Privacy International seeking investigation into computer spying on refugee in UK
Privacy International today has made a criminal complaint1 to the National Cyber Crime Unit of the National Crime Agency urging them to investigate the potentially unlawful interception of the communications of an Ethiopian political refugee living in the UK, as well as the role a British company played in developing and exporting invasive commercial surveillance software called FinSpy.
Tired of living under constant surveillance and harassment, Tadesse Kersmo and his wife left Ethiopia and arrived in the United Kingdom in 2009 where they were subsequently granted asylum.
In April 2013, Mr. Kersmo became aware of a report published by the Citizen Lab, an interdisciplinary research lab at the Munk School of Global Affairs of the University of Toronto, that mentioned a spyware campaign targeting Ginbot 7 members. The report, titled “You Only Click Twice: FinFisher’s Global Proliferation”, describes how pictures of Ginbot 7 members included in an email were used as bait to infect computers with the Trojan FinSpy. One of the pictures included in the email was of Mr. Kersmo who is a member of the Ginbot 7 executive committee.
A subsequent analysis by Privacy International and Bill Marczak, a research fellow at the Citizen Lab, of Mr Kersmo’s computer suggests that in June 2012, three years after escaping persecution, his computer appears to have been infected with the commercial surveillance spyware FinSpy.
FinSpy was developed and produced by the British company Gamma International and is part of an intrusion kit called FinFisher.
Privacy International has now sent a dossier to the National Cyber Crime Unit calling on them to investigate the illegal surveillance, and demanding justice for Tadesse. This complaint, on behalf of a refugee alleging that he has been spied on in the UK using a FinFisher product, is the first of its kind, but builds on previous calls for investigations related to the alleged export of FinFisher to repressive regimes like that in Ethiopia.
Promotional material for FinSpy shows that it allows its user full access to a target’s infected device and everything contained within it, even enabling them to turn on functions such as cameras and microphones. Reports from the Citizen Lab suggest that FinFisher command and control servers have been found in 35 countries, including Ethiopia, Turkmenistan, Bahrain, and Malaysia.
Eric King, Head of Research for Privacy International, said:
Even when someone flees persecution in their own country, western-made surveillance technologies such as FinSpy can still be used by repressive regimes to monitor the moves of political activists anywhere around the world. No one should have to live under this constant threat, and authorities here in the UK are obliged to protect those who seek asylum. The police must investigate immediately and hold those responsible to account.”
Privacy International argues that surveillance of Tadesse is in conflict with three laws:
a) The Regulation of Investigatory Powers Act, which under a provision on unlawful interception states that if you don’t have lawful authority and you intercept someone’s communication in the UK, the interception is illegal; and
b) The Serious Crimes Act, which holds that if you assist in an offence, and you know the offence will be carried out, you will be committing an offence yourself; and/or
c) The Accessories and Abettors Act 1861 which provides that if you assist in an offence while you are aware that there was a "real risk" that the crime would be committed, you could also be held liable.