Internet: Selling spyware to trap dissidents
22 February 2013
He’s regarded as one of the meanest Germans in the cybersphere: Martin Münch supplies police and secret services with spyware, which some dictators use to terrorize dissidents.
Everything’s so simple in the Disney animated musical Mulan. The heroine fights in the men-only Chinese army against the invading Huns. The film portrays Mulan’s enemies as shadowy, faceless creatures. Good against evil: the old classic formula.
Martin Münch lives in a Disney movie. He knows who the bad guys are. And he knows he’s one of the good guys. There’s only one hitch: nobody else knows that. On the contrary: to them, Münch is on the wrong side of the Arab Spring, on the side of the oppressors. Human rights activists pillory him for supplying surveillance software, whether deliberately or carelessly, to dictatorships.
Memory-infecting virus
Münch (31) develops intrusion software for computers and smartphones. These programs infect digital memory and pry into people’s virtual private lives. The Trojan horse that can do all that is called FinFisher. This sort of spyware is called Trojan because its snooping functions are smuggled in inside a harmless-looking shell.
Münch, who’s proud of his product, has now explained himself to German journalists for the very first time. The name of the company on the glass doors of his office in Munich: the Gamma Group.
Münch is good at explaining technical toys. Maybe because he taught himself everything he knows. He has no technical training, never studied computer science, just three terms of jazz piano and guitar.
To the world’s cybersnoopers, Münch is a little like Mushu, the diminutive dragon in Mulan, a nifty little fire-breathing helper who stands by Mulan in the field of battle. Münch has a firm of his own through which he holds a 15% stake in and serves as managing director of Gamma International GmbH, the German branch of the UK-based Gamma Group. In fact he named the firm Mushun after the dynamic dragon in the film, only with an extra "n" at the end, he adds, laughing sheepishly.
Gamma’s bestselling tool in the FinFisher family is called FinSpy. Münch bends over his Mac laptop to show what the program can do. First the infiltrator selects the operating system he wants to attack: you want to hit an Apple iPhone, a smartphone running Google’s Android operating system or a PC running on Windows or the free Linux system?
Action movie cyber-attack
You can enter how many servers in various countries you want to use as stepping stones, so that even computer geeks can’t figure out who’s actually spying on them.
The snooper can then select how nasty the Trojan horse should be, how far it should go: Use the microphone as a bug. View and capture saved files when they are deleted or edited. See every letter the user types on the keyboard. Record Skype calls. Activate the device’s camera to see where it is and watch what’s going on in the vicinity. Turn mobiles into tracking devices using the GPS geo-localization function.
However, most of FinSpy’s functions happen to be illegal in Germany. And it costs a pretty penny. Prices start from about €150,000 and can run into seven-digit figures, says Münch. That’s because for each customer Gamma designs a different version of the Trojan, which is supposed to abide by the laws of the country in question. “The target is individual criminals,” he says. Note that he doesn’t add the word “suspected”, but employs the terms “criminal” and “offender” as though synonymous with “suspect” and “target”.
Especially useful for despots…
Ala’a Shehabi is one such target. Her offence: she criticized her country’s government. This British-born young woman lives in Bahrain, a small archipelago country in the Persian Gulf. It’s actually a kingdom – and a police state. The Sunni king, Hamad Bin Isa al-Khalifa, rules over a Shia-majority population. When the Arab Spring spilled over into his country two years ago and Ms Shehabi, along with thousands of others, called for reforms, the king called in the aid of the Saudi Arabian army. Photos and videos on the web show protesters’ eyes seared by tear gas and bodies riddled with lead shot pellets.
But the Formula One organizers failed to see any problem there, so they went ahead with the grand prix race in Manama, the capital, last April. The opposition tried to report the truth on what was going on there to some of the journalists who’d flown in for the big event. Shehabi, who hides her dark hair under a headscarf, also met with reporters. She told them about police brutality, about the wounded and the dead. She broke a taboo.
Shehabi was careful, making sure no-one was watching her, and switched her mobile off during the interview. But the police paid her a visit all the same shortly afterwards. The officers let her go, but then came the first e-mail. Subject: “Torture report on Nabeel Rajab”. Attachments: purported photographs of the tortured Rajab. He’s a friend of Shehabi’s and fellow dissident. Shehabi tried to open the file, but it didn’t work. Luckily for her, since there was a Trojan horse from Gamma concealed in the attachment. The Bahraini regime had her in their crosshairs, and Martin Münch’s software helped them get at her.
Surveillance industry transparency
Snoopware for a police state? The Gamma Group have reacted oddly to the accusations. They’ve made no clear-cut statement about Bahrain. Münch won’t say who Gamma’s clients are – or aren’t, for that matter. So the company will simply have to live with the fact that Reporters Without Borders and other human rights groups have filed an official complaint with the OECD (Organization for Economic Cooperation and Development), invoking the OECD Guidelines for Multinational Enterprises in their calls for tougher controls on where Gamma exports its spyware to.
Münch takes every opportunity to reiterate that his firm abides by German export regulations. But the FinFisher products were sent from England. Now Great Britain and Germany are subject to the selfsame EU regulation on exports of surveillance technology, which, for purposes of this legislation, doesn’t mean weapons, but “dual-use items” that can be used for civil and military purposes. Accordingly, the restrictions have far fewer teeth than those concerning sales of tanks, for example. So the long and short of it is that Gamma receives and files away a certificate from the customer, rubber-stamped by the government itself, saying FinFisher has really been installed by the right recipient.
Gamma has been getting bad press ever since the Arab Spring set in. In one government office in Egypt, protesters found an offer from Gamma to their toppled regime: the cost estimate for software, hardware and training came to €287,137. But the delivery never took place, claims Münch.
“Software doesn’t torture people.”
When Münch talks about detractors, he sounds genuinely indignant: “We’ve always got this bad boy image. But that’s not a nice feeling.” Especially seeing as it’s undeserved, he adds: “Some people say, ‘I don’t like that, that’s encroaching on people’s private lives.’ But the fact that they don’t like it doesn’t mean we’re doing anything illegal.”
Nevertheless, Münch is now promising a change: more transparency, real consequences. Gamma is going to put a human rights officer on its board of directors soon. He’ll probably be assigned the title himself, adds Münch. Rather an odd choice, though: after several hours’ interviewing Martin Münch, one still has the impression that there’s no needle on his moral compass.
Still, he is having a code of conduct drawn up that is to rule out exports to countries that violate human rights. Gamma is in touch with two human rights groups, which, he says, are to advise the company in borderline cases. For he doesn’t think he himself can make clear-cut distinctions: after all, he points out, the US tortured people too at Guantanamo – does that make it an illegitimate government?
The whole scandal has taken Münch entirely by surprise: “Software doesn’t torture people.” So he can’t understand all the fuss. “I think it’s a good thing the police are doing their job” – tracking down the bad guys. And in Bahrain that means political dissidents.
Translated from the German by Eric Rosencrantz