Privacy International calls for criminal investigation into U.K. ‘malware’ manufacturer

Privacy International has lodged a formal criminal complaint with the British National Crime Agency calling for a criminal investigation into British software manufacturer Gamma, following the release of documents alleging that the company provided Bahrain with surveillance software used to track the activities of opposition activists within the U.K. without legal authorization. 

In helping Bahraini authorities conduct surveillance on legal British residents without proper authorization from the Home Office, the pro-privacy advocacy group argues argues, Gamma has violated the Regulation of Investigatory Powers Act (RIPA), the Serious Organized Crime act, or both. 

Until 2013 Gamma developed, marketed and provided support for surveillance software FinFisher, which allows the operator to monitor the real-time and historic communications of a target, wherever they are in the world—including the remote operation of webcams and microphones. The incidents flagged up by Privacy International all took place while Gamma was responsible for the software.

Privacy International’s claim is lodged on behalf of three Bahraini citizens, all legally resident within the U.K. and all involved in some fashion in political opposition to the autocratic Bahraini regime. Two of the three—Jaafar al Hasabi and Mohammed Moosa Abd Ali-Ali—have previously been tortured by the Bahraini authorities, and the third, Saeed Al-Shehabi, is “viewed by the regime as pivotal to the exhibition movement.”

All three had their computers infected with what appears to be FinFisher spyware software during 2011 while in Britain, documents leaked by Wikileaks earlier in 2014 show. At the time Wikileaks characterized FinFisher’s capabilities as akin to “weaponized malware.” 

In their letter requesting an investigation, Privacy International argues that Gamma should be considered under British legislation to be criminally liable for this “unlawful” surveillance, because Gamma is not only “aware of” but also “actively facilitating the Bahraini regime’s surveillance of targets located outside Bahrain through the provision… of intrusion technology… [and] detailed and ongoing helpdesk-type advice.”

The advocacy group argues that the software company does not merely supply technology: It also “offers extensive and comprehensive user support, aligning its own corporate mission with its client’s on the basis, that, in the company’s words, ‘the end user’s vision is our mission.’” This alignment and close integration with its clients means that Gamma is implicated in what appears to be unlawful surveillance by Bahraini authorities carried out on British soil. 

Because “Gamma officers must have known that a foreign state such as Bahrain would not have been authorized by the Home Secretary to carry out such interception in the U.K.,” Privacy International’s letter continues, they must have known “there was a real possibility that the tools it had consciously provided to the Bahraini authorities were being used for unlawful interception within the U.K.”

Gamma’s complicity in this surveillance means it may fall foul off the Regulation of Investigatory Powers Act’s (RIPA) ban on the interception of communications “without lawful authority,” as there is currently no evidence of any warrant issued by the British authorities authorizing surveillance of Bahraini political activists in the U.K. by Bahrain. 

Additionally, the privacy group argues, Gamma’s ongoing technical assistance to Bahraini authorities—allegedly “fundamental to [their] ability to intercept their targets’ communications”—the software company is “liable for encouraging or assisting an offence.” 

Targeted opposition figure Al-Sheabi claims that “the [Bahraini] regime is taking its war against activists worldwide,” and characterizes Gamma’s actions as helping Baharain “[undertake] extra-terrotirial repression.”

The documents leaked by Wikileaks also show that Australia, Belgium, Qatar, the Netherlands, Italy and South Africa are among the authorities that make use of FinFisher software, which is sold exclusively to law enforcement and spy agencies.

Illustration by Rob Price

Subscribe to the Daily Dot Politics newsletter here, and follow us on Twitter at @DotPolitics.

Rob Price

Rob Price

Rob Price is a technology and politics reporter who served as the U.K.-based morning editor for the Daily Dot until 2014. He now works as the news editor for Business Insider, and his work has appeared in Vice, Slate, the Washington Post, and the Independent.