German prosecutor opens criminal investiation into FinFisher for selling spyware to Turkey without license

05.09.2019

Berlin, 5 September 2019 – The Society for Civil Rights (GFF), Reporters Without Borders Germany (RSF Germany) the blog netzpolitik.org and the European Center for Constitutional and Human Rights (ECCHR) filed criminal complaints against several high ranking CEOs of the German companies FinFisher GmbH, FinFisher Labs GmbH and Elaman GmbH for allegedly exporting the spyware FinSpy to Turkey without an export license. The public prosecutor’s office in Munich, where FinFisher is based, has opened an investigation on suspicion of violation of the Foreign Trade and Payments Act. This could result in a fine or up to five years imprisonment.

A FinSpy sample found on a Turkish website built the basis for this lawsuit. The Turkish government allegedly planted the spyware on a fake version of the Turkish oppositional website Adalet. While the original Adalet website was intended to help activists coordinate during the protest marches in summer 2017 against President Erdoğan, the fake version offered users a download of a networking application that, once installed, infected their devices with the FinSpy malware.

“It is outrageous and unacceptable to see German spyware being used against journalists and oppositional voices in Turkey,” said Christian Mihr, Executive Director of Reporters Without Borders Germany. “This, once again, illustrates the deficiencies of the European surveillance technology export regime and the dire need for reform.”

Experience from cases in Syria and Bahrain shows what consequences the use of monitoring software can have: “In repressive states, digital surveillance is often followed by imprisonment and torture. However, software companies reject responsibility for this,” added ECCHR’s Vice Legal Director Miriam Saage-Maaß. “Companies like FinFisher can operate almost unhindered globally, as the current legal situation in Germany and Europe makes efficient criminal prosecution nearly impossible. Therefore we urgently need changes in the law.”

When used and installed on a recipient’s mobile device, FinSpy enables government authorities to access telephone and VoIP conversations, data systems, screenshots and other photos, GPS data, microphones and connection data. Consequently, it constitutes a great threat to activists and journalists as it fully exposes their communication with contacts and sources.

Since 2015, the European dual-use regulation and the German Foreign Trade and Payments Act have required companies to obtain a license when exporting surveillance technology outside the EU. The German government has confirmed that it has not granted export licenses for intrusion software since 2015. In Germany, even software maintenance and updates are subject to licensing. Several independent analysts conducted a forensic examination of the malware sample found in Turkey and concluded that it is a new version of FinSpy. Time stamps in the code clearly show that this FinSpy malware could not have been coded or exported before October 2016. In exporting FinSpy to Turkey, FinFisher was allegedly acting in clear violation of both German law and EU regulations, thereby committing a criminal offense.

FinFisher has a history of exporting spyware to autocratic regimes. Some of the first rumours of its involvement in supplying tools to authoritarian governments originated from its sales to Middle Eastern governments during the Arab Spring. Over the years, the company has solidified its connection to repressive governments, thereby supporting them in brutally cracking down on activists, journalists or anyone critical of the authorities.

That is why GFF, RSF Germany, ECCHR and netzpolitik.org decided to use the analysis of the FinSpy malware found in Turkey to press legal charges against the companies and hold them accountable for their involvement in human rights abuses abroad.

This example shows the need for the strict and transparent EU-wide regulations on surveillance technology exports, as well as enforcement. This fall, the European Council, Commission and Parliament will commence political trialogue negotiations to agree on a reform of the dual-use regulation.

Who we are

To counter injustice with legal interventions – this is the aim and daily work of the European Center for Constitutional and Human Rights.

ECCHR is an independent, non-profit legal and educational organization dedicated to enforcing civil and human rights worldwide. It was founded in 2007 by Wolfgang Kaleck and other international human rights lawyers to protect and enforce the rights guaranteed by the Universal Declaration of Human Rights, as well as other human rights declarations and national constitutions, through legal means.

Together with those affected and partners worldwide, ECCHR uses legal means to end impunity for those responsible for torture, war crimes, sexual and gender-based violence, corporate exploitation and fortressed borders.

Press Contact

Maria Bause
T: +49 30 69819797
M: presse@ecchr.eu

Philipp Jedamzik
T: +49 30 29680591
M: presse@ecchr.eu

REGISTRATION PRESS

Press

Archive