FinSpy surveillance software, marketed worldwide to law enforcement agencies as a way to monitor criminals, is widely used by repressive governments to spy on human rights groups and dissidents, according to a report released Wednesday.
The report by researchers at the Citizen Lab of the Munk School of Global Affairs at the University of Toronto found the software is "regularly sold to countries where dissenting political activity and speech is criminalized."
FinSpy, named after a line of code in its software, is a surveillance tool that infects computers to capture screenshots, log keystrokes, record Skype conversations and activate cameras and microphones. Gamma Group, a British company, makes the software and markets it to law enforcement agencies as a lawful way to monitor criminals.
Gamma Group could not immediately be reached for comment. Last year, Martin J. Muench, a Gamma Group managing director, told The New York Times that FinSpy was used mostly “against pedophiles, terrorists, organized crime, kidnapping and human trafficking." He declined to disclose which countries had bought the software.
But security researchers say FinSpy is used by governments around the world for broader purposes. Last year, Citizen Lab researchers found that the government in Bahrain had used FinSpy to target activists in that country.
The researchers said in their report Wednesday they found FinSpy in 25 countries, including the U.S. and several countries "with troubling human rights records."
"Our findings highlight the increasing dissonance between Gamma’s public claims that FinSpy is used exclusively to track 'bad guys' and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists," the researchers wrote.
For example, the researchers found FinSpy on cell phones in Vietnam stealing text messages, snooping on phone calls and tracking users locations via GPS. Last year, a Vietnamese court convicted 14 bloggers, writers and activists of attempting to overthrow the government and sentenced them to up to 13 years in prison.
The researchers also found a version of FinSpy in Ethiopia that tricked users into downloading the spyware with photos of an Ethiopian political group, suggesting the government used the surveillance for political purposes, the report said.
The report comes a day after Reporters Without Borders compiled a list of what it called five "Corporate Enemies of the Internet" because those companies allegedly sell products used by authoritarian governments to conduct Internet surveillance. The five companies are Gamma, Trovicor, Hacking Team, Amesys and Blue Coat, according to the organization, which defends media freedom worldwide.
Governments around the world have used spyware designed by Hacking Team and Gamma to capture the passwords of journalists, the group said.
The report also comes a day after the top U.S. intelligence official, James R. Clapper Jr., warned Congress about the national security threats posed by companies that "develop and sell professional-quality technologies to support cyber operations -- often branding these tools as lawful-intercept or defensive security research products."
"Foreign governments already use some of these tools to target U.S. systems," Clapper told a Senate panel. He did not name specific companies.