Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Explained: Our criminal complaint on behalf of Tadesse Kersmo

On Monday, Privacy International submitted a dossier to the National Cyber Crime Unit of the National Crime Agency on behalf of Ethiopian political refugee Tadesse Kersmo, asking them to investigate the potentially unlawful interception of Tadesse's communications, as well as the role a British company played in developing and exporting the invasive commercial surveillance software called FinSpy that was found on Tadesse's computer.

Here, we address some of the legal questions surrounding the complaint.

Why have we made this complaint?

It's quite simple. In order to intercept Tadesse's communications while he was here in the UK, his computer was hacked and infected with FinSpy. Privacy International argues that this was done without lawful authority, and the unlawful interception of someone’s communications is an offence under section 1 of the Regulation of Investigatory Powers Act 2000 (RIPA). Additionally, we believe that that the development and export of FinSpy may constitute assistance to this unlawful interception, which could be an offence in itself.

As these are potentially all criminal offences, we have brought the matter to the attention of the National Cyber Crime Unit. We think it is important that this intrusion is investigated, in particular because Tadesse is a political refugee who has been granted asylum in the UK and should be protected from measures potentially taken against him by his former government.

How does RIPA apply to this case?

Section 1 of RIPA prohibits unlawful interception of communications. Among other requirements, to fall within section 1 RIPA’s prohibition on interception, communications must have been intercepted in the course of their transmission:

A person intercepts a communication in the course of its transmission … if, and only if, he— (a) so modifies or interferes with the system, or its operation, (b) so monitors transmissions made by means of the system, or (c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system, as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

However, according to RIPA, a communication is legally in transit over a telecommunication system not just when its being sent over that system, but also when it is sitting in storage at one end of the system in a manner that enables the intended recipient to collect it or otherwise to have access to it. In other words, an interception also takes place, for example, if an email stored on a web-based service provider is accessed so that its contents are made available to someone other than the sender or intended recipient.

It is irrelevant whether or not these emails were previously received. This is in line with the rationale of the relevant section in RIPA, which addresses the unauthorised access to oral and written communications whilst they remain on the system by which they were transmitted.

This was confirmed in the cases regarding the News of the World phone hacking scandal in which employees of the newspaper were accused of engaging in phone hacking in order to intercept voicemail messages, and may apply in Tadesse’s case as well. We have argued that hacking Tadesse’s computer to make the content of Skype calls he participated in or his emails available to the operator of the Trojan is a violation of the statute.

When is assistance an offence?

Tadesse’s computer was hacked using FinSpy, a Trojan that is part of the commercial intrusion kit FinFisher, enabling the person operating the Trojan to intercept Tadesse’s communications. We argue that the development of FinSpy and its export assisted the unlawful interception of Tadesse’s communications, and qualifies as an offence itself under the Accessories and Abettors Act 1861 and/or the Serious Crimes Act 2007.

Simply put, an offence on the basis of the Serious Crimes Act is committed when you assist the unlawful interception of communications, while you believe there will be an unlawful interception of communications and your actions will assist in this interception. Additionally, helping someone to unlawfully intercept communications while you are aware that there is a "real risk" that the unlawful interception would be committed, is an offence under the Accessories and Abettors Act.

What are the next steps?

With a view to the fact that Tadesse was granted asylum in the UK because of his well-founded fear of persecution on political grounds in Ethiopia, and the UK’s particular responsibility to protect Tadesse from measures being taken against him by the Ethiopian government while he is in the UK, we have asked the police to investigate and keep Tadesse informed of the next steps.

The National Cyber Crime Unit has confirmed that it will work with the Metropolitan Police to investigate this matter. According to the Metropolitan Police’s description of its process, after an initial investigation, an assessment will be given. The two possible outcomes of this assessment are that the investigation will be closed, or that the matter will be investigated further. After this, suspects may be charged, cautioned or the case may be closed.

Is there a precedent for this type of case?

No. We are not aware of any other cases in relation to the unlawful interception of the communications of a refugee who has been granted asylum in the UK because of persecution by his government.

However, RIPA is a well known law because of it is being used in the prosecutions regarding the News of the World phone hacking scandal, among other cases. In one of the cases brought by various top former News International personnel facing conspiracy charges regarding alleged phone hacking, Coulson and Kuttner v Regina, it was clarified that messages that had already arrived at the voicemail inbox and been opened for reading or listening by the recipients can also be considered to have been intercepted in the course of their transmission. To a certain extent, Tadesse’s case is quite similar: all his online correspondence stored in his online email account has been accessible to the operator of the Trojan and can be considered to have been intercepted.

What are the possible larger implications of the case?

This case is not only relevant to Tadesse, but may have implications for other refugees in the UK as well. FinFisher enables countries to carry out borderless surveillance, and “follow” people that have fled the country and have been granted asylum elsewhere to monitor them via their computers and mobile phones in the country where they are under the impression that they are safe and for instance free to be politically active. As the UK has a particular responsibility to protect refugees it has granted asylum, measures taken by the UK government as a result of this case may help improve the safety of other refugees as well.

Measures taken by the UK government may however also create a precedent regarding the use of this type of intrusive surveillance technology, which will be relevant for other victims of unlawful interception using tools like FinFisher.