK Ltd.
The purpose of the program appears to be to covertly monitor Gmail, Yahoo, Hotmail and even Skype conversations, probably using a mixture of keystroke and sound recording techniques.
The technique is perfectly legal when used by police authorities in a supervised way and has been around for some years in Germany and Switzerland, where it is used to get around the issue of programs that encrypt communications. Because this encryption is, to all practical intents, foolproof, the authorities instead attempt to record conversations as they are being spoken or typed.
By their nature, such programs are hard to detect, not helped by the fact that conventional security programs can’t spot them without resorting to unreliable heuristics. Finnish antivirus company F-Secure, which first publicised the allegations regarding FinFisher, admits that detection is impossible to verify without a sample from which to create a signature. But getting a signature is tricky unless victims – who are almost certainly small in number – are able to detect the infection.
“This proposal was sent to a notorious department known for torture, spying on citizens to help Mubarak’s regime,” Hussein is reported to have told The Washington Times, which has published a new article on the largely-ignored controversy. “The company Gamma, I consider them to be partners in the crime of trying to invade our privacy and arrest activists,” said Hussein.
We should make clear that the accusation against Gamma International depends on unverified paper documents. For a UK company to sell such a program to most foreign police forces would be, while controversial, also perfectly legal under current export licenses. The company denied any involvement in a sale to Egypt in a statement made to The Washington Times.
Concern about the proliferation of ‘legal hacking’ software continues to swirl, however. In 2009, the Swiss creator of a Skype-recording ‘Bundestrojaner’ (Government Trojan) even went to the lengths of publishing the source code to his software in order to stop its continued use by security agencies.