Clash over controversial surveillance software turns personal
Markus Beckedahl was visiting Detroit when a legal threat arrived in his email inbox from the other side of the Atlantic Ocean: a cease-and-desist letter from lawyers representing FinFisher, a German company that sells surveillance technology that it says helps law enforcement stamp out crime.
Beckedahl, the 42-year-old founder of Netzpolitik, a German website that combines technology news and digital rights advocacy, is one of FinFisher’s loudest critics for, he says, selling spyware to authoritarian governments. In September, his organisation, along with several advocacy groups, filed a criminal complaint against the Munich-based surveillance company, alleging that it had supplied its technology to Turkey without obtaining the required license from Germany’s federal government.
The complaint was the latest effort from advocacy groups and journalists to confront companies for, they say, providing spyware or other technology to regimes that suppress freedom of speech and target opponents with prison or violence.
But this time, the company’s antagonists ramped up the pressure. Contained in the complaint were the names of FinFisher employees who the groups say are responsible.
“We feel like we have a certain responsibility to confront the source to make sure there is a regime of export control in place that protects basic human rights and journalistic freedoms worldwide,” said Julia Legner, policy adviser for Internet freedom at Reporters Without Borders Germany, which also took part in filing the lawsuit.
The allegations prompted prosecutors in Munich to open an investigation into FinFisher, according to the Associated Press. Prosecutors are obliged to open an inquiry when criminal allegations are leveled, the AP said.
Neither FinFisher, which is privately owned, nor the Munich prosecutor’s office responded to requests for comment.
In a letter sent to Netzpolitik, which was delivered on October 4 and seen by Bloomberg News, FinFisher denied providing its technology to Turkey or violating export laws, and it claimed that the news website’s reporting was “highly prejudicial” to the Munich prosecutor’s investigation. It hired Berlin-based law firm Schertz Bergmann, which demanded in the cease-and-desist letter that Netzpolitik remove an article it had published detailing the Turkey allegations.
“The press is obliged to refrain from any prejudgment of the persons concerned,” the letter said, referring to FinFisher and its employees.
Beckedahl said he viewed the legal threat as an attempt to stop Netzpolitik from producing further reporting on FinFisher’s activities. He said he stood by the accuracy of the news site’s work on FinFisher, but removed the article about the Turkey case from its website, saying it feared a potential injunction and a costly legal fight.
Klaus Buchner, a member of the European Parliament representing Germany’s Ecological Democratic Party, accused FinFisher of “trying to silence journalism.”
“Companies like these like to pretend that they do not have a responsibility for what dictators do with their spyware,” said Buchner, who helped lead an effort in 2018 to tighten European Union controls on the export of surveillance technologies.
Netzpolitik filed the complaint against FinFisher in collaboration with Reporters Without Borders Germany, the Society for Civil Rights and the European Center for Constitutional and Human Rights. It alleges that covert operators of FinFisher’s technology set up a fake Turkish-language opposition website and Twitter accounts that were used to lure government critics into clicking on a malicious link. It isn’t clear who created the website and social media profiles. FinFisher says it “partners exclusively with Law Enforcement and Intelligence Agencies,” according to its website.
People who clicked the link - sent through the fake Twitter accounts to supporters of the opposition Republican People’s Party - were prompted to download an Android application that was in fact surveillance software, which would monitor their calls, text messages, photos, and location data, according to a technical report published by the digital rights group Access Now. Source code found on the website used to target the Turkish activists was “practically identical” to the source code of FinSpy, surveillance software developed by FinFisher, the complaint alleges.
FinFisher and its spyware has been the subject of previous news articles, advocacy group reports and a WikiLeaks release of documents and files.
In 2012, for instance, Bloomberg News reported that a prominent human rights activist in Bahrain was targeted with spyware traced to FinFisher. In 2014, WikiLeaks used leaked documents to identify FinFisher sales worth €47m ($52m) to countries including Qatar, Bahrain, Pakistan, Vietnam, Nigeria, Singapore and Bangladesh. And earlier this month, FinFisher’s technology was linked to an effort by an intelligence agency in Uzbekistan to spy on activists and journalists, according to Reuters.
FinFisher didn’t respond to specific allegations, but it has said complies with export laws and helps governments hack the phones of serious criminals, enabling security agencies to read suspects’ private messages or listen in on their phone calls.
In its letter to Netzpolitik, FinFisher’s legal representatives said the company no longer maintains “active client relationships” with countries outside of the European Union, unless they are designated under European regulations as an “EU-001” country, such as Australia, Canada, Japan, New Zealand, Norway, Switzerland and the US.
Gustaf Björksten, chief technologist at Access Now, said other countries that purchased the FinFisher technology years ago may still be able to use it, but would have difficulty doing so without the company’s support due to licensing restrictions and necessary software updates.
“The question now is, are those nations outside of the EU-001 list getting support directly from FinFisher, or from third parties with endorsement from FinFisher?” he said.