Is the FinFisher suite legitimate surveillance or software’s Dr Strangelove?

The UK is a bulwark against cybercrime, noted the world over for its respect for the principles of law and order; except that is when a British-based firm is accused of selling a hard-to-detect piece of spyware for use by governments that want to monitor their citizens. Then the world suddenly turns to shades of grey.

Enter a program called FinFisher (or FinSpy) from UK firm Gamma International, first covered by Techworld two years ago when claims emerged that it had been sold to spy on opposition activists during Egypt’s Arab Spring.

Reports have circulated since then that the suite was being used by other governments, typically non-democratic regimes worried about political opposition. This week University of Toronto researchers published a disturbing analysis of FinFisher’s empire building that lays bare a network of command and control servers that now stretches to 36 countries around the globe.

To be precise, Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, UAE, the UK, USA, and Vietnam.

Who is using these C&C servers, and for what purpose, is not easy to discern, but there is enough evidence to show that the program has already been used against people in Bahrain and Malaysia.

All bad enough, but the researchers then noticed that FinFisher was hitching a ride on Mozilla’s Firefox brand as a way of distributing itself, which drew an instant cease and desist letter from the browser firm and plenty of bad publicity from an open source community that detests subterfuge from ‘the man’.

All of this was perfectly predictable.

Malicious programs started as proofs-of-concept written by university programmers in the 1970s, morphed into a bedroom hobby for PC programmers in the 1980s, and were then rapidly professionalised a decade later as the Internet spread and web applications boomed.

By around 2006, with the German police 'Bundestrojaner' (not to mention cyber-weapons such as Stuxnet), malware had become something the world’s biggest states and police forces were prepared to invest in, even if the officials wielding these programs would no doubt claim they were being used legitimately.

FinFisher looks like the next logical jump: a private sector programme created ostensibly for governments with enough money to pay for information, gathered according to their own legal conventions, or lack of them.

The moral and possibly legal dangers of this type of private-sector program should be as obvious to the British Government as they are to the clutch of human rights organisations that have attempted to track FinFisher’s use, and yet it has so far offered no view.

The news of Mozilla's unwilling co-option to the cause is surely a warning that things are heading off the rails, if, that is, they were ever really on them in the first place. Meanwhile FinFisher's popularity is spreading to western governments too, with the German Government reportedly paying 147,000 Euros to use the program.

Gamma International will not be the only private firm writing spyware to sell at a high price to governments and police, even if it is now the most notorious. Security firms now have yet another enemy to add to the state-sponsored cyber-weapons that eluded them for so long: state-tolerated spyware.

Let’s hope they improve their detection rates, and quickly, because FinFisher will not be the last of its type.