WikiLeaks published a batch of documents and files pertaining to the controversial surveillance technology company FinFisher on Monday, including a list of its customers and actual copies of its spyware.
The release, the fourth one in the WikiLeaks series dubbed Spy Files, is made up mostly of files that were leaked by an unidentified hacker who breached FinFisher’s corporate network in August.
FinFisher is a German company that makes surveillance software marketed to law-enforcement agencies. The software is designed to siphon off and intercept all kinds of data from a target’s computer or cellphone, including Skype calls, emails, and chat conversations.
It made headlines for the first time in 2011, when protesters in Egypt uncovered documents indicating the security services of then-President Hosni Mubarak had purchased its products. Subsequent research has revealed that some repressive regimes around the world have used FinFisher software to spy on dissidents or human rights activists. These episodes have since put Western companies that sell hacking tools to such governments into the spotlight and sparked a debate over the legality of the sales.
In addition to the company’s clients, WikiLeaks has published actual copies of the software FinFisher sells to governments worldwide, in hopes security researchers can investigate further and build better defenses against these technologies. “This full data release will help the technical community build tools to protect people from FinFisher including by tracking down its command and control centers,” said Assange in a statement accompanying the release.
The company has long maintained that it only sells its products to government agencies that use them for legitimate law-enforcement purposes. Researchers at the University of Toronto’s Citizen Lab, however, have previously uncovered examples of repressive regimes like those in Bahrain and the United Arab Emirates using FinFisher to spy on dissidents and human rights activists.
Reached by phone at its headquarters, a FinFisher employee declined to comment for this story. “We don’t give any interviews,” he told Mashable.
In April of 2013, Citizen Lab identified 36 countries in which they found traces of FinFisher’s digital infrastructure and technology. The researchers, however, warned that their map didn’t necessarily reveal a list of FinFisher’s customers.
But now, WikiLeaks claims to have an actual list of 17 alleged customers, such as police departments or intelligence agencies from Australia, Bahrain, Bangladesh, Belgium, Bosnia-Herzegovina, Estonia, Hungary, Italy, Mongolia, Nigeria, Netherlands, Pakistan, Singapore, Slovakia, Qatar, South Africa and Vietnam.
Most of these countries were also part of the list released by Citizen Lab last year, but four (Belgium, Bosnia-Herzegovina, Italy and Slovakia) were previously unknown. WikiLeaks says they identified the additional nations by analyzing the support requests and other documents dumped by the hacker in August.
The anonymous hacker, who also launched a parody Twitter account named Phineas Fisher, obtained a series of email exchanges between FinFisher customers and the company’s support staff. Most customers were only identified with a unique ID, but WikiLeaks, and others, were able to identify some of them thanks to trails left in the files, such as email addresses or names of agents.
WikiLeaks estimated that FinFisher’s revenue from these customers amounts to at least 50 million euros ($64 million) based on a price list also included in the hacked files.
Bill Marczak, one of the researchers at Citizen Lab who has investigated FinFisher for years, told Mashable that he’s not completely convinced WikiLeaks’ estimate is accurate, since it doesn’t take into account support costs, and it adds the full price of the license every time a customer renews it.
But Mikko Hypponen, the Chief Research Officer at F-Secure and one of the world’s most respected malware experts, was still surprised by the numbers. “It’s remarkable how much money they are making by selling spyware,” he told Mashable.
The tip of the iceberg
A security researcher familiar with FinFisher, who asked not to be named to protect the people he works with, told Mashable that an important takeaway of this event is that FinFisher is only the tip of the iceberg in a larger market. (It’s estimated that the global computer surveillance technology market is worth $5 billion a year.)
“There is a lot more than FinFisher going on in the world,” the researcher said, noting that some countries listed as customers only had bought a small number of licenses from FinFisher. “If these well-resourced countries only have a handful of licenses, what [other technologies] might they be using?”
Both the anonymous researcher and Hypponen advocated for more transparency to help fuel a public debate on the use of these technologies.
“Authorities should produce public reports on how often technologies like these were used and how effective they were,” Hypponen told Mashable in an email. “If tools like these are used in secret, we the citizens can’t decide if they are worth the privacy trade-off or not.”