NSO Group human rights

European-made FinSpy malware is being used to target critics in Turkey

Brussels, BE — Today, we are releasing a report detailing the extensive deployment of FinFisher malware against critics and protesters in Turkey. The first such violation was documented by Citizen Lab and exposed the use of FinFisher surveillance malware to target Bahraini activists five years ago. To our knowledge, our report exposes the first documented use of FinFisher’s mobile malware systems since the company was breached by the hacktivist Phineas Fisher in August 2014.

“There is an obvious failure here — by multiple actors — to adequately account for users’ rights to privacy and freedom of expression and respect due process; an unacceptable status quo which abandons human rights defenders and journalists around the globe,” said Lucie Krahulcova, EU Policy Analyst at Access Now.

The report provides up-to-date details on how FinFisher’s technology is currently being used against government critics and evading scrutiny by security researchers, drawing from two years of observation by technologists, including Access Now’s Digital Security Helpline, a 24-7, free of charge resource for civil society across the globe. The findings have significant human rights, security, and policy implications.

In the face of negative attention, public embarrassment, export controls violations, and even legal challenges, German-based company FinFisher appears to be continuing to facilitate the repression of non-violent activists and critics in authoritarian countries such as Turkey.

FinFisher says it partners exclusively with law enforcement and intelligence agencies, and markets itself as providing “government IT intrusion and remote monitoring solutions”. Based on our research, their clients would have access to surveillance technology that can record phone and VoIP calls; collect files, screen captures, and photos; monitor geolocation; enable the victim’s microphone or place hidden calls; and collect communications and media files from messengers like Line, WhatsApp, Viber, Telegram, Skype, Facebook Messenger, Kakao, and WeChat.

The EU is currently undergoing an update of its existing regulation on export controls for ‘dual-use’ items. The intention is to establish stronger rules for the protection of human rights as well as more frequent reviews and the possibility of revoking licenses. One important element of this recast (or update) is to add certain types of cyber-surveillance tools to the EU export controls list — tools and items that national export controls authorities must then approve before the tools are exported to non-EU countries. These rules are intended to cover primarily items that intercept mobile phones, remotely hack into computers, circumvent passwords, or identify internet users. Authoritarian regimes around the world have used these and other items to violate human rights, oppress citizens, suppress and silence political opposition, and attack human rights defenders.

“This is just another instance in a long line of failures we can attribute to the current EU export controls regime,” said Lucie Krahulcova, EU Policy Analyst. “The EU Council has stalled the update of the new rules, choosing private interests over creating a more secure environment for activists, journalists, and human rights defenders around the world. This betrays EU’s commitment to the protection of human rights.”

Some of the first rumours of FinFisher’s involvement in supplying tools to authoritarian governments originated from its sales to Middle Eastern governments during the “Arab Spring.” Repeatedly, the company has deepened its connection to countries which dramatically escalate the repression of dissent in their territories, including governments at the brink of collapse. While FinFisher and its apologists continue to claim that it provides value-neutral technologies for targeted surveillance to stop terrorism and preserve national security, the evidence points to its repeated, flagrant use to target political opponents. As we show in the report, that includes targeting the main opposition party in Turkey during a protest, using tactics that increase the subtlety, scale, and aggression of the attacks. In Turkey and elsewhere, these are attacks on fundamental rights, civil society, and democracy.

Like all companies, FinFisher has a duty to respect human rights and avoid causing or contributing to violations. Yet in our research, we see this secretive firm enabling human rights abuses in a country whose government refuses to protect its people,” said Peter Micek, General Counsel of Access Now.

“Turkey’s crackdown on civil society has led to hundreds of arrests, with writers, academics, and rights activists particularly under threat. When unscrupulous private actors do business in countries whose governments shut down networks and jail journalists, and repeatedly look past signs their products are part of the problem, higher authorities must investigate,” said Melody Patry, Advocacy Director at Access Now.

Our analysis of uses of FinFisher’s “FinSpy” for mobile devices exposes the attacks in Turkey, but also helped us to identify other copies of the malware that indicate broader current use. There is evidence of its use in concurrent efforts to undermine civil society outside Turkey, including the compromise of individuals in Indonesia, Ukraine, and Venezuela.

Read full report