Ugandan Government Deployed FinFisher Spyware To 'Crush' Opposition, Track Elected Officials And Media In Secret Operation During Post-Election Protests, Documents Reveal

Press release
Ugandan government deployed FinFisher spyware to 'crush' opposition, track elected officials and media in secret operation during post-election protests, documents reveal

Ugandan President Yoweri Museveni directed intelligence and police officials to use a powerful, invasive malware to spy on domestic political opponents – including parliamentarians, activists and media houses – following the 2011 presidential election, during a period of urban unrest and police violence, according to secret government documents obtained by Privacy International. A feature broadcast piece will air on BBC Newsnight on Thursday, 15 October.

Privacy International's new report, For God and My President: State Surveillance in Uganda, exposes the secret surveillance operation and the government's attempts to buy further powerful surveillance tools, including a national communications monitoring centre and intrusion malware, in the absence of a rigorous legal framework governing communications surveillance.

The report traces the relationship between Ugandan government and the Gamma Group of companies. The Chieftaincy of Military Intelligence (CMI) purchased FinFisher surveillance malware in December 2011 from Gamma International GmbH (Germany). The company also advised on the deployment of four Ugandan FinFisher-trained agents, according to Presidential briefing documents.

The explicit aim of the operation, codenamed Fungua Macho ('open your eyes'), was to collect intelligence to crush the Walk to Work protest movement, and spy on the Forum for Democratic Change (FDC) opposition party, media houses, parliamentarians and intelligence insiders. The senior intelligence officials in charge of the operation sought to neutralise other “threat[s] to National Interests” in order to consolidate the National Resistance Movement-led government faced with urban unrest, according to the documents.

At the height of the protests in April 2011, at least 600 persons were arrested and detained without charge; some bore marks consistent with allegations of whipping and beatings. Members of Parliament were arrested and placed under 24-hour surveillance. A second round of protests was launched in late 2011 and continued into 2012, during and after the launch of the surveillance operation.

President Museveni personally launched the operation in January 2012, according to the documents. Covert FinFisher 'access points' were installed within Parliament and key government institutions. Actual and suspected government opponents were targeted in their homes. Hotels in Kampala, Entebbe and Masaka were also compromised to facilitate infection of targets' devices. The CMI solicited state funds to 'bribe' collaborators to facilitate infections and intended to use collected information to 'blackmail' targets, according to the documents.

In the leaked documents a Ugandan intelligence official claims that Kenya, Nigeria, Rwanda, Senegal and Zimbabwe are FinFisher clients. He also claims that FinFisher was used in Syria during the Arab Spring uprisings. Privacy International was not able to verify this claim.

Gamma, which provided the FinFisher product, trained four Ugandan officials to use it in Germany in December 2011. On 19 and 20 January 2012, two Gamma officials met with senior intelligence officials in Kampala and briefed them on FinFisher's capabilities in an “IT Intrusion Seminar”. Ugandan officials later travelled to Germany and the Czech Republic as Gamma's visitors and attended the ISS World surveillance trade show in June 2012, according to company documents.

The report also reveals that Ugandan government has also been attempting to build a centralized communications monitoring centre. In 2013, the Ugandan inter-agency Joint Security/ICT Technical committee invited bids for the project from seven technology companies, according to government documents. These included Huawei and ZTE (China), Verint Systems Ltd. and NICE Systems (Israel), RESI Group (Italy), Macro System (Poland) and, again, Gamma Group International (United Kingdom).

While the monitoring centre is not operational, the government nevertheless continues to attempt to procure advanced tactical surveillance technologies. The Police contacted intrusion malware supplier and rival to Gamma group, Hacking Team, in mid-2015 through a company linked to a Ugandan media and business magnate.

Next year, Ugandans will vote in the fifth presidential election since President Museveni came to power. Along with more heavy-handed tactics, the use of surveillance technology has chilled free speech and legitimate expressions of political dissent. Covert, extrajudicial surveillance operations like those documented in this report have contributed towards making Uganda a less open and democratic country in the name of national security. This situation is unlikely to improve with the eventual addition of the centralized communications monitoring centre under the intelligence services' control.

Until and unless these issues are addressed, claims that Uganda is a burgeoning democracy ring hollow.

 

Gus Hosein, Executive Director, Privacy International:

Two years ago, we heard a rumour that the Ugandan Government was using FinFisher malware to covertly crush its perceived enemies. Today Privacy International's investigation offers a concrete example of what we have been warning against for years: powerful spying tools that are used by governments in secret will ultimately be used against citizens to protect state power.

During the time of the Fungua Macho operation, Ugandans protesting against rising costs of living and police brutality were being assaulted by police. Civilians were killed and people perceived to be opposed to the president were arbitrarily arrested. We now know that leadership of these protests were being spied on using FinFisher malware.

Our investigation shows that the Ugandan Government used surveillance tools explicitly to be one step ahead of their opponents. We also show that the Ugandan Government's appetite for secret surveillance is only growing. It is seeking out more capabilities to hack computers and devices, and aims to build a national monitoring centre capable of sweeping up large amounts of Ugandans' communications data.

The Ugandan Parliament needs to initiate an inquiry into Operation Fungua Macho. The Auditor General needs to increase transparency about the use of state funds to buy surveillance equipment. Elections are scheduled for early 2016 - what guarantees that this won't happen again? Ultimately, Uganda needs a legal framework that governs the use of surveillance in ways that are consistent with international human rights standards. Modern surveillance technologies are too great a power in the hands of unaccountable and secret institutions.

 

Jeff Ssebagala, Executive Officer, Unwanted Witness:

We are saddened by these findings and we demand that the Kampala government should come out to explain why it is resorting to secret surveillance when citizens are yearning for service delivery with some starving to death. It’s a shame our leaders are prioritizing regime survival at all costs.

It should be noted that what is happening here is a sign of a regime becoming weaker and authoritarian. These actions violate the National Constitution and international human rights laws and we condemn it in the strongest terms possible.

 

Update: 16/10/15: Statement by Privacy International in response to the Ugandan Government press conference

Privacy International has been made aware of the Uganda Media Centre's press conference today in Kampala following the release of Privacy International's report "For God and My President: State Surveillance In Uganda" and BBC Newsnight's broadcast based on the report. We would like to address certain points raised by Colonel Shaban Bantariza today.

We are confident that all documents presented in our report are genuine documents. We have undertaken extensive corroboration of all the documents we have been provided. We look to Uganda's press to follow up on the story and bring to light more surveillance in the country.

Our report is based on extensive research and evidence, including six sets of documents. Besides the Fungua Macho briefing memo drafted by the CMI Director of Technical Intelligence in January 2012, these include: a visitor program of Ugandan government officials' travel to meet with Gamma in 2012, a Ugandan government document indicating that seven firms including Gamma were invited to tender for a lawful interception monitoring centre, and corroborating evidence including a Powerpoint presentation delivered specifically to Ugandan officials, with business cards -- all amongst other information referenced in the report.

Many of these documents were obtained from independent sources both within the surveillance industry and the Ugandan government. The evidence taken as a whole shows a sustained and close relationship between Government of Uganda officials and Gamma Group officials from 2011 through 2013. The Government of Uganda appears not to have commented on the bulk of the documents, rather focusing on discrediting the Fungua Macho briefing memo.

Furthermore we note that the Regulation of Interception of Communications Act (2010) does not regulate the use of intrusion malware like FinFisher. Rather, the law only covers interception of communications, as conducted through Uganda's service provider networks. The use of FinFisher amounts to "hacking" an individual's device. The Fungua Macho operation -- which appears to have been completed without any reference to judicial oversight or warrants -- was thus not within the realm of law. Our report contains a more detailed legal analysis.

We encourage Ugandans to read the report for themselves. We remain open to engaging the Uganda Government in our goal of ensuring that surveillance is conducted in a legal and transparent manner with the interests of all Ugandans at heart.

Follow the debate on Twitter at #FunguaMacho

The report is here.