Tuesday, February 24, 2015

Surveillance in Bangladesh - Govt purchased Tk 8.2cr software to spy on private computers

This is the first in the series of articles published in New Age about surveillance. This was originally published on 1 November 2014.

You can access all five of the articles from this page
Govt purchased Tk 8.2cr software to spy on private computers 
David Bergman 
The government has purchased surveillance software from a private European company which allows the country’s intelligence and law enforcement bodies to remotely intercept audio, video and written communications from privately owned computers, Wikileaks has revealed.
According to confidential records and information, leaked from the company and published last month on the Wikileaks website, the Bangladesh government has since December 2012 paid €831,060 (Tk 8.2 crore) to the German company FinFisher to purchase this ‘surveillance malware’.
The website does not state which particular Bangladesh law enforcement body or intelligence agency purchased the licenses, but the company only sells this software to government agencies.
According to the records, the main software license purchased by the Bangladesh authorities is called ‘FinSpy’.

FinSpy, once installed, can take control of a targeted computer, and through ‘control and command servers’ allows agent to intercept and record skype conversations, instant messaging, emails, and ‘silently’ extract files even if they are encrypted.
The software is said to be able to bypass anti-virus detection and when installed be almost impossible to safely remove.
The published records show that in the two months between 11 November 2012 and 11 January 2013, the Bangladesh government purchased three licenses. Though the licenses imposed no limit on the number of computers that could be accessed, together they only allowed a maximum of 60 computers to be put under surveillance at any one time.
The licenses allowed six ‘agents’ to remotely operate the system that monitored the information obtained from the FinSpy infected
Two of licenses have expired in January and November 2013 respectively, leaving the government with ability to monitor up to 20 computers at any one time, through two agents, at present. The last license expires on November 16 this year.
The software can be installed using a memory stick FinFly USB, licenses for which the government had also purchased at the same time they brought FinSpy.
According to the company manuals, ‘The FinFly USB dongle supports the auto execution of the Trojan …. This infection technique is very useful if a computer is just accessible within a short time frame or in time-critical operations. … [It is] a very easy to use method and can be used in operations even by untrained personnel.’
The Wikileaks website points to the surveillance software not just having been purchased, but used.
An un-dated ‘support request’ to the German company sent by a Bangladeshi agent named ‘Arefin’, published on the website, states that ‘yesterday we have infected one target. He is online … but we are not getting any feeding from him. Moreover, we have confirmation that the person is online and doing some activity. Please reply with suggestions.’
Kamal Uddin Ahmed, additional secretary (political) at the home ministry told New Age that he had not ‘heard’ about this. ‘To my knowledge, the concerned law enforcement people who deal with this kind of thing have not purchased this kind of software.’
‘I don’t know if [such software] would help law enforcement agencies, but if it does then that is good. We are trying to get equipment that tracks criminals involved in terrorism and money laundering. We need to strengthen our capacity in this area.’
Bangladeshi law allows the Home Ministry to authorise, ‘from time to time’ for a ‘specified period’, any officer of an ‘intelligence agency, national security agency, investigation agency or law enforcement agency’ to ‘record or collect’ information’ relating to ‘any message or conversation or any telecommunication service user.’
The term ‘telecommunication service user’ within the Telecommunications Act 2001 is defined to include an ‘internet user’.
It remains unclear whether this provision is wide enough either to permit a law enforcement officer to infect a person’s private computer with a surveillance virus or allow an officer to extract documents from a computer which are not part of a ‘message or conversation’. It would be illegal for ordinary Bangladeshi citizens to do so.
Wikileaks states that this kind of software is ‘used by intelligence agencies around the world to spy on journalists, political dissidents and others’. It can also be used against suspected terrorists and criminals.
The website provides information on 18 governments that are known to have purchased the software. Apart from Bangladesh, this includes Pakistan, Qatar, Singapore and Australia.
The Guardian newspaper has reported that the existence of the FinFisher suite of spy software first came into public domain in early 2011 when documents were found in the offices of Egypt’s secret police after former president Hosni Mubarak was deposed. Since then, there has also been particular controversy over its use in Bahrain.
Commenting on the software, Eva Galperin, of the Electronic Frontier Foundation, an Internet civil liberties group told the New York Times that, it was dual use technology. ‘If you sell it to a country that obeys the rule of law, they may use it for law enforcement. If you sell it to a country where the rule of law is not so strong, it will be used to monitor journalists and dissidents.’
In 2014, an American citizen sued the Ethiopian government for the surreptitious downloading of FinSpy on his computer, which was used to wiretap his private skype calls and monitoring his entire family’s every use of the computer for a period of months.
The revelations come at a time when the issue of government surveillance of private citizens has become a controversial issue in many countries, following the leaking by Edward Snowden of files from the United States NSI.
Until late 2013, FinFisher was part of the UK-based Gamma Group International.

No comments:

Post a Comment