Bahraini Government, With Help From FinFisher, Tracks Activists Living In The United Kingdom

Jaafar Al Hasabi, Mohammed Moosa Abd-Ali Ali, and Saeed Al-Shehabi each fled Bahrain for the United Kingdom with one goal: to be safe.

These men, activists in the pro-democracy movement in Bahrain, were variously subject to torture, arbitrary detention, harassment, and psychological trauma in their home country. They thought coming to the UK, and living in exile, would at least mean they would be outside the reach of the Bahraini government.

Despite the nearly 4,000 miles between their homes in Bahrain and their new lives in the UK, however, it is now clear that the Bahraini authorities were still able to watch their every move online, read their private messages, and infiltrate their networks of friends and family.

Evidence leaked online in August and first analysed by Bahrain Watch indicates that the Bahraini authorities were using a suite of software products, FinFisher, created by Gamma International, to gain remote access to the computers and mobile phones of these men. Once installed on a target computer or device, the software allows the operator to collect data, search files, read messages, and impersonate the target online, all the while undetected.

This is why today Privacy International and Bhatt Murphy Solicitors are acting on behalf of Jaafar, Moosa, and Saeed to lodge a criminal complaint with the National Cyber Crime Unit at Scotland Yard. If Gamma has knowingly sold spyware to the Bahraini authorities, and assisted the Bahraini authorities to use that spyware in unauthorised, unlawful remote surveillance of activists living in Britain, then Gamma ought to be prosecuted for either aiding and abetting or encouraging and assisting in the commission of a serious crime.

Confirmation from leaked documents

As a result of early work undertaken by Bloomberg and Citizen Lab, we have long known that Gamma International sold this surveillance technology to clients overseas, and Privacy International has previously launched litigation aiming to force the UK government to properly regulate this international trade, which provides repressive regimes with the tools they need to persecute their own people.

But thanks to the revelations in August, we now think that Gamma’s Bahraini government clients are targeting activists not just in Bahrain itself, but also on British soil. With the help of the human rights group Bahrain Watch, Jaafar, Moosa, and Saeed discovered that they were among a large number of Bahraini opposition members and pro-democracy activists worldwide whose computers appeared to be the targets of Bahraini spy surveillance using FinFisher software. And, according to the leaked evidence, Gamma International had not just sold Bahrain the software. The leaked service logs show that the Bahraini authorities were seeking technical support from Gamma to ensure they got the most out of their remote spyware: and, on the basis of the leaked logs, Gamma was providing that technical support.

There is no evidence that the Bahraini government has ever been authorised to carry out spying inside the UK. Unauthorised surveillance of personal computers in the UK to intercept data is an offence under the Regulation of Investigatory Powers Act 2000. Section 1(1) of that Act provides that it is an offence for any person ‘intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of … a public telecommunication system,’ including the Internet. Conduct of this type is also an offence under the Computer Misuse Act, 1990.

The evidence suggests the surveillance was occurring from at least 2010: whereas Gamma International was still denying as late as 2012 that it had ever sold FinFisher to Bahrain.

Accessory to the crime

Gamma International is a limited company, but that is no barrier to its being prosecuted as an accessory to a crime. The Accessories and Abettors Act 1861 provides that, so long as the company’s actions actually helped Bahrain to commit the offence of unauthorised interception, and so long as the officers of Gamma could foresee that there was a real possibility that the interception activities would be carried out, that company can be held liable as an accessory.

Privacy International considers that Gamma’s officers must have known that its FinFisher software would assist the Bahraini authorities to carry out secret surveillance and communications interception: that was the selling point of the software. Equally, on the basis of the service logs leaked in August, Privacy International considers that Gamma must have known that the Bahraini authorities were using the technology against targets in the UK. Privacy International considers that the evidence shows that Gamma ought to be charged as an accessory to the unlawful surveillance of these activists.

Privacy International has long argued that Gamma is selling its sophisticated spy software to repressive regimes that use it to control and persecute unwelcome critics. The evidence indicates that the software is now being used against those critics within the UK. That means Gamma may itself be knowingly committing the serious crime of aiding and abetting unlawful State surveillance.

That is why we are asking the National Cyber Crime Unit to carry out a full investigation of Gamma’s dealings with the Bahraini authorities and their involvement in the continued persecution of three exiled Bahraini activists. Britain allowed these men to seek exile because it knew that the Bahraini regime was threatening their lives for speaking out against that autocratic State. If a British company is helping the Bahraini authorities to continue that persecution in Britain, it must be punished.