Germany Charges Spyware Firm With Violating Dual-Use Export Controls
Germany charged four managers of spyware company FinFisher with intentionally violating dual-use export controls after they sold surveillance products, without licenses, to countries outside the EU. The managers of the FinFisher group of companies, which were some of the “world's leading” spyware firms before declaring insolvency last year, never “even applied for” export licenses from German authorities and tried to evade detection, Munich’s public prosecutor announced this week, according to an unofficial translation.
Germany brought the charges after a yearslong investigation stemming from complaints by four nongovernmental organizations:, the Society for Civil Liberties, Reporters Without Borders, the European Center for Constitutional and Human Rights (ECCHR) and Netzpolitik.org. The groups accused FinFisher of selling spy software to Turkey without export licenses.
Miriam Saage-Maass, legal director of ECCHR, said companies like FinFisher “have been able to export almost unhindered worldwide despite European export regulations," saying the indictment was “long overdue” and calling for a “timely” conviction. “But even beyond that, the EU and its member states must take much more decisive action against the massive misuse of surveillance technology,” she said, according to an unofficial translation.
EU Parliament members earlier this month said the bloc needs tighter enforcement of export controls surrounding spyware products, saying several countries -- including Cyprus, Greece and Bulgaria -- are routinely flouting the bloc’s export restrictions (see 2305090040).
Munich’s public prosecutor said FinFisher sold spy software mainly to law enforcement agencies and intelligence services, including its commercial spy software known as FinSpy, which could “gain full control over” computers and smartphones. The company sold the items to a range of customers both inside and outside the EU but faced an “existential threat” when the bloc began requiring licenses for controlling exports of certain surveillance products in 2015, “since this also included the monitoring software that it developed and sold.”
FinFisher developed a “globally branched company structure,” Munich said, which was “intended to give the impression that even after the legal restrictions came into force,” the “distribution of the surveillance software in countries outside the EU would continue in a legally compliant manner.” But Munich's prosecutor office said the company’s officials continued certain operations out of Germany, which violated export license requirements.
To continue to “process contracts” with certain customers outside the EU, the Munich-based company’s managers, including its head of finance and an official “responsible for export control,” decided to “process the export of the surveillance software on paper” without a license. By “creating a corresponding paper situation, the impression was to be created that contracts with customers from the [non-EU] country group were no longer served by the Munich-based companies with the change in the legal situation,” the prosecutor's office said. But the “development of the surveillance software continued to be carried out" by a development team at FinFisher Labs, which was led by one of the company’s managers in Munich and “supported by developers working in Romania.”
In 2015, after the EU’s dual-use export controls took effect, FinFisher signed a contract worth about $5 million with Turkey to deliver the country’s secret service monitoring software, hardware, technical support and training but tried to “disguise” that the sales were coordinated by managers in Munich and the customers were Turkey’s intelligence service. The company instead listed the seller in the “contract document” as a Bulgarian company and the customer as an “actually non-existent ‘General Directorate for Customs Control’ in Ankara,” the prosecutor's office said.
Munich said “all of the accused were aware” they needed an export license but never received one, “not even by the Bulgarian export authorities.” The prosecutor's office added that the FinFisher officials were “also aware that transactions” brought “the FinFisher group of companies, and thus indirectly themselves, significant income.”
Although exports of spyware products have been subject to EU licensing requirements since 2015, “current versions of the FinSpy Trojan appear again and again in countries with repressive regimes, such as Egypt, Myanmar or Turkey,” the four NGOs said. Sarah Lincoln, a lawyer with the Society for Civil Liberties, said: “The fact that those responsible are finally being prosecuted is a long overdue signal that such violations must not go unpunished.”