The main Internet service providers in Indonesia are under investigation for spying on their own users.
Tech in Asia is reporting that Telkom, Biznet, and Matrixnet Global are all under investigation by Indonesia’s information and communications technology (ICT) ministry for the use of FinSpy, remote surveillance software from the FinFisher suite that allows a remote user to capture information on targeted computers.
According to “You Only Click Twice: FinFisher’s Global Proliferation,” a report by Citizen Lab at the University of Toronto’s Munk School of Global Affairs, 25 countries have been found to host command-and-control servers for FinSpy, including Indonesia, the largest Islamic country and the fourth largest in the world.
“FinFisher products are marketed and sold exclusively to law enforcement and intelligence agencies by the UK-based Gamma Group,” according to the Munk study.
“Although touted as a ‘lawful interception’ suite for monitoring criminals, FinFisher has gained notoriety because it has been used in targeted attacks against human rights campaigners and opposition activists in countries with questionable human rights records.”
These activists include Bahrainis, who have been targeted during the Arab Spring protests in that country.
If the companies are found guilty of spying, those responsible could be sentenced to up to 15 years in prison under Indonesian law. According to Tech in Asia, a representative from one of the ISPs, Telkom, said the IP address identified as belonging to one of his company’s servers in reality belongs to a customer.
Although no government involvement in the Indonesian cases has been established or asserted, the government of Indonesia itself is not innocent of censorship and filtering. In that context, the Munk study’s conclusion gives one pause.
“(T)he increasing dissonance between Gamma’s public claims that FinSpy is used exclusively to track ‘bad guys’ and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists.”
In addition to Indonesia, command-and-control servers were found in Australia, Bahrain, Bangladesh, Canada, Czech Republic, Estonia, Ethiopia, Germany, India, Japan, Malaysia, Mexico, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, United Kingdom, United States, and Vietnam.
FinSpy has disappeared from servers in Brunei, United Arab Emirates, Latvia and Mongolia, where it had previously been detected.