Turkish police can surveil cell phones with a few clicks, thanks to FinSpy software “made in Germany.” In March 2022, FinFisher, the manufacturer of the spyware, had to file for bankruptcy following a criminal complaint by the Gesellschaft für Freiheitsrechte (GFF), Reporters Without Borders (RSF Germany), the blog netzpolitik.org and ECCHR. In May 2023, the Munich Public Prosecutor’s Office brought charges against four managers of the corporate group.

Since July 2019, the Public Prosecutor’s Office has investigated the conglomerate FinFisher, to which FinFisher Labs and Elaman also belong. Already in October 2020, the Public Prosecutor’s Office authorized the search of FinFisher offices in Germany and Romania. The Public Prosecutor’s Office announced that it has seized the accounts of the companies. FinFisher subsequently had to cease its business activities and filed for insolvency in March 2022. In May 2023, the Public Prosecutor’s Office files charges against four managers of the FinFisher corporate group. It accuses them of intentionally violating licensing requirements for dual-use goods by selling surveillance software to non-EU countries as the managing directors of limited liability companies of the FinFisher Group at the time, and thus of having made themselves liable to criminal prosecution.

FinFisher allegedly sold FinSpy to the Turkish government without the authorization of the German federal government. The consequences of the use of surveillance software by repressive states are clearly visible in cases concerning Syria or Bahrain: digital surveillance is often followed by imprisonment and torture. Yet, software companies tend to deny any responsibility for their role in human rights violations.

When FinSpy malware infiltrates a cell phone, it assumes complete control of the device. The individuals whose cell phones are monitored using FinSpy can be located at any time, while their telephone conversations and chats can be recorded, and all data from their devices harvested. FinSpy first appeared in Turkey in the summer of 2017 on a fake version of a campaign website for the Turkish opposition. The software was disguised as a downloadable app recommended to participants in anti-government demonstrations. This likely facilitated the surveillance of a large number of political activists and journalists.

The alleged illegal export of surveillance software to the Turkish government is particularly concerning given the repression of journalists and oppositional voices in Turkey. After a failed coup attempt in June 2016 by factions within the Turkish military, more than 50,000 people were arrested, nearly 140,000 people were fired from their jobs, and hundreds of media organizations were shut down.

In order to prevent the sale of surveillance technology to repressive regimes in such countries as Turkey, Syria and Bahrain, Europe-wide licensing requirements were established in 2015 for exports to countries outside the EU. Nonetheless, updated versions of FinSpy Trojan software continue to surface in Turkey, Egypt and Myanmar.

The violation of these licensing requirements is a prosecutable crime. However, in reality, most companies are able to operate globally without interference, as the current legal situation in Germany and Europe has rendered effective criminal prosecution nearly impossible. Despite this success in the case of FinFisher, the law is still in need of urgent changes. A broad alliance of organizations working to protect human rights and freedom of the press has been campaigning for years for a moratorium on the sale, transfer and use of surveillance technology. The law will remain applicable until an appropriate legally valid global framework has been created.

ECCHR has been working on FinFisher since 2013. At that time, ECCHR, together with RSF, Privacy International, Bahrain Center for Human Rights (BCHR) and Bahrain Watch (BW), filed OECD complaints against Munich-based Trovicor GmbH and the British-German Gamma Group, to which FinFisher belonged.