Tag Archives: FinFisher

Bytes for All hits snags in FinFisher court hearing

A public interest litigation case launched by Cyber Stewards Network partner Bytes For All (B4A) at the Lahore High Court has been met with obstacles during court proceedings.

B4A began the proceedings using research conducted by the Citizen Lab, documented in the report titled “For Their Eyes Only: The Commercialization of Digital Spying.” The research revealed the presence of FinFisher on the Pakistan Telecommunication Company Limited (PTCL) Network, the largest telecommunications provider in Pakistan. The court action by B4A alleged that the presence of FinFisher servers in Pakistan may violate constitutional rights against breaches of privacy, given the software’s ability to use trojans to access the information of users.

Despite a court order to look into the matter and produce a report in one month, the Pakistan Telecommunications Authority (PTA) has repeatedly failed to do so. Six court hearings have been missed or cancelled by order. Questions remain as to who is using the FinFisher server in Pakistan, how it came to be implemented without public inquiry, and how much government funding has been employed for its purchase.

 

Update on Bytes for All Censorship and Surveillance Cases

In January 2013, Cyber Steward partner Bytes for All (B4A) submitted a petition to the Lahore High Court to challenge Internet censorship in the country. This case, in collaboration with the Media Legal Defense Initiative, a non-governmental organisation which helps journalists and independent media outlets around the world defend their rights, highlighted the ongoing censorship of YouTube in Pakistan. The popular video-sharing site has been blocked since 2012, after YouTube refused to remove the controversial anti-Islamic “Innocence of Muslims” video.

After months of deliberations, the Lahore High Court has decided to move the case to a larger bench presided over by three or five judges, a move B4A sees as indicating how serious the stakes of the petition are, as cases presided over by a full bench of judges “carry greater weight in terms of judgment.” B4A pledges to pursue the case as a constitutional issue and hopes for a speedy end to the blocking of YouTube in Pakistan. Minister for Information and Broadcasting Senator Pervaiz Rashid stated recently that the government is not interested in prolonging the YouTube ban and that Pakistanis “will hear good news soon.” Rashid then clarified that the ban will be overturned only after the installation of filters to block blasphemous and other objectionable content online. Last year, the Pakistani Ministry of Information Technology called for bids on a national URL filtering system. Research by the Citizen Lab found that filtering products produced by Netsweeper, a Canadian company, have been installed on the networks of the Pakistan Telecommunication Company Limited (PTCL), the country’s largest telecommunications corporation.

B4A is also initiating a contempt charge against the government for not appearing at court in regard to the ongoing FinFisher petition. The court ordered the Pakistan Telecommunication Authority (PTA), the country’s telecommunications regulatory agency, to investigate FinFisher’s presence in Pakistan. The petition also asks for accountability from other corporate and government entities, including the Federation of Pakistan, through the Ministry of Interior, the Ministry of Information Technology, and the Pakistan Telecommunications Company Limited (PTCL). FinFisher, a product advertised as “governmental IT intrusion” software, is marketed and sold to law enforcement and intelligence agencies by the UK-based Gamma Group. Research conducted by the Citizen Lab on the presence of FinFisher found the software present in 36 countries across the globe, including Pakistan.

 

Cyber Steward Network and Local Activists Investigate Surveillance in Mexico

by Renata Avila

While the Mexican government has long been suspected of purchasing surveillance equipment, the frequency of these purchases and the level of public funds allocated to them are rapidly increasing. Last February, the New York Times published an investigative report on a USD 355 million outlay by the Mexican Ministry of Defense for sophisticated surveillance equipment. Six months earlier, Carmen Aristegui, a renowned investigative journalist in Mexico, published a report documenting five contracts from the Secretariat of National Defense for the purchase of surveillance technologies. All five contracts were confidential and granted to a single company headquartered in the state of Jalisco called Security Tracking Devices, Inc.

On March 13, 2013, Citizen Lab published “You Only Click Twice: FinFisher’s Global Proliferation,” in which researchers conducted a global Internet scan for the command and control servers of FinFisher surveillance software. The Citizen Lab found FinFisher servers hosted on two Mexican Internet service providers: Iusacell, a small service provider; and UniNet, one of the largest ISPs in Mexico.

As part of my work investigating surveillance in the Northern Triangle, I recognized that the findings revealed potential legal violations. I quickly translated the findings and disseminated them to human rights groups and technology collectives in Mexico.

The findings were widely shared via social networks and later translated by the online activist group YoSoyRed. Shortly thereafter, Mexican magazine Proceso published an investigative report on the harassment of human rights defenders online. The report asked Iusacell and UniNet to explain the presence of FinFisher on their servers. Neither of the ISPs responded to any of the magazine’s questions.

I connected with human rights activists in Mexico City to raise awareness about civil society efforts in other countries that have resulted in legal action against the use of surveillance technology by repressive regimes, including cases against Amesys in France and FinFisher in Pakistan. A coalition of human rights lawyers and international experts, including Citizen Lab, ISOC Mexico, Privacy International, and other organizations, discussed the possibility of taking legal action to reveal the identity of those parties responsible for the purchase and deployment of FinFisher software in Mexico. At the time, however, we did not have enough information to present a strong case.

On May 1, 2013, Citizen Lab published “For Their Eyes Only: The Commercialization of Digital Spying,” which once again implicated Mexican ISPs in deploying FinFisher surveillance software. Two Mexico City-based human rights non-governmental organizations, Propuesta Cívica and ContingenteMx, requested a verification procedure regarding FinFisher’s presence in Mexico with the Instituto Federal de Acceso a la Información y Protección de Datos (Federal Institute for Access to Information and Data Protection or IFAI), Mexico’s privacy authority. Their filing cited Citizen Lab’s FinFisher research.

IFAI is legally mandated to protect citizen data and investigate possible personal data violations by private sector entities, as provided by the Federal Law on Personal Data Protection Held by Private Parties. It is also mandated to impose sanctions if a law has been breached. IFAI has the ability to launch a procedure either on its own initiative or at the request of affected parties. If, after preliminary findings, the IFAI determines that there is sufficient evidence to proclaim that a data breach has taken place, a formal investigation and possible sanctions will follow.

IFAI subsequently opened an official preliminary inquiry asking ISPs whether they were hosting FinFisher servers and what measures they were taking to protect the data of their clients. At the same time, Federal Deputy Juan Pablo Adame proposed a resolution before the Mexican Senate and Congress encouraging IFAI to investigate the use of FinFisher with reference to Citizen Lab’s findings and the requests submitted by civil society to investigate the deployment of FinFisher (registered as IFAI/SPDP/DGV/544/2013 and IFAI/SPDP/DGV/545/2013). The Permanent Assembly approved Adame’s motion, thereby imposing an obligation on the data protection authority to answer all questions submitted by the government.

After the Congress and Senate passed a joint resolution, IFAI announced that it required further information from ISPs and government agencies with powers to acquire surveillance technologies before deciding whether it would open a verification process for Iusacell and UniNet. UniNet denied responsibility for any programs that clients run on their servers, while Iusacell made no comment.

Purchase of FinFisher is confirmed by authorities 

On July 6, 2013, following the Congressional resolution and an IFAI public statement announcing the inquiry, YoSoyRed published a leaked contract and other documents implicating the Mexican Federal Government in the purchase of FinFisher software. The Procuraduría General de la Nación (Office of the Prosecutor or PGR) purchased the surveillance tool from Obses, a security contractor, for up to USD 15.5 million. José Ramirez Becerril, a representative from Obses, unveiled details about the equipment provided to PGN and claimed that other Mexican governmental institutions purchased the software as well. Mexican authorities confirmed that the equipment was purchased directly rather than through the governmental bid system that usually characterizes defence contracts so as not to “alert organized crime.”

The media heavily scrutinized the leaked FinFisher contracts. The press, however, was more concerned about the amount of public funds allocated to purchasing these technologies than about the technologies themselves. In circumventing the public bid procedure, FinFisher and another surveillance tool called Hunter Punta Tracking/Locsys were sold at an inflated price to Mexican authorities during the Felipe Calderon administration. In response, authorities indicated they would prosecute culpable individuals who conduct illegal surveillance activities. To date, no criminal complaint has been filed, despite strict provisions that prohibit the interception of communications unless authorized by a federal judge and a warrant. The full content of the contracts has not yet been made public.

As the scandal unfolded, Congress offered to help activists on the ground demand greater transparency and accountability. On July 11, 2013, the Mexican Senate and Congress passed a joint resolution in which they demanded a full investigation and disclosure of any contracts between the Secretary of Interior, the PGR, and any other relevant institution. They were asked to send a full report about the purchase of surveillance and hacking systems capable of monitoring mobile phones, electronic communications, chats, and geolocation data from Obses, Gamma Group, Intellego, and EMC Computer Systems, and their affiliates. Congress also called for laws to regulate and restrict purchases of surveillance equipment, extensively quoting the Citizen Lab report in its request. The commercial entities named have not yet responded. IFAI also informed Congress that it would continue the investigation.

Iusacell and UniNet continued to deny hosting FinFisher servers. Iusacell indicated that the servers were located in Malaysia. Further evidence indicates otherwise: Wikileaks’ and La Jornada’s Spyfiles 3 publication revealed that FinFisher developers visited and were active in Mexico.

All Mexicans enjoy a constitutional right to privacy according to the recently amended Article 16 of the Mexican Constitution and the Federal Law on the Protection of Personal Data held by Private Parties, a general privacy framework. IFAI’s mandate ensures full monitoring powers and verification of compliance with these laws. If IFAI fails to open a full investigation, criminal and constitutional complaints can follow and any failure to investigate will be challenged on the basis of flagrancy. Technical assistance is often necessary to test devices and find examples of infected individuals to support any legal course of action.

IFAI’s investigation is currently ongoing. The Citizen Lab and Cyber Stewards Network will continue supporting the case and helping both the Mexican authorities and citizens understand how surveillance systems operate so that they can evaluate whether those employing them are breaking the law.

 

Access Is My Right!: Bytes for All Launches Campaign Against Internet Filtering and Online Censorship in Pakistan


Cyber Steward partner Bytes for All (B4A) has launched “Access Is My Right” — an advocacy campaign to engage Pakistani citizens on Internet censorship, privacy, and freedom of expression in the country. The campaign calls on citizens to raise awareness of information controls by sharing campaign visuals across the Internet, especially on social media sites such as Twitter and Facebook.

B4A describes the campaign as “a call for [a] larger human rights movement in the country and [for] citizens to fight the ongoing censorship as it will further take its toll on already compromised civil liberties in the country.”

The campaign features original art pieces by local artist Anny Zafar that highlight government practices and policies that limit the right to freedom of expression and information as guaranteed by the Pakistani constitution. It also complements larger campaigns that B4A has launched in response to threats to user rights, such as online filtering and surveillance.

Bytes for All (B4A) actively campaigns against the use of information controls in Pakistan. In recent years, the Pakistani government has blocked YouTube, Twitter, Facebook, and certain pages on Flickr and Wikipedia over content deemed to be threatening to national security or considered blasphemous. The Pakistani government has also on two occasions imposed cellphone communication bans in the name of national security.

In January 2013, B4A and the Media Legal Defense Initiative (MLDI) submitted a petition to the Lahore High Court challenging the government’s censorship of YouTube and other websites, claiming that Internet censorship is a violation of civil and political rights.

B4A’s Country Director, Shahzad Ahmad, has pointed out that this case is vital for upholding democratic rights and principles in Pakistan: “YouTube was shut down to try and control the news of massive corruption and human rights violations in the country. In Pakistan breaking news often first comes on citizen journalism platforms and not on mainstream media. YouTube has helped spread stories of human rights abuses, such as extra-judicial killings, and corruption, so from that perspective these channels are very important.” These issues have been highlighted in some of the artwork for the Access Is My Right! campaign.

These Access Is My Right! campaign posters highlight why the ban on YouTube violates the principles of right to information and freedom of expression.

In June 2013, research by the Citizen Lab in conjunction with B4A found that filtering software developed by the Canada-based company Netsweeper is deployed on a network operated by Pakistan Telecommunication Company Limited, Pakistan’s largest telecom company and operator of its Internet Exchange Point. Netsweeper is used for national level filtering that restricts access to content with political and social themes, including websites related to human rights, sensitive religious topics, and independent media. This development is significant because of the possibility that such censorship will be extended to lower-level ISPs in the country.

B4A has actively campaigned against Pakistan’s national filtering system since its proposal in 2012. Recently, it has raised concerns over Netsweeper filtering technology in the country. B4A submitted Citizen Lab’s Netsweeper research to the Lahore High Court as well as all relevant UN Special Mandate holders. The Access Is My Right! campaign has been used to raise public awareness about Netsweeper in Pakistan.

Access Is My Right’s Netsweeper campaign posters

Access Is My Right! also draws attention to B4A’s work around promoting privacy rights in Pakistan. In 2013, The Citizen Lab found evidence of two FinFisher command and control servers in Pakistan. FinFisher is a “governmental IT intrusion” software that can exfiltrate data, intercept e-mail and instant messaging communications, and spy on users through webcams and microphones. Although the presence of FinFisher command and control servers in the country does not necessarily imply that Pakistani government agencies are operating it, its presence is alarming given Pakistan’s lack of strong privacy laws and data protection legislation.

Access Is My Right’s FinFisher campaign poster illustrates how surveillance technologies violate the right to privacy.

B4A submitted a writ petition to the Lahore High Court, expressing concerns over increasing threats to citizen privacy, absence of individual protections and the violations of basic human rights granted by the country’s constitution, while questioning the existence of FinFisher in the country. This effort resulted in the court ordering the Pakistan Telecommunication Authority to investigate the use of FinFisher in Pakistan.

Access Is My Right! has garnered significant support, with the campaign posters being shared across social media sites. To learn more about the campaign, visit: http://www.accessismyright.pk.

 

Paradigm Initiative Nigeria Seeks Information on Surveillance Systems in Nigeria

Recent research from The Citizen Lab has detected the presence of devices capable of surveillance on networks operated by Nigerian Internet service providers. In January 2013, Citizen Lab researchers found installations of Blue Coat Systems’ PacketShaper device on netblocks associated with IPNX ISP and Cobranet. In April 2013, Citizen Lab released “For Their Eyes Only: The Commercialization of Digital Spying,” in which researchers identified FinFisher servers on a network operated by Suburban Telecom.

The Nigerian government’s procurement of Internet surveillance capabilities attracted local media attention on April 25, 2013, when the Premium Times reported that President Goodluck Jonathan had awarded a USD 40 million contract to Elbit Systems, an Israeli company that markets itself as an “international defense electronics company.” One day earlier, Elbit Systems announced in a press release that it would supply its “Wise Intelligence Technology (WiT) System for Intelligence Analysis and Cyber Defense,” a device tailor made for digital data collection and reportedly capable of harvesting network traffic, to “a country in Africa.” Premium Times’ sources within the Jonathan administration confirmed that the country in question was Nigeria.

‘Gbenga Sesan, a Cyber Steward Network partner and Executive Director of the Paradigm Initiative Nigeria (PIN), called attention to the issue on Twitter by highlighting Section 38 of the Nigerian Budget Office’s 2013 Appropriation Act, which clearly detailed that the Nigerian government had allocated N 4,312,479,720 (USD 27.6 million) to the “Wise Intelligence Network Harvest Analyzer System,” in addition to similarly large allocations toward an “Open Source Internet Monitoring System” and a “Personal Internet Surveillance System.”

On May 6, 2013, PIN filed a Freedom of Information (FoI) request with the Nigerian government regarding the USD 40 million Internet surveillance contract to Elbit Systems. The FoI filing requested that the government provide details of the process through which the contract was awarded and any information that could shed further light on the substance of the contract itself.

As of May 23, 2013, President Jonathan was reportedly considering the option of canceling the contract with Elbit Systems and had convened a meeting with the company’s management to discuss their potential breach of confidentiality in publishing the initial press release. However, the government failed to respond to PIN’s FoI request, and the group subsequently applied for an order of mandamus through the Federal High Court in Abuja. In response to the request, Federal High Court Justice Gabriel Kolawole asked the National Assembly to amend Nigeria’s 2011 Freedom of Information Act to henceforth bar unjustified requests for information. In a press release, PIN challenged the High Court’s dismissal and called on the National Judicial Institute to address the issue. As of September 2013, PIN’s lawyers have filed an appeal against Justice Kolawole’s ruling and are awaiting a response.

Bytes for All Petitions Pakistani Court on Presence of Surveillance Software

On May 13, 2013, Bytes for All (B4A), a Pakistani civil society group and partner in the Cyber Stewards Network, filed a petition with the Lahore High Court on the possible use of the FinFisher product suite in Pakistan. B4A has advocated for the rights of Pakistani netizens to browse the Internet free of censorship and surveillance through numerous court and government actions, including a recent petition submitted in January 2013 in protest of the ongoing censorship of YouTube.

The first hearing took place on May 13, 2013 and resulted in a court decision ordering the Pakistan Telecommunication Authority (PTA) to investigate the use of FinFisher software in the country. The court order further stipulated that the PTA must make a statement to the court by June 24, 2013. Further news on this court case will be posted as updates develop.

B4A’s case is based on evidence revealed by the Citizen Lab on the presence of FinFisher software in 36 countries across the globe, including Pakistan. Developed by Munich-based Gamma International GmbH, FinFisher products are marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group. The company advertises FinFisher as a “governmental IT intrusion” software that can exfiltrate data, intercept email and instant messaging communications, and spy on users through webcams and microphones.

Activists and civil society organizations in other countries have urged government authorities to investigate the use of FinFisher in their respective jurisdictions. Human rights activists in Mexico have filed a request with the Federal Institute for Access to Public Information and Data Protection (IFAI) to investigate FinFisher’s presence on two Mexican ISPs. UK-based NGO Privacy International has filed an application for judicial review regarding the refusal of Her Majesty’s Revenue and Customs (HMRC) to release information about Gamma Group’s export of FinFisher. Privacy International’s case was spurred by revelations that the Bahraini government had used FinFisher software to target domestic activist Ala’a Shehabi.